Merge pull request #346 from stakater/infosec

cleanup and updates

.vale.ini

@@ -1,7 +1,7 @@
 StylesPath = styles
 MinAlertLevel = warning
 
-Packages = https://github.com/stakater/vale-package/releases/download/v0.0.40/Stakater.zip
+Packages = https://github.com/stakater/vale-package/releases/download/v0.0.42/Stakater.zip
 Vocab = Stakater
 
 # Only check MarkDown files

content/about/service-definition/overview.md

@@ -17,7 +17,6 @@ This section outlines the service definition for Stakater App Agility Platform (
 1. [Managed Certificates](../../managed-addons/cert-manager/overview.md)
 1. [Managed Continuous Delivery (ArgoCD)](../../managed-addons/argocd/overview.md)
 1. [Managed Continuous Integration (Tekton)](../../managed-addons/tekton/overview.md)
-1. [Managed Policy Enforcement (Kyverno, OPA)](../../for-cisos/policies/policies.md)
 1. [Managed Downtime Alerting (IMC)](../../managed-addons/imc/overview.md)
 1. [Managed Dynamic Environments (Tronador)](../../managed-addons/tronador/overview.md)
 1. [Managed Dynamic Application Reload (Reloader)](../../managed-addons/reloader/overview.md)

content/for-cisos-dpos/bsi-it-grundschutz.md

@@ -0,0 +1,24 @@
+# BSI IT-Grundschutz Controls
+
+The BSI IT-Grundschutz framework, a German standard for IT security, defines systematic methodologies and controls for safeguarding IT systems. With Stakater App Agility Platform (SAAP) built on Red Hat OpenShift, organizations can effectively implement these controls for Kubernetes-based workloads.
+
+- Total applicable modules in BSI IT-Grundchutz: 2
+    - SYS.1.6 - Containerization: 10 Controls
+    - APP.4.4 - Kubernetes: 21 Controls
+- Total applicable controls in BSI IT-Grundchutz: 31
+
+## Controls Addressed by SAAP
+
+SAAP enables the implementation of all 31 controls defined in the SYS.1.6 and APP.4.4 modules, leveraging Kubernetes configurations, OpenShift’s features, and additional tooling as necessary. Key areas include:
+
+- **Secure Container Images (SYS.1.6)**: Enforcing signed and verified container images via Red Hat Certified Container images and automated vulnerability scanning.
+- **Role-Based Access Control (RBAC) (APP.4.4)**: Implementing least privilege access and detailed role management through OpenShift’s integrated RBAC.
+- **Logging and Monitoring (APP.4.4)**: Ensuring comprehensive audit logging and monitoring with OpenShift Logging and Prometheus.
+- **Resource Quotas and Limits (APP.4.4)**: Managing resource usage through Kubernetes’ Resource Quotas and LimitRanges.
+- **Container Runtime Security (SYS.1.6)**: Restricting runtime capabilities using OpenShift’s Security Context Constraints (SCCs).
+- **Persistent Data Security (APP.4.4)**: Encrypting data at rest and securing Persistent Volumes (PVs) with Kubernetes RBAC and OpenShift storage features.
+- **Network Isolation (SYS.1.6 and APP.4.4)**: Securing inter-service communication using OpenShift NetworkPolicies and Service Mesh.
+
+SAAP enables organizations to meet all **31 controls** across the SYS.1.6 and APP.4.4 modules of the BSI IT-Grundschutz framework. While some controls may require additional tooling or configurations, SAAP provides the foundational capabilities needed for complete compliance.
+
+This comprehensive alignment ensures SAAP remains an indispensable tool for organizations targeting robust security and regulatory adherence.

content/for-cisos-dpos/gdpr-eu.md

@@ -0,0 +1,31 @@
+# GDPR (Regulation (EU) 2016/679)
+
+## Shared Responsibility Model
+
+The shared responsibility model outlines how GDPR compliance is a shared obligation between Stakater and its customers, with clearly defined roles:
+
+### Stakater’s Responsibility
+
+Stakater is responsible for:
+
+- Securing the Kubernetes infrastructure, including the control plane, nodes, and network.
+- Implementing technical measures like encryption, access controls, and monitoring.
+- Providing tools and capabilities to support customer compliance.
+
+### Customer’s Responsibility
+
+The customer is responsible for:
+
+- Ensuring application-level compliance with GDPR.
+- Managing workloads, data, and user access policies on the platform.
+- Conducting audits and maintaining compliance documentation.
+
+This division ensures clarity on roles while positioning Stakater as a compliance partner.
+
+## Technical and Organizational Measures (TOMs)
+
+[These](toms.md) specific measures are implemented to ensure GDPR compliance.
+
+## Subprocessors
+
+Stakater subprocessors can be found [here](subprocessors.md).

content/for-cisos-dpos/iso27k1.md

@@ -0,0 +1,24 @@
+# ISO 27001 Controls
+
+ISO 27001, an international standard for information security, includes 14 domains and 114 controls aimed at protecting information assets. SAAP plays a critical role in enabling compliance with these controls by focusing on the technical aspects of Kubernetes-based workloads.
+
+- Total Domains in ISO 27001: 14
+- Total Controls in ISO 27001: 114
+
+## Controls Addressed by SAAP
+
+- **Directly Applicable Controls**: SAAP enables the implementation of 28 controls, fully enforceable through Kubernetes configurations and features. These controls span critical areas such as:
+
+    - **Access Control (A.9)**: Implementing Role-Based Access Control (RBAC) and restricting unauthorized access to resources.
+    - **Cryptography (A.10)**: Ensuring data security through encryption and robust key management.
+    - **Operations Security (A.12)**: Automating vulnerability scanning, logging, and secure cluster configurations.
+    - **Communications Security (A.13)**: Securing inter-service communication with encrypted traffic and network isolation.
+
+- **Partially Applicable Controls**: An additional 22 controls are partially supported by SAAP through integrations and configurable policies. For example:
+
+    - **Information Security Policies (A.5)**: SAAP helps align Kubernetes policies with organizational security frameworks.
+    - **Supplier Relationships (A.15)**: Ensures the use of trusted container images and compliance checks for third-party integrations.
+
+SAAP directly or partially addresses approximately **50 controls** across ISO 27001’s domains, enabling organizations to align their Kubernetes-based workloads with best practices for security, availability, and compliance. By focusing on technical measures and leveraging Kubernetes features, SAAP simplifies the complex task of meeting international security standards.
+
+This comprehensive support makes SAAP an invaluable tool for organizations aiming to achieve ISO 27001 compliance in modern cloud-native environments.

content/for-cisos-dpos/nist-sp-800-171.md

@@ -0,0 +1,25 @@
+# NIST SP 800-171 Controls
+
+NIST SP 800-171, a cybersecurity standard developed by the National Institute of Standards and Technology (NIST), provides 14 families of controls and 110 requirements to protect Controlled Unclassified Information (CUI) in non-federal systems and organizations. SAAP plays a critical role in enabling compliance with these controls by focusing on the technical aspects of Kubernetes-based workloads.
+
+- Total Families in NIST SP 800-171: 14
+- Total Controls in NIST SP 800-171: 110
+
+## Controls Addressed by SAAP
+
+- **Directly Applicable Controls:** SAAP enables the implementation of approximately 65 controls, fully enforceable through Kubernetes configurations and features. These controls span critical areas such as:
+
+    - **Access Control (AC)**: Implementing Role-Based Access Control (RBAC), service account restrictions, and network policies to ensure least privilege and secure access.
+    - **Audit and Accountability (AU)**: Centralizing log management, enabling Kubernetes audit logging, and enforcing immutable log storage.
+    - **System and Communications Protection (SC)**: Securing data in transit with TLS encryption, encrypting etcd data at rest, and isolating network traffic with Kubernetes NetworkPolicies.
+    - **System and Information Integrity (SI)**: Scanning container images for vulnerabilities, implementing runtime security with tools like Falco, and automating patch management.
+
+- **Partially Applicable Controls**: An additional 15 controls are partially supported by SAAP through integrations and configurable policies. For example:
+
+    - **Incident Response (IR)**: SAAP integrates with monitoring tools to detect anomalies and supports automated alerting for incidents.
+    - **Risk Assessment (RA)**: Facilitates regular vulnerability assessments and compliance checks for Kubernetes environments.
+    - **Media Protection (MP)**: Supports encryption for Persistent Volume Claims (PVCs) and relies on underlying storage systems for further compliance.
+
+SAAP directly or partially addresses approximately **80 controls** across NIST SP 800-171’s families, enabling organizations to align their Kubernetes-based workloads with federal standards for protecting sensitive information. By focusing on technical measures and leveraging Kubernetes features, SAAP simplifies the complex task of meeting stringent cybersecurity requirements.
+
+This comprehensive support makes SAAP an invaluable tool for organizations aiming to achieve NIST SP 800-171 compliance in modern cloud-native environments.

content/for-cisos-dpos/overview.md

@@ -0,0 +1,18 @@
+# CISOs and DPOs Guide Overview
+
+At Stakater, compliance is not just a checkbox; it is a cornerstone of our philosophy. We understand the critical role that Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) play in safeguarding organizational integrity and building trust. With our Risk and Compliance as Code (RCaC) approach, we embed compliance practices directly into the infrastructure and workflows, ensuring that compliance becomes an automated, continuous process.
+
+Through the Stakater App Agility Platform (SAAP), we provide our customers with the tools and capabilities necessary to achieve and maintain compliance effortlessly. Whether it’s adhering to GDPR, NIST, ISO 27001, BSI IT-Grundschutz  or other industry standards, SAAP empowers your teams with automated checks, auditable policies, and streamlined workflows to mitigate risks and stay compliant at all times. By leveraging our platform, organizations can focus on innovation and growth while ensuring that regulatory requirements are consistently met.
+
+To explore specific compliance frameworks and how SAAP addresses them, please refer to the detailed resources linked below:
+
+- [GDPR](gdpr-eu.md)
+- [ISO270001](iso27k1.md)
+- [NIST SP 800 171](nist-sp-800-171.md)
+- [BSI IT-Grundschutz](bsi-it-grundschutz.md)
+
+## Disclaimer
+
+We would like to emphasize that the implementation of the measures described in these document and the use of the technologies mentioned do not guarantee compliance with any specific regulations, certifications, or guidelines. Instead, this document is intended to serve as a starting point for defining the necessary measures based on your organization's unique requirements, technological setup, and protection needs.
+
+It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed.

content/for-cisos-dpos/subprocessors.md

@@ -0,0 +1,15 @@
+# Stakater Subprocessor List
+
+## Third Party Subprocessors
+
+| Supplier   |  Function  |  Geographic Location  |  Legal basis  |
+| -- | -- | -- | -- |
+| Digital Realty + OpenMetal | Hardware/bare metal infrastructure | EU (Amsterdam) | GDPR |
+
+## Stakater Subprocessors
+
+| Supplier   |  Function  |  Geographic Location  |  Legal basis  |
+| -- | -- | -- | -- |
+| Stakater AB | Stakater Processor | Sweden | Intra-group Agreement |
+| Stakater Czech s.r.o. | Stakater Processor | Czech Republic | Intra-group Agreement |
+| Stakater Pakistan SMC-Pvt Ltd | Stakater Processor | Pakistan | Intra-group Agreement with SCCs |

content/for-cisos-dpos/toms.md

@@ -0,0 +1,51 @@
+# Technical and Organizational Security Measures
+
+Stakater Cloud meet the specific requirements of data protection, including, without limitation, Article 28 of the General Data Protection Regulation GDPR and which are listed as SOC 2 Type 2 (Security & Confidentiality).
+
+At a minimum, Stakater has implemented for the Stakater Cloud the technical and organizational measures and maintains security practices within the production environments as follows:
+
+## Confidentiality of processing systems
+
+### Identity and Access Management
+
+- Role-based access controls are enforced using predefined security groups to segregate and manage data access to production systems.
+- Administrative access to production systems is restricted to authorized personnel and granted solely based on their job roles and responsibilities.
+
+### Audit Assurance: Compliance, Governance and Risk Management
+
+- Stakater conducts annual security operational risk assessments for production applications and services. The findings are documented in a risk register, with identified risks prioritized for treatment based on their severity.
+- Stakater evaluates the security of third-party vendors through a vendor security review, specifically focusing on vendors that store, process, or transmit Stakater and/or customer data.
+- Stakater implements risk-based continuous control monitoring by performing control testing throughout the year using a structured methodology. Testing results are documented, reviewed by management, and accompanied by remediation plans for any identified issues.
+- Controlled documents undergo annual review and approval by management, with updates communicated to relevant employees to ensure alignment and compliance.
+
+### Human Resources
+
+- Stakater team members complete security awareness training upon hire and annually thereafter. The training includes relevant Stakater security policies, instructions for reporting security incidents and general industry security best practices.
+- Stakater new hires are required to pass a background check as a condition of their employment.
+
+## Integrity of processing systems
+
+### Application & Infrastructure Security
+
+- Infrastructure and configuration management tools are employed to implement security hardening and establish standardized baseline configurations for production servers.
+- Network traffic originating from or directed to untrusted networks is routed through a policy enforcement point, with firewall rules configured to block unauthorized access effectively.
+- A centralized issue tracking system is utilized to manage, monitor, and document application and infrastructure changes throughout their lifecycle, from development to implementation.
+
+### Threat and Vulnerability Management
+
+- Stakater conducts regular vulnerability scans on the production environment to identify threats, assess their impact, and remediate findings based on severity.
+- Continuous monitoring tools track security events, system latency, network performance, and physical server health in real time.
+- Incident response procedures define steps for managing security events, including recovery and post-incident analysis to improve effectiveness.
+
+## Availability of processing systems
+
+### Resilience
+
+- A business continuity plan is established to provide clear procedures for protecting operations against disruptions caused by unexpected events, with annual tabletop exercises conducted to validate its effectiveness.
+- Enterprise monitoring tools are configured to track system capacity levels and promptly alert operations personnel when predefined thresholds are reached, ensuring proactive management of resources.
+
+## Additional Considerations
+
+- Stakater Cloud is designed to enable customers to delete their data when it is no longer needed.
+- Digital Realty and OpenMetal are responsible for implementing controls to manage both physical access to servers and supporting infrastructure that host Stakater Cloud.
+- Customers can choose to implement technical and organizational measures to safeguard their own (Red) data.