////
Purpose
-------
Information about security.
////

[id="security_{context}"]
= Security

ACS is deployed as the container security platform, providing vulnerability scanning, compliance checking, and runtime security for containerized workloads.

== Identity and Access Management

Access control is implemented through Helvetia's enterprise account system. The access management model follows the Principle of Least Privilege (POLP), with a maximum of two administrators per project. A dedicated RBAC tool is used to manage role-based access permissions across the platform.

== Secrets Management

Sealed Secrets is used to encrypt and manage sensitive information within the Kubernetes environment. This enables version control of encrypted secrets while maintaining access controls and audit capabilities.

== PKI

Certificate management is handled through cert-manager, with plans to implement an ACME provider. Currently, TLS certificates are issued through the internal Helvetia.io certificate authority. A migration project is underway to implement Helvetia.com certificates. Certificate lifecycle operations, including issuance, renewal, and revocation, are managed through automated processes.

== Base Images

The container image architecture uses Red Hat Universal Base Images (UBI) with additional components:

- Custom certificates
- Tracing agents
- Specialized variants including Java, Quarkus, and JBoss tooling

Base images are automatically rebuilt and pushed to Nexus on a monthly schedule to incorporate security updates and organizational requirements.

== Compliance

Helvetia maintains a customized set of CIS benchmarks adapted to organizational requirements. Compliance monitoring and reporting are performed through Red Hat Advanced Cluster Security, which replaced the previously used OpenShift Compliance Operator.
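As an added illustration of the Secrets Management section above (example code, not part of the original page and not Helvetia's tooling): a small pre-commit style guard, in Python, that scans a multi-document manifest file and reports any plain core/v1 Secret, so that only SealedSecret resources, which carry ciphertext under spec.encryptedData, reach version control. The sample manifests and the placeholder ciphertext are constructed for the example; the scanner is deliberately line-based so it needs no YAML library.

```python
"""Guard for a GitOps repository: flag plain Kubernetes Secrets so that only
SealedSecrets get committed.

Added example, not part of the original page. It assumes manifests are
multi-document YAML files and uses a minimal line scanner instead of a YAML
library so it runs on the standard library alone. The sample manifests below
are constructed for the example.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$")
API_RE = re.compile(r"^apiVersion:\s*(\S+)\s*$")
# Top-level keys (column 0) that indicate secret material stored in the clear.
PLAIN_DATA_RE = re.compile(r"^(data|stringData):\s*$")
# Separator between documents in a multi-document YAML stream.
DOC_SEPARATOR_RE = re.compile(r"^---\s*$")


@dataclass(frozen=True)
class Finding:
    document: int   # 0-based index of the document in the stream
    kind: str
    reason: str


def split_documents(text: str) -> list[list[str]]:
    """Split a YAML stream on '---' lines; empty documents are dropped."""
    docs, current = [], []
    for line in text.splitlines():
        if DOC_SEPARATOR_RE.match(line):
            if current:
                docs.append(current)
            current = []
        else:
            current.append(line)
    if current:
        docs.append(current)
    return docs


def audit_manifests(text: str) -> list[Finding]:
    """Return one Finding per document that is a plain (unsealed) core/v1 Secret.

    A SealedSecret (bitnami.com/v1alpha1) only carries ciphertext nested under
    spec.encryptedData, which the in-cluster controller decrypts, so it is
    never matched here: its 'encryptedData' key is indented, not top-level.
    """
    findings = []
    for index, lines in enumerate(split_documents(text)):
        kind = api_version = None
        has_plain_data = False
        for line in lines:
            if m := KIND_RE.match(line):
                kind = m.group(1)
            elif m := API_RE.match(line):
                api_version = m.group(1)
            elif PLAIN_DATA_RE.match(line):
                has_plain_data = True
        if kind == "Secret" and api_version == "v1":
            reason = ("contains data/stringData in the clear"
                      if has_plain_data else "plain core/v1 Secret")
            findings.append(Finding(index, kind, reason))
    return findings


# Constructed sample: one plain Secret, one SealedSecret, one ConfigMap.
SAMPLE_MANIFESTS = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
stringData:
  password: example-not-a-real-password
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
  namespace: app
spec:
  encryptedData:
    password: AgBy...PLACEHOLDER-CIPHERTEXT...
  template:
    metadata:
      name: db-credentials
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
"""

if __name__ == "__main__":
    # Use file arguments if given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    problems = audit_manifests(text)
    for f in problems:
        print(f"document {f.document}: {f.kind} {f.reason}")
    sys.exit(1 if problems else 0)
```

Run it against the rendered manifests before they are committed; the non-zero exit status from the `__main__` block can gate the commit in a pre-commit hook or a CI job, so that only the sealed form of each secret enters the repository.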
== Customer Visibility

Operational insights are aggregated through multiple integrated tools:

- Lifecycle management tooling
- Red Hat Advanced Cluster Security
- LeanIX
- MongoDB

Dashboards provide visibility into:

- Resource allocation efficiency
- Containers with low requests but high limits
- Security posture and compliance status

== Recommendations

=== Short-term Improvements

1. **Security Posture Enhancement**:
- Expand ACS policy coverage for runtime security monitoring
- Implement automated responses for common security events through ACS
- Develop standardized security metrics using ACS data
2. **Certificate Management**:
- Complete the migration to Helvetia.com certificates
- Implement automated ACME-based certificate provisioning
- Configure alerts for certificate expiration events
3. **Resource Management**:
- Implement automated container rightsizing recommendations based on usage data
- Define standard resource profiles for common application patterns
- Configure alerts for resource allocation mismatches

=== Long-term Strategy

1. **Service Security**:
- Evaluate Red Hat Service Interconnect for service-to-service mTLS without full service mesh complexity
- Define standard service security patterns for cross-namespace communication
2. **Automation Enhancement**:
- Automate security incident response through ACS integration with operational tools
- Implement automated remediation for common security findings
- Create automated security assessment workflows for new applications
3. **Compliance Evolution**:
- Develop automated compliance reporting integrated with ACS
- Implement continuous compliance validation through ACS policies
- Create standardized compliance assessment workflows for new applications
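As an added worked example for the dashboard item "Containers with low requests but high limits" and for the Resource Management recommendation on rightsizing and allocation-mismatch alerts (example code, not from the original page or from any of the tools it names): a Python check over a pod object in the shape returned by `kubectl get pod -o json`, with a parser for Kubernetes quantity suffixes. The pod object, the container names, and the 4:1 limit-to-request threshold are constructed assumptions for the example.

```python
"""Flag containers whose resource limits are far above their requests.

Added example, not from the original page. It reads a pod object in the
shape of `kubectl get pod -o json` (here a constructed in-memory dict),
parses Kubernetes quantities, and reports containers whose limit/request
ratio exceeds a threshold. The threshold and the sample pod are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Multipliers for Kubernetes quantity suffixes (decimal SI and binary).
SUFFIXES = {
    "": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
}
QUANTITY_RE = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")


def parse_quantity(value: str) -> float:
    """Convert a quantity such as '500m', '2', '256Mi' or '1G' to a float."""
    m = QUANTITY_RE.match(value.strip())
    if not m or m.group(2) not in SUFFIXES:
        raise ValueError(f"unsupported quantity: {value!r}")
    return float(m.group(1)) * SUFFIXES[m.group(2)]


@dataclass(frozen=True)
class Mismatch:
    pod: str
    container: str
    resource: str
    request: float
    limit: float

    @property
    def ratio(self) -> float:
        return self.limit / self.request


def find_mismatches(pod: dict, max_ratio: float = 4.0) -> list[Mismatch]:
    """Return containers whose cpu or memory limit exceeds max_ratio x request.

    Kubernetes defaults a missing request to the limit, so only an explicit
    request can be "low" relative to its limit; containers that set no limit
    or no request for a resource are skipped.
    """
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for container in pod.get("spec", {}).get("containers", []):
        resources = container.get("resources") or {}
        requests = resources.get("requests") or {}
        limits = resources.get("limits") or {}
        for resource in ("cpu", "memory"):
            if resource not in requests or resource not in limits:
                continue
            req = parse_quantity(requests[resource])
            lim = parse_quantity(limits[resource])
            if req > 0 and lim / req > max_ratio:
                findings.append(Mismatch(name, container["name"], resource, req, lim))
    return findings


# Constructed sample pod: "api" has a 20x cpu gap (100m request, 2 cores limit)
# and an exactly 4x memory gap; "sidecar" is sized sensibly.
SAMPLE_POD = {
    "metadata": {"name": "orders-7d9f"},
    "spec": {"containers": [
        {"name": "api", "resources": {
            "requests": {"cpu": "100m", "memory": "128Mi"},
            "limits": {"cpu": "2", "memory": "512Mi"}}},
        {"name": "sidecar", "resources": {
            "requests": {"cpu": "250m", "memory": "64Mi"},
            "limits": {"cpu": "500m", "memory": "64Mi"}}},
    ]},
}

if __name__ == "__main__":
    for m in find_mismatches(SAMPLE_POD):
        print(f"{m.pod}/{m.container}: {m.resource} limit is "
              f"{m.ratio:.1f}x the request ({m.request:g} -> {m.limit:g})")
```

Feed it the pod list from a namespace (for example, the items of `kubectl get pods -o json`) and treat each `Mismatch` as an alert or a rightsizing candidate; the threshold is deliberately a parameter so that a standard resource profile can set a tighter or looser ratio per application pattern.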