The objective of identifying security settings is to later apply the required measurements and ensure that particular settings are enabled in production.
- Possible sources for security settings:
- Regulatory compliance.
- The Company's desired security risk level that is also reflected in the blueprint.
- Current attack vectors (e.g. Log4Shell, ...).
- Feedback from pen tests.
- The functionality of the security components.
It might be obvious that these sources change over time and must be re-evaluated as well as some of them might be optional while others are mandatory.
By going through the settings Airlock Microgateway provides, candidates for configuration templates can be identified.
- Sources for Airlock Microgateway settings:
- Consider the Airlock Microgateway manual.
- Go through the Airlock Microgateway
CustomResourceDefinition
with kubectl explain
.
Depending if a certain security setting is mandatory or not it should be part of a policy and enforced or in a template and facultative.
- Possible settings to disallow by policies:
- deny rules in log-only mode,
- allow rules in log-only mode,
- injecting HSTS header is disabled,
- limits are set too high,
- ...
| - Possible settings to recommend, but not disallowed:
- only allow standard HTTP request headers,
- default allow-rule to restrict unused HTTP methods,
- inject CSP header,
- ...
|
After identifying the settings that should be configured, either mandatory or optional, the required actions could take place.