What is SOC 2 and how do you achieve SOC 2 compliance for containers and Kubernetes?

SOC 2 is a compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. SOC 2 is based on five overarching Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. Specifically, the security criteria are broken down into nine sections called common criteria (CC):

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

How does SOC 2 compliance apply to containers and Kubernetes?

Running Kubernetes clusters often presents challenges for CC6 (logical and physical access), CC7 (systems operations), and CC8 (change management) when trying to comply with SOC 2 standards.

In this technical blog, we will dive into how Calico can help you achieve full compliance in achieving all the requirements of CC6. To understand how to achieve compliance with CC7 and CC8, you can review our SOC 2 white paper.

Control # Compliance requirements Calico controls
CC 6.1, 6.6, 6.7, 6.8

 

 Implement logical access security measures to authorized systems only, implement controls to prevent or detect and act upon Continue reading

Using the Linux ncdu command to view your disk usage

The ncdu command provides a fast and very easy-to-use way to see how you are using disk space on your Linux system. It allows you to navigate through your directories and files and review what file content is using up the most disk space. If you’ve never used this command, you’ll likely have to install it before you can take advantage of the insights it can provide with a command like one of these:$ sudo dnf install ncdu $ sudo apt install ncdu The name “ncdu” stands for “NCurses disk usage. .It uses an ncurses interface to provide the disk usage information. “Curses”, as you probably know, has no connection to foul language. Instead, when related to Linux, “curses” is a term related to “cursor” – that little marker on your screen that indicates where you are currently working. Ncurses is a terminal control library that lends itself to constructing text user interfaces.To read this article in full, please click here

Using ncdu to view your disk usage while grasping those TiB, GiB, MiB and KiB file sizes

The ncdu command provides a fast and very easy-to-use way to see how you are using disk space on your Linux system. It allows you to navigate through your directories and files and review what file content is using up the most disk space. If you’ve never used this command, you’ll likely have to install it before you can take advantage of the insights it can provide with a command like one of these:$ sudo dnf install ncdu $ sudo apt install ncdu The name “ncdu” stands for “NCurses disk usage. .It uses an ncurses interface to provide the disk usage information. “Curses”, as you probably know, has no connection to foul language. Instead, when related to Linux, “curses” is a term related to “cursor” – that little marker on your screen that indicates where you are currently working. Ncurses is a terminal control library that lends itself to constructing text user interfaces.To read this article in full, please click here

Using ncdu to view your disk usage while grasping those TiB, GiB, MiB and KiB file sizes

The ncdu command provides a fast and very easy-to-use way to see how you are using disk space on your Linux system. It allows you to navigate through your directories and files and review what file content is using up the most disk space. If you’ve never used this command, you’ll likely have to install it before you can take advantage of the insights it can provide with a command like one of these:$ sudo dnf install ncdu $ sudo apt install ncdu The name “ncdu” stands for “NCurses disk usage. .It uses an ncurses interface to provide the disk usage information. “Curses”, as you probably know, has no connection to foul language. Instead, when related to Linux, “curses” is a term related to “cursor” – that little marker on your screen that indicates where you are currently working. Ncurses is a terminal control library that lends itself to constructing text user interfaces.To read this article in full, please click here

Why is the transition from SD-WAN to SASE so painful?

The transition from software-defined WAN (SD-WAN) to secure access service edge (SASE) is proving to be difficult for many enterprises, according to new research from Enterprise Management Associates (EMA).If you’re a network or security professional, you’re probably familiar with SASE, a new class of solutions that integrates SD-WAN, secure remote access, and cloud-delivered, multi-function network security. Many enterprises are now evolving their SD-WAN implementations into a SASE solution, either by adopting their SD-WAN providers’ SASE capabilities or integrating their SD-WAN with third-party, cloud-based network security solutions.To read this article in full, please click here

Why is the transition from SD-WAN to SASE so painful?

The transition from software-defined WAN (SD-WAN) to secure access service edge (SASE) is proving to be difficult for many enterprises, according to new research from Enterprise Management Associates (EMA).If you’re a network or security professional, you’re probably familiar with SASE, a new class of solutions that integrates SD-WAN, secure remote access, and cloud-delivered, multi-function network security. Many enterprises are now evolving their SD-WAN implementations into a SASE solution, either by adopting their SD-WAN providers’ SASE capabilities or integrating their SD-WAN with third-party, cloud-based network security solutions.To read this article in full, please click here

AMD announces video streaming accelerator

Use of video streaming encoder cards in the data center is on the rise, and AMD is the latest to tackle the demands of high-volume streaming.Even before the pandemic forced everyone to work from home, videoconferencing usage was climbing. Once schools and businesses became dependent on Zoom calls, video streams started clogging data centers and network pipes across the country. Reliance on video among consumers also took off as TikTok, Twitch, and Facebook became broadcast platforms.With users demanding broadcast-quality video – no one wants blurry, blocky, poor resolution – enterprises are left to deal with increased strain on server CPUs.To read this article in full, please click here

AMD announces video streaming accelerator

Use of video streaming encoder cards in the data center is on the rise, and AMD is the latest to tackle the demands of high-volume streaming.Even before the pandemic forced everyone to work from home, videoconferencing usage was climbing. Once schools and businesses became dependent on Zoom calls, video streams started clogging data centers and network pipes across the country. Reliance on video among consumers also took off as TikTok, Twitch, and Facebook became broadcast platforms.With users demanding broadcast-quality video – no one wants blurry, blocky, poor resolution – enterprises are left to deal with increased strain on server CPUs.To read this article in full, please click here

NVA Part II – Internet Access with a single NVA

Introduction

In the previous chapter, you learned how to route east-west traffic through the Network Virtual Appliance (NVA) using subnet-specific route tables with User Defined Routes (UDR). This chapter introduces how to route north-south traffic between the Internet and your Azure Virtual Network through the NVA.

Figure 3-1 depicts our VNet setup, which includes DMZ and Web Tier zones. The NVA, vm-nva-fw, is connected to subnet snet-north (10.0.2.0/24) in the DMZ via a vNIC with Direct IP (DIP) 10.0.2.4. We've also assigned a public IP address, 51.12.90.63, to this vNIC. The second vNIC is connected to subnet snet-west (10.0.0.0/24) in the Web Tier, with DIP 10.0.0.5. We have enabled IP Forwarding in both vNICs and Linux kernel. We are using Network Security Groups (NSGs) for filtering north-south traffic.

Our web server, vm-west, has a vNIC with DIP 10.0.0.4 that is connected to the subnet snet-west in the Web Tier. We have associated the route table to the subnet with the UDR, which forwards traffic to destination IP 141.192.166.81 (remote host) to NVA. To publish the web server to the internet, we've used the public IP of NVA. 

On the NVA, we have configured a Destination NAT rule which rewrites the destination IP address to 10.0.0.4 to packets with the source IP address 141.192.166.81 and protocol ICMP. To simulate an http connection, we're using ICMP requests from a remote host.


Figure 3-1: Example Diagram and.

Continue reading

BrandPost: Private 5G and Wi-Fi: New Paradigm on the Horizon

By: Stuart Strickland, Wireless CTO and Fellow, Aruba, a Hewlett Packard Enterprise company.Although Wi-Fi will undoubtedly remain the dominant wireless technology for enterprise networks, over the coming years we can expect private cellular to gain a significant foothold. It will be deployed to serve an increasing number of use cases, particularly where wide coverage areas, deterministic behavior, or securely segregated traffic are required.The success of enterprise private cellular will depend on both the availability of private shared spectrum and the integration of enterprise-grade management capabilities to make it significantly easier for organizations to deploy and manage private cellular networks on their own.To read this article in full, please click here

DDoS threat report for 2023 Q1

DDoS threat report for 2023 Q1
DDoS threat report for 2023 Q1

Welcome to the first DDoS threat report of 2023. DDoS attacks, or distributed denial-of-service attacks, are a type of cyber attack that aim to overwhelm Internet services such as websites with more traffic than they can handle, in order to disrupt them and make them unavailable to legitimate users. In this report, we cover the latest insights and trends about the DDoS attack landscape as we observed across our global network.

Kicking off 2023 with a bang

Threat actors kicked off 2023 with a bang. The start of the year was characterized by a series of hacktivist campaigns against Western targets including banking, airports, healthcare and universities — mainly by the pro-Russian Telegram-organized groups Killnet and more recently by AnonymousSudan.

While Killnet-led and AnonymousSudan-led cyberattacks stole the spotlight, we haven’t witnessed any novel or exceedingly large attacks by them.

Hyper-volumetric attacks

We did see, however, an increase of hyper-volumetric DDoS attacks launched by other threat actors — with the largest one peaking above 71 million requests per second (rps) — exceeding Google’s previous world record of 46M rps by 55%.

Back to Killnet and AnonymousSudan, while no noteworthy attacks were reported, we shouldn't underestimate the potential risks. Unprotected Internet Continue reading

DHCP Relaying with Redundant DHCP Servers

Previous posts in this series (DHCP relaying principles, inter-VRFs relaying, relaying in VXLAN segments and relaying from EVPN VRF) used a single DHCP server. It’s time to add another layer of complexity: redundant DHCP servers.

Lab Topology

We’ll use a lab topology similar to the VXLAN DHCP relaying lab, add a second DHCP server, and a third switch connecting the two DHCP servers to the rest of the network.

Read more …
1 334 335 336 337 338 3,860