Joel Krooswyk’s Post

PREPARATION: 💠RBAC - Role-Based Access Control ➡️ It is a critical security feature in Kubernetes that allows you to define and manage access to resources based on roles and permissions. ➡️RBAC ensures that only authorized users, processes, or services can interact with specific resources within a Kubernetes cluster. There are two types of accounts in Kubernetes: 1.)User Account 2.) Service Account 🔹User account: User accounts are used to log into a Kubernetes cluster and manipulate resources therein.Each user account is associated with a unique set of credentials,which are used to authenticate the services Requests. 🔹 Service Account: Kubernetes service accounts are specialized accounts used by applications and services running on Kubernetes to interact with the Kubernetes API. ➡️There are four components to RBAC in Kubernetes: 1.Roles 2.Cluster roles 3.Role bindings 4.ClusterRoles bindings. ➡️Roles: Define what actions are allowed on resources . ➡️Role Bindings: Bind Roles to subjects, such as users, groups, or service accounts. ➡️Cluster Role Bindings: Grant access to resources within a cluster . ➡️Cluster Roles: Assign permissions that apply cluster wide . 💠Here are some best practices for using RBAC in Kubernetes: 🔹Principle of least privilege: Give users the minimum levels of access necessary to complete their job functions . 🔹Audit and monitor RBAC events: Log and analyze RBAC events to detect anomalies early and respond to unauthorized access attempts . 🔹Avoid default service accounts: Don't use default service accounts to assign permissions .

Keeper delivers the essential elements of Privileged Access Management (PAM) with a streamlined approach, removing the complexities often associated with traditional PAM systems. ❌ Integration challenges ❌ Adoption resistance ❌ Improper configuration ✅ Privileged Account and Session Management (PASM) ✅ Secrets Management ✅ Just-in-Time (JIT) access …and more Learn what makes KeeperPAM the modern privileged access management solution: https://lnkd.in/erBKMdmY #dontgethacked #keeper

The upcoming TSMS BPA deal for Enterprise Services offers a broader range of IT and management services, far beyond just cybersecurity. This includes key services such as project management, technical strategy, data analytics platforms, and much more. If your business specializes in software development, enterprise-level strategy integration, or IT systems management, this BPA is a perfect match for aligning your offerings with the IRS's evolving technological requirements. It is a valuable opportunity to showcase your capabilities and provide the IRS with cutting-edge solutions that enhance their technology infrastructure. Learn more: https://lnkd.in/g4y7J28T #TSMSBPA #ITManagement #ProjectManagement #TechnicalStrategy #DataAnalytics #SoftwareDevelopment #EnterpriseSolutions #IRSContracts #FederalContracting #TechnologySolutions #GovernmentContracting #ProposalDevelopment #IRS

The new OMB FedRAMP memo just dropped. I’m off work today, so I can say it’s my personal opinion as a private citizen that although the core matter is a positive improvement, there remains a fatal flaw. OMB has removed the exception clause that allowed agencies to use cloud-based services without a FedRAMP authorization, by simply informing OMB. This clause has been a blessing for disadvantaged small businesses that cannot afford to take their products through the very costly and time-consuming FedRAMP process. As a result, these companies will be left out in the cold and unable to compete in the Federal market at all. Moreover, this exception policy was absolutely critical during the early pandemic to allow agencies like the Small Business Administration to turn on services like cloud-based VPNs and collaboration tools. These were still new and hadn’t been authorized yet, but were desperately-needed for agencies to institute their COOP plans. I am very disappointed that OMB has chosen to ignore the comments of the Federal Secure Cloud Advisory Committee on this important matter. This oversight will make things infinitely harder for innovative small businesses, as well as large corporations with desperately-needed tools for the government. https://lnkd.in/e3_dRQn6

Mastering IAM without Losing Your Sanity: 5 Essential Tips 1. Understand the Basics of IAM Before diving into implementation, familiarize yourself with IAM fundamentals like roles, policies, and users. Know the difference between authentication and authorization, and get a grip on key concepts like least privilege, multi-factor authentication (MFA), and role-based access control (RBAC). 2. Start Small with Clear Objectives Don’t try to overhaul your entire access management system at once. Start with small, manageable tasks that address the most critical areas. For instance, begin by securing sensitive resources with MFA, then gradually apply IAM policies to other parts of your system. 3. Automate Where Possible Manual management of IAM can quickly become overwhelming. Leverage automation tools to streamline tasks like user provisioning, role assignments, and policy enforcement. Automation not only reduces human error but also helps maintain consistency across your environment. 4. Use Groups and Roles Strategically Instead of assigning permissions to individual users, create groups and roles that reflect your organizational structure and common access needs. This approach simplifies management and ensures that permissions are applied consistently. 5. Regularly Review and Update Access IAM is not a set-it-and-forget-it system. Schedule regular reviews of your IAM policies and access rights to ensure they still align with your organization’s needs. Remove unnecessary permissions and adjust roles as your organization evolves to minimize security risks.

Forrester's latest budget planning guide for security and risk clarifies that securing business-critical IT assets needs to be a high priority going into next year. A key area it highlights is hardening software supply chain and API security. Defining an API security strategy that integrates directly into DevOps workflows and treats the continuous integration and continuous delivery (CI/CD) process as a unique threat surface is table stakes for any enterprise doing DevOps today. API detection and response, remediation policies, risk assessment, and API usage monitoring are also urgent for enterprises to better secure this potential attack vector. Do you have a good handle on your APIs? https://lnkd.in/erqf_RsM #apisecurity #apisec #akamai

The ‘Getting started at CYBER’ List When you go into a new org what do you need at a minimum? LOADS! But let’s give this a go at showing the world some of the key artefacts you are going to need when you start discovery (this might be as part of a job onboarding process or from a project perspective). This is both specific and general because the detailed list if organisational specific and contains a load of generic ITSM process areas etc. and if you want the long list either open excel or do a project with a friendly consultant ;) ! right onto a bit of a list! ·      An enterprise context statement ·      An organisational chart (Business and IT) ·      A copy of any relevant internal policies (e.g. security policies + more) ·      A copy of the key customer contractual requirements ·      A copy of the key suppliers’ contracts ·      A view of the financial landscape ·      A risk appetite statement ·      A security mission statement ·      Traceable goals and objectives ·      A view of the enterprise architecture at a reasonable level of abstraction ·      Network Diagrams ·      Previous security documentation (e.g. Audits, Vulnerability Reports, Pentest, Assessments, certifications etc.) ·      A high-level view of key supply chain interactions ·      A high-level view of key business processes ·      A crown jewels analysis ·      Zoomed in details on key business areas and services ·      Supplier registers ·      An asset register ·      Any relevant Polices, processes, procedures, SLAs/OLAs etc. ·      Public DNS Zone Exports ·      Lists of Public and Private Networks/Subnets etc. Anyway, I hope that gives people an idea of what the start of the world of discovering what the security posture of an organisation is like!

Today lets discuss RBAC. RBAC stands for Role-Based Access Control. It's a security model used to manage access to resources within an organization based on the roles assigned to individual users. Rather than assigning permissions to each user directly, RBAC assigns permissions to roles, and then users are assigned to those roles. Key Concepts of RBAC: Roles: A role represents a set of permissions that define what actions a user can perform. For example, roles might include "Admin," "Manager," "Employee," or "Guest." Users: Users are individuals who are assigned to one or more roles. The roles dictate what resources they can access and what operations they can perform on those resources. Permissions: Permissions are the specific rights or actions that can be performed on resources (e.g., read, write, delete, modify). Resources: Resources are the objects or data that users need access to (e.g., files, applications, databases, networks). RBAC helps to enforce least privilege by ensure users only have access to the resouces they need to perform their job functions. If you stop to think about it, it also greatly simplifies the management of assigning users to the required permissions. For example you no longer have to keep track of what permissions are required to do a function as its nicely bundled in a role. You just need to apply for the role.

Following on the heels of the IRS’s Cybersecurity and Infrastructure Governance (CIG) opportunity, here’s another prime contract aimed squarely at small businesses—the Enterprise Services Technology Strategy and Management Support Services (TSMS) BPA. This upcoming contract isn’t focused on cybersecurity alone; it covers a much broader range of IT and management services, including everything from data analytics platforms to project management and technical strategy. If your company specializes in IT systems management, software development, or enterprise-level strategy integration, this BPA offers a chance to align your services with the IRS’s evolving technology needs. It’s a multi-year opportunity designed to support the agency’s digital transformation efforts, and it could provide a lasting pipeline of business for skilled contractors. #businessdevelopment #coaching #contractproposal #govcon #internalrevenueservice #irs #ostglobal #ostglobalsoutions #procurement #winmorebd

Following on the heels of the IRS’s Cybersecurity and Infrastructure Governance (CIG) opportunity, here’s another prime contract aimed squarely at small businesses—the Enterprise Services Technology Strategy and Management Support Services (TSMS) BPA. This upcoming contract isn’t focused on cybersecurity alone; it covers a much broader range of IT and management services, including everything from data analytics platforms to project management and technical strategy. If your company specializes in IT systems management, software development, or enterprise-level strategy integration, this BPA offers a chance to align your services with the IRS’s evolving technology needs. It’s a multi-year opportunity designed to support the agency’s digital transformation efforts, and it could provide a lasting pipeline of business for skilled contractors. #businessdevelopment #coaching #contractproposal #govcon #internalrevenueservice #irs #ostglobal #ostglobalsoutions #procurement #winmorebd