Security Deck workspaces
Note
This feature is in the Preview stage. To get access, contact tech support.
A Security Deck workspace is a container holding the Security Deck module settings and resources, a list of controlled resources, control parameters, and other settings. Workspaces allow for more granular management of Yandex Cloud infrastructure security by monitoring it for compliance with industry security standards.
You can choose Yandex Identity Hub organizations, individual clouds and folders as resources controlled by the workspace. The workspace accesses its controlled resources via connectors.
To create and manage workspaces, the user needs the following roles:
- security-deck.admin for the folder that will contain Security Deck resources and modules.
- auditor for the organization, cloud, or folder whose security the workspace will control.
Workspace settings
The settings and resources of the Security Deck modules used by the workspace are stored in the folder you specify when creating the workspace. Once the workspace is created, you cannot change this folder.
Security standards
In the Security Deck workspace settings, you should specify the industry security standards and regulations your controlled resources will be monitored against:
- Yandex Cloud basic security rules: Minimum set of security requirements ensuring basic protection of cloud infrastructure and applications deployed on the Yandex Cloud platform.
- Yandex Cloud cloud infrastructure protection standard: Standard providing comprehensive security requirements and best practices for protecting the cloud infrastructure and applications deployed on the Yandex Cloud platform. These requirements help ensure security policy compliance and protection against common threats and vulnerabilities in the cloud environment.
- Kubernetes Pod Security Standards (Restricted): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Restricted profile. The Restricted profile is the most secure of the PSS profiles and provides the highest detection efficiency for container-based attacks. It applies strict security policies that may require modifying applications to achieve compliance. The Restricted profile is recommended for security-critical applications and environments where maximum security is required.
- Kubernetes Pod Security Standards (Baseline): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Baseline profile. The Baseline profile is designed for easy adoption and provides common best practices for container security. It prevents the most common container security issues while maintaining compatibility with most applications. The Baseline profile is a good starting point for organizations just getting started with container security.
- Microsoft Threat Matrix for Kubernetes: This standard contains security controls based on the Microsoft Threat Matrix for Kubernetes, a framework that helps security teams understand and fend off threats specific to Kubernetes environments. It provides a comprehensive view of attack methods and defensive strategies tailored to container orchestration platforms.
For a single workspace, you can select several security standards at the same time. Depending on the standards you select, the workspace will use the Cloud Security Posture Management (CSPM) and/or Kubernetes Security Posture Management (KSPM) Security Deck modules.
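To make concrete what "may require modifying applications" means for the Restricted profile, here is an added example that is not part of this page and not the KSPM module's own rule set: a Python checker implementing a subset of the Baseline and Restricted controls as published in the Kubernetes Pod Security Standards, run against two constructed Pod manifests (plain dicts standing in for parsed YAML). The pod names, images and port numbers are made up for the illustration. The first pod is a typical application pod that passes Baseline but fails Restricted on four controls; the second shows the manifest changes Restricted asks for.

```python
"""Subset of the Kubernetes Pod Security Standards (Baseline and Restricted),
evaluated against a Pod manifest held as a dict. Added illustration only; this is
not the Security Deck KSPM rule set, and it omits Windows, AppArmor, SELinux,
sysctl and /proc controls."""

# Capabilities the Baseline profile still allows a container to add.
BASELINE_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Volume types the Restricted profile permits.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _containers(spec):
    """Every container the profiles apply to, including init and ephemeral ones."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])


def _effective(spec, container, field):
    """Container-level securityContext overrides the pod-level value."""
    csc = container.get("securityContext") or {}
    if field in csc:
        return csc[field]
    return (spec.get("securityContext") or {}).get(field)


def baseline_violations(pod):
    """Return 'control: detail' strings for failed Baseline controls; [] means compliant."""
    spec = pod["spec"]
    out = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            out.append(f"host-namespaces: {ns}=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append(f"hostpath-volume: {vol['name']}")
    for c in _containers(spec):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):
            out.append(f"privileged: {name}")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap not in BASELINE_ADD_CAPS:
                out.append(f"capabilities: {name} adds {cap}")
        if (_effective(spec, c, "seccompProfile") or {}).get("type") == "Unconfined":
            out.append(f"seccomp: {name} is Unconfined")
        for port in c.get("ports", []):
            if port.get("hostPort"):
                out.append(f"host-ports: {name} uses hostPort {port['hostPort']}")
    return out


def restricted_violations(pod):
    """Restricted is Baseline plus the stricter controls below."""
    spec = pod["spec"]
    out = baseline_violations(pod)
    for vol in spec.get("volumes", []):
        kinds = [k for k in vol if k != "name"]
        if any(k not in RESTRICTED_VOLUME_TYPES for k in kinds):
            out.append(f"volume-types: {vol['name']} uses {kinds}")
    for c in _containers(spec):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"privilege-escalation: {name} must set allowPrivilegeEscalation=false")
        if _effective(spec, c, "runAsNonRoot") is not True:
            out.append(f"run-as-non-root: {name} must set runAsNonRoot=true")
        if _effective(spec, c, "runAsUser") == 0:
            out.append(f"run-as-user: {name} runs as uid 0")
        seccomp = (_effective(spec, c, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"seccomp: {name} must set RuntimeDefault or Localhost")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            out.append(f"capabilities: {name} must drop ALL")
        if any(cap != "NET_BIND_SERVICE" for cap in caps.get("add", [])):
            out.append(f"capabilities: {name} may add only NET_BIND_SERVICE")
    return out


# Constructed sample: an ordinary app pod with no host access (Baseline-clean).
LEGACY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx:1.25",
                        "ports": [{"containerPort": 80}]}],
        "volumes": [{"name": "cache", "emptyDir": {}}],
    },
}

# Constructed sample: the same pod after the changes Restricted requires
# (non-root image, uid pinned, seccomp set, no escalation, all caps dropped).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 101,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web", "image": "nginxinc/nginx-unprivileged:1.25",
                        "ports": [{"containerPort": 8080}],
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
        "volumes": [{"name": "cache", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("legacy", LEGACY_POD), ("hardened", HARDENED_POD)):
        print(label, "baseline:", baseline_violations(pod) or "OK")
        print(label, "restricted:", restricted_violations(pod) or "OK")
```

The legacy pod reports no Baseline findings but four Restricted ones (privilege escalation, non-root, seccomp, capabilities), which is the practical reason Baseline is the usual starting point and Restricted tends to need an image rebuilt to run unprivileged.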
Connectors
Access to the resources controlled within a workspace takes place via connectors, which access those resources under a service account associated with the connector. Connectors provide uniform access to both Yandex Cloud internal resources and external resources, e.g., Yandex 360.
The resources that are going to be monitored for security compliance must be explicitly assigned to the connector associated with the workspace. You can associate controlled resources with a workspace when creating or updating it.
The service account the connector uses to access the controlled resources must have the security-deck.worker role assigned on those resources.
When you delete the workspace, its connector will be preserved.
Alert sinks
The Security Deck workspace also gets an associated alert sink to receive alerts coming from all Security Deck modules. The alert sink must reside in the same folder you specified when creating the workspace.
When you delete the workspace, its alert sink will be preserved.
Workspace access
By default, access to a workspace is limited to the user who created it.
For other users to be able to use the workspace, you should grant them access to it. The user who gets access to the workspace must also have access to the folder used for the workspace's resources and the cloud that folder is in.
Depending on expected scope of work, the user should get the security-deck.viewer role or higher for the workspace.
Workspace dashboard
Depending on the Security Deck modules configured in the workspace, the dashboard contains these general information cards:
- Number of alerts in the workspace.
- Number of detected rule violations.
- Selected standards (requirements) the controlled resources must comply with.
- Percentage of the controlled resources’ compliance with the selected security standards.
In addition to the cards, the dashboard includes widgets of Security Deck modules used in the workspace:
- Cloud Security Posture Management (CSPM) widget you can use to configure the module and view the following information:
  - Number of rules with violations.
  - Number of rules without violations.
- Kubernetes Security Posture Management (KSPM) widget you can use to configure the module and view the following information:
  - Number of clusters with errors.
  - Number of clusters requiring attention.
- Alert widget you can use to configure alerts and view the list of workspace alerts.
The alert list contains text descriptions of alerts, their sources and statuses, as well as severity indicators.