Creating a Security Deck workspace

Go to Yandex Security Deck.

In the left-hand panel, select Workspace.

If you do not have any workspaces yet, click Create workspace.

If you already have a workspace and want to create another one to complement your existing environment, click More at the top of the window and click Create workspace.

In the window that opens, select Creating and configuring workspace in the Main parameters section:

1. Under Workspace name, enter a name for the new workspace. Follow these naming requirements:

   • It must be from 1 to 63 characters long.
   • It may contain lowercase Latin letters, numbers, and hyphens.
   • It must start with a letter and cannot end with a hyphen.

   Provide a brief description for the new workspace, if required.

2. Under Resource storage folder, select the folder to store Security Deck resources for the new workspace.

   For security reasons, we recommend storing Security Deck resources in a separate cloud and folder restricted only to security staff.

   Note

   Once the workspace is created, you cannot change this folder.

3. Under Payment for resources, add a billing account to use to pay for security module resources the workspace consumes.

4. Under Alert sink, select the alert sink to receive all alerts generated in the workspace.

   Create a new alert sink if needed. Do it by clicking Create sink. In the window that opens, enter enter a name for the sink Create.

5. Click Create and continue to proceed to the next step and configure the workspace resources.

In the Resources section that opens:

1. Under Workspace resources, select the connector to use in the workspace being created to access the controlled resources.

   If needed, create a new connector:

   1. Click Create connector and in the window that opens:

      1. In the Name field, enter a name for the connector.

      2. Optionally, give the connector's description in the Description field.

      3. Select the service account for access to cloud resources in the Service account field.

         In the section below, you can see which resources the selected service account has access to.

         Make sure to assign the security-deck.worker role to this service account for the resources controlled in the workspace being created.

      4. Click Create connector.

2. In the connector section that appears, click Select cloud/catalog to select the resources (clouds and folders) whose security will be managed in the new workspace:

   1. Select the resources whose security you want to manage in the workspace. You can only select the resources that are accessible to the previously selected service account.
   2. Click Save selection.

3. Click Save and continue.

In the Security compliance section that opens:

1. Under Rule sets, select the industry standards and regulations the resources you chose at the previous step will be benchmarked against.

   • Yandex Cloud basic security rules: Minimum set of security requirements ensuring basic protection of cloud infrastructure and applications deployed on the Yandex Cloud platform.
   • Yandex Cloud cloud infrastructure protection standard: Standard providing comprehensive security requirements and best practices for protection of the cloud infrastructure and applications deployed on the Yandex Cloud platform. These elements help ensure security policy compliance and protection against common threats and vulnerabilities in the cloud environment.
   • Kubernetes Pod Security Standards (Restricted): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Restricted profile. A restricted profile is the most secure and provides the highest detection efficiency for container-based attacks. It applies strict security policies that may require modifying applications to ensure compliance. A restricted profile is recommended for security-critical applications and environments where maximum security is required.
   • Kubernetes Pod Security Standards (Baseline): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Baseline profile. A baseline profile is designed for easy implementation and provides common best practices for container security. It prevents the most common security issues in containers while maintaining compatibility with most applications. The baseline profile is a good starting point for organizations just getting started with container security.
   • Microsoft Threat Matrix for Kubernetes: This standard contains security controls based on the Microsoft Threat Matrix for Kubernetes, which is a framework that helps security teams understand and fend off threats specific to Kubernetes environments. It provides a comprehensive approach to attack methods and defensive strategies tailored for container orchestration platforms.

   You can select several standards at the same time. The Control modules section will display the Security Deck modules, which will be activated in the new workspace to check your resources for compliance with the selected standards and regulations.

2. Click Save and continue.

Optionally, in the Participants section that opens, add users who will have access to the workspace being created and assign them roles in this workspace:

1. Click Add participants and in the window that opens:

   1. Select the user from the list. If required, use the search bar.
   2. In the window that opens, click Add role and select the role you want to assign to the user. You can assign multiple roles.
   3. Click Save.

2. Click Finish to complete creating the Security Deck workspace.

You do not have to add additional users to the workspace. In this case, the workspace will only be available to its creator.