# Security Measures

We must develop security measures and procedures for three cases: a) a host is hacked, b) an internal threat, and c) a host becomes inaccessible. Measures and procedures differ by cloud and by platform: VM, Kubernetes (K8S), and bare-metal servers.

## VM

### Measures

* Confine services with AppArmor profiles and use profile violations (logged by the kernel) to detect suspicious activity.
* Track the integrity of the host (checksums of binaries and configuration) and detect attempts to tamper with it. The baseline must be stored where a compromised host cannot rewrite it.

### Emergency

* Hosts should be treated as immutable and easily recoverable from IaC. This way we can always shut down a tampered host and set up a new one. Use snapshots if the host is stateful, for instance the geth database, to avoid a long re-sync.
* Hosts should not have emergency SSH keys; otherwise they defeat the purpose of having Teleport and short-lived certificates.

## Kubernetes

### Measures

* Achieve isolation between services. Every service must run with its own `ServiceAccount` whose permissions are limited with RBAC (`Role`s or `ClusterRole`s bound only to what that service needs; never the `default` ServiceAccount).
* Run `terrascan` to enforce security requirements on deployed Helm charts.
* Add `kubescape` to CI/CD and produce regular security reports.

### Emergency

* Every cluster administrator has access to pods.

## Bare servers

### Measures

* Same as for VMs.
* Use a chassis intrusion sensor and a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module).

### Emergency

* Connecting over IPMI should do.
* Console access with a U2F key.

# Security roles, levels and protocols

* We must segregate access to installations and to servers holding private money keys.
* To improve the bus factor, every key person (Mason, Chun) has to have access to all hosts and private money keys.
* DevOps team members should be granted roles from the central SSO console allowing them to control an installation's account.
* Every role must have strict and definitive IAM (or equivalent) rules. No `AdministratorAccess` should be given.
* For audit purposes, every action should be logged and associated with the person performing it or causing it to be performed. No accounts for bots.
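The "track integrity of the host" measure in the VM section, as an added example that is not part of this page or of any tool the page names: a minimal tripwire-style check that records a SHA-256 and mode-bit baseline for a file tree and later reports what changed, appeared or disappeared. The tree, file names and the simulated tampering below are constructed in a temporary directory so the script runs offline; on a real host the baseline would cover paths such as `/usr/sbin` and `/etc` and would be kept off-host.

```python
"""Host file-integrity baseline and verification (added example, not from the page).

Hashes every regular file under a root into a baseline manifest, then compares
the live tree against that manifest. Mode bits are recorded as well, so a new
SUID bit on an unchanged binary is still reported as a change.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest and mode."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Symlinks are skipped: hashing their target would hide a retargeted link.
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the stored baseline.

    Returns sorted lists of changed (content or mode), added and removed paths.
    """
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate tampering, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sbin").mkdir()
        (root / "sbin" / "sshd").write_bytes(b"original sshd binary")       # constructed content
        (root / "sshd_config").write_text("PermitRootLogin no\n")

        # The manifest must live somewhere the host cannot overwrite it
        # (off-host storage, or signed); here it is just held in memory.
        manifest = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated tampering: backdoored binary, relaxed config, new SUID helper.
        (root / "sbin" / "sshd").write_bytes(b"backdoored sshd binary")
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        helper = root / "sbin" / "helper"
        helper.write_bytes(b"#!/bin/sh\n")
        helper.chmod(0o4755)

        return verify(root, json.loads(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a host by pointing `build_baseline` at the directories you care about right after provisioning from IaC, storing the JSON off-host, and scheduling `verify` from a trusted runner; any non-empty result is grounds to treat the host as tampered and rebuild it rather than repair it in place.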
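The Kubernetes isolation measure (dedicated `ServiceAccount`, RBAC limited to what the service needs) and the CI gate with `terrascan`/`kubescape`, as an added example that is neither this page's code nor part of those tools: a small manifest linter that flags the RBAC patterns which break per-service isolation. The manifests, the service name `indexer` and the namespace `prod` are constructed; they are embedded as already-parsed dicts, where a real gate would parse the output of `helm template` with a YAML library.

```python
"""Least-privilege checks for Kubernetes RBAC manifests (added example, not from the page).

Findings are returned as 'kind/name: problem' strings so a CI job can fail on
a non-empty list and print the reasons.
"""

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob", "Pod"}
# Built-in roles far wider than any single service needs.
ADMIN_ROLES = {"cluster-admin", "admin", "edit"}


def _pod_spec(manifest):
    """Return the pod spec for a Pod or for any controller that wraps a pod template."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def lint(manifests):
    """Walk rendered manifests and collect isolation/least-privilege findings."""
    findings = []
    for m in manifests:
        kind, name = m.get("kind"), m.get("metadata", {}).get("name", "<unnamed>")
        tag = f"{kind}/{name}"
        if kind in WORKLOAD_KINDS:
            sa = _pod_spec(m).get("serviceAccountName", "default")
            if sa == "default":
                findings.append(f"{tag}: runs as the 'default' ServiceAccount "
                                "(its token is auto-mounted unless automountServiceAccountToken is false)")
        elif kind in {"Role", "ClusterRole"}:
            for rule in m.get("rules", []):
                verbs, resources = rule.get("verbs", []), rule.get("resources", [])
                if "*" in verbs or "*" in resources:
                    findings.append(f"{tag}: wildcard verbs/resources in rule {rule}")
                if "secrets" in resources and set(verbs) & {"list", "watch"}:
                    findings.append(f"{tag}: can enumerate secrets (list/watch); prefer get on named objects")
        elif kind in {"RoleBinding", "ClusterRoleBinding"}:
            ref = m.get("roleRef", {})
            if ref.get("name") in ADMIN_ROLES:
                findings.append(f"{tag}: binds built-in role '{ref.get('name')}'")
            if kind == "ClusterRoleBinding" and ref.get("kind") == "ClusterRole":
                for s in m.get("subjects", []):
                    if s.get("kind") == "ServiceAccount":
                        findings.append(f"{tag}: gives ServiceAccount {s.get('namespace')}/{s.get('name')} "
                                        "cluster-wide rights; review, or use a RoleBinding in its namespace")
    return findings


# Constructed sample: a permissive chart (default SA, wildcard ClusterRole, cluster-admin binding) ...
BAD_CHART = [
    {"kind": "Deployment", "metadata": {"name": "indexer"},
     "spec": {"template": {"spec": {"containers": [{"name": "app"}]}}}},
    {"kind": "ClusterRole", "metadata": {"name": "indexer"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "indexer-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "prod"}]},
]

# ... and the same service after applying the measure: own SA, one Role, one RoleBinding.
GOOD_CHART = [
    {"kind": "ServiceAccount", "metadata": {"name": "indexer"}},
    {"kind": "Deployment", "metadata": {"name": "indexer"},
     "spec": {"template": {"spec": {"serviceAccountName": "indexer",
                                    "containers": [{"name": "app"}]}}}},
    {"kind": "Role", "metadata": {"name": "indexer"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "resourceNames": ["indexer-config"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "indexer"},
     "roleRef": {"kind": "Role", "name": "indexer"},
     "subjects": [{"kind": "ServiceAccount", "name": "indexer", "namespace": "prod"}]},
]

if __name__ == "__main__":
    for label, chart in (("bad", BAD_CHART), ("good", GOOD_CHART)):
        print(label, lint(chart) or "OK")
```

These checks are deliberately narrower than what `terrascan` or `kubescape` cover; the point is that the isolation rule from the list above is mechanically checkable, so the gate can run on every chart before `helm install` rather than relying on review.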