
Cloud-native Infrastructure Security


Course leader(s): Mr Stefano SECCI

  • Lectures + practical work
Cnam code: USEEN1


  • Duration: 50 hours (+/- 10%)
  • Package
  • 6 credits

Presentation

Audience, admission requirements and prerequisites

Prerequisites

Prerequisite and expected level:

  • Linux: basic command-line use, file system concepts, processes, and familiarity with the Linux environment.
  • Networking: basic understanding of IP addressing, ports, routing, client/server communication, and firewalls.
  • Security: general cybersecurity concepts such as authentication, authorization, vulnerabilities, and attack surfaces.
  • Git and version control: basic Git commands, repositories, commits, branches, and collaboration workflows.

The course materials state that these are expected prerequisites, while also noting that the basics are reviewed during the course.

For the labs, students need access to a machine capable of running Docker and local Kubernetes tooling. Lab 1 requires Docker, preferably installed in rootless mode; Lab 2 uses Minikube, with the Docker driver suggested on macOS/Linux and Hyper-V on Windows.

Objectives

Students who take this course will gain an understanding of how modern cloud-native applications are built and how each stage of their lifecycle, from source code and dependencies through build, distribution, deployment, runtime and monitoring, can be secured. Through the labs they will learn to use the corresponding tooling (Docker, Kubernetes, CI/CD pipelines, security scanning and runtime monitoring) and to apply it to security-oriented tasks.

Skills and career opportunities

Skills

By the end of the course, students will have developed a structured understanding of cloud-native application security and software supply chain security. They will be able to deploy and analyze containerized applications, use Docker and Kubernetes, identify the main risks affecting container images, registries, dependencies, CI/CD pipelines, and runtime environments, and propose appropriate mitigation strategies. Students will also be able to integrate security controls into DevSecOps workflows, use monitoring and observability tools, and reason about realistic attack and defense scenarios in cloud infrastructures.

Programme

Content

This course introduces the principles, tools, and practices required to secure modern cloud-native applications across the full software supply chain. It follows the lifecycle of a cloud application from source code and dependencies to build, distribution, deployment, runtime, monitoring, and incident-oriented use cases. The central objective is to understand how contemporary cloud-native systems are built and how each stage of their lifecycle can be secured.

The course combines lectures and practical labs. Students work with containerized applications, Docker, Kubernetes, CI/CD pipelines, GitLab-based workflows, security scanning, Kubernetes security mechanisms, runtime monitoring, and realistic cloud-security use cases. The labs are designed both as tutorials for cloud technologies and as practical exercises requiring students to solve security-oriented tasks and submit written answers.

A recurring case study, CICDiaries, is used to illustrate secure CI/CD workflows and software-supply-chain risks in a realistic development and deployment environment.

Course content

1. Introduction to cloud and software supply chain security

The course begins with the cloud model, public/private/hybrid cloud, IaaS/PaaS/SaaS, regions and availability zones, virtualization, the shared-responsibility model, and the relationship between cloud environments and software supply chains. It also introduces major supply-chain incidents such as SolarWinds and Log4Shell as motivating examples.

2. Cloud virtualization stack and containers

Students review Linux as a foundation for cloud systems, including kernel/user space, Linux networking, iptables, eBPF, virtual machines, hypervisors, and containers. The associated lab introduces Docker, image discovery, container execution modes, Dockerfiles, image building, and container networking.

3. Kubernetes and orchestration

The course covers microservice architectures, container orchestration, Kubernetes concepts, and Kubernetes networking. Students use Minikube to create a local Kubernetes cluster and explore Kubernetes resources and network behavior.

4. Kubernetes security

This part addresses container and Kubernetes security best practices, Kubernetes networking security, RBAC, seccomp, AppArmor, and the security implications of shared kernels and container isolation.
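As an added example that is not part of the course materials: the checks below encode a subset of the Kubernetes Pod Security Standards listed in the references (the host-namespace and privileged rules of the baseline profile, and the allowPrivilegeEscalation, runAsNonRoot, capabilities and seccompProfile rules of the restricted profile) as a small Python function, and run it over two constructed Pod manifests, one weak and one hardened. The manifests, container names and messages are assumptions made for illustration, and the rule set is a subset of the standard, not the whole of it.

```python
# Constructed Pod manifests written as Python dicts (the YAML equivalent is what
# would be applied with kubectl). Not taken from the course labs.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo-weak"},
    "spec": {
        "hostPID": True,                        # shares the node's PID namespace
        "containers": [
            {"name": "app", "image": "nginx:1.27",
             "securityContext": {"privileged": True}},
        ],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo-hardened"},
    "spec": {
        # Pod-level defaults, inherited by containers that do not override them.
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {"name": "app", "image": "nginx:1.27",
             "securityContext": {
                 "allowPrivilegeEscalation": False,
                 "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
             }},
        ],
    },
}

ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}          # the only capability restricted allows back
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def pod_security_findings(pod):
    """Return (scope, message) tuples for each violation of the checked subset of the
    Pod Security Standards. Container-level securityContext fields override the
    pod-level ones, which is how the kubelet resolves them."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # Baseline: no sharing of host namespaces.
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(("pod", f"{key} must not be true"))

    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):                               # baseline
            findings.append((name, "privileged must not be true"))
        if sc.get("allowPrivilegeEscalation") is not False:    # restricted: must be explicit
            findings.append((name, "allowPrivilegeEscalation must be explicitly false"))
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((name, "runAsNonRoot must be true"))
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "capabilities.drop must include ALL"))
        extra = set(caps.get("add", [])) - ALLOWED_CAP_ADD
        if extra:
            findings.append((name, f"capabilities.add may only contain NET_BIND_SERVICE, found {sorted(extra)}"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            findings.append((name, "seccompProfile.type must be RuntimeDefault or Localhost"))
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        found = pod_security_findings(pod)
        print(f"{pod['metadata']['name']}: {len(found)} finding(s)")
        for scope, msg in found:
            print(f"  {scope}: {msg}")
```

In a real cluster the same rules are enforced by the Pod Security Admission controller via namespace labels such as `pod-security.kubernetes.io/enforce: restricted`; a local check like this one is useful in CI, before a manifest reaches the cluster, and makes the inheritance between pod-level and container-level fields visible.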

5. Software supply chain and CI/CD security

Students study direct and indirect adversary models against containers, host systems, Docker daemons, networks, repositories, and image ecosystems. Practical activities include Git, GitLab, merge requests, signed and verified commits, and security controls around CI/CD workflows.
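As an added example, not part of the CICDiaries case study or the course labs: a small Python linter that walks a Dockerfile and flags the image-ecosystem risks the adversary models above target, namely a base image that is not pinned by digest or uses a mutable tag, remote content fetched with ADD, a script piped from curl or wget into a shell, pip installs without hash checking, and a missing non-root USER. The two Dockerfiles are constructed for the example; the digest in the hardened one is a placeholder, not a real image digest, and the hostnames are reserved example names.

```python
import re

# Constructed sample Dockerfile with several supply-chain weaknesses (not from the course).
WEAK_DOCKERFILE = """\
FROM python:latest
ADD https://example.invalid/install.sh /tmp/install.sh
RUN curl -fsSL https://example.invalid/setup.sh | sh
RUN pip install requests
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Hardened counterpart: digest-pinned base image, hash-checked dependencies,
# no remote fetches, non-root user. The digest is a constructed placeholder.
HARDENED_DOCKERFILE = (
    "# placeholder digest for the example, not a real image digest\n"
    "FROM python:3.12-slim@sha256:" + "0" * 64 + "\n"
    "COPY requirements.txt /app/requirements.txt\n"
    "RUN pip install --no-cache-dir --require-hashes -r /app/requirements.txt\n"
    "COPY . /app\n"
    "USER 10001:10001\n"
    'CMD ["python", "/app/main.py"]\n'
)

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# curl/wget ... | [sudo] sh or bash
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b")


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations and
    skipping blank lines and comment lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        buf = ""


def dockerfile_findings(text):
    """Return (instruction_index, INSTRUCTION, message) tuples for each risk found."""
    findings = []
    stages = set()            # aliases declared with "FROM ... AS name"
    saw_user = False
    for n, (inst, arg) in enumerate(parse_instructions(text), 1):
        if inst == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=...
            if not tokens:
                continue
            image = tokens[0]
            if image.lower() != "scratch" and image not in stages:
                if not DIGEST_RE.search(image):
                    findings.append((n, inst, f"base image {image} is not pinned by digest"))
                    last = image.split("/")[-1]          # strip registry[:port]/path
                    tag = last.rsplit(":", 1)[1] if ":" in last else None
                    if tag is None or tag == "latest":
                        findings.append((n, inst, f"base image {image} uses a mutable tag"))
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
        elif inst == "ADD":
            if re.search(r"https?://", arg):
                findings.append((n, inst, "ADD fetches remote content; vendor a verified artifact and COPY it"))
        elif inst == "RUN":
            if PIPE_TO_SHELL_RE.search(arg):
                findings.append((n, inst, "remote script piped into a shell"))
            if "pip install" in arg and "--require-hashes" not in arg:
                findings.append((n, inst, "pip install without --require-hashes"))
        elif inst == "USER":
            if arg.split(":")[0] not in ("root", "0"):
                saw_user = True
    if not saw_user:
        findings.append((0, "USER", "no non-root USER instruction; the container runs as root"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        found = dockerfile_findings(text)
        print(f"{label}: {len(found)} finding(s)")
        for n, inst, msg in found:
            print(f"  [{n}] {inst}: {msg}")
```

Digest pinning is what makes the base image reproducible: a tag such as `python:latest` can be re-pointed in the registry between two builds, whereas `@sha256:...` names exactly one manifest. The same idea applies to the dependency layer, which is why the hardened file passes `--require-hashes` to pip.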

6. Runtime monitoring and detection

The course introduces the distinction between prevention and detection in Kubernetes environments. Topics include metrics, alerts, kube-state-metrics, Metrics Server, Prometheus, Grafana, and Jaeger for monitoring microservice-based systems.

7. Practical testbed and use cases

The final part applies the previous concepts to a practical Kubernetes testbed, including Vagrant, Ansible, multi-node clusters, namespaces, isolated environments, and realistic cloud-security scenarios.

References

Kubernetes. (n.d.). Security concepts. Kubernetes Documentation. https://kubernetes.io/docs/concepts/security/

Kubernetes. (n.d.). Pod security standards. Kubernetes Documentation. https://kubernetes.io/docs/concepts/security/pod-security-standards/

National Institute of Standards and Technology. (2019). Security strategies for microservices-based application systems (NIST Special Publication 800-204). https://csrc.nist.gov/pubs/sp/800/204/final

National Institute of Standards and Technology. (2022). Implementation of DevSecOps for a microservices-based application with service mesh (NIST Special Publication 800-204C). https://csrc.nist.gov/pubs/sp/800/204/c/final

Open Source Security Foundation. (n.d.). Supply-chain Levels for Software Artifacts. https://openssf.org/projects/slsa/

OWASP Foundation. (n.d.). Software Component Verification Standard. https://owasp.org/www-project-software-component-verification-standard/

SLSA. (n.d.). Supply-chain Levels for Software Artifacts. https://slsa.dev/

Assessment methods

The evaluation combines continuous practical assessment and a final exam.

Lab deadlines are announced when each lab is published, typically about one week after its release. Some labs are tutorials, while others are graded exercises requiring students to solve tasks and submit answers.
