28 KiB
28 KiB
FinTech GitOps CI/CD - Безопасность и Compliance
Версия: 1.0
Дата: Январь 2026
Целевая аудитория: CISO, Security Team, Compliance Officer, AML Team, Аудиторы
Содержание
- Регуляторные требования
- Безопасность инфраструктуры
- Управление доступом
- Защита данных
- Аудит и логирование
- Compliance процедуры
- Incident Response
1. Регуляторные требования
1.1 PCI DSS (Payment Card Industry Data Security Standard)
Требования применимые к нашей инфраструктуре:
Requirement 1: Install and maintain firewall configuration
Реализация:
- VLAN сегментация с firewall между зонами
- Deny all, allow explicitly policy
- Quarterly review firewall rules
- Все изменения правил через Git (audit trail)
- Automated compliance scanning
Audit trail:
- Все изменения firewall rules в Git commits
- Who, when, why documented
- Change approval через Pull Request process
- Automated testing перед применением
Requirement 2: Do not use vendor-supplied defaults
Реализация:
- Все пароли уникально генерируются при установке
- Default admin accounts disabled или удалены
- Минимальная длина пароля: 16 символов
- Password complexity: uppercase, lowercase, digits, special chars
- Rotation policy: 90 дней для administrative accounts
Хранение паролей:
- Docker Swarm Secrets (encrypted at rest)
- HashiCorp Vault (опционально для более сложных сценариев)
- Никогда в Git repositories
- Никогда в environment variables в открытом виде
- Никогда в configuration files в открытом виде
Requirement 3: Protect stored cardholder data
Применимость к инфраструктуре: Инфраструктура сама не хранит карточные данные, но должна обеспечить:
- Encryption at rest для всех databases
- Secure transmission (TLS) между компонентами
- Access control к application databases
- Audit logging доступа к sensitive data
Реализация:
- PostgreSQL Transparent Data Encryption (TDE)
- LUKS encryption для disk volumes
- TLS 1.3 для всех inter-service communication
- Certificate management через automated renewal
- Key rotation procedures
Requirement 6: Develop and maintain secure systems and applications
CI/CD Security:
- Mandatory security scanning в pipeline
- SAST (Static Application Security Testing) через SonarQube
- DAST (Dynamic Application Security Testing) для web apps
- Container vulnerability scanning через Trivy
- Dependency checking через OWASP Dependency-Check
- Fail pipeline если critical vulnerabilities detected
Patch Management:
- Security patches применяются в течение 24 часов для critical
- Weekly patching window для non-critical
- Automated vulnerability scanning infrastructure
- Tracking через Jira/ServiceNow tickets
Requirement 10: Track and monitor all access to network resources
Logging Requirements:
- Все administrative access logged
- Failed login attempts logged
- Access to cardholder data environment logged
- All privilege escalation logged
- Logs tamper-proof (write-once storage)
- Logs retained минимум 1 год, immediately available 3 месяца
Our Implementation:
- Centralized logging через Loki
- Audit logs separate от application logs
- Immutable storage (append-only)
- 7 years retention для compliance (FinTech requirement)
- Real-time correlation and alerting
- Daily log review для critical systems
Requirement 11: Regularly test security systems and processes
Testing Procedures:
- Quarterly vulnerability scans (external vendor)
- Annual penetration testing
- Monthly internal scans
- Continuous automated security testing в CI/CD
- Change detection monitoring
1.2 GDPR (General Data Protection Regulation)
Right to be Forgotten:
Infrastructure Support:
- Ability to identify все данные конкретного user
- Automated deletion procedures
- Verification deletion завершен
- Audit trail deletion requests
Implementation:
- Database soft-delete with flag
- Hard-delete procedures после retention period
- Backup handling (encrypted, time-bound retention)
- Log anonymization для long-term storage
Data Minimization:
- Collect только necessary data
- Purpose limitation enforcement
- Storage limitation policies
- Regular review stored data
Infrastructure Measures:
- Не логировать PII без necessity
- Mask sensitive data в non-production environments
- Separate storage для PII data
- Access control по принципу need-to-know
Data Breach Notification:
- Detection в течение 24 часов
- Assessment impact в течение 48 часов
- Notification regulator в течение 72 часов
- User notification если high risk
Our Capabilities:
- Real-time security monitoring
- Automated breach detection
- Incident response playbooks
- Pre-prepared notification templates
- Tracking системы для deadline compliance
1.3 Локальные FinTech Регуляторы
Общие требования:
- Данные должны храниться в jurisdiction
- Physical server location documented
- Data sovereignty compliance
- Cross-border data transfer restrictions
Our Approach:
- Все сервера в локальном ЦОД
- Нет cloud dependencies (data не уходит за границу)
- DR site также в jurisdiction
- Contractual agreements с ЦОД providers
Financial Transaction Logging:
- Полная audit trail для всех transactions
- Non-repudiation через digital signatures
- Immutable logs
- Long-term retention (7-10 years typical)
AML (Anti-Money Laundering) Support:
- Transaction monitoring logs available
- Customer due diligence data accessible
- Suspicious activity report generation
- Real-time alerts для unusual patterns
Our Infrastructure:
- Logs retention 7 years минимум
- Audit API для AML team access
- Real-time streaming к AML systems
- Tamper-proof storage
2. Безопасность инфраструктуры
2.1 Network Security
Network Segmentation:
Benefits:
- Limit blast radius при compromise
- Different security controls per zone
- Easier compliance demonstration
- Simplified audit scope
Implementation:
- Dedicated VLAN per zone
- Firewall между каждой VLAN
- No direct routing between VLANs (must go through firewall)
- Each VLAN has own subnet
Firewall Configuration Management:
- All rules defined в Infrastructure as Code
- Version controlled в Git
- Changes через Pull Request процесс
- Automated testing перед применением
- Quarterly review unused rules
DDoS Protection:
- Rate limiting на application level
- Connection limits per source IP
- Traffic shaping priorities
- Blacklist известных bad actors
- Integration с threat intelligence feeds
Intrusion Detection/Prevention:
- Network-based IDS monitoring traffic
- Host-based IDS на critical servers
- Signature-based detection
- Anomaly-based detection
- Automated response для clear threats
2.2 Server Hardening
Operating System:
Baseline Configuration:
- CIS Benchmark compliance
- Minimal installation (только necessary packages)
- Disabled unused services
- Firewall enabled (iptables/nftables)
- SELinux/AppArmor enforcing mode
Regular Maintenance:
- Automated security patching
- Monthly vulnerability scanning
- Configuration drift detection
- Kernel hardening parameters
- Audit subsystem enabled
Docker Security:
Daemon Configuration:
- Run as non-root user
- User namespace enabled
- Seccomp profiles applied
- AppArmor/SELinux profiles
- No privileged containers without justification
Image Security:
- Only trusted registry (Harbor)
- Image signing verification
- Vulnerability scanning перед deployment
- Minimal base images (distroless где possible)
- No secrets baked в images
Container Runtime:
- Resource limits enforced (CPU, memory)
- Read-only root filesystem где possible
- No new privileges flag
- Drop unnecessary capabilities
- Network policy enforcement
2.3 Secrets Management
Types of Secrets:
- Database passwords
- API keys и tokens
- TLS certificates и private keys
- SSH private keys
- Encryption keys
- Service account credentials
Storage Options:
Docker Swarm Secrets:
- Native encrypted storage
- Mounted as files в containers
- Automatic lifecycle management
- Encryption at rest by default
Advantages:
- Native integration с Swarm
- Simple to use
- No external dependencies
- Good enough для many use cases
Limitations:
- No automatic rotation
- No audit trail built-in
- Limited access control granularity
HashiCorp Vault (Advanced):
- Centralized secrets management
- Dynamic secrets generation
- Automatic rotation
- Detailed audit trail
- Fine-grained access control
- Encryption as a Service
When to use:
- Complex secret rotation requirements
- Need for audit trail
- Dynamic credentials
- Compliance requirements
- Multiple teams/projects
Secret Rotation:
Automated Rotation:
- Database passwords: Quarterly
- API tokens: Monthly
- TLS certificates: Before expiry (automated renewal)
- SSH keys: Annually или on employee departure
Process:
- Generate new secret
- Update all consumers
- Verify functionality
- Deprecate old secret
- Delete old secret после grace period
Emergency Rotation:
- Suspected compromise
- Employee termination
- Accidental exposure
- Compliance requirement
2.4 Certificate Management
TLS Certificates:
Internal Services:
- Internal CA (Certificate Authority)
- Wildcard certificates для *.company.local
- 2-year validity период
- Automated renewal 30 days before expiry
External Services (если есть):
- Let's Encrypt для automatic renewal
- Commercial CA для OV/EV certificates
- Shorter validity periods (90 days typical)
- ACME protocol automation
Certificate Inventory:
- Tracking всех issued certificates
- Expiry notifications
- Automated renewal где possible
- Manual renewal process для exceptions
mTLS (Mutual TLS):
- Client certificates для service-to-service
- Strong authentication without passwords
- Certificate-based authorization
- Automatic rotation challenge
3. Управление доступом
3.1 Authentication
Primary Authentication:
LDAP/Active Directory Integration:
- Centralized user management
- Single source of truth для identities
- Automatic provisioning/deprovisioning
- Group-based access control
Configuration:
- Secure LDAP (LDAPS) на порт 636
- Certificate validation
- Connection pooling для performance
- Fallback к local admin account
Multi-Factor Authentication (MFA):
Requirement:
- Mandatory для всех administrative access
- Mandatory для production access
- Mandatory для VPN
Methods:
- Time-based OTP (TOTP) - primary
- Hardware tokens (YubiKey) - for high-privilege accounts
- SMS backup codes (не recommended но fallback)
Implementation:
- TOTP через Google Authenticator, Authy, etc.
- Challenge при login
- Remember device for 7 дней (optional)
- Emergency bypass codes (stored securely)
Session Management:
Timeouts:
- Idle timeout: 30 минут
- Absolute timeout: 8 часов
- Re-authentication для sensitive operations
- Concurrent session limits
Session Security:
- Secure cookies (httpOnly, secure, sameSite)
- Session tokens regularly rotated
- Logout invalidates immediately
- Session storage encrypted
3.2 Authorization
Role-Based Access Control (RBAC):
Principle: Users assigned to roles, roles have permissions
Common Roles:
admin:
- Full system access
- Create/modify/delete anything
- Access to all environments
- Assigned to: DevOps leads, Infrastructure team
developer:
- Create и modify code
- Trigger builds
- View logs и metrics
- Deploy to dev/staging only
- Assigned to: Development team
operator:
- View system status
- Restart services
- View logs
- No code changes
- Assigned to: Operations team, Support
auditor:
- Read-only access to everything
- Cannot modify anything
- Full audit trail
- Assigned to: Security team, Compliance, Auditors
manager:
- View dashboards и reports
- Read-only
- Assigned to: Management, Stakeholders
Least Privilege Principle:
- Users granted minimum необходимых permissions
- Just-in-time elevation для temporary needs
- Regular access reviews (quarterly)
- Automatic revocation after period
Segregation of Duties:
- Developers cannot approve own code
- Cannot deploy own changes to production
- Different person reviews Pull Requests
- Ops team independent от development
3.3 Service Accounts
Purpose:
- Automated processes
- CI/CD pipelines
- Monitoring agents
- Integration между systems
Management:
Creation:
- Documented purpose
- Approval required
- Minimal permissions granted
- Expiry date set
Credentials:
- Strong auto-generated passwords
- Stored в secrets management
- Never shared between services
- Regular rotation
Monitoring:
- Usage tracked
- Anomaly detection
- Failed authentication alerts
- Unused account cleanup
Examples:
jenkins-ci:
- Purpose: CI pipeline execution
- Permissions: Read Gitea, Push to Harbor, Update Git repos
- Credential type: API token
- Rotation: Quarterly
gitops-operator:
- Purpose: Automated deployment
- Permissions: Read Git, Manage Swarm via API
- Credential type: TLS client certificate
- Rotation: Annually
prometheus-scraper:
- Purpose: Metrics collection
- Permissions: Read-only metrics endpoints
- Credential type: Bearer token
- Rotation: Semi-annually
4. Защита данных
4.1 Encryption at Rest
Database Encryption:
PostgreSQL TDE (Transparent Data Encryption):
- Encrypts data files на disk
- Transparent to applications
- Minimal performance impact (<5%)
- Key management через OS или external KMS
Alternative:
- LUKS (Linux Unified Key Setup) для full disk encryption
- Encrypt entire volume
- Key stored separately (не на encrypted volume)
- Automatic mount с ключом при boot
Git Repository Encryption:
- Filesystem-level encryption (LUKS)
- Individual repository encryption не required (Git не содержит sensitive data at rest)
- Backup encryption обязательно
Docker Image Storage:
- Harbor storage backend encrypted
- S3/Object storage с encryption
- Encryption keys rotated annually
4.2 Encryption in Transit
TLS Everywhere:
Principle: All network communication encrypted
External Communications:
- HTTPS (TLS 1.3) для web interfaces
- SSH для Git operations
- VPN для remote access
Internal Communications:
- Service-to-service TLS
- Database connections encrypted
- Docker overlay network encrypted (IPSec by default в Swarm)
TLS Configuration:
Minimum Version: TLS 1.2 (prefer 1.3)
Cipher Suites (ordered by preference):
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Disable:
- SSLv2, SSLv3, TLS 1.0, TLS 1.1
- Weak ciphers (RC4, DES, 3DES)
- Anonymous ciphers
- Export ciphers
Certificate Validation:
- Always validate certificates
- Pin certificates для critical services
- OCSP stapling enabled
- Certificate transparency logs
4.3 Data Classification
Classification Levels:
Public:
- Non-sensitive information
- No encryption required (но recommended)
- No access restrictions
- Example: Marketing materials, public documentation
Internal:
- Business information
- Encryption recommended
- Access control required
- Example: Internal docs, non-sensitive metrics
Confidential:
- Sensitive business information
- Encryption required
- Strong access control
- Audit logging mandatory
- Example: Financial reports, customer lists, employee data
Restricted:
- Highly sensitive
- Encryption required (at rest и in transit)
- Strict access control
- Comprehensive audit trail
- Additional controls (DLP, etc.)
- Example: Payment card data, authentication credentials, encryption keys
Handling Requirements:
Storage:
- Public: Any storage
- Internal: Encrypted storage preferred
- Confidential: Encrypted storage required
- Restricted: Encrypted dedicated storage, access logged
Transmission:
- Public: Any method
- Internal: Encrypted preferred
- Confidential: Encrypted required
- Restricted: Encrypted + authenticated channels only
Retention:
- Public: Indefinite
- Internal: Based на business need
- Confidential: Regulatory requirements + business need
- Restricted: Regulatory requirements, secure deletion after
4.4 Backup Security
Backup Encryption:
- All backups encrypted перед storage
- Encryption keys separate от backups
- Key escrow procedures для disaster scenarios
Backup Access:
- Limited to backup administrators
- MFA required для access
- All access logged
- Audit trail для compliance
Backup Testing:
- Monthly restore tests
- Verify encryption/decryption works
- Measure recovery time
- Document any issues
Backup Retention:
- Hourly: 48 hours
- Daily: 30 days
- Weekly: 12 weeks
- Monthly: 7 years (compliance requirement)
Off-site Storage:
- Encrypted backups replicated к off-site location
- Different geographic region
- Different administrator accounts
- Air-gapped где possible
5. Аудит и логирование
5.1 What to Log
Authentication Events:
- Successful logins (user, source IP, timestamp)
- Failed login attempts
- Logout events
- Password changes
- MFA challenges и results
- Session timeouts
Authorization Events:
- Permission checks (allowed/denied)
- Role assignments/removals
- Access to sensitive data
- Privilege escalation attempts
- Policy violations
Infrastructure Changes:
- Server creation/deletion/modification
- Network configuration changes
- Firewall rule changes
- Service deployments
- Configuration updates
- Scale up/down events
Application Activity:
- Critical business transactions
- Data access (especially PII)
- Data modifications
- Data deletions
- Export operations
Security Events:
- Vulnerability scans results
- Intrusion detection alerts
- Malware detection
- Certificate expiry warnings
- Unusual activity patterns
5.2 Log Format и Storage
Structured Logging:
- JSON format для machine parsing
- Consistent timestamp format (ISO 8601 UTC)
- Correlation IDs для tracing
- Standardized field names
Example:
{
"timestamp": "2026-01-12T10:30:00Z",
"level": "INFO",
"service": "gitea",
"event": "user.login",
"user": "john.doe",
"source_ip": "10.10.10.100",
"result": "success",
"correlation_id": "abc-123-def-456"
}
Centralized Storage:
- All logs forwarded к Loki
- Long-term storage в compressed format
- Hot storage: 90 days (immediately searchable)
- Warm storage: 1 year (slower но available)
- Cold storage: 7 years (archive, retrieval на request)
Log Integrity:
- Write-once storage (cannot be modified)
- Cryptographic hashing для tamper detection
- Chain of custody documented
- Periodic integrity verification
5.3 Log Monitoring
Real-time Monitoring:
- Security events trigger alerts
- Failed authentication patterns
- Unusual access patterns
- Configuration changes
- Error spikes
Alerting Thresholds:
- Failed logins: 5 within 5 minutes from same IP
- Privilege escalation attempts: Any
- Unauthorized access attempts: Any
- Critical configuration changes: Any (для review)
- Service unavailability: Immediate
Alert Routing:
- Critical security: CISO, Security team, PagerDuty
- Infrastructure issues: DevOps team, Slack
- Application errors: Development team, Slack
- Compliance events: Compliance officer, Email
5.4 Log Retention
Regulatory Requirements:
- Financial transactions: 7 years minimum
- Audit logs: 7 years minimum
- Access logs: 3 years minimum
- Application logs: 1 year minimum
Our Policy:
- Security logs: 7 years
- Audit logs: 7 years
- Application logs: 1 year
- Debug logs: 90 days
- Infrastructure metrics: 1 year
Retention Enforcement:
- Automated архивация по schedule
- Encrypted archives
- Documented chain of custody
- Secure deletion после retention period
6. Compliance процедуры
6.1 Regular Compliance Activities
Daily:
- Security monitoring review
- Failed authentication analysis
- Critical alert review
- Backup verification
Weekly:
- Vulnerability scan review
- Patch status review
- Access review для high-privilege accounts
- Incident response drill
Monthly:
- Full vulnerability assessment
- User access review
- Unused account cleanup
- Certificate expiry check
- Disaster recovery test
Quarterly:
- External vulnerability scan
- Firewall rule review
- Policy compliance audit
- Security training для employees
- Risk assessment update
Annually:
- Penetration testing
- Full security audit
- DR full drill
- Policy review и update
- Compliance certification renewal
6.2 Change Management
Change Types:
Standard Change:
- Pre-approved, low risk
- Automated deployment
- Example: Application deployment через CI/CD
Normal Change:
- Requires approval
- Risk assessment
- Testing required
- Example: Infrastructure changes, new services
Emergency Change:
- Immediate action required
- Reduced approval process
- Post-implementation review mandatory
- Example: Security patch, service outage
Change Process:
Request:
- Document change requirements
- Identify affected systems
- Assess risk и impact
- Plan rollback procedure
Approval:
- Technical review
- Security review (для significant changes)
- CAB (Change Advisory Board) для high-risk
- Management approval для major changes
Implementation:
- Follow defined procedure
- Use automation где possible
- Verify success
- Document results
Review:
- Post-implementation review
- Lessons learned
- Update procedures
- Close change ticket
6.3 Audit Preparation
Continuous Audit Readiness:
Documentation:
- All policies documented и up-to-date
- Procedures documented
- Architecture diagrams current
- Data flow diagrams maintained
- Risk assessments current
Evidence Collection:
- Automated compliance reporting
- Audit logs readily available
- Change history в Git
- Access reviews documented
- Training records maintained
Pre-Audit Checklist:
- Review all policies
- Ensure documentation current
- Gather evidence для past year
- Identify any gaps
- Remediate issues
- Prepare explanation для exceptions
During Audit:
- Provide requested information promptly
- Explain controls и their effectiveness
- Demonstrate security measures
- Show evidence compliance
- Address questions thoroughly
Post-Audit:
- Review findings
- Create remediation plan для gaps
- Implement improvements
- Update documentation
- Schedule follow-up
6.4 Compliance Reporting
Regular Reports:
Weekly Security Report:
- Security incidents
- Vulnerability scan results
- Failed login attempts
- Unusual activity
- Audience: CISO, Security team
Monthly Compliance Report:
- Access reviews completed
- Changes implemented
- Audit findings status
- Policy violations
- Audience: Compliance officer, Management
Quarterly Risk Report:
- Risk assessment updates
- New threats identified
- Mitigation status
- Risk trend analysis
- Audience: Board, Executive team
Annual Compliance Statement:
- Compliance status for all regulations
- Audit results summary
- Major incidents и responses
- Roadmap для next year
- Audience: Board, Regulators, Auditors
7. Incident Response
7.1 Incident Classification
Severity Levels:
P1 - Critical:
- Data breach
- Service completely unavailable
- Active attack in progress
- Response: Immediate, 24/7
- Resolution target: 1 hour
P2 - High:
- Degraded service
- Potential security issue
- Significant performance problem
- Response: Within 1 hour
- Resolution target: 4 hours
P3 - Medium:
- Minor service issues
- Non-critical security concern
- Workaround available
- Response: Within 4 hours
- Resolution target: 24 hours
P4 - Low:
- Cosmetic issues
- Feature requests
- Questions
- Response: Within 24 hours
- Resolution target: Best effort
7.2 Incident Response Process
Phase 1: Detection и Triage
- Incident detected (automated monitoring или manual report)
- Initial assessment severity
- Assign incident commander
- Form response team
- Notify stakeholders
Phase 2: Containment
- Isolate affected systems
- Prevent spread
- Preserve evidence
- Implement temporary fixes
- Continue monitoring
Phase 3: Investigation
- Determine root cause
- Assess scope impact
- Identify all affected systems
- Document timeline
- Collect evidence
Phase 4: Eradication
- Remove cause
- Patch vulnerabilities
- Update security controls
- Verify threat eliminated
Phase 5: Recovery
- Restore systems from clean state
- Verify functionality
- Monitor for recurrence
- Gradual return to normal
Phase 6: Lessons Learned
- Post-mortem meeting
- Document findings
- Update procedures
- Implement improvements
- Train team
7.3 Incident Response Playbooks
Pre-defined playbooks для common scenarios:
Suspected Breach:
- Isolate affected systems
- Capture memory dumps
- Preserve logs
- Notify CISO и Legal
- Begin forensic investigation
- Consider external expertise
- Assess notification requirements
- Document everything
Ransomware:
- Immediate isolation
- Do not pay ransom (policy)
- Assess backup availability
- Determine extent
- Notify law enforcement
- Begin recovery from backups
- Identify entry vector
- Remediate vulnerability
DDoS Attack:
- Activate DDoS mitigation
- Contact ISP
- Rate limiting
- Block source IPs
- Scale up infrastructure если needed
- Communication to customers
- Monitor для end of attack
Insider Threat:
- Revoke access immediately
- Preserve evidence
- Notify HR и Legal
- Review activity logs
- Assess data exposure
- Change credentials
- Document incident
7.4 Communication Plan
Internal Communication:
Incident Team:
- Dedicated Slack channel
- Regular updates
- Action items tracking
- Status changes
Management:
- Initial notification: Immediate для P1/P2
- Status updates: Hourly для P1, Daily для P2
- Resolution notification
- Post-mortem report
Stakeholders:
- Need-to-know basis
- Clear, non-technical language
- Regular updates
- Next steps
External Communication:
Customers (если impacted):
- Timely notification
- Clear explanation
- Impact assessment
- Mitigation steps
- Timeline для resolution
- Contact для questions
Regulators (если required):
- Within 72 hours для data breach (GDPR)
- Detailed incident report
- Remediation plan
- Follow-up reports
Media (если necessary):
- Coordinated через PR team
- Consistent messaging
- Factual information только
- No speculation
Approval:
- CISO: _______________
- Compliance Officer: _______________
- Legal: _______________
- Date: _______________