Security and Governance

Security works best when the safe path is the easy path. Put controls in source control, CI/CD, cloud identity, and runtime admission instead of relying on late manual review.

Identity and access

Use single sign-on, groups, and just-in-time access for humans.
Use workload identity and OIDC federation for systems.
Apply least privilege at account, project, namespace, and service level.
Review privileged access, break-glass use, and inactive identities.
Separate production duties where regulation or risk requires it.

Supply chain security

Adopt a practical SLSA-aligned baseline:

Pin dependencies and use trusted package registries.
Scan dependencies, containers, infrastructure code, and secrets.
Generate software bills of materials for release artifacts.
Sign container images and important build artifacts.
Verify provenance and signatures before deployment where feasible.

Policy as code

Automated policy should cover:

Public exposure, encryption, backups, tagging, and network boundaries.
Kubernetes pod security, image sources, resource limits, and privilege.
Terraform module usage, drift, cost, and destructive changes.
Data classification and environment-specific compliance needs.

Use exceptions with owners, expiry dates, and risk acceptance. Permanent exceptions become undocumented architecture.

Governance artifacts

During onboarding, create or refresh:

A risk register tied to concrete remediation work.
A control map from compliance requirements to automated evidence.
Access review procedures for production and administrative systems.
A vulnerability intake process with severity and remediation timelines.
A change-management model that matches deployment risk.

Tooling examples

OPA, Conftest, Gatekeeper, Kyverno, ValidatingAdmissionPolicy, and HashiCorp Sentinel for policy.
Snyk, Dependabot, Renovate, Trivy, Grype, Wiz, Orca, Prisma Cloud, or Lacework for vulnerability and cloud posture management.
Sigstore Cosign, Rekor, in-toto, Syft, and SLSA generators for supply chain controls.