@xdev-asia/xdev-knowledge-mcp 1.0.38 → 1.0.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/01-phan-1-kien-truc-nen-tang/lessons/04-bai-4-threat-modeling-stride-dread.md +79 -114
  2. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/02-phan-2-iam-keycloak/lessons/01-bai-5-setup-keycloak-realm-benh-vien.md +33 -84
  3. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/02-phan-2-iam-keycloak/lessons/02-bai-6-phan-quyen-rbac-abac.md +6 -23
  4. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/02-phan-2-iam-keycloak/lessons/03-bai-7-smart-on-fhir-oauth2-oidc.md +25 -36
  5. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/02-phan-2-iam-keycloak/lessons/04-bai-8-mfa-passkeys-emergency-access.md +7 -23
  6. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/03-phan-3-data-layer-postgresql/lessons/01-bai-9-postgresql-security-hardening.md +23 -69
  7. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/03-phan-3-data-layer-postgresql/lessons/02-bai-10-ma-hoa-du-lieu-postgresql.md +25 -80
  8. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/03-phan-3-data-layer-postgresql/lessons/03-bai-11-row-level-security-column-encryption.md +26 -55
  9. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/03-phan-3-data-layer-postgresql/lessons/04-bai-12-audit-logging-cdc-pgaudit.md +51 -87
  10. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/04-phan-4-microservices-quarkus/lessons/03-bai-15-ma-hoa-end-to-end-microservices.md +18 -63
  11. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/04-phan-4-microservices-quarkus/lessons/04-bai-16-mtls-service-mesh.md +26 -88
  12. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/05-phan-5-compliance-audit/lessons/01-bai-17-hipaa-technical-safeguards.md +50 -61
  13. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/05-phan-5-compliance-audit/lessons/02-bai-18-audit-trail-opentelemetry-elk.md +11 -34
  14. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/05-phan-5-compliance-audit/lessons/03-bai-19-data-masking-anonymization.md +113 -223
  15. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/05-phan-5-compliance-audit/lessons/04-bai-20-backup-disaster-recovery.md +92 -149
  16. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/06-phan-6-production-van-hanh/lessons/01-bai-21-zero-trust-architecture.md +126 -271
  17. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/06-phan-6-production-van-hanh/lessons/02-bai-22-container-kubernetes-security.md +10 -52
  18. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/06-phan-6-production-van-hanh/lessons/03-bai-23-penetration-testing.md +51 -90
  19. package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/06-phan-6-production-van-hanh/lessons/04-bai-24-capstone-deploy-production.md +137 -232
  20. package/package.json +1 -1
package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/06-phan-6-production-van-hanh/lessons/01-bai-21-zero-trust-architecture.md CHANGED
@@ -27,36 +27,18 @@ course:
27
27
 
28
28
  Mô hình bảo mật truyền thống dựa trên **perimeter security** — "tin tưởng mọi thứ bên trong firewall" — đã không còn phù hợp với hệ thống y tế hiện đại. Với sự gia tăng của telemedicine, IoT medical devices, cloud adoption, và remote access cho bác sĩ, **perimeter không còn tồn tại rõ ràng**.
29
29
 
30
- ```
31
- ┌─────────────────────────────────────────────────────────────┐
32
- │ Traditional Perimeter Security (OUTDATED) │
33
- │ │
34
- │ Internet ──► [Firewall] ──► ┌────────────────────────┐ │
35
- │ │ "Trusted Zone" │ │
36
- │ │ │ │
37
- │ │ EHR ◄──► Lab System │ │
38
- │ │ │ │ │
39
- │ │ ▼ │ │
40
- │ │ Database (ePHI) │ │
41
- │ │ ▲ │ │
42
- │ │ IoT ─────┘ │ │
43
- │ │ │ │
44
- │ │ ⚠ Nếu 1 device bị │ │
45
- │ │ compromise → toàn │ │
46
- │ │ bộ network bị │ │
47
- │ │ truy cập! │ │
48
- │ └────────────────────────┘ │
49
- │ │
50
- │ Problems: │
51
- │ ✗ Ransomware lây lan lateral trong trusted zone │
52
- │ ✗ Insider threats không bị kiểm soát │
53
- │ ✗ IoT devices yếu bảo mật → entry point │
54
- │ ✗ Remote doctors bypass perimeter │
55
- │ ✗ Cloud services nằm ngoài perimeter │
56
- └─────────────────────────────────────────────────────────────┘
57
- ```
30
+ ![Traditional Perimeter Security vs Zero Trust — so sánh mô hình bảo mật](/storage/uploads/2026/04/healthcare-zero-trust-vs-perimeter.png)
31
+
32
+ **Problems với Perimeter Security:**
33
+
34
+ - Ransomware lây lan lateral trong trusted zone
35
+ - Insider threats không bị kiểm soát
36
+ - IoT devices yếu bảo mật → entry point
37
+ - Remote doctors bypass perimeter
38
+ - Cloud services nằm ngoài perimeter
58
39
 
59
40
  **Thống kê đáng lo ngại:**
41
+
60
42
  - 89% tổ chức healthcare từng bị data breach (Ponemon 2024)
61
43
  - Chi phí trung bình của healthcare data breach: **$10.93 triệu** (cao nhất mọi ngành)
62
44
  - 60% ransomware attacks vào healthcare bắt nguồn từ lateral movement trong internal network
@@ -65,40 +47,27 @@ Mô hình bảo mật truyền thống dựa trên **perimeter security** — "t
65
47
 
66
48
  NIST Special Publication 800-207 định nghĩa **Zero Trust Architecture** (ZTA) là mô hình bảo mật dựa trên nguyên tắc: **không có implicit trust** cho bất kỳ asset, user, hay network segment nào.
67
49
 
68
- ```
69
- ┌─────────────────────────────────────────────────────────────┐
70
- │ NIST SP 800-207 — Zero Trust Architecture │
71
- │ │
72
- │ Core Components: │
73
- │ │
74
- │ ┌──────────┐ ┌──────────────┐ ┌──────────────────┐ │
75
- │ │ Policy │ │ Policy │ │ Policy │ │
76
- │ │ Engine │◄──►│ Administrator│◄──►│ Enforcement │ │
77
- │ │ (PE) │ │ (PA) │ │ Point (PEP) │ │
78
- │ └────┬─────┘ └──────────────┘ └────────┬─────────┘ │
79
- │ │ │ │
80
- │ ▼ ▼ │
81
- │ ┌──────────┐ ┌──────────────┐ │
82
- │ │ Data │ │ Enterprise │ │
83
- │ │ Sources: │ │ Resources: │ │
84
- │ │ CDM │ │ • EHR │ │
85
- │ │ Threat │ │ • Lab APIs │ │
86
- │ │ Intel │ │ • Databases │ │
87
- │ │ Activity│ │ • FHIR │ │
88
- │ │ Logs │ │ • PACS │ │
89
- │ │ • PKI │ └──────────────┘ │
90
- │ └──────────┘ │
91
- │ │
92
- │ Tenets: │
93
- │ 1. All data sources and computing services are resources │
94
- │ 2. All communication is secured regardless of location │
95
- │ 3. Access to individual resources is granted per-session │
96
- │ 4. Access is determined by dynamic policy │
97
- │ 5. Enterprise monitors and measures security posture │
98
- │ 6. Authentication and authorization are dynamic │
99
- │ 7. Enterprise collects info about current state of assets │
100
- └─────────────────────────────────────────────────────────────┘
101
- ```
50
+ **NIST SP 800-207 — Zero Trust Architecture:**
51
+
52
+ **Core Components:**
53
+
54
+ - **Policy Engine (PE)** — Quyết định access dựa trên data sources
55
+ - **Policy Administrator (PA)** — Thực thi decisions từ PE
56
+ - **Policy Enforcement Point (PEP)** — Điểm kiểm soát access
57
+
58
+ **Data Sources:** CDM, Threat Intel, Activity Logs, PKI
59
+
60
+ **Enterprise Resources:** EHR, Lab APIs, Databases, FHIR, PACS
61
+
62
+ **7 Tenets:**
63
+
64
+ 1. All data sources and computing services are resources
65
+ 2. All communication is secured regardless of location
66
+ 3. Access to individual resources is granted per-session
67
+ 4. Access is determined by dynamic policy
68
+ 5. Enterprise monitors and measures security posture
69
+ 6. Authentication and authorization are dynamic
70
+ 7. Enterprise collects info about current state of assets
102
71
 
103
72
  ### 1.3. Zero Trust Principles cho Healthcare
104
73
 
@@ -115,55 +84,15 @@ NIST Special Publication 800-207 định nghĩa **Zero Trust Architecture** (ZTA
115
84
 
116
85
  ### 2.1. Healthcare ZTA Overview
117
86
 
118
- ```
119
- ┌─────────────────────────────────────────────────────────────────────┐
120
- │ Zero Trust Architecture — Hospital System │
121
- │ │
122
- │ ┌─────────────┐ ┌──────────────┐ ┌──────────────┐ │
123
- │ │ Doctor │ │ Nurse │ │ IoT Medical │ │
124
- │ │ (Mobile) │ │ (Workstation)│ │ Device │ │
125
- │ └──────┬──────┘ └──────┬───────┘ └──────┬───────┘ │
126
- │ │ │ │ │
127
- │ ▼ ▼ ▼ │
128
- │ ┌─────────────────────────────────────────────────┐ │
129
- │ │ Policy Enforcement Point (PEP) │ │
130
- │ │ Istio Ingress Gateway + Envoy Proxy │ │
131
- │ │ ┌─────────┐ ┌──────────┐ ┌────────────────┐ │ │
132
- │ │ │ mTLS │ │ JWT │ │ Rate Limiting │ │ │
133
- │ │ │ Termina.│ │ Validat. │ │ + WAF │ │ │
134
- │ │ └─────────┘ └──────────┘ └────────────────┘ │ │
135
- │ └────────────────────┬────────────────────────────┘ │
136
- │ │ │
137
- │ ┌────────────────────▼────────────────────────────┐ │
138
- │ │ Policy Engine + Policy Administrator │ │
139
- │ │ │ │
140
- │ │ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │ │
141
- │ │ │ Keycloak │ │ OPA │ │ Risk Engine │ │ │
142
- │ │ │ (AuthN) │ │ (AuthZ) │ │ (Scoring) │ │ │
143
- │ │ └──────────┘ └──────────┘ └──────────────┘ │ │
144
- │ │ │ │
145
- │ │ Data Sources: │ │
146
- │ │ • Device posture (MDM) │ │
147
- │ │ • User behavior analytics │ │
148
- │ │ • Threat intelligence feeds │ │
149
- │ │ • GeoIP + Time-of-day │ │
150
- │ └─────────────────────────────────────────────────┘ │
151
- │ │ │
152
- │ ┌────────────────────▼────────────────────────────┐ │
153
- │ │ Micro-segmented Services │ │
154
- │ │ │ │
155
- │ │ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │ │
156
- │ │ │ Patient │ │ Lab │ │ Appointment │ │ │
157
- │ │ │ Service │ │ Service │ │ Service │ │ │
158
- │ │ │ (mTLS) │ │ (mTLS) │ │ (mTLS) │ │ │
159
- │ │ └────┬─────┘ └────┬─────┘ └──────┬───────┘ │ │
160
- │ │ │ │ │ │ │
161
- │ │ ┌────▼─────────────▼──────────────▼───────┐ │ │
162
- │ │ │ Encrypted Database Layer (RLS + TDE) │ │ │
163
- │ │ └────────────────────────────────────────┘ │ │
164
- │ └─────────────────────────────────────────────────┘ │
165
- └─────────────────────────────────────────────────────────────────────┘
166
- ```
87
+ ![Zero Trust Architecture — Hospital System với PEP, Policy Engine, Micro-segmented Services](/storage/uploads/2026/04/healthcare-zero-trust-architecture.png)
88
+
89
+ **Layers:**
90
+
91
+ - **Users:** Doctor (Mobile), Nurse (Workstation), IoT Medical Device
92
+ - **PEP:** Istio Ingress Gateway + Envoy Proxy (mTLS, JWT Validation, Rate Limiting + WAF)
93
+ - **Policy Engine:** Keycloak (AuthN) + OPA (AuthZ) + Risk Engine (Scoring)
94
+ - **Data Sources:** Device posture (MDM), User behavior analytics, Threat intelligence, GeoIP + Time-of-day
95
+ - **Micro-segmented Services:** Patient/Lab/Appointment Service (mTLS) → Encrypted Database Layer (RLS + TDE)
167
96
 
168
97
  ### 2.2. So sánh Perimeter Security vs Zero Trust
169
98
 
@@ -465,39 +394,18 @@ public class StepUpAuthenticationService {
465
394
 
466
395
  ### 4.1. Network Architecture cho Healthcare
467
396
 
468
- ```
469
- ┌────────────────────────────────────────────────────────────────┐
470
- │ Micro-segmented Healthcare Kubernetes Cluster │
471
- │ │
472
- │ Namespace: healthcare-frontend │
473
- │ ┌──────────────┐ │
474
- Patient Portal│──── ONLY port 443 ────► │
475
- │ │ API Gateway │ │ │
476
- │ └──────────────┘ │ │
477
- │ ▼ │
478
- │ ──────────────── Network Policy ────────────────── │
479
- │ │ │
480
- │ Namespace: healthcare-services │ │
481
- │ ┌──────────────┐ ┌──────────────┐ ┌─────▼────────┐ │
482
- │ │ Patient Svc │ │ Lab Svc │ │ Appointment │ │
483
- │ │ port:8080 │ │ port:8080 │ │ Svc port:8080│ │
484
- │ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │
485
- │ │ │ │ │
486
- │ ──────────────── Network Policy ────────────────── │
487
- │ │ │ │ │
488
- │ Namespace: healthcare-data │ │
489
- │ ┌──────▼───────┐ ┌─────▼────────┐ │ │
490
- │ │ PostgreSQL │ │ Redis Cache │ │ │
491
- │ │ port:5432 │ │ port:6379 │ │ │
492
- │ └──────────────┘ └──────────────┘ │ │
493
- │ │ │
494
- │ Namespace: healthcare-monitoring (READ ONLY) │
495
- │ ┌──────────────┐ ┌──────────────┐ │
496
- │ │ Prometheus │ │ Falco │ │
497
- │ │ (scrape only)│ │ (eBPF hooks) │ │
498
- │ └──────────────┘ └──────────────┘ │
499
- └────────────────────────────────────────────────────────────────┘
500
- ```
397
+ **Micro-segmented Healthcare Kubernetes Cluster:**
398
+
399
+ - **Namespace: `healthcare-frontend`**
400
+ - Patient Portal / API Gateway → ONLY port 443
401
+ - *── Network Policy ──*
402
+ - **Namespace: `healthcare-services`**
403
+ - Patient Svc (port:8080), Lab Svc (port:8080), Appointment Svc (port:8080)
404
+ - *── Network Policy ──*
405
+ - **Namespace: `healthcare-data`**
406
+ - PostgreSQL (port:5432), Redis Cache (port:6379)
407
+ - **Namespace: `healthcare-monitoring`** (READ ONLY)
408
+ - Prometheus (scrape only), Falco (eBPF hooks)
501
409
 
502
410
  ### 4.2. Kubernetes NetworkPolicies
503
411
 
@@ -858,42 +766,15 @@ public class DeviceTrustService {
858
766
 
859
767
  ### 6.1. OPA Architecture trong Healthcare ZTA
860
768
 
861
- ```
862
- ┌─────────────────────────────────────────────────────────┐
863
- │ OPA Policy Architecture │
864
- │ │
865
- │ ┌───────────────────────────────────────────────┐ │
866
- │ │ Policy Bundle Server │ │
867
- │ (Git repo OPA Bundle Distribution) │ │
868
- └───────────────────────┬───────────────────────┘ │
869
- │ │ Pull bundles │
870
- │ ▼ │
871
- │ ┌───────────────────────────────────────────────┐ │
872
- │ │ OPA Server (Sidecar/Central) │ │
873
- │ │ │ │
874
- │ │ ┌─────────────────────────────────────────┐ │ │
875
- │ │ │ Rego Policies: │ │ │
876
- │ │ │ • healthcare/patient_access.rego │ │ │
877
- │ │ │ • healthcare/device_trust.rego │ │ │
878
- │ │ │ • healthcare/data_classification.rego │ │ │
879
- │ │ │ • healthcare/emergency_access.rego │ │ │
880
- │ │ └─────────────────────────────────────────┘ │ │
881
- │ │ │ │
882
- │ │ ┌─────────────────────────────────────────┐ │ │
883
- │ │ │ Data: │ │ │
884
- │ │ │ • roles_permissions.json │ │ │
885
- │ │ │ • department_assignments.json │ │ │
886
- │ │ │ • data_classification_rules.json │ │ │
887
- │ │ └─────────────────────────────────────────┘ │ │
888
- │ └───────────────────────────────────────────────┘ │
889
- │ ▲ ▲ ▲ ▲ │
890
- │ │ query │ query │ query │ query │
891
- │ ┌────┴──┐ ┌───┴───┐ ┌───┴───┐ ┌───┴──────┐ │
892
- │ │Patient│ │ Lab │ │ Appt. │ │ API │ │
893
- │ │ Svc │ │ Svc │ │ Svc │ │ Gateway │ │
894
- │ └───────┘ └───────┘ └───────┘ └──────────┘ │
895
- └─────────────────────────────────────────────────────────┘
896
- ```
769
+ ![OPA Policy Architecture — Bundle Server → OPA Server → Healthcare Services](/storage/uploads/2026/04/healthcare-opa-policy-engine.png)
770
+
771
+ **Components:**
772
+
773
+ - **Policy Bundle Server:** Git repo → OPA Bundle → Distribution
774
+ - **OPA Server** (Sidecar/Central):
775
+ - **Rego Policies:** patient_access, device_trust, data_classification, emergency_access
776
+ - **Data:** roles_permissions.json, department_assignments.json, data_classification_rules.json
777
+ - **Clients (query):** Patient Svc, Lab Svc, Appt. Svc, API Gateway
897
778
 
898
779
  ### 6.2. OPA Rego Policies cho Healthcare
899
780
 
@@ -1313,52 +1194,49 @@ data:
1313
1194
 
1314
1195
  ### 9.1. Phased Zero Trust Migration
1315
1196
 
1316
- ```
1317
- ┌─────────────────────────────────────────────────────────────┐
1318
- │ Zero Trust Migration Roadmap — Healthcare │
1319
- │ │
1320
- │ Phase 1: Foundation (Month 1-3)
1321
- │ ├── Deploy Keycloak (centralized identity) │
1322
- │ ├── Enable MFA for all staff │
1323
- │ ├── Inventory all assets and data flows │
1324
- │ ├── Classify data (PHI vs non-PHI) │
1325
- │ └── Implement basic audit logging │
1326
- │ │
1327
- │ Phase 2: Identity-Centric Security (Month 4-6) │
1328
- │ ├── SSO for all applications (Keycloak OIDC)
1329
- │ ├── RBAC enforcement (roles → permissions)
1330
- │ ├── Device registration program
1331
- │ ├── Certificate-based auth for services
1332
- │ └── Decommission shared accounts
1333
- │ │
1334
- Phase 3: Micro-segmentation (Month 7-9)
1335
- │ ├── Network segmentation (VLANs per department) │
1336
- │ ├── Kubernetes NetworkPolicies │
1337
- │ ├── Istio service mesh (mTLS everywhere) │
1338
- │ ├── Database: RLS per user context │
1339
- │ └── Block lateral movement paths │
1340
- │ │
1341
- │ Phase 4: Continuous Verification (Month 10-12) │
1342
- │ ├── OPA policy engine deployment │
1343
- │ ├── Risk scoring engine │
1344
- │ ├── Device posture checking (MDM integration) │
1345
- │ ├── Step-up authentication for sensitive ops │
1346
- │ └── Behavioral analytics (UBA)
1347
- │ │
1348
- │ Phase 5: Advanced & Optimization (Month 13-18)
1349
- │ ├── Replace VPN with ZTNA │
1350
- │ ├── Full DLP integration │
1351
- │ ├── IoT medical device isolation │
1352
- │ ├── Automated incident response │
1353
- │ └── Continuous compliance monitoring │
1354
- │ │
1355
- │ ─────────── Ongoing ─────────── │
1356
- │ • Red team exercises quarterly │
1357
- │ • Policy review and updates │
1358
- │ • New threat assessment
1359
- │ • Staff training │
1360
- └─────────────────────────────────────────────────────────────┘
1361
- ```
1197
+ **Zero Trust Migration Roadmap — Healthcare:**
1198
+
1199
+ **Phase 1: Foundation (Month 1-3)**
1200
+
1201
+ - Deploy Keycloak (centralized identity)
1202
+ - Enable MFA for all staff
1203
+ - Inventory all assets and data flows
1204
+ - Classify data (PHI vs non-PHI)
1205
+ - Implement basic audit logging
1206
+
1207
+ **Phase 2: Identity-Centric Security (Month 4-6)**
1208
+
1209
+ - SSO for all applications (Keycloak OIDC)
1210
+ - RBAC enforcement (roles → permissions)
1211
+ - Device registration program
1212
+ - Certificate-based auth for services
1213
+ - Decommission shared accounts
1214
+
1215
+ **Phase 3: Micro-segmentation (Month 7-9)**
1216
+
1217
+ - Network segmentation (VLANs per department)
1218
+ - Kubernetes NetworkPolicies
1219
+ - Istio service mesh (mTLS everywhere)
1220
+ - Database: RLS per user context
1221
+ - Block lateral movement paths
1222
+
1223
+ **Phase 4: Continuous Verification (Month 10-12)**
1224
+
1225
+ - OPA policy engine deployment
1226
+ - Risk scoring engine
1227
+ - Device posture checking (MDM integration)
1228
+ - Step-up authentication for sensitive ops
1229
+ - Behavioral analytics (UBA)
1230
+
1231
+ **Phase 5: Advanced & Optimization (Month 13-18)**
1232
+
1233
+ - Replace VPN with ZTNA
1234
+ - Full DLP integration
1235
+ - IoT medical device isolation
1236
+ - Automated incident response
1237
+ - Continuous compliance monitoring
1238
+
1239
+ **Ongoing:** Red team exercises quarterly, policy review, new threat assessment, staff training
1362
1240
 
1363
1241
  ### 9.2. Migration Checklist
1364
1242
 
@@ -1384,51 +1262,28 @@ data:
1384
1262
 
1385
1263
  ### 10.1. Data-Centric Zero Trust
1386
1264
 
1387
- ```
1388
- ┌─────────────────────────────────────────────────────────────┐
1389
- │ Zero Trust Data Protection Layers │
1390
- │ │
1391
- │ Layer 1: Classify Everything │
1392
- │ ┌─────────────────────────────────────────────────┐ │
1393
- │ │ Data Classification Engine │ │
1394
- │ │ • PHI: patient name, SSN, diagnosis, labs │ │
1395
- │ │ • PII: email, phone, address │ │
1396
- │ │ • Sensitive: billing, insurance │ │
1397
- │ │ • Internal: schedules, inventory │ │
1398
- │ │ • Public: hospital info, general health tips │ │
1399
- │ └─────────────────────────────────────────────────┘ │
1400
- │ │
1401
- │ Layer 2: Encrypt Everything │
1402
- │ ┌─────────────────────────────────────────────────┐ │
1403
- │ │ Encryption Matrix: │ │
1404
- │ │ ┌──────────┬──────────┬──────────┬──────────┐ │ │
1405
- │ │ │ │ At Rest │In Transit│ In Use │ │ │
1406
- │ │ ├──────────┼──────────┼──────────┼──────────┤ │ │
1407
- │ │ │ PHI │ AES-256 │ TLS 1.3 │ Enclaves │ │ │
1408
- │ │ │ PII │ AES-256 │ TLS 1.3 │ Masking │ │ │
1409
- │ │ │ Sensitive│ AES-256 │ TLS 1.3 │ — │ │ │
1410
- │ │ │ Internal │ TDE │ TLS 1.2+ │ — │ │ │
1411
- │ │ └──────────┴──────────┴──────────┴──────────┘ │ │
1412
- │ └─────────────────────────────────────────────────┘ │
1413
- │ │
1414
- │ Layer 3: Control Everything │
1415
- │ ┌─────────────────────────────────────────────────┐ │
1416
- │ │ • Row-Level Security (PostgreSQL RLS) │ │
1417
- │ │ • Column-level encryption (pgcrypto) │ │
1418
- │ │ • Dynamic data masking per role │ │
1419
- │ │ • DLP: block unauthorized data transfer │ │
1420
- │ │ • Watermarking for screenshots/exports │ │
1421
- │ └─────────────────────────────────────────────────┘ │
1422
- │ │
1423
- │ Layer 4: Monitor Everything │
1424
- │ ┌─────────────────────────────────────────────────┐ │
1425
- │ │ • Full audit trail (who, what, when, why) │ │
1426
- │ │ • Real-time anomaly detection │ │
1427
- │ │ • Data lineage tracking │ │
1428
- │ │ • Compliance dashboards │ │
1429
- │ └─────────────────────────────────────────────────┘ │
1430
- └─────────────────────────────────────────────────────────────┘
1431
- ```
1265
+ ![Zero Trust Data Protection Layers — Classify, Encrypt, Control, Monitor](/storage/uploads/2026/04/healthcare-data-zero-trust-layers.png)
1266
+
1267
+ **Layer 1: Classify Everything**
1268
+
1269
+ - PHI: patient name, SSN, diagnosis, labs
1270
+ - PII: email, phone, address
1271
+ - Sensitive: billing, insurance
1272
+ - Internal: schedules, inventory
1273
+ - Public: hospital info, general health tips
1274
+
1275
+ **Layer 2: Encrypt Everything**
1276
+
1277
+ | | At Rest | In Transit | In Use |
1278
+ |---|---------|-----------|--------|
1279
+ | PHI | AES-256 | TLS 1.3 | Enclaves |
1280
+ | PII | AES-256 | TLS 1.3 | Masking |
1281
+ | Sensitive | AES-256 | TLS 1.3 | — |
1282
+ | Internal | TDE | TLS 1.2+ | — |
1283
+
1284
+ **Layer 3: Control Everything** — RLS, Column-level encryption, Dynamic masking, DLP, Watermarking
1285
+
1286
+ **Layer 4: Monitor Everything** — Full audit trail, Real-time anomaly detection, Data lineage tracking, Compliance dashboards
1432
1287
 
1433
1288
  ### 10.2. Application Properties cho Zero Trust
1434
1289
 
package/content/series/architecture/xay-dung-he-thong-y-te-microservices/chapters/06-phan-6-production-van-hanh/lessons/02-bai-22-container-kubernetes-security.md CHANGED
@@ -23,7 +23,6 @@ course:
23
23
 
24
24
  ![Container Attack Surface — Build, Deploy, Runtime vulnerabilities](/storage/uploads/2026/04/healthcare-container-attack-surface.png)
25
25
 
26
-
27
26
  ### 1.1. Container Attack Surface
28
27
 
29
28
  Container là đơn vị triển khai chính trong microservices healthcare. Mỗi container chứa application code, dependencies, và runtime — tất cả đều là attack surface tiềm năng. Trong healthcare, một container bị compromise có thể dẫn đến rò rỉ ePHI của hàng triệu bệnh nhân.
@@ -465,36 +464,13 @@ echo " - Retention: keep last 10 releases"
465
464
 
466
465
  Kubernetes định nghĩa 3 mức Pod Security Standards (PSS):
467
466
 
468
- ```
469
- ┌─────────────────────────────────────────────────────────────┐
470
- │ Kubernetes Pod Security Standards (PSS) │
471
- │ │
472
- │ ┌─────────────────────────────────────────────────┐ │
473
- │ │ PRIVILEGED │ │
474
- │ │ • No restrictions │ │
475
- │ │ • Full host access │ │
476
- │ │ ⚠ NEVER for healthcare workloads │ │
477
- │ └─────────────────────────────────────────────────┘ │
478
- │ │
479
- │ ┌─────────────────────────────────────────────────┐ │
480
- │ │ BASELINE │ │
481
- │ │ • Prevents known privilege escalations │ │
482
- │ │ • No hostNetwork, hostPID, hostIPC │ │
483
- │ │ • No privileged containers │ │
484
- │ │ → OK for monitoring, logging sidecars │ │
485
- │ └─────────────────────────────────────────────────┘ │
486
- │ │
487
- │ ┌─────────────────────────────────────────────────┐ │
488
- │ │ RESTRICTED ◄── REQUIRED cho Healthcare │ │
489
- │ │ • Everything in Baseline, plus: │ │
490
- │ │ • Must run as non-root │ │
491
- │ │ • Must drop ALL capabilities │ │
492
- │ │ • Read-only root filesystem │ │
493
- │ │ • Seccomp profile required │ │
494
- │ │ • No privilege escalation │ │
495
- │ └─────────────────────────────────────────────────┘ │
496
- └─────────────────────────────────────────────────────────────┘
497
- ```
467
+ **Kubernetes Pod Security Standards (PSS) — 3 levels:**
468
+
469
+ | Level | tả | Healthcare Use |
470
+ |-------|--------|---------------|
471
+ | **PRIVILEGED** | No restrictions, full host access | ⚠️ NEVER cho healthcare workloads |
472
+ | **BASELINE** | Prevents known privilege escalations (no hostNetwork/PID/IPC, no privileged containers) | OK cho monitoring, logging sidecars |
473
+ | **RESTRICTED** ◄ Required | Everything in Baseline + must run as non-root, drop ALL capabilities, read-only root filesystem, Seccomp profile required, no privilege escalation | **Bắt buộc cho Healthcare** |
498
474
 
499
475
  ### 5.2. Pod Security Standards Enforcement
500
476
 
@@ -905,27 +881,9 @@ rules:
905
881
 
906
882
  ### 8.1. Kyverno Architecture
907
883
 
908
- ```
909
- ┌─────────────────────────────────────────────────────────┐
910
- Kyverno Admission Controller │
911
- │ │
912
- │ kubectl apply ──► API Server ──► Kyverno Webhook │
913
- │ │ │
914
- │ ▼ │
915
- │ ┌─────────────────┐ │
916
- │ │ Policy Engine │ │
917
- │ │ │ │
918
- │ │ Validate ──► ✓/✗│ │
919
- │ │ Mutate ──► Patch│ │
920
- │ │ Generate ──► New│ │
921
- │ └─────────────────┘ │
922
- │ │ │
923
- │ ▼ │
924
- │ ┌─────────────────┐ │
925
- │ │ Admit / Reject │ │
926
- │ └─────────────────┘ │
927
- └─────────────────────────────────────────────────────────┘
928
- ```
884
+ **Kyverno Admission Controller Flow:**
885
+
886
+ `kubectl apply` → **API Server** → **Kyverno Webhook** → **Policy Engine** (Validate → ✓/✗, Mutate → Patch, Generate → New) → **Admit / Reject**
929
887
 
930
888
  ### 8.2. Kyverno Policies cho Healthcare
931
889