Security and Identity Management
Security and Identity Management
Identity & Access Management (IAM)
| Req ID | Test Details (Legend) | Requirement Area | Description |
|---|---|---|---|
| SEC01 | add | Authentication | Users: Support standards-based user authentication via OIDC for platform and tenant-facing services, and validate OIDC-issued tokens including signature, issuer, audience, expiration, and required claims for identity and authorization decisions. |
| SEC02 | add | Authentication | In-Cluster Workloads/Nodes: Support authenticated in-cluster identities for workloads and nodes, using short-lived credentials or tokens |
| SEC03 | add | Authentication | External Services: Support authentication of out of cluster service accounts for service-to-service access. Must support credential-based access, including long-lived credentials where required. |
| SEC04 | add | INFO | Authorization (RBAC) |
| SEC05 | INFO | Identity / Directory Services | The platform shall integrate with an LDAP (RFC2307bis) directory service such that users identities and group membership can be resolved by dependent services for authentication and authorization decisions (e.g. storage - POSIX-based access control ) |
| SEC06 | INFO | Workload/Service Identity | Support standard workload, service, and node security identities, including OIDC-based identity federation and Kubernetes Service Accounts where applicable. |
| SEC07 | INFO | Admin Interfaces | All administrative interfacesâwhether UI, CLI, or APIâmust be protected by Multi-Factor Authentication (e.g. kubectl) |
| SEC08 | add | Audit Logs | Audit logs must be generated and retained for all security-relevant events, including management and control plane API calls, authentication events, and authorization decisions. Audit logs shall be retained for a minimum of 30 days and accessible to authorized platform operators. |
Cryptography and Key Management
| Req ID | Test Details (Legend) | Requirement Area | Description |
|---|---|---|---|
| SEC09 | add | INFO | Key & Certificate Lifecycle |
| SEC10 | add | Key Usage | The platform shall support use of managed keys and certificates across platform services for encryption, authentication, and signing. |
Network Isolation & Encryption
| Req ID | Test Details (Legend) | Requirement Area | Description |
|---|---|---|---|
| SEC11 | add | Tenancy Model | Hard physical or logical isolation for network, data, and compute. Separation of control planes and tenants is mandatory. This includes separation of storage resources. |
| SEC12 | add | BMC Security | Out-of-band management (BMC) must be on a dedicated, restricted network (physically separate or VLAN/VRF-isolated). Direct access from the public internet or general corporate networks must be blocked, and only accessed via a hardened bastion (jumphost) server. |
| SEC13 | add | Network Traffic Encryption | Encryption and mutual authentication (mTLS or equivalent) for all east-west and north-south network traffic |
Edge Network Security
| Req ID | Test Details (Legend) | Requirement Area | Description |
|---|---|---|---|
| SEC14 | INFO | Private Access | No public internet access by default; all API endpoints (e.g. K8s API Server) must be restricted via firewall/private link. |
| SEC15 | INFO | Edge Network Security Policy | All traffic must be filtered via Security Groups and/or user customizable ACLs using 5-tuple rules. |
| SEC16 | INFO | Enforcement | NCP must specify the enforcement technology (e.g., Hardware firewalls, SDN, DPUs/SmartNICs) and its specific placement in the packet path. |
| SEC17 | INFO | Threat Intelligence & Scale | Ability to subscribe to GeoIP threat & Embargo feeds and import them into security groups. NCP should share the max supported records/rules. |
| SEC18 | INFO | MACSec protection links: | Protect links between NCP Data Center and NVIDIA POP & Object store. |
Hardware Security & Compliance
| Req ID | Test Details (Legend) | Requirement Area | Description |
|---|---|---|---|
| SEC19 | INFO | SOC 2 | SOC2 type 1 or better is required covering Security, Availability, and Confidentiality across all services and DC infrastructure |
| SEC20 | INFO | At-Rest Data Protection | Mandatory encryption of all data at rest (e.g. local NVMe/SSD, network-attached storage) via Self-Encrypted Drives (SED). |
| SEC21 | add | Data Sanitization | Data sanitization must be performed between tenants or on a hardware replacement, including cryptographic erase of all data drives between tenants; sanitization/wipe of any persistent or volatile memory including SRAM/GPU memory; resetting of TPM and BIOS |
| SEC22 | INFO | Root of Trust + Secure Boot. | Mandatory support across all platforms for Hardware Root of Trust mechanisms (TPM 2.0). The platform must enable UEFI OS Secure Boot w/ TPM 2.0. |
