[Yandex Cloud documentation](../index.md) > [Yandex Security Deck](index.md) > Getting started > Overview

# Getting started with Yandex Security Deck

Security Deck offers tools for data security and compliance with regulatory requirements and industry standards.

{% note info %}

The service is at the [Preview](../overview/concepts/launch-stages.md) stage.

{% endnote %}

## Getting started {#before-begin}

To get started with Security Deck in Yandex Cloud:

1. If you have not signed up to Yandex Cloud yet, go to the [management console](https://console.yandex.cloud) and follow the instructions.
1. In [Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts), make sure you have a [billing account](../billing/concepts/billing-account.md) linked and its [status](../billing/concepts/billing-account-statuses.md) is `ACTIVE` or `TRIAL_ACTIVE`. If you do not have a billing account yet, [create one](../billing/quickstart/index.md#create_billing_account).
1. If you do not have a [folder](../resource-manager/concepts/resources-hierarchy.md#folder) yet, [create one](../resource-manager/operations/folder/create.md).
1. Make sure you have the necessary [permissions](security/index.md) to work with the Security Deck modules. You optimal roles are:

    * `security-deck.admin` for the folder to contain Security Deck resources and modules.
    * `auditor` for the [organization](../organization/concepts/organization.md), [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud), or folder security in which will be controlled by the workspace.
1. [Create](../iam/operations/sa/create.md) a [service account](../iam/concepts/users/service-accounts.md) and [assign](../iam/operations/sa/assign-role-for-sa.md) to it the `security-deck.worker` [role](security/index.md#security-deck-worker) for the organization, cloud, or folder security in which will be controlled by the workspace.

## Create a Security Deck workspace {#create-workspace}

A [workspace](concepts/workspace.md) is a container holding the Security Deck module settings and resources, a list of controlled resources, control parameters, and other settings. Workspaces allow for more granular management of Yandex Cloud infrastructure security.

To create your first Security Deck workspace:

{% list tabs group=instructions %}

- Security Deck UI {#cloud-sd}

  1. Go to [Yandex Security Deck](https://center.yandex.cloud/security/).
  1. In the left-hand panel, select ![vector-circle](../_assets/console-icons/vector-circle.svg) **Workspace** and click **Create workspace**.
  1. In the window that opens, select **Creating and configuring workspace** in the **Main parameters** section:
     
     1. Under **Workspace name**, enter a name for the new workspace. Follow these naming requirements:
     
         * It must be from 1 to 63 characters long.
         * It may contain lowercase Latin letters, numbers, and hyphens.
         * It must start with a letter and cannot end with a hyphen.
     
         Provide a brief description for the new workspace, if required.
     1. Under **Resource storage folder**, select the folder to store Security Deck resources for the new workspace.
     
         For security reasons, we recommend storing Security Deck resources in a separate [cloud](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../resource-manager/concepts/resources-hierarchy.md#folder) restricted only to security staff.
     
         {% note info %}
     
         Once the workspace is created, you cannot change this folder.
     
         {% endnote %}
     
     1. Under **Payment for resources**, add a billing account to use to pay for security module resources the workspace consumes.
     1. Under **Alert sink**, select the [alert sink](concepts/workspace.md#alert-sinks) to receive all [alerts](concepts/alerts.md) generated in the workspace.
        
        Create a new alert sink if needed. Do it by clicking **Create sink**. In the window that opens, enter enter a name for the sink **Create**.
     1. Click **Create and continue** to proceed to the next step and configure the workspace resources.
  1. In the **Resources** section that opens:
     
     1. Under **Workspace resources**, select the connector to use in the workspace being created to access the controlled resources.
     
         If needed, create a new connector:
         
         1. Click ![plug-connection](../_assets/console-icons/plug-connection.svg) **Create connector** and in the window that opens:
         
             1. In the **Name** field, enter a name for the connector.
             1. Optionally, give the connector's description in the **Description** field.
             1. Select the [service account](../iam/concepts/users/service-accounts.md) for access to cloud resources in the **Service account** field.
         
                 In the section below, you can see which resources the selected service account has access to.
                 
                 Make sure to assign the `security-deck.worker` [role](security/index.md#security-deck-worker) to this service account for the resources controlled in the workspace being created.
         
             1. Click **Create connector**.
     
     1. In the connector section that appears, click ![circle-plus](../_assets/console-icons/circle-plus.svg) **Select cloud/catalog** to select the resources ([clouds](../resource-manager/concepts/resources-hierarchy.md#cloud) and [folders](../resource-manager/concepts/resources-hierarchy.md#folder)) whose security will be managed in the new workspace:
        
        1. Select the resources whose security you want to manage in the workspace. You can only select the resources that are accessible to the previously selected service account.
        1. Click **Save selection**.
     1. Click **Save and continue**.
  1. In the **Control modules** section that opens:
     
     1. Under **Sets of requirements**, select the industry standards and regulations the resources you chose at the previous step will be benchmarked against.
     
         * ![base-standard-yc](../_assets/security-deck/cspm-base-yc.svg) [Yandex Cloud](concepts/standard-compliance/yc-security-baseline.md) basic security rules: Minimum set of security requirements ensuring basic protection of cloud infrastructure and applications deployed on the Yandex Cloud platform.
         * ![cspm-standard-yc](../_assets/security-deck/cspm-standard-yc.svg) [Yandex Cloud](concepts/standard-compliance/yc-cloud-security-standard.md) cloud infrastructure protection standard: [Standard](../security/standard/all.md) providing comprehensive security requirements and best practices for protection of the cloud infrastructure and applications deployed on the Yandex Cloud platform. These elements help ensure security policy compliance and protection against common threats and vulnerabilities in the cloud environment.
         * ![pci-dss-standard](../_assets/security-deck/cspm-pci-dss.svg) [PCI DSS](https://yandex.cloud/en/security/standards/pci) (Payment Card Industry Data Security Standard): Data security standard for payment cards that includes requirements for security management, rules, procedures, network architecture, software development, and other critical security measures.
         * ![152-fz-standard](../_assets/security-deck/cspm-152-fz.svg) [FSTEC Requirements (Order No. 21) for the protection of personal data](https://fstec.ru/dokumenty/vse-dokumenty/prikazy/prikaz-fstek-rossii-ot-18-fevralya-2013-g-n-21): Standard providing measures for protection of personal data from unauthorized or accidental access, destruction, modification, blocking, copying, disclosure, distribution, or other unlawful actions.
         
         * ![cspm-standard-k8s-restricted](../_assets/security-deck/cspm-standard-k8s-restricted.svg) Kubernetes Pod Security Standards (Restricted): This standard contains security controls based on the [Kubernetes Pod Security Standards (PSS) Restricted profile](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). A restricted profile is the most secure and provides the highest detection efficiency for container-based attacks. It applies strict security policies that may require modifying applications to ensure compliance. A restricted profile is recommended for security-critical applications and environments where maximum security is required.
         * ![cspm-standard-k8s-baseline](../_assets/security-deck/cspm-standard-k8s-baseline.svg) Kubernetes Pod Security Standards (Baseline): This standard contains security controls based on the [Kubernetes Pod Security Standards (PSS) Baseline profile](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline). A baseline profile is designed for easy implementation and provides common best practices for container security. It prevents the most common security issues in containers while maintaining compatibility with most applications. The baseline profile is a good starting point for organizations just getting started with container security.
         * ![cspm-standard-k8s-ms](../_assets/security-deck/cspm-standard-k8s-ms.svg) Microsoft Threat Matrix for Kubernetes: This standard contains security controls based on the [Microsoft Threat Matrix for Kubernetes](https://www.microsoft.com/en-us/security/blog/2020/04/02/attack-matrix-kubernetes/), which is a framework that helps security teams understand and fend off threats specific to Kubernetes environments. It provides a comprehensive approach to attack methods and defensive strategies tailored for container orchestration platforms.
         * ![cspm-cis-k8s-standard](../_assets/security-deck/cspm-cis-k8s-standard.svg) CIS Kubernetes Benchmark: This standard contains [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes) recommendations for secure configuration of components on Kubernetes worker nodes. It includes only the automated checks from the `4 Worker Nodes` section.
     
         You can select several standards at the same time. In this case, you will see the Security Deck modules under **Control modules**, which will be activated in the workspace being created to check resources for compliance with the selected standards and regulations.
     1. Optionally, under **Control modules**, activate additional Security Deck modules that you need in your environment.
        
        For example, the **Data Security Posture Management (DSPM)
        ** module is independent of the standards and regulations selected in the environment and must be activated manually for the environment in question.
     1. Click **Save and continue**.
  1. Optionally, in the **Access bindings** section that opens, add users who will have access to the workspace being created and assign them roles in this workspace:
     
     1. Click ![person-plus](../_assets/console-icons/person-plus.svg) **Add participants** and in the window that opens:
     
         1. Select the user from the list. If required, use the search bar.
         1. In the window that opens, click ![plus](../_assets/console-icons/plus.svg) **Add role** and select the role you want to assign to the user. You can assign multiple roles.
         1. Click **Save**.
     
     1. Click **Finish** to complete creating the Security Deck workspace.
     
     You do not have to add additional users to the workspace. In this case, the workspace will only be available to its creator.

{% endlist %}

## Yandex Security Deck modules {#modules}

Security Deck includes the following modules:

* [Data Security Posture Management (DSPM)](#dspm)
* [Kubernetes® Security Posture Management (KSPM)](#kspm)
* [Cloud Infrastructure Entitlement Management (CIEM)](#ciem)
* [Cloud Security Posture Management (CSPM)](#cspm)
* [Threat Detector (TD)](#td)
* [Vulnerability Management](#vulnerability-management)
* [Access Transparency](#access-transparency)
* [Compliance Portal](#compliance)

To use any of the modules, navigate to the [Security Deck interface](https://center.yandex.cloud/security/) and select the module you need in the left-hand panel. On the page that opens, you can learn more about the tool's features and terms of use. To use the module you select, complete the required setup.

### Data Security Posture Management (DSPM) {#dspm}

[Data Security Posture Management](https://center.yandex.cloud/security/dspm/), or DSPM, quickly detects sensitive information stored in Yandex Object Storage [buckets](../storage/concepts/bucket.md) and [Yandex Disks](https://yandex.com/support/yandex-360/business/disk/web/en/index.html) in Yandex 360 for timely action to protect it from unauthorized access or leaks (through [access policies](../storage/concepts/policy.md), data anonymization, etc.).

A key feature of DSPM is automatic analysis of all data stored in buckets within a given environment. The [analysis](operations/dspm/discovery-mode.md) starts as soon as an environment is created and scans all bucket data.

These insights help you more accurately identify which resources may contain sensitive data and provide you with a data source for your next detailed scanning. Identifying sensitive data this way takes less time than scanning a manually created data source.

{% note info %}

The data analysis feature is currently in [Preview](../overview/concepts/launch-stages.md) and provided free of charge.

Upon General Availability, data analysis will be billed independently of data source [scans](concepts/dspm.md#scanning).

{% endnote %}

To get started with DSPM, [activate](#create-workspace) it in the current Security Deck [workspace](concepts/workspace.md) settings and follow the guides on how to [analyze data](operations/dspm/discovery-mode.md), [create a data source](operations/dspm/create-data-source.md), and [create a scan](operations/dspm/create-scan.md) for the information.

For more information, see [Data Security Posture Management (DSPM)](concepts/dspm.md).

### Kubernetes® Security Posture Management (KSPM) {#kspm}

[Kubernetes® Security Posture Management (KSPM)](concepts/kspm.md) ensures the security of containerized applications.

The KSPM module automatically identifies all Kubernetes clusters and containers in a given [workspace](concepts/workspace.md) and deploys security components in them as per the configuration. New clusters automatically get security coverage, without requiring manual search or installation of any components.

The module continuously assesses workloads for misconfigurations and provides runtime security monitoring through sensors that detect attacks targeting nodes and containers.

### Cloud Infrastructure Entitlement Management (CIEM) {#ciem}

Security Deck [Cloud Infrastructure Entitlement Management](https://center.yandex.cloud/security/iam-diagnostics/) is a tool providing a centralized [view](operations/ciem/view-permissions.md) of the full list of accesses to the organization's [resources](../iam/concepts/access-control/resources-with-access-control.md) available to [subjects](../iam/concepts/access-control/index.md#subject), i.e., [users](../overview/roles-and-resources.md#users), [service accounts](../iam/concepts/users/service-accounts.md), [user groups](../organization/concepts/groups.md), [system groups](../iam/concepts/access-control/system-group.md), and [public groups](../iam/concepts/access-control/public-group.md). The tool also makes it easy to [revoke](operations/ciem/revoke-permissions.md) excessive access permissions from subjects. To learn more, see [Cloud Infrastructure Entitlement Management (CIEM)](concepts/ciem.md).

To get started with the CIEM module, follow the guides for [viewing](operations/ciem/view-permissions.md) and [revoking](operations/ciem/revoke-permissions.md) accesses.

### Cloud Security Posture Management (CSPM) {#cspm}

[Cloud Security Posture Management (CSPM)](concepts/cspm.md) is a tool that monitors infrastructure security level based on security standards, such as [Yandex Cloud's Cloud Infrastructure Security Standard](../security/standard/all.md).

In a given [workspace](concepts/workspace.md), Cloud Security Posture Management (CSPM) checks the cloud infrastructure and applications deployed on the Yandex Cloud platform for compliance with comprehensive security requirements and best practices. The module's [rules](concepts/cspm.md#rules) and [exceptions](concepts/cspm.md#exceptions) help ensure compliance with security policies and protection against common threats and vulnerabilities in the cloud environment.

### Threat Detector (TD) {#td}

The [Threat Detector (TD)](concepts/threat-detector.md) module is the first line of defense of the user's cloud infrastructure in Yandex Security Deck, which automatically detects suspicious activity and notifies the user about detected threats.

Threat Detector analyzes the audit events found in the client's infrastructure and registered using [Yandex Audit Trails](../audit-trails/index.md). The module does not require you to configure rules or involve security experts; it activates automatically when you set up your Security Deck [workspace](concepts/workspace.md).

Each time a [rule](concepts/threat-detector.md#rules) is triggered by a potential security threat, Security Deck generates an [alert](concepts/alerts.md) with detailed information about the event and recommendations for how to remove the threat. You can analyze the alert and find a solution with the help of the AI assistant, which will drill down on the problem and propose some remedies.

### Vulnerability Management {#vulnerability-management}

[Vulnerability Management](https://center.yandex.cloud/security/vulnerability-management/) enables you to centrally manage container image vulnerability scanning and view resource scan results within your workspace. This module supports scanning images from Container Registry and Cloud Registry, and those running in Managed Service for Kubernetes clusters.

Scanning can start automatically when the image is pushed to the registry, on a schedule, or when the image is used in a Kubernetes cluster. The module is integrated with KSPM to detect active images and inform you which vulnerable images are used in the monitored workspace.

For more information, see [About Vulnerability Management (VM)](concepts/vulnerability-management.md).

### Access Transparency {#access-transparency}

[Access Transparency](https://center.yandex.cloud/security/transparency/) is an automated tool you can use to view analytical data about actions by Yandex Cloud engineers involving the organization's resources, whether when processing [requests](../support/overview.md), addressing security issues, or during maintenance.

The tool ensures operations are transparent and provides control over actions by Yandex Cloud engineers: a specially trained YandexGPT-based model automatically analyzes their action logs and escalates issues, if any, so that a Yandex Cloud information security specialist can check the session.

To connect and use Access Transparency, your [organization](../organization/quickstart.md) must be linked to a [billing account](../billing/concepts/billing-account.md). Follow [this guide](../billing/operations/change-organization.md) to link your organization to a billing account.

Once your organization links a billing account, select it in the [Access Transparency](https://center.yandex.cloud/security/transparency/) module.

For more information, see [Access Transparency](concepts/access-transparency.md).

## What's next {#whats-next}

* Learn [how to view the CSPM module's security control rules and related violations](operations/cspm/view-rules.md).
* Learn [how to scan buckets for sensitive information](operations/dspm/create-scan.md) in Security Deck.
* Learn [how to view a subject's access list](operations/ciem/view-permissions.md) in Security Deck.
* Learn about the [required access permissions](security/index.md) to work with Security Deck.