CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
2 likes288 views
The Secure DevOps Kit for Azure (azsdk) provides tools for enhancing cloud security by utilizing Azure's built-in features and facilitating secure coding practices. It aims to help organizations manage security in Azure environments, focusing on continuous assurance, security verification tests, and developer support. Despite its capabilities, users must still be vigilant about broader security concerns and continue to apply thorough threat modeling strategies.
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
- 1. SECURE DEVOPS KIT FOR AZURE CLOUDBREW 25.11.2017
- 2. KARL OTS @ KOMPOZURE • Co-organizer of Finland Azure User Group and IglooConf • Working on Azure since 2011 • Patented inventor • Worked with tens of different customers on full-scale Azure projects, from startups to Fortune 500 enterprises Managing Consultant, Kompozure Ltd [email protected]
- 5. SECURITY LANDSCAPE • Cloud-based user account attacks have increased 300% YoY (Microsoft Security Intelligence Report, Volume 22) • An attacker is on a victim’s network 99 days on average before they are detected (FireEye/Mandiant report – March 14, 2017) • Average cost of a data breach in 2017 was 4 M $ (IBM security)
- 6. WHY AZSDK? • Cloud security is hard. • Knowledge of Azure security controls is not widespread. • MS IT wanted to accelerate internal Azure adoption in a controlled way • Vision: avoid reinventing the wheel o Use as much out-of-the-box Azure features as possible o For example: outsource VM controls to Security Center
- 8. SECURE DEVOPS KIT FOR AZURE (AZSDK)
- 9. SECURE DEVOPS KIT FOR AZURE (AZSDK)
- 10. INSTALLATION
- 11. SUBSCRIPTION SECURITYSubscription RBAC provisioning Deploy mandatory and scenario/solution specific accounts/groups on a subscription. Ability to specify and remove deprecated accounts. Alerts setup Configure insights-based alerts for important activities. Runbooks for critical alerts to send SMS with key alert body info. ARM policy setup Deploy and enable ARM policy definitions (e.g., audit/deny use of ASM/v1 resources) ASC setup Configure Azure Security Center by enabling policies, setting security POCs, etc. Resource Locks Ensure that critical enterprise resources have locks deployed on them. Health Check More than a dozen subscription hygiene security checks, including proper provisioning
- 13. DEVELOP SECURELY Feature Scenarios/Details Development Security IntelliSense • Get inline support for secure coding right at the point of code creation. • Checks on Azure Best practices, ADAL and common crypto • VS plug-in for C#. • Security IntelliSense extension works on Visual Studio 2015 Update 3 or later.
- 15. SPOT CHECK SECURITY Feature Scenarios/Details Development Security IntelliSense • Get inline support for secure coding right at the point of code creation. • Checks on Azure Best practices, ADAL and Crypto • VS plug-in for C#. Security Verification Tests • Scan cloud solutions during early dev and prototyping stages. • Provides a variety of options to define scan targets. • Easy, intuitive reports and detailed logs. Support for 25+ Azure IaaS and PaaS service types.
- 18. DEMO TIME!
- 19. CONTINUOUS ASSURANCE • Run AzSDK tests periodically using Azure Automation • Write to Log Analytics • Query with Gusto Query Language • Integrate with your existing systems, such as your SIEM
- 24. RECENT UPDATES • New features: o Generate PDF Report o Generate AutoFix Script o Jenkins support • Upcoming: o AzSDK ARM Templates Evaluator - Preview
- 25. Role How to use AzSDK Subscription Owner • Check the overall security health of your Azure subscription. • Ensure that AzSDK artifacts are properly provisioned. Developer Team • Get inline support with security tips and corrections while writing code for Azure apps (and also standard web applications in general). • Test that Azure resources you are using for your application/solutions are configured and deployed securely. • Enable security in CICD by including various security tests in the build/release pipelines Deployment Team • Control deployment workflows according to outcomes of security checks. Operations Team • Observe the security state with subscription health checks and SVT’s. • Track security state in a 'continuous' manner • Provide support and templates for frequently failing operational security activities such as key rotation, access reviews, public ips, etc.
- 26. DISCUSSION • AzSDK is not your magic bullet to tick the security box o AzSDK mostly covers “administrative access” in traditional threat models, some “application access” as well o You still have to worry about users, external threats and more o Threat modeling and Defense in Depth approach are your friends! • Carefully analyze the results in the scope of your application – are the recommended controls right for your app?
- 27. RESOURCES • Try out the Secure DevOps Kit for Azure! • Installation guide, docs: http://aka.ms/azsdkossdocs • Controls coverage: http://aka.ms/azsdkosstcp • IT Showcase: http://aka.ms/azsdk/itshowcase • Support: [email protected]