Are you currently experiencing an attack?

Are you currently experiencing an attack?

Using DevSecOps to Strengthen Security on Microsoft Azure

DevSecOps is the practice of building security into every phase of the software development lifecycle, including infrastructure. An airtight infrastructure will provide a secure foundation for anything that gets layered on top of it, whether that be virtual servers, containers, or even microservices.

In Azure, there are a few best practices to help secure your cloud infrastructure. These practices include securing the perimeter, utilizing gold-hardened images from the Azure marketplace, managing server drift via containers, and using immutable servers. Let’s dive into some of these practices that you can implement in Azure using DevSecOps.

Perimeter Security in Azure

Whether it’s in the cloud or on-premises, network security isn’t something that happens automatically. Azure does provide resources to help automate network creation, yet not network security. But by applying some networking best practices to the provided resources, you can create a secure networking infrastructure in Azure.

Azure Virtual Networking

Azure virtual networking allows you to filter network traffic, route network traffic, and even restrict access to network resources. And you can do all of the above internally between your infrastructure in the cloud as well as along your network’s perimeter. With the proper configuration, your Azure Virtual Network can connect devices on the same network, to your on-premises environment, or even between virtual networks. However, an improper configuration can increase your network’s footprint and leave you open to attack. Without a proper Azure Virtual Network configuration, you will most likely have problems.

Zero Trust

The best way to approach this problem is by adopting a Zero Trust architecture. This is different than relying only on a traditional “perimeter security” model, because that model has a weakness: an attacker needs only to compromise one endpoint in order to penetrate the entire network.

Zero Trust networks address this issue by removing implied trust across the whole network. This structure allows you to construct multiple gates between your infrastructure endpoints in order to validate trust at the time of access. This is similar to having to badge into various buildings and sometimes even various rooms on an office or college campus. You aren’t allowed in until you can prove you belong.

Control Routing Behavior

Another way to control the traffic in your Azure environment is to configure user-defined routes. By default, when you spin up an Azure Virtual Machine, it can connect to any other virtual machine in the Azure Virtual Network–even if it is across subnets! Default routing also allows outbound connections to the internet. By implementing user-defined routes, you can override the Azure defaults and specify where you want your traffic to be able to go. This helps reduce your network footprint and also ensures that the right traffic is going to the right place, minimizing potential impact in case of a breach.

Virtual Network Infrastructure

Azure allows you to deploy any number of virtualized network security appliances based on your use case. These could be firewalls, vulnerability management applications, antivirus software, or even intrusion detection/intrusion prevention appliances. For an infrastructure that needs to be web-accessible, you can also create a virtual DMZ to act as an additional logical network segment. This allows you to separate your internet-accessible resources from infrastructure that needs more measured security.

Lock Down Critical Resources to Your Network

An additional benefit of utilizing Azure’s Virtual Network service endpoints is that you can choose to secure your critical Azure resources to only your Azure Virtual Network. The endpoints will provide improved security by fully removing accessibility from the open internet, use forced tunneling to optimize Azure traffic, and reduce overhead by eliminating the need for a border firewall, NAT, or any other gateway device.

DevSecOps through CI/CD

The popularity of CI/CD pipelines continues to increase. Here we’ll cover the most common way to start with a solid foundation as you build your pipeline.

Gold-Hardened Images

Hardened images allow you to deploy a securely configured virtual instance of many different popular operating systems with preconfigured security settings attached. For example, you can take a hardened image, apply your internal security requirements, install the necessary software, apply a desired configuration, and voilà! You have created a gold-hardened image.

In the DevSecOps world, we often talk about “configuration drift,” and your gold-hardened image is where the configuration drift migrates from. If you’re looking for a good place to start, you may want to check out the “Center for Internet Security” Hardened Images on the Azure Marketplace. These images implement a few important security features, which may help you maintain compliance with a data security standard such as PCI or HIPAA. But they also go above and beyond standard compliance in some instances.

Whether you’re using a pre-hardened image, or you want to harden an image of your own, you’ll want to make sure you have implemented these controls:

  • All volumes are encrypted (even root).
  • All attached storage is encrypted.
  • The image has been patched (including third-party software).
  • Future updates are in a pipeline.

Here’s more information about creating and deploying hardened images.

DevSecOps for Applications

Although you can secure your applications in a number of ways, here we’ll cover Containerization and Immutability. These two methods allow you to increase replicability and durability while reducing your attack surface.

Using Containers

It goes without saying that people on the internet can be malicious, and this is still true when it comes to containers. The first step toward securing your Azure containers is to use a private repository. Public repositories such as Docker Hub do not guarantee security, as each container has multiple layers of software, and each layer may possess vulnerabilities.

You should definitely consider creating and maintaining your own container registry since this is the only way to ensure that you’re using secured containers. If you must use a public-facing container registry, use a private one such as the Docker Trusted Repository or the Azure Container Registry. These registries are managed by the vendor, which helps reduce vulnerabilities and the threat of attacks. Internally, be sure to also only permit certain approved registries so that your developers and security teams are on the same page. This will further help improve the ability of both teams to prevent vulnerabilities by limiting the possibility of an unknown or unauthorized container being deployed.

Speaking of vulnerabilities, you’ll want to monitor and scan your container infrastructure using the same standards as you do for your virtual and physical infrastructure. This means that you will need to incorporate vulnerability management into the container development lifecycle, the same as you do with your software development lifecycle. Just because it’s a container doesn’t mean it gets off the hook when it comes to monitoring and scanning.

Finally, you can implement a Continuous Integration (CI) pipeline with integrated security scanning to build your images and push them to your private registry, ensuring that your builds comes from an approved, authorized, and hardened source.

Immutable Servers

As the DevOps mantra says, treat your infrastructure as “cattle, not pets.” One way to do this in Azure with DevSecOps is by recreating an environment when there are configuration changes simply by modifying the infrastructure code. This differs from the traditional opinion that each server needs to be touched by you or by your orchestration tools in order to implement a new configuration. Immutability means that you destroy your previous infrastructure, simply create it anew, and deploy. This eliminates the possibility of configuration drift and keeps your infrastructure as secure as possible.

Of course, you would have done all of your development and testing in the appropriate environments, so you won’t have to have any hand in production, keeping it as pure as possible. This allows your developers to be as free as possible during the early phases of the software development lifecycle while still maintaining a properly hardened production environment.

Conclusion

There are many more ways to implement DevSecOps within Azure than what we’ve listed here. This article has only scratched the surface of the possibilities within DevSecOps. By maintaining appropriate perimeter security, utilizing gold-hardened images, practicing safe container management, and keeping your hands out of the production environment, you’ll be well on your way to achieving a mature DevSecOps posture in your Azure environment.

Also, for a robust security posture, protection must be provided not only for the infrastructure, but also for your web applications and APIs. Incoming web traffic must still be scrubbed, and the security solution that does this must run natively on Azure, be cloud-native and able to support your CI/CD and DevSecOps practices, and have other necessary features as well. To protect your web assets with a comprehensive web security solution that fulfills all these requirements, consider Reblaze.

Get more information or request a demo here.

Get your price quote

Fill out your email below, and we will send you a price quote tailored to your needs

This website uses cookies to ensure you get the best experience on our website.