Using DevSecOps on Azure

In a previous article, Using DevSecOps to Strengthen Security on Microsoft Azure, we covered the fundamentals of DevSecOps security and how to use them to achieve hardened deployments in Azure. 

More than a year has passed since then, so it’s time to revisit this issue and see what has changed. This article will provide some updates on the major services and techniques that can be used to accomplish production-grade deployments in Azure without sacrificing speed. To do this, we’ll tour the DevSecOps services available from the perspective of the DevOps blade within the Azure portal. Azure DevOps is the cloud-native replacement for Team Foundation Server (TFS); if you’ve been using TFS, there is a guide to assist you in your migration. 

Secure Software-Defined Lifecycle

Your DevOps design should be based on Key Performance Indicators (KPIs) related to speed, frequency, and failure. This means you should be using metrics like “mean time to detection” or “mean time between failures” to meet delivery objectives. But you also have to ask, “What security metrics are relevant to us?” Often these will include “mean time to resolve security issues” and a review of your security-tagged backlog. As your team matures, you’ll also want to have special security-focused dashboards to track metrics and progress while using solutions like Azure WAF.

Software development will often start with Azure Boards, where you can plan sprints. Tasks here should be tagged, requiring any design or code commit to be reviewed for security impact. Variations in the number of security reviews per month should roughly match expectations based on the sensitivity of components being worked on. Production branches should require multiple reviewers. 

Integrations and extensions let you incorporate most of the tools your team typically uses, such as a bug tracking system or a vulnerability scanning tool like Micro Focus or Checkmarx. If you have a preferred CI like Jenkins, you can use that instead of the native Azure DevOps builds, or replace the CD with your favorite deployment tool, e.g., Spinnaker.

Access to Azure DevOps is controlled by an RBAC system with default roles to satisfy the needs of most development teams. 

IaC Azure Pipelines 

In Azure, infrastructure as code (IaC) is usually based on either Terraform modules or Azure Resource Manager (ARM) templates. These are declarative languages: you specify the desired state (the nouns) and the tooling performs the actions needed to reach it (the verbs). This is in contrast to scripting with Azure CLI or PowerShell, which tends to become bloated with existence checks to avoid deploying the same resource twice. In the shift-left world, you should integrate a linting system for your IaC, e.g., Secure DevOps Kit for Azure, ARM Template Best Practice Analyzer, or checkov, to catch security failures before they are deployed.

These building blocks can then be assembled in Azure Pipelines and triggered by commits to IaC or developer repositories. Pipelines are composed of steps (units of code), jobs (several steps executed on a single machine), and stages (groups of jobs). It is worth spending the time to make these pipelines efficient through caching and parallelization, as this ensures a tight feedback loop for developers. If the builds are fast, developers will be far more receptive to adding security steps such as code scanning.

Note: It is crucial that secrets are stored properly when developing IaC templates. Follow the guide on using Azure Key Vault to reference secrets in ARM templates. The guide points to a GitHub repo with many examples of integrating the two.
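To make the two points above concrete, here is an added example of the kind of pre-deployment check a linting step in the pipeline runs. It is not code from the article, and it is not checkov or the Secure DevOps Kit; it is a small hand-rolled check over an ARM template and its parameters file, both constructed here, that fails the build when a storage account is deployed without HTTPS-only and TLS 1.2, or when a secret-looking parameter is supplied inline rather than as a Key Vault reference. The template, the parameter names and the `<sub-id>`/`<rg>`/`<vault>` placeholders are all assumptions for the example.

```python
"""Pre-deployment lint of an ARM template and its parameters file.

Added example (not from the article, and not checkov or the Secure DevOps
Kit): a hand-rolled check of the kind those linters run, so the pipeline
step fails before anything reaches Azure. The template and parameters
below are constructed for the example.
"""
from __future__ import annotations
import json

# Constructed ARM template: one weak storage account, one hardened one,
# and a secret-like parameter declared as a plain string.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "sqlAdminPassword": {"type": "securestring"},
        "legacyToken": {"type": "string"},  # should be securestring
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "name": "stlogsweak",
            "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "name": "stlogshardened",
            "properties": {
                "supportsHttpsTrafficOnly": True,
                "minimumTlsVersion": "TLS1_2",
                "allowBlobPublicAccess": False,
            },
        },
    ],
}

# Constructed parameters file: one Key Vault reference (correct) and one
# literal secret (what the check is meant to catch). Placeholders assumed.
PARAMETERS = {
    "parameters": {
        "sqlAdminPassword": {
            "reference": {
                "keyVault": {
                    "id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>"
                },
                "secretName": "sqlAdminPassword",
            }
        },
        "legacyToken": {"value": "constructed-inline-token-value"},
    }
}

# Substrings that suggest a parameter carries a secret (assumption).
SECRET_HINTS = ("password", "secret", "token", "key", "connectionstring")


def looks_secret(name: str) -> bool:
    return any(hint in name.lower() for hint in SECRET_HINTS)


def lint_template(template: dict) -> list[str]:
    """Findings for storage-account hardening and parameter types."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        props = res.get("properties", {})
        name = res.get("name")
        if props.get("supportsHttpsTrafficOnly") is not True:
            findings.append(f"{name}: supportsHttpsTrafficOnly must be true")
        if props.get("minimumTlsVersion") != "TLS1_2":
            findings.append(f"{name}: minimumTlsVersion should be TLS1_2")
        # Azure defaults this to true when omitted, so missing counts as a finding.
        if props.get("allowBlobPublicAccess", True) is not False:
            findings.append(f"{name}: allowBlobPublicAccess should be false")
    for pname, pdef in template.get("parameters", {}).items():
        if looks_secret(pname) and pdef.get("type", "").lower() not in ("securestring", "secureobject"):
            findings.append(f"parameter {pname}: secret-like name but type is not securestring")
    return findings


def lint_parameters(params: dict) -> list[str]:
    """Findings for secrets passed as literals instead of Key Vault references."""
    findings = []
    for pname, pval in params.get("parameters", {}).items():
        if looks_secret(pname) and "reference" not in pval:
            findings.append(f"parameter {pname}: secret supplied inline instead of a Key Vault reference")
    return findings


def gate(template: dict, params: dict) -> bool:
    """True when the deployment may proceed, i.e. there are no findings."""
    return not (lint_template(template) + lint_parameters(params))


if __name__ == "__main__":
    print(json.dumps(lint_template(TEMPLATE) + lint_parameters(PARAMETERS), indent=2))
    raise SystemExit(0 if gate(TEMPLATE, PARAMETERS) else 1)
```

Run as a pipeline step, the non-zero exit status is what stops the stage; the hardened account produces no findings, the weak one produces three, and the inline token is reported both as a non-secure parameter type and as a literal value that should have been a Key Vault reference.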

Kubernetes on Azure

Kubernetes is a complete ecosystem of services worth an article of its own, so we’ll just touch on a few points here. 

Azure Kubernetes Service (AKS) is a managed service that comes with enhanced security features like Azure Policy and Azure Defender. Many third parties also offer solutions for specific security needs not yet covered by AKS. These are often inducted into the Cloud Native Computing Foundation, including Reblaze’s Curiefense, a CNCF sandbox project offering enhanced WAF protection, application-layer DDoS protection, rate limiting, and more.

Observability and Response in the Cloud

In order to deploy with confidence, you need to have code commits flowing through a suitable test environment, collect all the data to perform tests, and gather all that information into dashboards with an effective layout to guide the operations team to the correct actions. 

Logging begins with enabling sufficient logs. By default, most services only log control plane activity—like creating a storage account—not data plane read/write activity. Storage accounts have several options for enabling enhanced logging, but for most services you need to configure this yourself via Azure’s diagnostic settings. There are cost trade-offs, to be sure, but it is definitely worth enabling maximum logging during security incidents or security testing, and tagging the resources that should always have enhanced logging enabled, which at a minimum should include all resources related to CI/CD.

You can export logs to a Log Analytics workspace or third-party vendors. By processing logs and creating dashboards, you can set up alerts on suspicious activity; furthermore, all sources can be fed into Azure Monitor and Azure Sentinel for higher-order observability analytics.
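The two paragraphs above are easier to see with records in hand. The following is an added example, not code from the article: a small triage pass over constructed log records shaped like Azure's Activity Log (control plane) and the storage diagnostic-setting categories (data plane), showing what an alert rule over a Log Analytics export could flag, and which events would simply not exist with the default control-plane-only logging. The callers, URIs and the list of operations treated as sensitive are assumptions for the example; the `operationName` and `category` values follow the Azure schemas.

```python
"""Triage of Azure control-plane and data-plane log records.

Added example, not code from the article: a classifier over constructed
records in the shape of the Activity Log (control plane) and storage
diagnostic logs (data plane). It shows what enhanced logging on CI/CD
resources lets you alert on, and what control-plane-only logging misses.
"""
from __future__ import annotations
from collections import Counter

CONTROL_PLANE = {"Administrative", "Security", "Policy"}
DATA_PLANE = {"StorageRead", "StorageWrite", "StorageDelete"}

# Control-plane operations worth an alert even when they succeed (assumption).
SENSITIVE_OPS = {
    "Microsoft.Storage/storageAccounts/listKeys/action": "storage account key read",
    "Microsoft.Insights/diagnosticSettings/delete": "diagnostic logging removed",
    "Microsoft.KeyVault/vaults/accessPolicies/write": "Key Vault access policy changed",
}

# Constructed records; field names follow the Azure schemas, values are invented.
RECORDS = [
    {"category": "Administrative", "operationName": "Microsoft.Storage/storageAccounts/write",
     "caller": "pipeline-sp@example.com", "resultType": "Success"},
    {"category": "Administrative", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "caller": "contractor@example.com", "resultType": "Success"},
    {"category": "Administrative", "operationName": "Microsoft.Insights/diagnosticSettings/delete",
     "caller": "contractor@example.com", "resultType": "Success"},
    # The three below only exist because a diagnostic setting was enabled on the account.
    {"category": "StorageRead", "operationName": "GetBlob", "authenticationType": "Anonymous",
     "uri": "https://stcicd.blob.core.windows.net/artifacts/release.zip", "statusCode": 200},
    {"category": "StorageWrite", "operationName": "PutBlob", "authenticationType": "OAuth",
     "uri": "https://stcicd.blob.core.windows.net/artifacts/build-42.zip", "statusCode": 201},
    {"category": "StorageRead", "operationName": "GetBlob", "authenticationType": "AccountKey",
     "uri": "https://stcicd.blob.core.windows.net/artifacts/release.zip", "statusCode": 200},
]


def plane(record: dict) -> str:
    """Classify a record as control plane, data plane, or unknown."""
    cat = record.get("category")
    if cat in CONTROL_PLANE:
        return "control"
    if cat in DATA_PLANE:
        return "data"
    return "unknown"


def triage(records: list[dict]) -> list[str]:
    """Return one alert string per record that a dashboard rule should surface."""
    alerts = []
    for r in records:
        kind = plane(r)
        if kind == "control":
            reason = SENSITIVE_OPS.get(r.get("operationName"))
            if reason:
                alerts.append(f"{reason} by {r.get('caller')}")
        elif kind == "data":
            auth = r.get("authenticationType")
            if auth == "Anonymous":
                alerts.append(f"anonymous {r['operationName']} on {r['uri']}")
            elif auth == "AccountKey":
                alerts.append(f"shared-key {r['operationName']} on {r['uri']} (prefer Azure AD)")
    return alerts


def plane_counts(records: list[dict]) -> Counter:
    """How much of the record set is control plane vs data plane."""
    return Counter(plane(r) for r in records)


if __name__ == "__main__":
    print(dict(plane_counts(RECORDS)))
    for line in triage(RECORDS):
        print("ALERT:", line)
```

The pairing that matters for the operations team is the `listKeys` call in the Activity Log followed by a shared-key `GetBlob` on the build artifacts: the first is visible by default, the second is only there because the CI/CD storage account had enhanced logging enabled, and the removal of the diagnostic setting is itself one of the events to alert on.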

Finally, Azure Defender can add endpoint detection and intrusion prevention capabilities. In addition to running agents on VMs and containers, many services like SQL or Kubernetes have an option to enable Azure Defender. The choice between this and third-party solutions will require a service-by-service evaluation. Very often, outside solutions will have better capabilities, but Defender may offer better integration with related Azure services (such as Azure WAF).

Azure Policy and Azure Security Center

Azure is a platform with a tremendous number of hardening capabilities, but the hardenings required for one business may only cause friction—and no value—for another. All clouds thus tend to favor ease-of-use over hardening in their default settings for deployments. This is where Azure Policy comes in, as it allows organizations to tune the “default” or allowed configurations and prevent those that violate company policy. Azure Policy is a Desired State Configuration (DSC) service that lets you specify the degree to which your resources and services are hardened and whether Azure should alert or prevent/remediate a deployment. 

Azure Policy enforcement environments should be considered when designing the topology of subscriptions in an Azure tenant. Policies can be applied at the management group, subscription, or resource group level. Therefore, compliance can be gradually enforced as deployments progress through the test, stage, and production environments. 
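As an added example (not code from the article, and not Azure's own evaluation engine), the following is a minimal evaluator for the `if`/`then` shape used by real Azure Policy definitions, applied to constructed storage-account resources with the same definition assigned with `effect = Audit` to a test subscription and `effect = Deny` to production, which is the gradual enforcement the paragraph above describes. Alias resolution is deliberately simplified: only `type`, `name`, `location`, `tags[...]` and `<resourceType>/<property>` are handled, and the subscription ids and resource ids are invented.

```python
"""Evaluating one Azure Policy definition under Audit and Deny assignments.

Added example, not from the article and not Azure's engine: a minimal
evaluator for the if/then policyRule schema, applied to constructed
resources. Alias handling is a simplification (assumption): only type,
name, location, tags[...] and <resourceType>/<property> are resolved.
"""
from __future__ import annotations

# Policy definition in the real schema: storage accounts must enforce HTTPS.
POLICY_DEFINITION = {
    "mode": "Indexed",
    "parameters": {
        "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit"}
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true"},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}

# Constructed assignments: flag in test, block in production.
ASSIGNMENTS = {
    "/subscriptions/test-sub": {"effect": "Audit"},
    "/subscriptions/prod-sub": {"effect": "Deny"},
}


def resolve_field(resource: dict, field: str):
    """Simplified alias resolution; booleans compare as lowercase strings like Azure does."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    rtype = resource.get("type", "")
    if rtype and field.startswith(rtype + "/"):
        value = resource.get("properties", {}).get(field[len(rtype) + 1:])
        return str(value).lower() if isinstance(value, bool) else value
    return None


def condition_holds(resource: dict, cond: dict) -> bool:
    """Recursively evaluate allOf / anyOf / not / field conditions."""
    if "allOf" in cond:
        return all(condition_holds(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(resource, cond["not"])
    actual = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return actual == cond["equals"]
    if "notEquals" in cond:
        return actual != cond["notEquals"]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, definition: dict, assignment_params: dict) -> str:
    """Return 'compliant', 'audit' or 'deny' for one resource under one assignment."""
    rule = definition["policyRule"]
    if not condition_holds(resource, rule["if"]):
        return "compliant"
    effect = rule["then"]["effect"]
    if effect.startswith("[parameters('") and effect.endswith("')]"):
        pname = effect[len("[parameters('"):-len("')]")]
        default = definition["parameters"][pname].get("defaultValue")
        effect = assignment_params.get(pname, default)
    return effect.lower()


def decide(resource: dict) -> str:
    """Find the assignment whose scope prefixes the resource id, then evaluate."""
    for scope, params in ASSIGNMENTS.items():
        if resource["id"].startswith(scope + "/"):
            return evaluate(resource, POLICY_DEFINITION, params)
    return "compliant"  # no assignment in scope


# Constructed resources: the same weak account in test and in production.
WEAK_TEST = {
    "id": "/subscriptions/test-sub/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/st1",
    "type": "Microsoft.Storage/storageAccounts", "name": "st1",
    "properties": {"supportsHttpsTrafficOnly": False},
}
WEAK_PROD = {**WEAK_TEST,
             "id": "/subscriptions/prod-sub/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/st1"}
GOOD_PROD = {**WEAK_PROD, "properties": {"supportsHttpsTrafficOnly": True}}

if __name__ == "__main__":
    for label, res in (("weak/test", WEAK_TEST), ("weak/prod", WEAK_PROD), ("good/prod", GOOD_PROD)):
        print(label, "->", decide(res))
```

The definition itself never changes between environments; only the assignment's `effect` parameter does, which is what lets the same non-compliant template pass through test with a finding and be refused at deployment time in production.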

As the security posture of a DevOps team matures, they will integrate Azure Security Center (ASC) and Azure Advisor into their DevOps processes as well. ASC allows third parties to enrich data sources and stream events into it. This is how Reblaze extends and completes Azure’s WAF offering for Web App Services.

Larger enterprises will want to take advantage of the services in the Management and Governance blade. Azure offers a complete guide on how to build a governance strategy as well as blueprints tailored to specific industry-compliance requirements.

Conclusion

Cloud DevSecOps tools and best practices are evolving very rapidly. A good way to keep your team current on the latest offerings is to have new hires complete a certification like DevOps Engineer Expert, which will expose them to the most-recent best practices and tools on Azure. Almost all SMEs or larger organizations require a mix of Azure Cloud-native and third-party solutions to achieve their security goals. You can avoid runaway technical debt by leveraging IaC solutions and keeping on top of your monitoring and alerting dashboards.

For more information on Azure security, see our white paper Securely Using Microsoft Azure.
