Presented by
Control Freak: Risk and Control in Azure DevOps
Barkha Herman
South Florida Code Camp ‘18
What will be covered:
• Audit and Controls for Environments
• Audit and Controls for Code
• Audit and Controls for Data at Rest
• Audit and Controls for Data in Motion
• Monitoring and Response
Audit and Control for Environments
Some sample Controls:
1. Logical and physical Segregation of Environments
2. Lifecycle Methodology for Deployments
3. Process set for Approvals and review
Implementation
1. Use ARM Templates to create PaaS and IaaS Applications
2. Use VSTS Branch Policies to control changes to Templates
3. Use a deployment Pipeline to control Environment Changes
Use ARM Templates to deploy
1. Azure Resource Manager templates automate deployment.
2. Creating an environment becomes repeatable.
3. Creating environments can be scripted.
Use VSTS for Templates
1. Use VSTS to maintain ARM Templates and standardize changes to environments.
2. Use the gitflow Pull Request process to validate and audit any changes to the environments.
Use Pipelines for Deployments
1. Use Deployment Pipelines for Deployments.
2. Use SPNs for environments; devops cannot deploy directly to an environment.
3. Approvers are set up for each environment – QA approvers differ from PROD approvers.
Demo…
Audit and Control for Code
Some Sample Controls
1. Code is located in a secure location
2. Access to modify code is restricted
3. Code is reviewed, tested and scanned etc.
4. Code deployment is “gated” and “Audited”
Implementation
1. Git Flow & Branch Policies in VSTS
2. Build once, deploy several times for consistency
3. Deployment Pipeline with Approvals for “Gates” and audits
Git Flow + Controls
1. Use GitFlow
2. Pull Requests for merges, required reviews and Work Items
3. Developer code lives in PR branches, merged into Develop
4. Master keeps release versions
5. Code must compile before merge to develop
6. Builds run tests, scan for issues
7. Deployments are gated
Deployment Pipelines
1. Build artifacts are created once
2. Continuous deployment ensures compile, unit tests, etc.
3. Deployment to any environment from CD requires approvals
4. Create different groups for approvals to different environments
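The build-once, deploy-several pipeline with a per-environment SPN and a separate approver group per environment, as described on the environment and deployment slides, written out as an added Azure Pipelines YAML example (not the talk's own code). The service connection, environment, resource group, web app, subscription-variable and template-path names are assumed, and the approver groups are attached to the QA and PROD environments in the Azure DevOps UI rather than in the YAML.

```yaml
# Added example, not from the talk: one Azure Pipelines YAML pipeline that
# builds once and deploys that same artifact to QA and then to PROD.
# Assumed (hypothetical) names: service connections sc-qa / sc-prod, one SPN
# per environment scoped to that environment's resource group; environments
# QA / PROD; resource groups rg-app-qa / rg-app-prod; web apps app-qa /
# app-prod; ARM templates under infrastructure/; $(qaSubscriptionId) and
# $(prodSubscriptionId) are pipeline variables. Approvals are not written
# here: each approver group is attached to its environment (Pipelines >
# Environments > Approvals and checks), so PROD waits on PROD approvers only.
trigger:
  branches:
    include:
      - develop   # gitflow: develop builds go as far as QA
      - master    # master keeps release versions and may continue to PROD
stages:
  - stage: Build
    jobs:
      - job: BuildOnce
        pool:
          vmImage: ubuntu-latest
        steps:
          - script: dotnet build -c Release
            displayName: Compile
          - script: dotnet test -c Release --no-build
            displayName: Unit tests
          - script: dotnet publish -c Release --no-build -o $(Build.ArtifactStagingDirectory)
            displayName: Publish app
          # The single build output that every environment will deploy
          - publish: $(Build.ArtifactStagingDirectory)
            artifact: app
          # Templates travel with the build: environments come from the reviewed template
          - publish: infrastructure
            artifact: infra

  - stage: Deploy_QA
    dependsOn: Build
    jobs:
      - deployment: DeployQA
        environment: QA              # QA approver group gates this stage
        pool:
          vmImage: ubuntu-latest
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current  # deployment jobs do not check out source
                - task: AzureResourceManagerTemplateDeployment@3
                  displayName: Create or update QA from the ARM template
                  inputs:
                    deploymentScope: Resource Group
                    azureResourceManagerConnection: sc-qa
                    subscriptionId: $(qaSubscriptionId)
                    action: Create Or Update Resource Group
                    resourceGroupName: rg-app-qa
                    location: East US
                    templateLocation: Linked artifact
                    csmFile: $(Pipeline.Workspace)/infra/azuredeploy.json
                    csmParametersFile: $(Pipeline.Workspace)/infra/azuredeploy.qa.parameters.json
                    deploymentMode: Incremental
                - task: AzureWebApp@1
                  displayName: Deploy the build artifact to QA
                  inputs:
                    azureSubscription: sc-qa
                    appName: app-qa
                    package: $(Pipeline.Workspace)/app

  - stage: Deploy_PROD
    dependsOn: Deploy_QA
    # Only release builds from master reach PROD, and only after QA succeeded
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
    jobs:
      - deployment: DeployPROD
        environment: PROD            # a different approver group than QA
        pool:
          vmImage: ubuntu-latest
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                - task: AzureResourceManagerTemplateDeployment@3
                  displayName: Create or update PROD from the ARM template
                  inputs:
                    deploymentScope: Resource Group
                    azureResourceManagerConnection: sc-prod
                    subscriptionId: $(prodSubscriptionId)
                    action: Create Or Update Resource Group
                    resourceGroupName: rg-app-prod
                    location: East US
                    templateLocation: Linked artifact
                    csmFile: $(Pipeline.Workspace)/infra/azuredeploy.json
                    csmParametersFile: $(Pipeline.Workspace)/infra/azuredeploy.prod.parameters.json
                    deploymentMode: Incremental
                - task: AzureWebApp@1
                  displayName: Deploy the same artifact to PROD
                  inputs:
                    azureSubscription: sc-prod
                    appName: app-prod
                    package: $(Pipeline.Workspace)/app
```

Because the deployment stages run only under their own service connection, a developer with pipeline edit rights still cannot push to PROD without the PROD environment's approval, which is the audit trail the talk is after.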
Demo…
Audit and Controls for Data at Rest
Some Sample Controls
1. Ensure that Data is Encrypted at rest
2. Access to static data is controlled and audited
3. Ensure that Data is “Highly Available”
4. Ensure Data is Restorable, i.e. Loss Prevention
5. Ensure Data is auditable, i.e., Retention Policies
Implementation - SQL
1. TDE is available for Azure SQL. Uses Key Vault for encryption keys.
2. Always Encrypted option available.
Implementation – Storage Blob / Files
1. Storage Service Encryption is also available.
2. Key management using Key Vault.
Implementation - CosmosDB
1. Encrypted by default.
2. Backup to Blob is also encrypted.
Demo…
Audit and Control for Data in Motion
Some Sample Controls
1. All end points use TLS
2. Authentication and Authorization are implemented
3. All communication is secure in transit – not only from client to server, but within a data center
Implementation
1. TLS is default in PaaS Services
2. App Service Environments (ASEs) can be set up for web apps and web APIs for performance, virtual network integration and isolation
3. Azure site-to-site VPN
4. Azure Point-to-site VPN
5. ExpressRoute
Monitoring and Response
Some Sample Controls
1. All end points have logs for auditing.
2. All end points have monitoring available.
3. Alerts are set for disaster as well as security related events.
4. Diagnostics are available for all services.
Logging and Analysis Tools available
1. Application Insights
2. Azure Policy
3. Security Center
4. Azure Monitor
5. Others…
Demo…
Stay Connected
If you have questions or would like more information, feel free to contact me via email
barkha.herman@agilethought.com
• www.agilethought.com
• www.linkedin.com/company/AgileThought
• @AgileThought