This document discusses controls for audit and risk management in Azure DevOps. It covers controls for environments, code, data at rest, and data in motion. For environments, it recommends using ARM templates, VSTS branch policies, and deployment pipelines. For code, it suggests using GitFlow, branch policies, and deployment pipelines with approvals. For data at rest, it proposes encryption with TDE, Always Encrypted, and Storage Service Encryption. For data in motion, it advises using TLS and virtual networks. The document also outlines logging, monitoring, and response controls using tools like Application Insights, Azure Policy, and Security Center.
Risk and Control in Azure DevOps
1. Presented by
Control Freak: Risk and Control in Azure DevOps
Barkha Herman
South Florida Code Camp ‘18
2. What will be covered:
• Audit and Controls for Environments
• Audit and Controls for Code
• Audit and Controls for Data at Rest
• Audit and Controls for Data in Motion
• Monitoring and Response
4. Some sample Controls:
1. Logical and physical Segregation of Environments
2. Lifecycle Methodology for Deployments
3. Process set for Approvals and review
5. Implementation
1. Use ARM Templates to create PaaS and IaaS Applications
2. Use VSTS Branch Policies to control changes to Templates
3. Use a deployment Pipeline to control Environment Changes
6. Use ARM Templates to deploy
1. Azure Resource Manager templates automate deployment.
2. Creating environments becomes repeatable.
3. Creating environments can be scripted.
7. Use VSTS for Templates
1. Use VSTS to maintain ARM Templates and standardize changes to environments.
2. Use the gitflow Pull Request process to validate and audit any changes to the environments.
8. Use Pipelines for Deployments
1. Use Deployment Pipelines for Deployments.
2. Use SPNs (service principals) for environments; DevOps staff cannot deploy directly to an environment.
3. Approvers are set up for each environment – QA approvers differ from PROD approvers.
11. Some Sample Controls
1. Code is located in a secure location
2. Access to modify code is restricted
3. Code is reviewed, tested and scanned etc.
4. Code deployment is “gated” and “Audited”
12. Implementation
1. Git Flow & Branch Policies in VSTS
2. Build once, deploy several for consistency
3. Deployment Pipeline with Approvals for “Gates” and audits
13. Git Flow + Controls
1. Use GitFlow
2. Pull Requests for merges, with required reviews and Work Items
3. Developer code lives in PR branches, merged into Develop
4. Master keeps release versions
5. Code must compile before merge to Develop
6. Builds run tests, scan for issues
7. Deployments are gated
14. Deployment Pipelines
1. Build artifacts are created once
2. Continuous deployment ensures compile, unit tests, etc.
3. Deployment to any environment from CD requires approvals
4. Create different groups for approvals to different environments
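The code controls on slides 13 and 14 (reviewers and work items on pull requests, build validation before merge, and separate approver groups per environment) can be audited mechanically. The following is an added example, not code from the talk: it takes a simplified, constructed description of branch policies and environment approvers (not the Azure DevOps REST schema; adapt the loader to your own export) and reports which controls are missing. The rule that the deploying service principal must not itself be an approver is this example's reading of "devops cannot deploy directly to an environment".

```python
"""Audit branch policies and environment approvals against the deck's code controls.

Input shapes are constructed for this example; they are not the Azure DevOps
policy/release REST schema. Map your own export onto these dataclasses.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass
class BranchPolicy:
    branch: str
    min_reviewers: int = 0
    creator_vote_counts: bool = True   # PR author may count as a reviewer
    require_work_item: bool = False    # PR must link a work item
    build_validation: bool = False     # PR must build before merge ("code must compile")


@dataclass
class Environment:
    name: str
    approvers: frozenset              # group names allowed to approve a deployment
    deploy_identity: str              # service principal the pipeline deploys as


# Branches the deck expects to be protected: Develop (integration) and Master (releases).
REQUIRED_BRANCHES = ("develop", "master")


def check_branch_policy(p: BranchPolicy) -> list:
    """Return one finding per control the branch policy fails to enforce."""
    findings = []
    if p.min_reviewers < 1:
        findings.append(f"{p.branch}: pull requests do not require a reviewer")
    if p.creator_vote_counts:
        findings.append(f"{p.branch}: pull request author may approve their own change")
    if not p.require_work_item:
        findings.append(f"{p.branch}: pull requests do not require a linked work item")
    if not p.build_validation:
        findings.append(f"{p.branch}: no build validation; code need not compile before merge")
    return findings


def check_environments(envs: list) -> list:
    """Every environment needs approvers, the deploying SPN must not approve itself,
    and no two environments may share the exact same approver group set."""
    findings = []
    for e in envs:
        if not e.approvers:
            findings.append(f"{e.name}: no approvers configured")
        if e.deploy_identity in e.approvers:
            findings.append(f"{e.name}: deployment identity is also an approver")
    for a, b in combinations(envs, 2):
        if a.approvers == b.approvers:
            findings.append(f"{a.name} and {b.name} share the same approver group(s)")
    return findings


def audit(policies: list, envs: list) -> list:
    """Combine branch coverage, per-branch policy checks and environment checks."""
    findings = []
    covered = {p.branch for p in policies}
    for branch in REQUIRED_BRANCHES:
        if branch not in covered:
            findings.append(f"{branch}: no branch policy configured")
    for p in policies:
        findings += check_branch_policy(p)
    findings += check_environments(envs)
    return findings


# Constructed sample: develop is fully protected, master is weaker, and PROD reuses QA's approvers.
SAMPLE_POLICIES = [
    BranchPolicy("develop", min_reviewers=2, creator_vote_counts=False,
                 require_work_item=True, build_validation=True),
    BranchPolicy("master", min_reviewers=1, creator_vote_counts=True,
                 require_work_item=True, build_validation=False),
]
SAMPLE_ENVS = [
    Environment("QA", frozenset({"qa-approvers"}), "spn-qa"),
    Environment("PROD", frozenset({"qa-approvers"}), "spn-prod"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES, SAMPLE_ENVS):
        print("FINDING:", finding)
```

Run as a script it prints three findings for the sample: master allows self-approval, master lacks build validation, and PROD shares QA's approver group. Wiring it to real data means exporting policy configurations and environment checks from Azure DevOps and mapping them onto the two dataclasses.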
17. Some Sample Controls
1. Ensure that Data is Encrypted at rest
2. Access to static data is controlled and audited
3. Ensure that Data is “Highly Available”
4. Ensure Data is Restorable, i.e. Loss Prevention
5. Ensure Data is auditable, i.e., Retention Policies
18. Implementation – SQL
1. TDE is available for Azure SQL. Uses Key Vault for encryption keys.
2. Always Encrypted option available.
19. Implementation – Storage Blob / Files
1. Storage Service Encryption is also available.
2. Key management using Key Vault.
23. Some Sample Controls
1. All end points use TLS
2. Authentication and Authorization is Implemented
3. All communication is secure in transit – not only from client to server, but within a data center
24. Implementation
1. TLS is default in PaaS Services
2. ASEs (App Service Environments) can be set up for web apps and web APIs for performance, virtual networks and isolation
3. Azure site-to-site VPN
4. Azure Point-to-site VPN
5. ExpressRoute
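Because the deck puts environments in ARM templates under pull-request control (slides 6 and 7), the data-at-rest controls of slides 18 and 19 (TDE on Azure SQL, Storage Service Encryption with Key Vault keys) and the TLS control of slide 24 can be checked in the template before it is merged. The following is an added example, not the talk's code: it walks a constructed ARM template (the property names are the real ARM ones for storage accounts and the SQL transparentDataEncryption child resource; the resource names and values are made up) and lists the resources that do not declare those controls. Note that Storage Service Encryption is on by default for storage accounts, so the blob/file checks enforce explicit declaration rather than detect disabled encryption.

```python
"""Lint an ARM template for the deck's at-rest and in-transit controls.

Constructed sample template (not from the talk): one compliant storage account,
one weak one, one SQL database with TDE enabled, one without.
"""
import json

SAMPLE_TEMPLATE = json.loads(r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "goodstorage",
     "properties": {"supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
                    "encryption": {"services": {"blob": {"enabled": true}, "file": {"enabled": true}},
                                   "keySource": "Microsoft.Keyvault"}}},
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "legacystorage",
     "properties": {"supportsHttpsTrafficOnly": false,
                    "encryption": {"services": {"blob": {"enabled": true}},
                                   "keySource": "Microsoft.Storage"}}},
    {"type": "Microsoft.Sql/servers/databases", "apiVersion": "2014-04-01", "name": "sqlsrv/appdb",
     "properties": {},
     "resources": [
       {"type": "transparentDataEncryption", "apiVersion": "2014-04-01", "name": "current",
        "properties": {"status": "Enabled"}}
     ]},
    {"type": "Microsoft.Sql/servers/databases", "apiVersion": "2014-04-01", "name": "sqlsrv/reportdb",
     "properties": {}}
  ]
}
''')


def iter_resources(resources, parent_type="", parent_name=""):
    """Yield (full_type, full_name, resource) for top-level and nested resources.
    Nested children usually use the short type/name form, so the parent's is prefixed."""
    for res in resources:
        rtype, rname = res.get("type", ""), res.get("name", "")
        if parent_type and not rtype.startswith("Microsoft."):
            rtype = f"{parent_type}/{rtype}"
            rname = f"{parent_name}/{rname}"
        yield rtype, rname, res
        yield from iter_resources(res.get("resources", []), rtype, rname)


def check_storage(name, props):
    """Slide 24 (TLS) and slide 19 (SSE with Key Vault keys) for one storage account."""
    findings = []
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append(f"{name}: supportsHttpsTrafficOnly is not true")
    if props.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"{name}: minimumTlsVersion is not TLS1_2")
    enc = props.get("encryption", {})
    for svc in ("blob", "file"):
        if not enc.get("services", {}).get(svc, {}).get("enabled"):
            findings.append(f"{name}: {svc} service encryption not explicitly declared")
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append(f"{name}: encryption keys not managed in Key Vault")
    return findings


def audit_template(template):
    """Collect storage findings, then flag every SQL database without an enabled TDE child."""
    findings, databases, tde_enabled = [], [], set()
    for rtype, rname, res in iter_resources(template.get("resources", [])):
        props = res.get("properties", {})
        kind = rtype.lower()                      # ARM resource types are case-insensitive
        if kind == "microsoft.storage/storageaccounts":
            findings += check_storage(rname, props)
        elif kind == "microsoft.sql/servers/databases":
            databases.append(rname)
        elif kind == "microsoft.sql/servers/databases/transparentdataencryption":
            # older API versions use "status", newer ones "state"
            if (props.get("status") or props.get("state")) == "Enabled":
                tde_enabled.add(rname.rsplit("/", 1)[0])   # strip ".../current"
    for db in databases:
        if db not in tde_enabled:
            findings.append(f"{db}: transparent data encryption not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

Run in a pull-request build validation step against the repository's templates, a non-empty findings list is a reason to fail the build, which ties the data controls to the gated deployment model the deck describes. The sample yields four findings for legacystorage and one for the sqlsrv/reportdb database.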
26. Some Sample Controls
1. All end points have logs for auditing.
2. All end points have monitoring available.
3. Alerts are set for disaster as well as security related events.
4. Diagnostics are available for all services.
27. Logging and Analysis Tools available
1. Application Insights
2. Azure Policy
3. Security Center
4. Azure Monitor
5. Others…
29. Stay Connected
If you have questions or would like more
information, feel free to contact me via email
barkha.herman@agilethought.com
• www.agilethought.com
• www.linkedin.com/company/AgileThought
• @AgileThought