Compliance As Code

@ebrucucen 2019/02/11
WHO AM I?
▸ DevOps Consultant at Contino,
spent 11 years of 16 years of
career in consulting ﬁnancial
institutions delivering
applications/platforms 
Banksoft, AXA, BUPA, Investec,
VanquisBank, LloydsBank
▸ Life time student, with more
questions than answers,
developer in heart, loves APIs,
automation, cloud/hybrid
solutions, vegan, mum…

AGENDA
PART I
1. Compliance
2. Compliance On Azure
‣ Data Sources
‣ Metrics/Logs
‣ Monitoring
‣ Log Analytics
PART II
3. Governance on Azure
‣ Security Center
‣ BluePrints
4. AzSK
‣ CI/CD
‣ Customize

THIS TALK IS NOT
▸ By a security expert
▸ a personal experience/battles with the Operations/
Security/Risk teams
▸ About saving money
▸ almost every solution will incur cost

I. COMPLIANCE
CONFORMING TO A RULE, SUCH AS A
SPECIFICATION, POLICY, STANDARD OR LAW

COMPLIANCE CHALLENGES
▸ Data Protection Compliance
▸ Risk assessment, auditing, operations, technology
▸ Industrial regulations and standards <> tech knowledge
▸ Multi-device/cloud/
▸ Cost:
▸ >200 updates from 750 regulatory bodies
▸ 32% of companies spend >4h/w to create/amend reports 
 
 
 
 
 
Human effort required for organisational compliance

COMPLIANCE ON CLOUD?
▸ Azure Complied with Shared Responsibility Model
▸ Azure
“MORE CERTIFICATIONS THAN ANY OTHER CLOUD PROVIDER”

AZURE SUPPORT
▸ Documents
▸ Audit Reports
▸ Data Protection Guides
▸ Azure Security and Compliance BluePrints
https://servicetrust.microsoft.com/ViewPage/BlueprintOverview 
http://aka.ms/pciblueprint 
https://docs.microsoft.com/en-us/azure/security/blueprints/pcidss-paaswa-overview#compliance-documentation
Government Blueprints 
FedRAMP Blueprint 
UK OFFICIAL Blueprint 
NIST SP 800-171 Blueprint 
AU-PROTECTED 
Additional Frameworks
Finance Blueprints 
 
FFIEC Blueprint 
PCI-DSS Blueprint
Healthcare Blueprints 
 
HIPAA / HITRUST Blueprint 
UK NHS Blueprint
Retail Blueprints 
 
PCI-DSS Blueprint
Customer Responsibility Matrix 
Reference Architecture 
Implementation Matrix 
Overview 
Threat Model
Data Analytics/Data Warehouse/IAAS/PAAS

QUICK INSIGHT
▸ What does PCI-DSS BluePrint look like?
http://aka.ms/pciblueprint

II. AZURE BASICS FOR COMPLIANCE DATA

Azure MonitorData Sources

▸ Are collected at regular intervals
▸ One minute by default
▸ Unique: Category = Metric + Namespace
▸ Stored for 93 days
▸ Multi-dimensional
▸ Properties [up to 10]
▸ Resource
▸ Type of Measurement
▸ Value
▸ Time
DATA SOURCES - METRICS

▸ Properties
▸ Irregular
▸ Stored for x days
▸ Metrics -> Logs
▸ Types
▸ Control/Management Plane
▸ Data Plane
▸ Processed Events
DATA SOURCES - LOGS

▸ Properties
▸ Irregular
▸ Stored for x days
▸ Metrics -> Logs
▸ Types
▸ Control/Management Plane
▸ Data Plane
▸ Processed Events
DATA SOURCES - LOGS
Audit Logs
Azure Tenant
Metrics
Application
Azure Subscription
Service Health
Activity Logs
Azure Resources
Diagnostic Logs
Monitoring Solutions
Guest OS
Application Insights
Dependency Agent
Log Analytics Agent
Diagnostics Extension
Azure
Custom API
Data Collector API
Non-Azure
Service Configuration

AZURE AD LOGS
▸ Editions: Basic, Free, Premium P1, Premium P2
▸ Diagnostics Settings
▸ Audit Logs
▸ Sign-in Logs (PP2)
▸ Security Signals (opt-in IPC)
▸ Users at risk
▸ Risky sign-ins
▸ Activity Data is available 2 hours after turning on reporting
▸ 30 days of retention reports (PP1/PP2)
▸ 30/90 days of retention of security signals (PP1/PP2)

AZURE SERVICES
AZURE PLATFORM

VIRTUAL MACHINES
APPLICATIONS

LOG ANALYTICS
▸ Kusto query language

LOG ANALYTICS WORKSPACE

SOLUTIONS TO QUERY

▸ Low Latency (min 1 min interval)
▸ Control over metric condition
▸ Combined monitoring of multiple metrics
▸ Modular notiﬁcation system
▸ Tip: Unify your alerts/sampling intervals for sanity
ALERTS (NEW)

DEMO
▸ WebApp & VM
▸ Metrics/Logs
▸ Query
▸ Alert

SECURITY

SECURITY
DON’T YOU DARE!

SECURE?
✓ Data Protection
✓ Identity and Access Management
✓ Network Security
✓ Threat Protection
✓ Security Management
https://www.cisecurity.org/benchmark/azure/

AZURE SPACE COVERED

AZURE SECURITY CENTRE
https://www.gartner.com/reviews/market/cloud-workload-protection-platforms/vendors

COMPLIANCE DASHBOARD

SECURITY CENTRE
▸ One Step Closer to Automation

DEMO
▸ Security Dashboard
▸ Issues
▸ Recommendations

AZURE MANAGEMENT/GOVERNANCE
▸ How to do Compliance As Code with Azure

MANAGEMENT GROUPS

RESOURCE GRAPH
where type =~ 'Microsoft.Compute/virtualMachines'
| project name, properties.storageProfile.osDisk.osType
| top 5 by name desc
Search-AzGraph -Query "project tags | summarize buildschema(tags)”
# Use Resource Graph to get all NICs and store in the 'nic' variable
az graph query -q "where type =~ 'Microsoft.Compute/virtualMachines' | project nic =
tostring(properties['networkProfile']['networkInterfaces'][0]['id']) | where isnotempty(nic) | distinct nic |
limit 20" --output table | tail -n +3 > nics.txt
# Review the output of the query stored in 'nics.txt'
cat nics.txt
# Use Resource Graph with the 'nics.txt' file to get all related public IP addresses and store in 'publicIp.txt'
file
az graph query -q="where type =~ 'Microsoft.Network/networkInterfaces' | where id in ('$(awk -vORS="','" '{print
$0}' nics.txt | sed 's/,$//')') | project publicIp = tostring(properties['ipConfigurations'][0]['properties']
['publicIPAddress']['id']) | where isnotempty(publicIp) | distinct publicIp" --output table | tail -n +3 > ips.txt
# Review the output of the query stored in 'ips.txt'
cat ips.txt
# Use Resource Graph with the 'ips.txt' file to get the IP address of the public IP address resources
az graph query -q="where type =~ 'Microsoft.Network/publicIPAddresses' | where id in ('$(awk -vORS="','" '{print
$0}' ips.txt | sed 's/,$//')') | project ip = tostring(properties['ipAddress']) | where isnotempty(ip) | distinct
ip" --output table
ALL VM PUBLIC IPS: (AZ CLI)
ALL TAG NAMES: (POWERSHELL)
FIRST 5 VM OS TYPES: (KUSTO QUERY*)
https://docs.microsoft.com/en-us/azure/kusto/query/index

▸ Enforce
▸ ASC on?
▸ Level of compliance?
▸ Threat detection/protection?
▸ Monitoring and auditing on?
▸ Network Security
▸ JIT and NSG for everything
▸ Adaptive Application Controls
▸ SIEM?
▸ WAF (Tested)?
▸ Integrate other sec tools (IPS/IDS/HIPS/Other)
POLICY (SET)
WHAT?
PAAS?
IAAS?
NETWORK?
HOW?
IDENTITY & ACCESS
MANAGEMENT?
DATA & ENCRYPTION?
AUDIT DEPLOY APPENDDENY

BLUEPRINTS

AZURE MANAGEMENT/GOVERNANCE

HOW TO PIPELINE?

SECURE PIPELINE?
APPLICATION
CI/CD
NIGHTLY
TEST RUNS
Static code analysis
Code Review
WI Linking
Static Code Analysis
OSS Vulnerability Scan
Unit Tests
Code Metrics
Passive Pen Test
SSL Scanner 
Infrastructure Scan
Infrastructure Scan
Load and Performance Testing
Automated Regression Testing
Infrastructure Scan
Active Pen Test
Infrastructure Scan
LOCAL/ 
PR CI DEV TEST
FEEDBACK
Code Review Comments 
Static Code Rules Warnings
OSS Library Vulnerabilities 
OSS Licence Violations 
Failed Unit Testing 
Static Code Rule Warnings
Pen Test Issues 
SSL Issues 
Performance Issues 
Regression Issues
Pen Test Issues 
Infrastructure Issues

SECURE PIPELINE?
APPLICATION
CI/CD
NIGHTLY
TEST RUNS
Static code analysis
Code Review
WI Linking
Static Code Analysis
OSS Vulnerability Scan
Unit Tests
Code Metrics
Passive Pen Test
SSL Scanner 
Infrastructure Scan
Infrastructure Scan
Load and Performance Testing
Automated Regression Testing
Infrastructure Scan
Active Pen Test
Infrastructure Scan
LOCAL/ 
PR CI DEV TEST
FEEDBACK
Code Review Comments 
Static Code Rules Warnings
OSS Library Vulnerabilities 
OSS Licence Violations 
Failed Unit Testing 
Static Code Rule Warnings
Pen Test Issues 
SSL Issues 
Performance Issues 
Regression Issues
Pen Test Issues 
Infrastructure Issues
POLICY

AZSK - OVERVIEW
▸ Requires SPN / OMS
▸ Runs Default policies
▸ Creates a Log/PDF Report for each execution
▸ Generates Manual/AutoFix scripts

DEMO: AZSK
▸ Set up Policy Conﬁguration
▸ CI/CD
▸ Check ARM Template
▸ Security Veriﬁcation Test

CONTINUOUS ASSURANCE

PLAN B -DEMO FAILS
▸ GSS

PLAN B - #3 CI/CD

▸ IOP
PLAN B -DEMO FAILS

PLAN B: DEMO FAILS CI/CD

EXTRAS: WEB APP - BEST PRACTICES
▸ Use Certs
▸ Authenticate users (with)
▸ Advanced auth
▸ Conﬁgure TLS mutual auth
▸ Managed Identity
▸ Reference secrets from Key Vault
▸ Restrict IPs
▸ Turn on Web Server/Application Logging
▸ Automate Backups
https://docs.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site

EXTRAS: HARDENING VM
▸ Control VM access
▸ Reduce variability in your setup and
deployment of VMs
▸ Secure privileged access
▸ Use multiple VMs for better availability
▸ Protect against malware
▸ Keep VMs current
▸ Deploy and test a backup solution
▸ Encrypt your virtual hard disk ﬁles
https://docs.microsoft.com/en-us/azure/security/azure-security-iaas

EXTRAS: HARDENING IDENTITY MANAGEMENT
 
Protect privileged accounts with MFA
1. Strengthen your credentials.
2. Reduce your attack surface area.
3. Automate threat response.
4. Increase your awareness of auditing
and monitoring.
5. Enable more predictable and complete
end-user security with self-help
https://docs.microsoft.com/en-us/azure/security/azure-ad-secure-steps

EXTRAS: IDENTITY MANAGEMENT BEST PRACTICES
1. Treat Identity as the primary security perimeter
2. Centralise Identity Management
3. Enable SSO
4. Turn on Conditional Access
5. Enforce MFA
6. Use RBAC
7. Lower exposure of privileged accounts (JIT, 2 EmergencyAccess)
8. Actively monitor for suspicious activities

EXTRAS: NETWORK SECURITY BEST PRACTICES
1. Logically segment subnets
2. Control routing behaviour
3. Enable forced tunnelling
4. Use virtual network appliances
5. Deploy perimeter network for security zones
6. Avoid exposure to Internet with dedicated WAN links
7. Optimise uptime and performance
8. Disable RDP/SSH to VMs

EXTRAS: THREAT MODELLING
Threat Security property Potential Azure platform mitigation
Spoofing Authentication Require HTTPS connections.
Tampering Integrity
Validate SSL/TLS certificates.Applications that use SSL/TLS must fully
verify the X.509 certificates of the entities they connect to. Use Azure
Key Vault certificates to manage your x509 certificates.
Repudiation Non-repudiation Enable Azure monitoring and diagnostics.
Information
Disclosure
Confidentiality Encrypt sensitive data at rest and in transit.
Denial of
Service
Availability
Monitor performance metrics for potential denial of service conditions.
Implement connection filters. Azure DDoS protection combined with
application design best practices provides defense against DDoS
attacks.
Elevation of
Privilege
Authorization Use Azure Active Directory Privileged Identity Management.

REFERENCES - BOOKS
▸ Microsoft Security Center 
https://www.amazon.co.uk/Microsoft-Azure-Security-Center-Practices-ebook/
dp/B07D5J97JV
▸ Pentesting Azure Applications 
https://www.amazon.co.uk/Pentesting-Azure-Deﬁnitive-Attack-Defense/dp/
1593278632
▸ Deep dive Presentation: 
https://www.sans.org/cyber-security-summit/archives/ﬁle/summit-
archive-1540308627.pdf
▸ AZSK:  
https://github.com/azsk/DevOpsKit-docs
▸ Security White Papers 
https://docs.microsoft.com/en-us/azure/security/security-white-papers

BRK3062 - Architecting Security and Governance Across your Azure Subscriptions
THR2291 - Secure architecting for Azure
BRK2368 - Practical guide for using Azure Security Center to protect hybrid cloud environment
BRK3384 - Best practices for protecting modern cloud application architectures
BRK2021 - Azure security & management
THR3085 - The wizarding world of Microsoft CloudApp Security
GS008 - Microsoft security: How the cloud helps us all be more secure
REFERENCES - VIDEOS IGNITE/2018

SO AS A SUMMARY
▸ Enable Security Center
▸ Enable all the logs you can
▸ Automate your policy management: Think AZSK!
▸ Give AppDevs freedom on the ring fenced cloud!

QUESTIONS?

QUESTIONS?
THANK YOU

Compliance As Code

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Compliance As Code

Similar to Compliance As Code (20)

More from Ebru Cucen Çüçen

More from Ebru Cucen Çüçen (10)

Recently uploaded

Recently uploaded (20)

Compliance As Code