
Azure Saturday: Security + DevOps + Azure = Awesomeness


Slides from my presentation at Azure Saturday on 26.5.2018 in Munich.

In this session, I will cover the Secure DevOps Toolkit for Azure, a set of security-related tools, PowerShell modules, extensions and automations for Azure. The session is a collection of lessons learned using the Toolkit in real-life projects.

After this session you will be able to improve the security of your Azure usage from IDE to Operations, regardless of your current state of security and level of cloud adoption.

Published in: Technology

  1. Azure Saturday 2018: Security + DevOps + Azure = Awesomeness. Karl Ots | Kompozure @fincooper
  2. Azure Saturday 2018: Thank you, sponsors!
  3. KARL OTS @ KOMPOZURE, Managing Consultant, +358 50 480 1102
     • Co-organizer of IglooConf and PolarConf
     • Podcast host at Cloud Gossip
     • Working on Azure since 2011
     • Patented inventor
     • Worked with tens of different customers on full-scale Azure projects, from startups to Fortune 500 enterprises
  4. SECURITY LANDSCAPE
     • Cloud-based user account attacks have increased 300% YoY (Microsoft Security Intelligence Report, Volume 22)
     • An attacker is on a victim's network 99 days on average before they are detected (FireEye/Mandiant report, March 14, 2017)
     • Average cost of a data breach in 2017 was 4 M $ (IBM Security)
  5. WHY AZSK?
     • Cloud security is hard.
     • Knowledge of Azure security controls is not widespread.
     • MS IT wanted to accelerate internal Azure adoption in a controlled way.
     • Approach: avoid reinventing the wheel
       o Use as many out-of-the-box Azure features as possible
       o For example: outsource VM controls to Security Center
  8. SUBSCRIPTION SECURITY
     • Subscription RBAC provisioning: Deploy mandatory and scenario/solution specific accounts/groups on a subscription. Ability to specify and remove deprecated accounts.
     • Alerts setup: Configure insights-based alerts for important activities. Runbooks for critical alerts to send SMS with key alert body info.
     • ARM policy setup: Deploy and enable ARM policy definitions (e.g., audit/deny use of ASM/v1 resources).
     • ASC setup: Configure Azure Security Center by enabling policies, setting security POCs, etc.
     • Resource Locks: Ensure that critical enterprise resources have locks deployed on them.
     • Health Check: More than a dozen subscription hygiene security checks, including proper provisioning.
  9. SUBSCRIPTION HEALTH SCAN
     Select-AzureRmSubscription -SubscriptionId $subscriptionId
     # Sub health scan
     Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId -GeneratePDF Portrait
  10. DEVELOP SECURELY (Feature / Scenarios and details)
     Development Security IntelliSense:
     • Get inline support for secure coding right at the point of code creation.
     • Checks on Azure best practices, ADAL and common crypto.
     • VS plug-in for C#.
     • Security IntelliSense extension works on Visual Studio 2015 Update 3 or later.
  12. "UNIT TEST" AZURE SECURITY (Feature / Scenarios and details)
     Development Security IntelliSense:
     • Get inline support for secure coding right at the point of code creation.
     • Checks on Azure best practices, ADAL and crypto.
     • VS plug-in for C#.
     Security Verification Tests:
     • Scan cloud solutions during early dev and prototyping stages.
     • Provides a variety of options to define scan targets.
     • Easy, intuitive reports and detailed logs.
     • Support for 25+ Azure IaaS and PaaS service types.
  13. SECURITY VERIFICATION TESTS
     Select-AzureRmSubscription -SubscriptionId $subscriptionId
     # Security Verification Test
     Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId -GeneratePDF Portrait
  14. DEMO TIME!
  15. DEVOPS
     • Security Verification Tests (SVTs) in a VSTS / on-prem TFS pipeline
     • SVTs in a Jenkins pipeline
     • AzSK ARM Template Checker
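A build gate over SVT results for the pipeline scenario on this slide, as an added example (not from the deck or the AzSK project). It assumes the scan has written SecurityReport.csv with ControlID, Status, ControlSeverity, ResourceName and Recommendation columns (an assumption about the report format) and falls back to constructed sample rows when no report exists.

```powershell
# Added example, not from the deck or the AzSK project.
# Assumptions: Get-AzSKAzureServicesSecurityStatus has already written SecurityReport.csv
# into its output folder, and that CSV carries the columns ControlID, Status,
# ControlSeverity, ResourceName and Recommendation (check the names in your AzSK version).
param(
    [string]$ReportPath = ".\SecurityReport.csv",
    [string[]]$BlockingSeverities = @('High', 'Critical')
)

function Get-BlockingFindings {
    param([object[]]$Rows, [string[]]$Severities)
    # Only a Failed control in a blocking severity breaks the build; Verify/Manual
    # results need a human decision and are surfaced as warnings instead.
    $Rows | Where-Object {
        $_.Status -eq 'Failed' -and $Severities -contains $_.ControlSeverity
    }
}

if (-not (Test-Path $ReportPath)) {
    # Constructed sample rows (control ids are placeholders) so the gate can be tried offline
    @'
ControlID,Status,ControlSeverity,ResourceName,Recommendation
Azure_Storage_Placeholder_Control,Failed,High,examplestorage,Disable anonymous access
Azure_KeyVault_Placeholder_Control,Passed,Medium,examplekv,-
Azure_AppService_Placeholder_Control,Verify,High,exampleapp,Confirm the minimum TLS version
'@ | Set-Content -Path $ReportPath
}

$rows = Import-Csv -Path $ReportPath
$blocking = @(Get-BlockingFindings -Rows $rows -Severities $BlockingSeverities)

$rows | Where-Object { $_.Status -in 'Verify', 'Manual' } | ForEach-Object {
    Write-Warning "Needs manual review: $($_.ControlID) on $($_.ResourceName)"
}

if ($blocking.Count -gt 0) {
    $blocking | Format-Table ControlID, ControlSeverity, ResourceName, Recommendation -AutoSize |
        Out-String | Write-Host
    Write-Error "$($blocking.Count) blocking control failure(s); see the report at $ReportPath"
    exit 1   # a non-zero exit code fails the VSTS/TFS/Jenkins build step
}
Write-Host "No blocking control failures"
exit 0
```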
  16. CONTINUOUS ASSURANCE
     • Run AzSK tests periodically using Azure Automation
     • Write to Log Analytics
     • Query with Kusto Query Language
     • Integrate with your existing systems, such as your SIEM
  17. SETTING UP CONTINUOUS ASSURANCE
     #### Deploy the AzSK view in the OMS workspace ####
     Install-AzSKOMSSolution -OMSSubscriptionId $subscriptionId `
         -OMSResourceGroup $omsRGName `
         -OMSWorkspaceId $omsWSId `
         -ViewName $azSkViewName
     #### Setup AzSK scan data to OMS ####
     Set-AzSKOMSSettings -OMSWorkspaceID $omsWSId -OMSSharedKey $omskey
     #### Run AzSK scripts per usual ####
     Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId
     #### Run AzSK SVT scan ####
     Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId
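A regression check over the scan data that Continuous Assurance ships to Log Analytics (slides 16 and 17), as an added example that is not from the deck or the AzSK project. It assumes AzSK results land in a custom log named AzSK_CL with ControlId_s, ResourceName_s, ControlStatus_s and ControlSeverity_s columns, and that the Az.OperationalInsights cmdlet Invoke-AzOperationalInsightsQuery is available after Connect-AzAccount (both assumptions).

```powershell
# Added example, not from the deck or the AzSK project.
# Assumptions: Continuous Assurance results land in the custom log AzSK_CL with the
# columns ControlId_s, ResourceName_s, ControlStatus_s and ControlSeverity_s; the Az
# module is installed and Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)][string]$WorkspaceId,
    [int]$LookbackHours = 48
)

# Compare the oldest and newest result per control/resource pair inside the window and
# keep only pairs that went from Passed to Failed: a regression, not a long-known gap.
$query = @"
let scans = AzSK_CL
    | where TimeGenerated > ago($($LookbackHours)h)
    | project TimeGenerated, ControlId_s, ResourceName_s, ControlStatus_s, ControlSeverity_s;
let latest = scans
    | summarize arg_max(TimeGenerated, ControlStatus_s, ControlSeverity_s) by ControlId_s, ResourceName_s;
let earliest = scans
    | summarize arg_min(TimeGenerated, ControlStatus_s) by ControlId_s, ResourceName_s
    | project ControlId_s, ResourceName_s, PreviousStatus = ControlStatus_s;
latest
| join kind=inner (earliest) on ControlId_s, ResourceName_s
| where PreviousStatus == "Passed" and ControlStatus_s == "Failed"
| project TimeGenerated, ControlId_s, ResourceName_s, ControlSeverity_s
"@

function Get-ControlRegressions {
    param([string]$Id, [string]$Kql)
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $Id -Query $Kql
    # Drop a null Results property so an empty answer yields an empty array, not @($null)
    @($response.Results | Where-Object { $_ })
}

$regressions = Get-ControlRegressions -Id $WorkspaceId -Kql $query

if ($regressions.Count -eq 0) {
    Write-Host "No Passed -> Failed regressions in the last $LookbackHours hours"
    exit 0
}

# High-severity regressions first; the same rows can be forwarded to a SIEM as events
$regressions | Sort-Object { $_.ControlSeverity_s -ne 'High' } |
    Format-Table TimeGenerated, ControlSeverity_s, ControlId_s, ResourceName_s -AutoSize
exit 1
```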
  18. ADVANCED FEATURES
     • Generate PDF Report
     • Generate AutoFix Script
     • AzSK ARM Templates
     • Customizing the security policies for your organization
  19. DISCUSSION
     • AzSK is not your magic bullet to tick the security box
       o AzSK mostly covers "administrative access" in traditional threat models, some "application access" as well
       o You still have to worry about users, external threats and more
       o Threat modeling and a Defense in Depth approach are your friends!
     • Carefully analyze the results in the scope of your application: are the recommended controls right for your app?
  20. RESOURCES
     • Try out the Secure DevOps Kit for Azure!
     • Installation guide, docs: -docs
     • Controls coverage:
     • IT Showcase:
     • Support:
  21. Azure Saturday 2018: We appreciate your feedback! SLIDESHARE.NET/KARLOTS