The document discusses challenges faced when decentralizing cloud security controls and enabling collaboration between security and application teams. It describes how behavior-driven development (BDD) and policy workshops were used to define shared policies in code with associated tests. Challenges included policy engine limitations and decisions around the test language, when to run the tests, and the environments to run them in.
Agenda
01 | Problems with Cloud Security Guard Rails
02 | How we enabled collaboration
03 | What challenges we had
Key Takeaways
● Application teams should contribute to the cloud security controls, as it is not just the security team's responsibility
● BDD offers a great way to provide human-readable tests that increase collaboration across multiple functional teams
● Try small iterations and innovate
Day 4: Upskilling
Questions raised by the application teams:
● Can I bring our own key?
● What is our retention policy?
● For signed URLs, can we audit/stop the call if the source IP is not in our allowed list?
Day 2: Security Team focuses on Base Policy
Questions the base policy has to answer:
● Which regions are allowed?
● What are the tagging policies?
● Which resources will be allowed?
Day 3: App Team Contributes
Submit a PR of policies:
- We need a use case for KeyVault
- x/y/z permissions
- To be applied on the Management Group
! All in code
! With tests associated with them
Azure Policy - Trade Offs
1. Problem: the Policy Engine is not effective in real time.
   Decision: we assumed a worst case of 24 hours in the pipeline plan.
2. Problem: the Policy Engine has a (different) wait time for each effect.
   Decision: we favoured Deny policies over Audit policies.
3. Problem: Azure Policy repo versioning is not enforced.
   Decision: we favoured custom policies over built-in policies so that versioning is tracked internally.
Assignment Effects
Enforcements can have several effects depending on both requirements and policy type. The slide also arranges the effects on a spectrum from most restrictive to least restrictive.
● Audit: generates a warning event in the activity log but doesn't fail the request
● AuditIfNotExists: generates a warning event in the activity log if a related resource doesn't exist
● Deny: generates an event in the activity log and fails the request
● Disabled: doesn't evaluate resources for compliance with the policy rule
● Append: adds the defined set of fields to the request
● DeployIfNotExists: deploys a related resource if it doesn't already exist
● Modify: adds, updates, or removes the defined tags from a resource
BDD - Trade Offs
1. Decision on language (Golang / TypeScript / Java):
   We favoured the top in-house skillset (TypeScript).
2. Decision on when to run the tests:
   Executed together with the policy assignment.
3. Decision on where to run the tests:
   A dedicated integration environment.
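The following TypeScript is an added illustration, not code from the deck or from its policy repository. It ties the Assignment Effects slide to the BDD decisions above: a deliberately simplified model of how Audit, Deny, Disabled, Append and Modify act on a resource request, plus a small Given/When/Then style runner so a Day 2 base policy (allowed regions, tagging) and its human-readable tests can be read side by side. The policy names, regions and tags are constructed for the example, the evaluation order follows Azure's documented order (Disabled, Append/Modify, Deny, Audit), and the scenario runner stands in for a Cucumber-style framework, which is an assumption rather than the deck's tooling.

```typescript
// Added example (constructed): simplified Azure Policy effect model + BDD-style scenarios.
type Effect = "Disabled" | "Append" | "Modify" | "Deny" | "Audit";

interface Resource {
  name: string;
  location: string;
  tags: Record<string, string>;
}

interface Policy {
  name: string;
  effect: Effect;
  // true when the resource does NOT satisfy the rule (the policy "if" block matched)
  violates: (r: Resource) => boolean;
  // fields (Append) or tags (Modify) written into the request when the rule matches
  addTags?: Record<string, string>;
}

interface EvaluationResult {
  allowed: boolean;    // false only when a Deny effect fired
  events: string[];    // what would land in the activity log
  resource: Resource;  // the request after Append / Modify have altered it
}

// Azure evaluates Disabled first, then Append/Modify, then Deny, then Audit.
const EVALUATION_ORDER: Effect[] = ["Disabled", "Append", "Modify", "Deny", "Audit"];

function evaluate(policies: Policy[], input: Resource): EvaluationResult {
  const events: string[] = [];
  let allowed = true;
  let resource: Resource = { ...input, tags: { ...input.tags } };
  const ordered = [...policies].sort(
    (a, b) => EVALUATION_ORDER.indexOf(a.effect) - EVALUATION_ORDER.indexOf(b.effect),
  );
  for (const p of ordered) {
    if (p.effect === "Disabled") continue;   // never evaluated for compliance
    if (!p.violates(resource)) continue;      // rule satisfied, nothing to do
    switch (p.effect) {
      case "Append":
      case "Modify":
        // alter the request instead of judging it; later policies see the change
        resource = { ...resource, tags: { ...resource.tags, ...(p.addTags ?? {}) } };
        events.push(`${p.effect}: ${p.name} updated request`);
        break;
      case "Deny":
        allowed = false;                      // the request fails
        events.push(`Deny: ${p.name} failed request`);
        break;
      case "Audit":
        events.push(`Audit: ${p.name} warning`); // logged only, request continues
        break;
    }
  }
  return { allowed, events, resource };
}

// Day 2 style base policy owned by the security team (constructed values).
const ALLOWED_REGIONS = ["westeurope", "northeurope"];
const basePolicies: Policy[] = [
  { name: "allowed-regions", effect: "Deny",
    violates: (r) => ALLOWED_REGIONS.indexOf(r.location) === -1 },
  { name: "require-owner-tag", effect: "Audit",
    violates: (r) => !("owner" in r.tags) },
  { name: "default-costcenter-tag", effect: "Modify",
    violates: (r) => !("costcenter" in r.tags), addTags: { costcenter: "unassigned" } },
  { name: "legacy-naming", effect: "Disabled", violates: () => true },
];

// Minimal Given/When/Then runner standing in for a Cucumber-style framework.
interface Scenario {
  title: string;
  given: Resource;                               // Given a resource request
  then: (result: EvaluationResult) => boolean;   // Then the outcome holds
}

function runScenario(policies: Policy[], s: Scenario): { title: string; passed: boolean } {
  const result = evaluate(policies, s.given);    // When the policies are evaluated
  return { title: s.title, passed: s.then(result) };
}

const scenarios: Scenario[] = [
  {
    title: "a resource outside the allowed regions is denied",
    given: { name: "vm1", location: "eastus", tags: { owner: "app-team" } },
    then: (r) => !r.allowed && r.events.some((e) => e.indexOf("Deny:") === 0),
  },
  {
    title: "a resource without an owner tag is audited but still created",
    given: { name: "kv1", location: "westeurope", tags: {} },
    then: (r) => r.allowed && r.events.some((e) => e.indexOf("Audit:") === 0),
  },
  {
    title: "a missing costcenter tag is filled in by Modify before Deny and Audit run",
    given: { name: "sa1", location: "northeurope", tags: { owner: "app-team" } },
    then: (r) => r.allowed && r.resource.tags["costcenter"] === "unassigned" && r.events.length === 1,
  },
];

function runAll(): { title: string; passed: boolean }[] {
  return scenarios.map((s) => runScenario(basePolicies, s));
}

for (const r of runAll()) console.log(`${r.passed ? "PASS" : "FAIL"}: ${r.title}`);
```

The point of the model is the difference between effects that the deck weighed against each other: an Audit policy lets the request through and only leaves a warning in the log, a Deny policy fails the request outright, and a Disabled policy is not evaluated at all, which is why the second scenario passes while the first does not. Application teams can add their own scenarios next to the base policy in the same file, which is the Day 3 contribution pattern the deck describes.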