DevSecOps in the Azure Cloud
Many organizations are transitioning to a DevSecOps model, with closer collaboration between developers, security and operations teams from the onset of application development. There is a close connection between DevSecOps and the cloud — organizations operating in cloud computing environments have much greater flexibility, which allows them to implement security practices more easily and at a larger scale.
Learn Cloud Security
What is DevSecOps?
DevSecOps is a methodology that merges development (Dev) with security (Sec) and operations (Ops). It aims to introduce security into all phases of the software development lifecycle, including planning, development, building, testing, release, delivery, deployment, operations and monitoring.
DevSecOps facilitates rapid and secure software development through automated continuous integration (CI) and continuous delivery (CD) cycles. However, DevSecOps requires teamwork to be truly effective despite the reliance on automation tools. It requires a change in a work culture that promotes security without compromising speed and quality.
DevSecOps in Azure: Architecture and data flow
DevSecOps involves implementing security best practices through a shift-left strategy across the entire development lifecycle. The data flow below explains how this concept works in Azure’s architecture.
Image Source: Azure
Data flow in Azure:
- Azure active directory (AD) — you can configure Azure AD as the identity provider for GitHub and enable multi-factor authentication (MFA) to harden security.
- Commit to GitHub — you can use Azure Boards to plan work items and track bugs committed to GitHub.
- Automated scanning — you can integrate with GitHub Advanced Security and GitHub Open Source Security to add automatic security and dependency scanning to GitHub.
- Automated testing — you can use pull requests to trigger automated testing, and CI builds in Azure Pipelines.
- Containers deployment — Azure Pipelines uses CI builds to generate a Docker container image stored in Azure Container Registry (ACR). Azure Kubernetes Service (AKS) can use this image to release containers.
- Vulnerabilities scanner — Microsoft Defender for Cloud scans images uploaded to ACR for Azure-native vulnerabilities. It also checks it against security recommendations.
- Provisioning — Azure Pipelines employs Terraform to manage releases. It can manage cloud infrastructure as code and provision various resources, including AKS, Azure databases and Application Gateway.
- Continuous delivery (CD) — Azure Pipelines uses a secure service connection to access the Container Registry to establish a secure CD for AKS.
- Azure policy — Azure Pipelines employs this service to enforce post-deployment gateways. You can also apply it directly to the AKS engine.
- Securing secrets — Azure Key Vault securely injects secrets and credentials into the application to abstract sensitive information at runtime.
- Authentication — Azure AD B2C helps authenticate end-users. It uses MFA and can route traffic through an application gateway to protect core services.
- Continuous monitoring — Azure Monitor provides visibility into release pipelines. It ingests security logs and provides alerts on detected suspicious activity.
- Active threat monitoring — Microsoft Defender for Cloud actively monitors threats on AKS, including internals and the node level (VM threats).
DevSecOps products and services in Azure
GitHub actions
GitHub Actions enable you to automate software development workflows in GitHub using the GitOps pattern. It lets you deploy workflows as an automated process in your GitHub repository. You can use these workflows to build, test, package, release and deploy your projects on GitHub.
Each workflow includes individual actions that run after a certain event occurs, such as a pull request. An action is a packaged script that automates specific software development tasks.
Microsoft created GitHub Actions that support Azure services, such as Azure App Service, Azure Key Vault, Azure Functions, Azure Policy, Azure CLI and Azure Resource Manager templates. You can use these workflows to build, test, package, release and deploy projects on Azure.
Azure Boards
Azure Boards is a cloud service that offers interactive and customizable tools to manage software projects. The service provides various features, such as configurable dashboards, calendar views, integrated reporting, and native support for Scrum, Kanban and agile processes.
You can use Azure Boards to track default work items, such as user stories, features, epics, and bugs, or customize your own items. The service provides dashboards to create customized views, analyze trends, improve workflow processes and share information.
You can connect Azure Boards with your GitHub repositories to link GitHub commits, pull requests, and issues to work items. This integration enables you to use GitHub for software development and Azure Boards for work planning and tracking.
Azure AD
Azure Active Directory (Azure AD) is an identity and access management (IAM) cloud service. You can use it to provide employees with access to external resources, including Microsoft 365 and the Azure portal. Azure AD can also help you manage internal resources, including apps on a corporate network or cloud apps developed by your organization.
IT administrators can use Azure AD to control access to apps and resources according to specific business requirements. Application developers can use Azure AD to add single sign-on (SSO) to apps and use APIs to build personalized app experiences based on existing organizational data.
Microsoft Defender for Cloud
Defender for Cloud (previously Azure Security Center) is a security posture management and threat protection solution. It aims to strengthen the security posture of cloud resources and protect workloads running in various environments, including hybrid clouds, Azure and other cloud platforms.
Defender for Cloud offers various tools to help you harden resources, track the organization’s security posture, streamline security management and protect against cyberattacks. Defender for Cloud is natively integrated to provide simple auto-provisioning for securing resources by default.
Learn Cloud Security
Basics of DevSecOps and Azure cloud implementation
There are three Azure security offerings that can help you adopt DevSecOps:
- GitHub actions — Microsoft has developed custom GitHub actions that let you automate development processes and integrate Azure with your GitHub repositories.
- Azure boards — an agile project management solution that lets you link GitHub repositories, and commit pull requests, issues and work items. This lets you achieve the traceability that is necessary for a DevSecOps pipeline.
- Azure AD — provides strong authentication and identity management for development processes and pipelines.
- Microsoft Defender for Cloud — a security posture management solution that provides actionable recommendations for hardening cloud resources and improving security management.
I hope this will be useful as you take your first steps to a full DevSecOps process in the Azure cloud.
In this Series
- DevSecOps in the Azure Cloud
- The rise of cloud computing: Trends and predictions
- Understanding the basics of cloud infrastructure: What you need to know
- How cloud security, data privacy, and cybersecurity convergence drives successful careers
- Secure cloud computing: What you need to know
- Working across multiple cloud service providers: CSP security learning path
- Securing cloud-based applications training: What you need to know
- Security risks of cloud migration
- Amazon Athena Security: 6 essential tips
- Securing cloud endpoints: What you should know
- AWS security and compliance overview
- CloudGoat walkthrough series: IAM privilege escalation by attachment
- CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
- CloudGoat walkthrough series: Remote code execution
- CloudGoat walkthrough series: Lambda Privilege Escalation
- Information security strategy for the hybrid and multi-cloud
- CloudGoat walkthrough series: Cloud Breach S3
- CloudGoat walkthrough series: IAM privilege escalation by rollback
- Working with CloudGoat: The “vulnerable by design” AWS environment
- Malicious Amazon Machine Images (AMIs)
- Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
- Cloud Pentesting Certification Boot Camp: The ultimate guide
- Cloud Based IDS and IPS Solutions [Updated 2019]
- AWS Security Monitoring Checklist [Updated 2019]
- Amazon Inspector: A cloud-based vulnerability assessment tool
- System administrator vs. cloud administrator
- 5 key cloud security use cases
- Deep Packet Inspection in the Cloud
- Honeypots in the Cloud
- Biometrics in the Cloud
- Open-Source Intelligence Collection in Cloud Platforms
- How to Safeguard Against the Privacy Implications of Cloud Computing
- AWS Cloud Security for Beginners — Part 2
- AWS Cloud Security for Beginners — Part 1
- AWS Security Monitoring Checklist — Part 2
- Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
- Controlling the Risks of Cloud-Enabled End-Point Security Products
- The Ultimate Guide to CCSP Certification
- Five Reasons Why Security Professionals Need the Cloud
- Amazon S3 Buckets-Hardening
- Cloud Service Reconnaissance
- Cloud Computing Security: Be Secure Before Moving to Cloud
- Cloud Technology Bringing New Possibilities in Threat Management
- Attacking the Cloud
- Man in the Cloud Attacks: Prevention and Containment
- Cloud originated DDoS attacks
- Where Is Your Data Safer? In the Cloud Or On Premise?
- DDOS Protection for Public Cloud Customers
- Security Barriers in the Adaptation of Cloud Technology
- SIEM as a Service
- Cloud Security Incident Compensation
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Cloud security
Cloud security