In any cloud transformation journey, you must ensure that the security is automated and baked into all aspects of engineering. Learn how to use the new Secure DevOps Kit for Azure to tighten up the security of your Azure Resources and how to automate it as part of your DevOps Pipelines.

1. Get On Top of Azure Resource
Security Using Secure DevOps
Kit for Azure
Kasun Kodagoda
Technical Lead | 99X Technology
https://kasunkodagoda.com

2. Agenda
• Why Care About Cloud Security?
• Security in the Cloud
• Security In Azure
• Secure DevOps Kit for Azure (AzSK)
• History of AzSK
• AzSK Focus Areas
• AzSK Features
• AzSK in Action

3. I am, Kasun Kodagoda
• In ♥ with Azure & Azure DevOps
• Active Blogger – https://kasunkodagoda.com
• Open Source Contributor - https://github.com/kasunkv
• Technical Lead
I Work For,
• Established in 2004
• Headquartered in Sri Lanka with offices in
Europe and Australia
• Providing high quality, high value Software
Product Engineering + R&D services

4. Why Care About Cloud Security?
• Growing reliance on the cloud for businesses
• Ensuring the security of the data and business
critical systems
• Software running on the cloud are the interface
for the business
• Regulatory and Compliance needs of the
businesses
• Protecting the privacy of the customers is a
major concern

5. Security in the Cloud
• “Security of the Cloud. Security in the Cloud”
• Responsibility of the organization
• Can not entirely relay on the cloud platform
• It’s not only the application you need to worry
about
• Infrastructure, Configuration mismanagement
• You can be a victim or an unwilling collaborator

6. Security In Azure
• As a cloud platform, provides a lot of capabilities
• Ensures Security of the Cloud
• Helps with Security in the cloud as well
• Number of Services at your disposal
• Azure Security Center
• Azure Bastion
• Azure DDoS Protection
• Azure Key Vault
• Web Application Firewall
• Encryption

7. Secure DevOps Kit for Azure (AzSK)
• A collection of scripts, tools, extensions and
automation
• Caters end-to-end Azure Subscription &
Resource security
• Built to cater automation
• Seamless integration into DevOps workflows
and Pipelines
• Focus on 6 Areas

8. History of AzSK
• Created by Core Services Engineering &
Operations division at Microsoft
• Used to help the Azure adaptation inside
Microsoft
• Shares best practices used by Microsoft in their
cloud adoption with the community
• Not an official Microsoft Product

9. AzSK Focus Areas
• Securing the Subscription
• Secure Development
• Security Integration into CI/CD
• Continuous Assurance
• Alerting and Monitoring
• Cloud Risk Governance

10. AzSK Features
• Subscription Health Checks
• Subscription Provisioning
• Alerts Configuration
• ARM Policy Configuration
• Azure Security Center Configuration
• IAM Hygiene
Securing the Subscription

11. AzSK Features
• Security Verification Tests (SVTs)
• Security IntelliSense
• AzSK Visual Studio Extension
Secure Development
• AzSK Azure DevOps Extension
• ARM Template Checker
• Security Verification Tests (SVTs)
Security Integration into CI/CD

12. AzSK Features
• Configure Azure Automation Runbooks for
Security Scanning
Continuous Assurance
• AzSK Monitoring Solution with Log Analytics
• Security Dashboards with overview on states/actions
• Generate Alerts with Log Analytics queries
Alerting and Monitoring

13. AzSK Features
• Control/Usage telemetry through insights
Cloud Risk Governance

14. Let’s See it in Action

15. Installing AzSK
• Available to download from PowerShell Gallery
• Prerequisites
• PowerShell 5.0 or Higher
• Windows OS
# Install AzSK
Install-Module AzSK -Scope CurrentUser -AllowClobber -Force

16. Running Analysis on the Subscription
• Checks and warns about
• Security Issues
• Security Misconfigurations
• Obsolete settings/configurations in the subscription
• Add-on to Azure Security Center, Azure IAM etc.
# Analyze Azure Subscription
Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId

17. Running Analysis on Azure Resources
• Executes Security Verification Tests (SVTs)
• Covers all main Azure resource types
• Azure App Services, Key Vault, SQL DB, Storage etc.
• Checks for best practices and security
configuration for each resource type
# Analyze Resource Group
Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId `
-ResourceGroupNames $rgName

18. Making Sense of the Output
• Output folder will automatically open
• C:Users<User_Name>AppDataLocalMicrosoftAzSKLogs
• Security Control evaluation details and state in CSV
• Detailed information available in the LOG file
• For Failed/Verify security controls
• Use the Log file to see what exactly made the control fail
• You may also find
• Automatically generated fix scripts if you asked for it
• Detailed PDF report
• And other support files

19. Sending Security Events to Log Analytics
• Create a Log Analytics Workspace for security events
• Register Log Analytics Workspace locally to send
security events
• Your local commands will automatically send security
events to Azure
# Set Log Analytics Workspace Settings Locally
Set-AzSKMonitoringSettings -LAWSId $LAWSId -LAWSSharedKey $LAWSKey

20. Setting Up Monitoring Dashboard
• Deployed onto the Log Analytics Workspace
• Get an overview of overall security status
• Drill into different areas using built-in and custom
queries
• Individual Resource Security state
• Resource Group security state
• AKS Cluster security (Preview) etc.
# Install Monitoring Dashboard on Log Analytics
Install-AzSKMonitoringSolution -LAWSSubscriptionId $subscriptionId `
-LAWSResourceGroup $LAWSRg `
-LAWSId $LAWSId `
-ViewName "AzSK Monitoring Dashboard"

21. Setting Up Continuous Assurance
• Sets the ability to check the “security drift”
• Compare with a secure “snapshot” of the system
• Treat security as a state rather than point in time
• Detect when more security options available for
resources
# Install and Configure Azure Automation Runbook
Install-AzSKContinuousAssurance -SubscriptionId $subscriptionId `
-AutomationAccountName $automationAccountName `
-AutomationAccountRGName $automationAccountRg `
-AutomationAccountLocation $automationAccountLocation `
-ResourceGroupNames "*" `
-LAWSId $LAWSId `
-LAWSSharedKey $LAWSKey

22. Security in the DevOps Pipeline
• Available for Azure DevOps and Jenkins
• Run
• ARM Template Checker on your builds
• Security Verification Tests (SVTs) on your releases
• Install Azure DevOps extension from Marketplace
• For Jenkins manually upload the plug-in

23. Thank You :)
Any Questions? ;)

24. Sample Code
https://github.com/kasunkv/secure-devops-kit-for-azure-demo-application
Documentation
https://azsk.azurewebsites.net/README.html
Slide Deck
https://www.slideshare.net/KasunKodagoda1
Blog Posts
https://kasunkodagoda.com/tag/azsk/
Connect With Me
Twitter: https://twitter.com/kasun_kodagoda
Facebook: https://www.facebook.com/kasun.kodagoda
LinkedIn: https://www.linkedin.com/in/kasunkodagoda/
Blog: https://kasunkodagoda.com/
http://bit.ly/365SjyU