Slides from my presentation at Azure Saturday on 26.5.2018 in Munich.
In this session, I will cover the Secure DevOps Toolkit for Azure, a set of security-related tools, PowerShell modules, extensions and automations for Azure. The session is a collection of lessons learned using the Toolkit in real-life projects.
After this session you will be able to improve the security of your Azure usage from IDE to Operations, regardless of your current state of security and level of cloud adoption.
3. KARL OTS @ KOMPOZURE
• Co-organizer of IglooConf and PolarConf
• Podcast host at Cloud Gossip
• Working on Azure since 2011
• Patented inventor
• Worked with tens of different customers on full-scale Azure projects,
from startups to Fortune 500 enterprises
Managing Consultant
karl.ots@kompozure.com
+358 50 480 1102
5. SECURITY LANDSCAPE
• Cloud-based user account attacks have increased 300% YoY (Microsoft
Security Intelligence Report, Volume 22)
• An attacker is on a victim’s network 99 days on average before they are
detected (FireEye/Mandiant report – March 14, 2017)
• Average cost of a data breach in 2017 was 4 M $ (IBM security)
6. WHY AZSK?
• Cloud security is hard.
• Knowledge of Azure security controls is not widespread.
• MS IT wanted to accelerate internal Azure adoption in a
controlled way
• Approach: avoid reinventing the wheel
o Use as many out-of-the-box Azure features as possible
o For example: outsource VM controls to Security Center
10. SUBSCRIPTION SECURITY
• Subscription RBAC provisioning: Deploy mandatory and scenario/solution specific accounts/groups on a subscription. Ability to specify and remove deprecated accounts.
• Alerts setup: Configure insights-based alerts for important activities. Runbooks for critical alerts to send SMS with key alert body info.
• ARM policy setup: Deploy and enable ARM policy definitions (e.g., audit/deny use of ASM/v1 resources).
• ASC setup: Configure Azure Security Center by enabling policies, setting security POCs, etc.
• Resource Locks: Ensure that critical enterprise resources have locks deployed on them.
• Health Check: More than a dozen subscription hygiene security checks, including proper provisioning.
17. “UNIT TEST” AZURE SECURITY
Development features and their scenarios/details:
• Security IntelliSense
o Get inline support for secure coding right at the point of code creation.
o Checks on Azure Best practices, ADAL and Crypto
o VS plug-in for C#.
• Security Verification Tests
o Scan cloud solutions during early dev and prototyping stages.
o Provides a variety of options to define scan targets.
o Easy, intuitive reports and detailed logs. Support for 25+ Azure IaaS and PaaS service types.
20. DEVOPS
• Security Verification Tests (SVTs) in VSTS / on-prem TFS pipeline
• SVTs in Jenkins pipeline
• AzSK ARM Template Checker
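A sketch of how a pipeline step could turn SVT results into a build gate, added here as an illustration; it is not code from the slides or from the AzSK project. It assumes the scan report is a CSV with ControlID, ControlSeverity, Status and ResourceName columns and Status values such as Passed, Failed and Verify; the function name, the exception list and the sample rows are hypothetical.

```powershell
# Added example: fail a pipeline stage on blocking control failures in a scan report.
# Assumption: report rows expose ControlID, ControlSeverity, Status, ResourceName.

function Test-AzSKReportGate {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        # Severities that break the build when a control has failed.
        [string[]] $BlockingSeverity = @('Critical', 'High'),
        # Hypothetical list of controls reviewed and accepted for this application.
        [string[]] $AcceptedControlIds = @()
    )

    # Failed controls at a blocking severity that nobody has signed off on.
    $blocking = @($Rows | Where-Object {
        $_.Status -eq 'Failed' -and
        $_.ControlSeverity -in $BlockingSeverity -and
        $_.ControlID -notin $AcceptedControlIds
    })

    # Controls the scanner could not decide on; these need a human, not a red build.
    $needsReview = @($Rows | Where-Object { $_.Status -in 'Verify', 'Manual' })

    [pscustomobject]@{
        Pass        = ($blocking.Count -eq 0)
        Blocking    = $blocking
        NeedsReview = $needsReview
    }
}

# Constructed sample rows (placeholder control IDs, not real AzSK output).
$sample = @'
ControlID,ControlSeverity,Status,ResourceName
Example_Control_A,High,Failed,storage-prod-01
Example_Control_B,Medium,Failed,webapp-prod-01
Example_Control_C,Critical,Failed,keyvault-prod-01
Example_Control_D,High,Verify,webapp-prod-01
Example_Control_E,High,Passed,storage-prod-01
'@ | ConvertFrom-Csv

# Example_Control_C is treated as a reviewed exception for this application.
$result = Test-AzSKReportGate -Rows $sample -AcceptedControlIds 'Example_Control_C'

$result.Blocking    | Format-Table ControlID, ControlSeverity, ResourceName
$result.NeedsReview | Format-Table ControlID, ControlSeverity, ResourceName

if (-not $result.Pass) {
    Write-Error "Blocking control failures: $($result.Blocking.Count)"
    exit 1   # non-zero exit code fails the pipeline step
}
```

In a real pipeline the rows would come from `Import-Csv` on the report produced by the scan step instead of the embedded sample.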
21. CONTINUOUS ASSURANCE
• Run AzSK tests periodically using Azure Automation
• Write to Log Analytics
• Query with Kusto Query Language
• Integrate with your existing systems, such as your SIEM
22. SETTING UP CONTINUOUS ASSURANCE
#### Load the AzSK module; $subscriptionId, $omsRGName, $omsWSId, $omskey and $azSkViewName must be set beforehand ####
Import-Module AzSK
#### Deploy the AzSK view in the OMS workspace ####
Install-AzSKOMSSolution -OMSSubscriptionId $subscriptionId `
    -OMSResourceGroup $omsRGName `
    -OMSWorkspaceId $omsWSId `
    -ViewName $azSkViewName
#### Set up AzSK to send scan data to OMS ####
Set-AzSKOMSSettings -OMSWorkspaceID $omsWSId -OMSSharedKey $omskey
#### Run AzSK scripts per usual ####
Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId
#### Run AzSK SVT scan ####
Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId
25. ADVANCED FEATURES
• Generate PDF Report
• Generate AutoFix Script
• AzSK ARM Templates
• Customizing the security policies for your organization
26. DISCUSSION
• AzSK is not your magic bullet to tick the security box
o AzSK mostly covers “administrative access” in traditional threat models,
some “application access” as well
o You still have to worry about users, external threats and more
o Threat modeling and Defense in Depth approach are your friends!
• Carefully analyze the results in the scope of your application – are the
recommended controls right for your app?
27. RESOURCES
• Try out the Secure DevOps Kit for Azure!
• Installation guide, docs: https://github.com/azsk/DevOpsKit-docs
• Controls coverage: http://aka.ms/AzSKosstcp
• IT Showcase: http://aka.ms/AzSK/itshowcase
• Support: AzSKsupext@microsoft.com
28. Azure Saturday 2018
We appreciate your feedback!
SLIDESHARE.NET/KARLOTS