Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Download as PPTX, PDF0 likes391 views
In any cloud transformation journey, you must ensure that the security is automated and baked into all aspects of engineering. Learn how to use the new Secure DevOps Kit for Azure to tighten up the security of your Azure Resources and how to automate it as part of your DevOps Pipelines.
Ad
More Related Content
What's hot (20)
Similar to Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure (20)
Ad
More from Kasun Kodagoda (15)
Ad
Recently uploaded (20)
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
- 1. Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure Kasun Kodagoda Technical Lead | 99X Technology https://kasunkodagoda.com
- 2. Agenda • Why Care About Cloud Security? • Security in the Cloud • Security In Azure • Secure DevOps Kit for Azure (AzSK) • History of AzSK • AzSK Focus Areas • AzSK Features • AzSK in Action
- 3. I am, Kasun Kodagoda • In ♥ with Azure & Azure DevOps • Active Blogger – https://kasunkodagoda.com • Open Source Contributor - https://github.com/kasunkv • Technical Lead I Work For, • Established in 2004 • Headquartered in Sri Lanka with offices in Europe and Australia • Providing high quality, high value Software Product Engineering + R&D services
- 4. Why Care About Cloud Security? • Growing reliance on the cloud for businesses • Ensuring the security of the data and business critical systems • Software running on the cloud are the interface for the business • Regulatory and Compliance needs of the businesses • Protecting the privacy of the customers is a major concern
- 5. Security in the Cloud • “Security of the Cloud. Security in the Cloud” • Responsibility of the organization • Can not entirely relay on the cloud platform • It’s not only the application you need to worry about • Infrastructure, Configuration mismanagement • You can be a victim or an unwilling collaborator
- 6. Security In Azure • As a cloud platform, provides a lot of capabilities • Ensures Security of the Cloud • Helps with Security in the cloud as well • Number of Services at your disposal • Azure Security Center • Azure Bastion • Azure DDoS Protection • Azure Key Vault • Web Application Firewall • Encryption
- 7. Secure DevOps Kit for Azure (AzSK) • A collection of scripts, tools, extensions and automation • Caters end-to-end Azure Subscription & Resource security • Built to cater automation • Seamless integration into DevOps workflows and Pipelines • Focus on 6 Areas
- 8. History of AzSK • Created by Core Services Engineering & Operations division at Microsoft • Used to help the Azure adaptation inside Microsoft • Shares best practices used by Microsoft in their cloud adoption with the community • Not an official Microsoft Product
- 9. AzSK Focus Areas • Securing the Subscription • Secure Development • Security Integration into CI/CD • Continuous Assurance • Alerting and Monitoring • Cloud Risk Governance
- 10. AzSK Features • Subscription Health Checks • Subscription Provisioning • Alerts Configuration • ARM Policy Configuration • Azure Security Center Configuration • IAM Hygiene Securing the Subscription
- 11. AzSK Features • Security Verification Tests (SVTs) • Security IntelliSense • AzSK Visual Studio Extension Secure Development • AzSK Azure DevOps Extension • ARM Template Checker • Security Verification Tests (SVTs) Security Integration into CI/CD
- 12. AzSK Features • Configure Azure Automation Runbooks for Security Scanning Continuous Assurance • AzSK Monitoring Solution with Log Analytics • Security Dashboards with overview on states/actions • Generate Alerts with Log Analytics queries Alerting and Monitoring
- 13. AzSK Features • Control/Usage telemetry through insights Cloud Risk Governance
- 14. Let’s See it in Action
- 15. Installing AzSK • Available to download from PowerShell Gallery • Prerequisites • PowerShell 5.0 or Higher • Windows OS # Install AzSK Install-Module AzSK -Scope CurrentUser -AllowClobber -Force
- 16. Running Analysis on the Subscription • Checks and warns about • Security Issues • Security Misconfigurations • Obsolete settings/configurations in the subscription • Add-on to Azure Security Center, Azure IAM etc. # Analyze Azure Subscription Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId
- 17. Running Analysis on Azure Resources • Executes Security Verification Tests (SVTs) • Covers all main Azure resource types • Azure App Services, Key Vault, SQL DB, Storage etc. • Checks for best practices and security configuration for each resource type # Analyze Resource Group Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId ` -ResourceGroupNames $rgName
- 18. Making Sense of the Output • Output folder will automatically open • C:Users<User_Name>AppDataLocalMicrosoftAzSKLogs • Security Control evaluation details and state in CSV • Detailed information available in the LOG file • For Failed/Verify security controls • Use the Log file to see what exactly made the control fail • You may also find • Automatically generated fix scripts if you asked for it • Detailed PDF report • And other support files
- 19. Sending Security Events to Log Analytics • Create a Log Analytics Workspace for security events • Register Log Analytics Workspace locally to send security events • Your local commands will automatically send security events to Azure # Set Log Analytics Workspace Settings Locally Set-AzSKMonitoringSettings -LAWSId $LAWSId -LAWSSharedKey $LAWSKey
- 20. Setting Up Monitoring Dashboard • Deployed onto the Log Analytics Workspace • Get an overview of overall security status • Drill into different areas using built-in and custom queries • Individual Resource Security state • Resource Group security state • AKS Cluster security (Preview) etc. # Install Monitoring Dashboard on Log Analytics Install-AzSKMonitoringSolution -LAWSSubscriptionId $subscriptionId ` -LAWSResourceGroup $LAWSRg ` -LAWSId $LAWSId ` -ViewName "AzSK Monitoring Dashboard"
- 21. Setting Up Continuous Assurance • Sets the ability to check the “security drift” • Compare with a secure “snapshot” of the system • Treat security as a state rather than point in time • Detect when more security options available for resources # Install and Configure Azure Automation Runbook Install-AzSKContinuousAssurance -SubscriptionId $subscriptionId ` -AutomationAccountName $automationAccountName ` -AutomationAccountRGName $automationAccountRg ` -AutomationAccountLocation $automationAccountLocation ` -ResourceGroupNames "*" ` -LAWSId $LAWSId ` -LAWSSharedKey $LAWSKey
- 22. Security in the DevOps Pipeline • Available for Azure DevOps and Jenkins • Run • ARM Template Checker on your builds • Security Verification Tests (SVTs) on your releases • Install Azure DevOps extension from Marketplace • For Jenkins manually upload the plug-in
- 23. Thank You :) Any Questions? ;)
- 24. Sample Code https://github.com/kasunkv/secure-devops-kit-for-azure-demo-application Documentation https://azsk.azurewebsites.net/README.html Slide Deck https://www.slideshare.net/KasunKodagoda1 Blog Posts https://kasunkodagoda.com/tag/azsk/ Connect With Me Twitter: https://twitter.com/kasun_kodagoda Facebook: https://www.facebook.com/kasun.kodagoda LinkedIn: https://www.linkedin.com/in/kasunkodagoda/ Blog: https://kasunkodagoda.com/ http://bit.ly/365SjyU
Editor's Notes
- #6: One of our ADFS servers used for testing the application got exploited with LDAP Amplified Reflection attack