Integrate Infrastructure Security with Azure Devops

Nayeem Patel
Published in Globant
Apr 22, 2021

In the modern world, companies are moving their services to the cloud, where flexibility and speed make it attractive for organizations looking to gain a strong competitive edge. But working in the cloud also gives rise to a range of security concerns because of the shared responsibility model. For all cloud deployment types, you remain the owner of your data and identities, and you are responsible for their security regardless of the deployment type. The following responsibilities are always retained by you:

  • Data
  • Endpoints
  • Account
  • Access Management

The following points are covered in this article:

  1. Importance of cloud infrastructure security for an organization.
  2. Secure DevOps kit for Azure (AzSK).
  3. AzSK configuration in the Azure DevOps pipeline.
    3.1 Enable the AzSK extension for your Azure DevOps.
    3.2 Adding AzSK in the release pipeline.
    3.3 Advantages.
    3.4 Disadvantages.
  4. Conclusion.
  5. References.

1. Importance of cloud infrastructure security for an organization

While adopting cloud technology, it’s vital to visualize the protection of cloud infrastructure as a crucial responsibility. There are lots of organizations out there that are still not sure about the security of their data present in the cloud environment.

In 2019, Capital One [1] suffered a massive data breach that compromised a data set of over 100 million credit card applications, including social security and bank account numbers. 30 GB of credit application data was stored on a cloud storage service.

The above example of an infamous data breach shows that cloud storage services require consistent security management. When we talk about the security of cloud infrastructure, many enterprises wrongly assume that their data is well protected, secure and not visible to cyber criminals. Unfortunately, the truth is that these criminals are experts at scraping up exposed data by searching for vulnerable databases.

More than 4.1 billion records got exposed in 2019

78% of records got discovered because of misconfigurations

Source: IBM, Risk Based Security

Misconfigured protocols and safeguards are the number one source of data breaches today. The global intelligence firm IDC conducted a survey of 300 senior IT decision makers on behalf of Ermetic, confirming findings by Bitdefender researchers about the IT misconfigurations most leveraged by cybercriminals today.

According to the CISOs who took part in the survey, security misconfiguration is the biggest security threat in cloud environments, as cited by 67% of respondents.

62% of security professionals consider misconfigurations to be the biggest security threat.

Source: 2018 Cloud Security Report, Cybersecurity Insiders

Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. Security and risk management leaders should invest in cloud security posture management processes and tools to proactively and reactively identify and remediate these risks.

-Gartner, Innovation Insight for Cloud Security Posture Management, 25 January 2019

2. Secure DevOps kit for Azure (AzSK)

Cloud infrastructure and services are built securely by the cloud service providers, but it is the customer’s responsibility to configure them securely. Cloud infrastructure and services also change continuously, so point-in-time security and compliance assessments no longer show the real picture.

AzSK is a free and open source toolkit that collects the actual configurations from the cloud service provider, compares them against cloud security best practices, identifies misconfigurations, analyses the risks and recommends fixes. AzSK helps carry out secure DevOps with these six focus areas:

  • Secure the subscription.
  • Enable Secure development.
  • Integrate security into CICD.
  • Continuous assurance.
  • Alerting and Monitoring.
  • Cloud Risk Governance.

3. AzSK configuration in Azure DevOps pipeline

3.1 Enable AzSK extension for your Azure DevOps

This extension has been published to the Azure DevOps gallery under the “Build and Release” category, and you can install it directly from the Marketplace.

3.2 Adding AzSK in the release pipeline

Step-1: Create a release definition or open an existing one.

Step-2:

2.1. Add the AzSK Security Verification Tests (SVT) release task to the pipeline. Click on “Add Tasks” and select “AzSK Security Verification Test”.

2.2. Click on “Add” and “Close”.

Step-3: Specify the input parameters for the AzSK_SVT task.

These are the same options you would specify when running AzSK manually.

  1. In the Select parameter set, you can see two options: ResourceGroupName and TagNameValuePair.
    a. If you select ResourceGroupName, provide the resource group name in the text box below it.
    b. If you select TagNameValuePair, you will see two empty text boxes, one for Tag Name and another for Tag Value.
  2. Enter the Subscription Id.

Step-4: (Optional) Configure Log Analytics into CICD.

To enable the Log Analytics workspace, you need to add two variables to the respective release pipeline:

  1. LAWSId -> Log Analytics workspace id.
  2. LAWSSharedKey -> Log Analytics workspace key.

Note: Ensure that the variable names used are exactly as above and the values correspond to your Log Analytics workspace. Since LAWSSharedKey is a credential, mark it as a secret variable in the pipeline so that it is masked in the release logs.

Step-5: Start the release pipeline.

Step-5.1: Verify that the release pipeline has started. Once the release is triggered, you will see that it is in progress by clicking on “Releases”.

Step-5.2: View the release output. Once the release pipeline is complete, you can see the output as shown below (in the picture below the release pipeline has failed).

Step-5.3: Look at the “Issues” to identify why the release failed. Click on the Logs button; the summary outcome shows the cause of the failure.

Step-5.4: Look at the complete outcome log of the AzSK portion of the release pipeline execution.

Step-6: See the summary “Excel” and detailed “LOG” output files for the AzSK SVTs.

Open/extract the “AzSK_Logs” ZIP file; you will see all the logs for the respective resource group. When you open the securityReport.csv file, pay particular attention to the Failed and Verify results. In this report you can see the severity of each failure (High-Impact, Medium). The CSV also contains a Recommendation column listing the steps you should take to remedy each issue.

Note: AzSK does not automatically remediate any issue. The tool provides the remediation steps; it is the user’s responsibility to follow them and fix the issue.
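As an added example (not part of the original article or of AzSK itself), the following Python script turns the securityReport.csv described above into a release gate: Failed controls at or above a chosen severity block the release, while Verify results are surfaced as warnings for manual review. The column names and the sample rows are constructed assumptions, so adjust them to match the actual report produced by the task.

```python
import csv
import io

# Constructed sample report. The column names are an assumption of what an
# AzSK SecurityReport.csv contains; adjust them to match the real output.
SAMPLE_REPORT = """\
ControlID,Status,FeatureName,ResourceGroupName,ResourceName,ControlSeverity,Recommendation
Azure_Storage_AuthN_Dont_Allow_Anonymous,Failed,Storage,rg-app,stappdata,High,Disable anonymous access on blob containers
Azure_Storage_DP_Encrypt_In_Transit,Passed,Storage,rg-app,stappdata,High,
Azure_KeyVault_AuthZ_Grant_Min_RBAC_Access,Verify,KeyVault,rg-app,kv-app,Medium,Review access policies and grant least privilege
Azure_AppService_DP_Use_CNAME_With_SSL,Failed,AppService,rg-app,app-web,Medium,Bind a certificate to custom domains
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

def load_findings(report_text):
    """Return only the rows that need human attention (Failed or Verify)."""
    rows = csv.DictReader(io.StringIO(report_text))
    return [r for r in rows if r["Status"] in ("Failed", "Verify")]

def evaluate_gate(report_text, fail_at="High"):
    """Failed controls at or above `fail_at` severity block the release.
    Verify results only warn: AzSK cannot decide them, and remediation is
    always manual, so a human has to review them before the next release."""
    threshold = SEVERITY_RANK[fail_at]
    blocking, warnings = [], []
    for row in load_findings(report_text):
        rank = SEVERITY_RANK.get(row["ControlSeverity"], 0)
        if row["Status"] == "Failed" and rank >= threshold:
            blocking.append(row)
        else:
            warnings.append(row)
    return {"block": bool(blocking), "blocking": blocking, "warnings": warnings}

def format_finding(row):
    """One log line per finding, carrying the recommendation from the CSV."""
    return (f"[{row['ControlSeverity']}] {row['Status']} {row['ControlID']} "
            f"on {row['ResourceGroupName']}/{row['ResourceName']}: "
            f"{row['Recommendation'] or 'see detailed log'}")

if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_REPORT)
    for row in result["blocking"]:
        print("BLOCK " + format_finding(row))
    for row in result["warnings"]:
        print("WARN  " + format_finding(row))
    # Non-zero exit fails the pipeline step that runs this script.
    raise SystemExit(1 if result["block"] else 0)
```

In a pipeline, replace SAMPLE_REPORT with the contents of securityReport.csv extracted from the AzSK_Logs ZIP.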

3.3 Advantages

  1. Helps to maintain Security Posture in Azure.
  2. Helps to find security loopholes in the infrastructure.

3.4 Disadvantages

  1. Multi cloud support is not available.

4. Conclusion

This article explains the importance of cloud infrastructure security and how to use AzSK for Azure, which is easy to integrate with Azure DevOps. To overcome the loopholes present in cloud infrastructure, it is extremely important to keep the security of cloud services a high priority. Use the best cloud security tools to get better results and keep your data secure.

5. References
