Azure Secure DevOps Kit Framework: Cloud Security Scanning at Scale & Continuous Assurance
Slide transcript, dotnetdays.cz
Jiri Pihik, Cloud Architect, Vice President, Group Operations, Swiss Re
Agenda
• What is AzSK
• Demo
• Our architecture and implementation
Azure Secure DevOps Kit Framework = AzSK
Levels of Cloud Security Maturity
• Recommendation: scan and suggest improvements
• Prevention: locks, deny policy
• Automated remediation: automate the fix
• Bounty: introduce systems that test the security
Azure Policy, example: prevent adding the Owner role
Azure Policy: policy in effect
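The "prevent adding Owner role" policy from the slide, written out as an added example (not code from the talk): a PowerShell deployment of an Azure Policy definition with a deny effect. The policy names, the alias used in the rule, and the subscription scope are assumptions; the Owner role GUID is the built-in value and should be verified in the target tenant.

```powershell
# Added example, not from the talk: deny any new role assignment that grants
# the built-in Owner role. Assumes Az.Resources is installed and
# Connect-AzAccount has already selected the target subscription.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"   # assumed scope: whole subscription

# Built-in Owner role definition GUID; confirm with (Get-AzRoleDefinition -Name Owner).Id
$ownerRoleId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

# Policy rule: match role assignment writes whose roleDefinitionId ends with the
# Owner GUID and deny them. The alias name can be checked with
# Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Authorization'.
$policyRule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Authorization/roleAssignments" },
      { "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
        "like": "*/providers/Microsoft.Authorization/roleDefinitions/$ownerRoleId" }
    ]
  },
  "then": { "effect": "deny" }
}
"@

# Mode "All" is required because role assignments are not resource-group resources.
$definition = New-AzPolicyDefinition -Name 'deny-owner-role-assignment' `
    -DisplayName 'Deny assignment of the Owner role' `
    -Description 'Blocks new role assignments that grant the built-in Owner role.' `
    -Mode All -Policy $policyRule

# Assign it; from this point ARM rejects matching role assignment requests.
New-AzPolicyAssignment -Name 'deny-owner-role-assignment' `
    -DisplayName 'Deny assignment of the Owner role' `
    -PolicyDefinition $definition -Scope $scope
```

Deny is evaluated on each ARM write, so existing Owner assignments are not removed, only new ones are blocked; test the assignment on a non-production scope first.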
AzSK vs Azure Policy: what's the difference?

Aspect              AzSK                          Azure Policy
Audit               Yes                           Yes
Prevention          No                            Yes
Local instance      PowerShell module             N/A
Enforcement         No                            Yes
Remediation         No                            Yes
Integration         Centrally via App Insights    Difficult at scale
Controls / checks   400+                          50
Security Verification Tests (SVTs)
• Subscription Security (Policy, ASC Config, Alerts, RBAC, etc.)
• CI / CD Build / Release Extensions
• Continuous Assurance
• Cloud Risk Governance
• Log Analytics & Alerting for Monitoring
Is my storage account HTTPS only?
Is my storage encrypted at rest?
Does my storage account allow Anonymous access?
Is my DB encrypted at rest?
Do I allow access to my Azure subscription to an outsider?
CIS
ISO
FINMA
CSF
PCI DSS
Security Verification Tests (SVT): help application teams follow security best practices and help Swiss Re maintain a compliant Azure tenant.
Security Verification Tests = Policy Definitions
Minimum Mandatory Requirements (MMR), defined by CyberSecurity Engineering and Domain Experts
Security Control Mapping: Policy Definitions (SVTs)
CIS Security Control → Technical control (check, implement)
Implemented through AzSK, Azure Policy, or another rules engine
Demo
Continuous Assurance & AzSK Engine
AzSK Subscription:
• Timer: Function App (free plan, App Insights, Storage Account)
• Scanner: Container Fleet; Base / Container Registry
• Storage Queue, Log Analytics
• OrgPolicy: Storage Account, App Insights, KeyVault
• Dashboard: Log Analytics Workspace
• Auth: Managed Identity
• REST API: Function App (free plan, App Insights, Storage Account)
Azure SecDevOps Kit: Integration & Continuous Assurance
Summary
AzSK
• Helps to maintain the security posture in Azure
• Enables transparency into Azure security status at scale
• Can be integrated in various ways thanks to PowerShell / CSV output
• Allows finding security gaps early in the application lifecycle
• Enables both local and global assessments
• Suggested as complementary to Azure Policy
• Beneficial in audits
Azure SecDevOps Kit: learning resources
• Azure SecDevOps Kit (AzSK) documentation: https://azsk.azurewebsites.net/index.html
• Azure SecDevOps Kit GitHub: https://github.com/azsk/DevOpsKit
• How Microsoft's internal enterprise increases compliance and creates a trusted cloud environment using AzSK: https://azure.microsoft.com/en-us/resources/videos/azure-friday-getting-started-with-the-secure-devops-kit-for-azure-azsk/
• CIS Microsoft Azure Foundations Benchmark blueprint sample: https://docs.microsoft.com/en-us/azure/governance/blueprints/samples/cis-azure-1.1.0/control-mapping
• CIS Microsoft Azure Foundations: https://azure.microsoft.com/mediahandler/files/resourcefiles/cis-microsoft-azure-foundations-security-benchmark/CIS_Microsoft_Azure_Foundations_Benchmark_v1.0.0.pdf