Security Front and Center With
The Azure Secure DevOps Kit
OPINION
ProArch

Cloud providers make it extremely easy to provision PaaS services. One of their goals is to maximise ease of use, ensuring adoption and a low barrier to entry for consumers. Whilst PaaS services come with a basic level of security by default, they are not as secure as they could be. ProArch's product team has recently adopted Microsoft's Secure DevOps Kit for Azure (AzSK). Based on this kit we have implemented three new practices to improve security throughout our life cycle at the following stages:

1. Development
2. CI/CD
3. Continuous Assurance

Development phase

Improve security during development by leveraging the Security IntelliSense extension, which augments the standard Visual Studio IntelliSense feature with additional secure coding analysis. The extension provides inline assistance for fixing potential security issues while authoring code. Code that is vulnerable or non-compliant with policy is flagged with red or green squiggles according to the severity of the finding.

Installing and using the extension is straightforward: in Visual Studio, go to Extensions -> Manage Extensions, select Online -> Visual Studio Marketplace, search for Security IntelliSense and install it.

Potential vulnerabilities are then automatically flagged up during development, for example:

[Screenshot: development phase, Security IntelliSense flagging a potential vulnerability inline]

You can find full details in the Microsoft documentation for the extension.

CI/CD Process

The AzSK extension for Azure DevOps contains Security Verification Tests (SVTs) for multiple Azure PaaS and IaaS services. Whilst SVTs can be run manually, it is better practice to embed them into your build and release pipelines so that every deployment is checked the same way.

After every release we now run the SVTs against all the services contained in the relevant Azure resource groups.

[Screenshot: CI/CD process, SVT step in the release pipeline]

Outcomes of the SVTs are routed to a Log Analytics workspace configured to receive various events generated by the AzSK.

[Screenshot: CI/CD process, SVT outcomes in the Log Analytics workspace]

Further details can be found in the Microsoft documentation for the AzSK extension.

Continuous Assurance

Continuous Assurance (CA) allows us to check for “drift” from what is considered a secure snapshot of a system. Support for Continuous Assurance lets us treat security truly as a ‘state’ as opposed to a ‘point in time’ achievement. This is particularly important in today’s context when ‘continuous change’ has become a norm.

These scans are scheduled to run every 24 hours and the outcomes are routed to the same Log Analytics workspace as the pipeline SVT results.
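Both the pipeline SVTs and the daily Continuous Assurance scans produce the same kind of per-control result rows, and the useful questions are the same for both: should this release be blocked, and what changed since the last clean scan? The following Python script is an added example (not ProArch's code and not part of the AzSK toolkit) showing a release gate and a drift check over two constructed scan snapshots. The row field names (ControlId, ResourceName, ControlStatus, ControlSeverity) and the control ids are assumptions modelled loosely on what AzSK reports; map them to the columns of your own Log Analytics export before use.

```python
"""Release gate and drift check over AzSK-style control results.

Added example, not ProArch's or the AzSK toolkit's own code. Each row mirrors
the per-control fields AzSK reports (control id, resource, status, severity);
the field names and control ids below are assumptions/constructed, adapt them
to your own export from the Log Analytics workspace.
"""
from collections import Counter

BLOCKING_SEVERITIES = ("Critical", "High")

# Constructed sample: last night's Continuous Assurance snapshot (the baseline).
# Statuses use AzSK's vocabulary: Passed, Failed, Verify, Manual.
BASELINE_SCAN = [
    {"ControlId": "KV_DiagnosticLogs",    "ResourceName": "kv-prod",  "ControlStatus": "Failed", "ControlSeverity": "Medium"},
    {"ControlId": "KV_SoftDelete",        "ResourceName": "kv-prod",  "ControlStatus": "Passed", "ControlSeverity": "High"},
    {"ControlId": "AppService_HttpsOnly", "ResourceName": "web-prod", "ControlStatus": "Passed", "ControlSeverity": "High"},
    {"ControlId": "Storage_AuditLogging", "ResourceName": "dlsprod",  "ControlStatus": "Failed", "ControlSeverity": "Medium"},
]

# Constructed sample: the SVT run after today's release. The two Medium findings
# were remediated, but HttpsOnly regressed on web-prod and a new staging app
# was deployed without it.
LATEST_SCAN = [
    {"ControlId": "KV_DiagnosticLogs",    "ResourceName": "kv-prod",     "ControlStatus": "Passed", "ControlSeverity": "Medium"},
    {"ControlId": "KV_SoftDelete",        "ResourceName": "kv-prod",     "ControlStatus": "Passed", "ControlSeverity": "High"},
    {"ControlId": "AppService_HttpsOnly", "ResourceName": "web-prod",    "ControlStatus": "Failed", "ControlSeverity": "High"},
    {"ControlId": "Storage_AuditLogging", "ResourceName": "dlsprod",     "ControlStatus": "Passed", "ControlSeverity": "Medium"},
    {"ControlId": "AppService_HttpsOnly", "ResourceName": "web-staging", "ControlStatus": "Failed", "ControlSeverity": "High"},
]


def _key(row):
    """A finding is identified by (control, resource), not by row order."""
    return (row["ControlId"], row["ResourceName"])


def failed_controls(rows):
    return [r for r in rows if r["ControlStatus"] == "Failed"]


def gate(rows, fail_on=BLOCKING_SEVERITIES):
    """Release gate: returns (passed, blocking_rows).

    Fails on any Failed control whose severity is in fail_on. 'Verify' and
    'Manual' results never block; they show up in summarize() for follow-up.
    """
    blocking = [r for r in failed_controls(rows) if r["ControlSeverity"] in fail_on]
    return len(blocking) == 0, blocking


def drift(baseline, latest):
    """Compare two snapshots and report what changed, keyed by (control, resource)."""
    base = {_key(r): r["ControlStatus"] for r in baseline}
    now = {_key(r): r["ControlStatus"] for r in latest}
    return {
        # was Passed, now Failed: configuration changed after the last clean scan
        "regressions": sorted(k for k in now if base.get(k) == "Passed" and now[k] == "Failed"),
        "fixed": sorted(k for k in now if base.get(k) == "Failed" and now[k] == "Passed"),
        # resource absent from the baseline: a new deployment missing the control
        "new_failures": sorted(k for k in now if k not in base and now[k] == "Failed"),
        # in the baseline but no longer scanned: resource deleted or dropped from scope
        "disappeared": sorted(k for k in base if k not in now),
    }


def summarize(rows):
    """Counts by (severity, status): the numbers that go on the dashboard."""
    return Counter((r["ControlSeverity"], r["ControlStatus"]) for r in rows)


if __name__ == "__main__":
    ok, blocking = gate(LATEST_SCAN)
    print("release gate:", "PASS" if ok else "FAIL")
    for r in blocking:
        print(f"  blocking: {r['ControlId']} on {r['ResourceName']} ({r['ControlSeverity']})")
    for kind, keys in drift(BASELINE_SCAN, LATEST_SCAN).items():
        print(f"{kind}: {keys}")
    print(dict(summarize(LATEST_SCAN)))
```

Run as a pipeline step, a non-zero exit on a failed gate is what turns the SVT output from a report into a control; the drift report is what the daily Continuous Assurance scan should raise an alert on, since a regression means something changed outside the release pipeline.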

[Screenshot: Continuous Assurance scan results]

Installation Steps

1. Open the PowerShell ISE (or any PowerShell session with the AzSK module installed) and log in to your Azure account using Connect-AzAccount.
2. Run the Install-AzSKContinuousAssurance command with the parameters shown below (square brackets mark optional parameters). Keep the backtick continuation lines consecutive; a blank line after a backtick ends the command early. The Log Analytics shared key is a secret, so read it from Key Vault or a pipeline variable rather than pasting it into a script.

Install-AzSKContinuousAssurance -SubscriptionId <SubscriptionId> `
    [-AutomationAccountLocation <AutomationAccountLocation>] `
    [-AutomationAccountRGName <AutomationAccountRGName>] `
    [-AutomationAccountName <AutomationAccountName>] `
    -ResourceGroupNames <ResourceGroupNames> `
    -LAWSId <WorkspaceId> `
    -LAWSSharedKey <SharedKey> `
    [-AltLAWSId <AltWorkspaceId>] `
    [-AltLAWSSharedKey <AltSharedKey>] `
    [-WebhookUrl <WebhookUrl>] `
    [-WebhookAuthZHeaderName <WebhookAuthZHeaderName>] `
    [-WebhookAuthZHeaderValue <WebhookAuthZHeaderValue>] `
    [-ScanIntervalInHours <ScanIntervalInHours>] `
    [-AzureADAppName <AzureADAppName>]

Continuous Assurance results (BEFORE)

After configuring Continuous Assurance, we ended up with a dashboard of identified issues. This was slightly surprising, since we had put much effort into securing our architecture; however, we were not too far off the mark. We set about remediating the identified issues.

[Screenshot: Continuous Assurance results before remediation]

Continuous Assurance results (AFTER)

Your mileage may vary according to your resources and configuration, but we needed to perform the following remediations. We built them into the ARM templates that are deployed through our release pipelines, so the fixes are reapplied on every deployment rather than patched by hand. We use the Azure CLI, but similar functionality is available in PowerShell.

Enable Diagnostic Logging for KeyVaults

# A diagnostic setting needs at least one destination (--workspace, --storage-account
# or --event-hub); here it is the Log Analytics workspace already used for AzSK output
# ($logAnalyticsWorkspaceId holds the workspace resource ID; the variable name is ours).
# retentionPolicy is honoured only for storage-account destinations; for a workspace,
# retention is configured on the workspace itself.
az monitor diagnostic-settings create \
   --name $diagnosticSettingName \
   --resource $keyVaultResourceId \
   --workspace $logAnalyticsWorkspaceId \
   --logs    '[{"category": "AuditEvent","enabled": true,"retentionPolicy":{"enabled": true,"days": 365}}]' \
   --metrics '[{"category": "AllMetrics","enabled": true,"retentionPolicy":{"enabled": true,"days": 365}}]'

Enable HttpsOnly for Web Apps

az webapp update --name $webAppName --resource-group $resourceGroupName --https-only true

HttpsOnly redirects plain HTTP requests to HTTPS; it does not raise the site's minimum TLS version, which is a separate site configuration setting and a separate AzSK control.

Data Lakes must be configured to log and monitor authentication request data

# Storage Analytics logging covers the blob (b), table (t) and queue (q) services;
# the file service has no request logging, so it appears only in the metrics call.
# --log rwd records read, write and delete requests, successful or not.
az storage logging update --log rwd --retention 365 --services btq --connection-string $datalakeStorageConnectionString

az storage metrics update --api true --hour true --minute false --retention 365 --services bftq --connection-string $datalakeStorageConnectionString

All done, we now have a clean bill of health!


Written by
Sr. Azure Architect, Rohan Kulkarni
