Securing Cloud Apps with the Secure DevOps Kit for Azure

Viplove

January 8, 2018

Wit DevOps becoming the way forward, more and more applications are being developed using DevOps methodologies. Along with the DevOps wave, is riding the cloud wave across platforms. When selling cloud-based applications to customers, one of the biggest question that is posed at service providers is – security. It becomes a little more complicated when the cloud-based applications are developed using DevOps methodologies. Read on to find about the challenges and the new toolkit from Microsoft to take care of them.

Security Challenges

DevOps has resulted in an evolved IT ecosystem which has:

1. Quicker and more frequent deployments
2. More complex development environments
3. Constantly changing applications
4. Developers responsible for operational responsibilities

The traditional security methods, that have done well for us all these years, cannot scale enough to adapt to the new world of automation. If a security check is missed in a DevOps lifecycle, within no time it can potentially bomb in the Production environment. The modern application development, especially on the cloud, demands much more proactive security systems in place.

Secure DevOps Toolkit for Azure

In the summer of 2017, Microsoft released Secure DevOps Toolkit for Azure, a set of tools that are specifically targeted to Azure-based applications that are build using DevOps methodologies. It essentially secures every stage of the DevOps lifecycle keeping Azure in mind:

1. Subscription Security – scripts and programs that ensure secure provisioning, configuration and administration of an Azure subscription, e.g. Health Check Script, Provisioning Script
2. Secure Development – components that integrate security into the day-to-day development process, e.g. Security Verification Tests (SVTs), Security IntelliSense
3. Security in CI/CD – build/release tasks for SVTs in CI/CD pipeline (needs VSTS extension)
4. Continuous Assurance – prevents security drift in the wrong direction but helps stay current with security improvements, using Azure Automation runbooks, ARM templates, and PowerShell scripts
5. Alerting and Monitoring – monitors the security state and the trends as reported by the components of the kit using Operations Management Suite (OMS)
6. Security Telemetry – tracks all telemetry, aggregates, and presents via Application Insights and Power BI Dashboards

Benefits

Microsoft themselves have used the toolkit extensively in their organization with most of their Azure subscriptions using it. Some of the benefits that they realized are as follows:

1. Reduction in development time and costs
2. Higher awareness of security in development teams, earlier in development than later
3. Easier transition to DevOps thanks to the security assurance
4. Simple process for checking existing solutions, not just for current applications
5. Easier assurance checks and problem resolution, just check the dashboards or run the scripts!

The kit is for you, if you are:

1. Moving your applications to or have already moved to Azure
2. Following agile development methodologies
3. Looking at automating your development processes
4. Building highly-secure applications for large clients
5. Aiming to reduce costs incurred in ensuring security

We recently delivered a webinar titled “Building Modern Apps using the Secure DevOps Kit for Azure”, where we spoke about the tools and best practices for building security into every stage of enterprise cloud application development and operations. Watch the on-demand webinar for more insights.

WinWire Technologies – a global IT solutions company is working with several enterprises on security, DevOps and governance. We can help you get the kit deployed to build a cloud governance model that leverages the Secure DevOps kit for Azure. Please reach us to learn how we can help you with Secure DevOps kit for Azure.