DevSecOps in the Azure Cloud
Many organizations are transitioning to a DevSecOps model, with closer collaboration between developers, security and operations teams from the onset of application development. There is a close connection between DevSecOps and the cloud — organizations operating in cloud computing environments have much greater flexibility, which allows them to implement security practices more easily and at a larger scale.
Learn Cloud Security
What is DevSecOps?
DevSecOps is a methodology that merges development (Dev) with security (Sec) and operations (Ops). It aims to introduce security into all phases of the software development lifecycle, including planning, development, building, testing, release, delivery, deployment, operations and monitoring.
DevSecOps facilitates rapid and secure software development through automated continuous integration (CI) and continuous delivery (CD) cycles. However, DevSecOps requires teamwork to be truly effective despite the reliance on automation tools. It requires a change in a work culture that promotes security without compromising speed and quality.
DevSecOps in Azure: Architecture and data flow
DevSecOps involves implementing security best practices through a shift-left strategy across the entire development lifecycle. The data flow below explains how this concept works in Azure’s architecture.
Image Source: Azure
Data flow in Azure:
- Azure active directory (AD) — you can configure Azure AD as the identity provider for GitHub and enable multi-factor authentication (MFA) to harden security.
- Commit to GitHub — you can use Azure Boards to plan work items and track bugs committed to GitHub.
- Automated scanning — you can integrate with GitHub Advanced Security and GitHub Open Source Security to add automatic security and dependency scanning to GitHub.
- Automated testing — you can use pull requests to trigger automated testing, and CI builds in Azure Pipelines.
- Containers deployment — Azure Pipelines uses CI builds to generate a Docker container image stored in Azure Container Registry (ACR). Azure Kubernetes Service (AKS) can use this image to release containers.
- Vulnerabilities scanner — Microsoft Defender for Cloud scans images uploaded to ACR for Azure-native vulnerabilities. It also checks it against security recommendations.
- Provisioning — Azure Pipelines employs Terraform to manage releases. It can manage cloud infrastructure as code and provision various resources, including AKS, Azure databases and Application Gateway.
- Continuous delivery (CD) — Azure Pipelines uses a secure service connection to access the Container Registry to establish a secure CD for AKS.
- Azure policy — Azure Pipelines employs this service to enforce post-deployment gateways. You can also apply it directly to the AKS engine.
- Securing secrets — Azure Key Vault securely injects secrets and credentials into the application to abstract sensitive information at runtime.
- Authentication — Azure AD B2C helps authenticate end-users. It uses MFA and can route traffic through an application gateway to protect core services.
- Continuous monitoring — Azure Monitor provides visibility into release pipelines. It ingests security logs and provides alerts on detected suspicious activity.
- Active threat monitoring — Microsoft Defender for Cloud actively monitors threats on AKS, including internals and the node level (VM threats).
DevSecOps products and services in Azure
GitHub actions
GitHub Actions enable you to automate software development workflows in GitHub using the GitOps pattern. It lets you deploy workflows as an automated process in your GitHub repository. You can use these workflows to build, test, package, release and deploy your projects on GitHub.
Each workflow includes individual actions that run after a certain event occurs, such as a pull request. An action is a packaged script that automates specific software development tasks.
Microsoft created GitHub Actions that support Azure services, such as Azure App Service, Azure Key Vault, Azure Functions, Azure Policy, Azure CLI and Azure Resource Manager templates. You can use these workflows to build, test, package, release and deploy projects on Azure.
Azure Boards
Azure Boards is a cloud service that offers interactive and customizable tools to manage software projects. The service provides various features, such as configurable dashboards, calendar views, integrated reporting, and native support for Scrum, Kanban and agile processes.
You can use Azure Boards to track default work items, such as user stories, features, epics, and bugs, or customize your own items. The service provides dashboards to create customized views, analyze trends, improve workflow processes and share information.
You can connect Azure Boards with your GitHub repositories to link GitHub commits, pull requests, and issues to work items. This integration enables you to use GitHub for software development and Azure Boards for work planning and tracking.
Azure AD
Azure Active Directory (Azure AD) is an identity and access management (IAM) cloud service. You can use it to provide employees with access to external resources, including Microsoft 365 and the Azure portal. Azure AD can also help you manage internal resources, including apps on a corporate network or cloud apps developed by your organization.
IT administrators can use Azure AD to control access to apps and resources according to specific business requirements. Application developers can use Azure AD to add single sign-on (SSO) to apps and use APIs to build personalized app experiences based on existing organizational data.
Microsoft Defender for Cloud
Defender for Cloud (previously Azure Security Center) is a security posture management and threat protection solution. It aims to strengthen the security posture of cloud resources and protect workloads running in various environments, including hybrid clouds, Azure and other cloud platforms.
Defender for Cloud offers various tools to help you harden resources, track the organization’s security posture, streamline security management and protect against cyberattacks. Defender for Cloud is natively integrated to provide simple auto-provisioning for securing resources by default.
Learn Cloud Security
Basics of DevSecOps and Azure cloud implementation
There are three Azure security offerings that can help you adopt DevSecOps:
- GitHub actions — Microsoft has developed custom GitHub actions that let you automate development processes and integrate Azure with your GitHub repositories.
- Azure boards — an agile project management solution that lets you link GitHub repositories, and commit pull requests, issues and work items. This lets you achieve the traceability that is necessary for a DevSecOps pipeline.
- Azure AD — provides strong authentication and identity management for development processes and pipelines.
- Microsoft Defender for Cloud — a security posture management solution that provides actionable recommendations for hardening cloud resources and improving security management.
I hope this will be useful as you take your first steps to a full DevSecOps process in the Azure cloud.