As more and more organisations shift their infrastructure and applications to the public cloud, one of the biggest questions that arises is how they will approach security.
Organisations that are leveraging the dynamic nature of the cloud with modern DevOps practices are also realising that traditional approaches to security are outdated.
With the advent of Infrastructure as Code, the ability to deploy infrastructure via APIs, and practices such as continuous integration and continuous delivery, security teams face the dilemma of how to manage, govern and secure cloud environments effectively.
The shared responsibility model
One of the key principles of security in the cloud is the shared responsibility model. This fundamentally means that responsibility for security does not rest solely with the provider or partner (managed service provider). Security in the cloud is a collaborative model. As you move through the service stacks from IaaS to SaaS, the shared responsibility model also shifts.
Additionally, customers always retain responsibility for their data and identities, access control and endpoints.
The cost of failure
Security breaches are a CIO/CTO's nightmare scenario. As more and more companies move workloads, data and applications to the cloud, security attacks are becoming more sophisticated.
The Accenture report "The Cost of Cybercrime 2019" notes that from 2017 to 2018 the average cost of cybercrime increased by 12%, from $11.7 million to $13 million. Over the five years up to 2018 there was a 72% increase!
As more and more teams adopt DevOps practices to build applications and infrastructure in a consistent and reliable manner, it is as crucial as ever for security teams to understand how to shift security concerns left in the development life cycle.
Shifting security left
In many organisations security is usually governed by a separate team. However, with the constant demand for new features and the spinning up of cloud environments, the traditional security audit at the end of the development cycle no longer fits a model of constant and frequent release cycles. As alluded to before, security now becomes a crucial cross-cutting concern across the whole IT team: developers, ops, testers and the CISO all play a crucial role in this new security paradigm. To be successful, security teams should shift their focus left so that a fail-fast approach to security can be adopted at the beginning of any project.
The key glue in all of this is the CI/CD process. With the advent of automation, traditional security steps can now be automated into tasks that form part of the overall process of delivering secure applications and environments. The first step for the IT security team is to collaborate with developers and operations on how the security steps will integrate into the existing CI/CD workflow. This requires a shift in thinking away from traditional waterfall approaches to security. The shift-left approach allows the security team to transition from being just an approval gate to a more cross-functional role in which they can audit and review the whole CI/CD process.
Applying DevSecOps in Azure
In this blog I will use Azure DevOps as the example. Azure DevOps is a comprehensive release management tool that allows organisations to plan, deploy and manage projects at scale in the cloud and on premises.
Compliance plays a big part in an IT security team's list of things to do. Making sure the Azure environment is correctly audited and issues are flagged is a crucial part of security governance.
The example CI/CD workflow above clearly shows how security teams can work with developers to ensure a particular web app is deployed to a valid region. This is achieved by the IT security team authoring an Azure Policy that denies deployments to regions not in the allowed list. By adding a compliance gate to the application security process, IT teams can catch compliance issues early in the development life cycle.
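A local, pre-deployment version of that compliance gate, as an added example that is not part of the original post and not Azure Policy's own engine: the rule is written in Azure Policy's definition format (assumed to mirror the built-in "Allowed locations" policy), and a small evaluator of my own, supporting only the `notIn` and `notEquals` operators that rule uses, checks the resource locations in a constructed ARM template and fails the CI stage if any resource would be denied.

```python
# Constructed policy definition in Azure Policy's rule format (assumption: it
# mirrors the built-in "Allowed locations" policy): deny any resource whose
# location is outside the allowedLocations parameter, exempting "global".
ALLOWED_LOCATIONS_POLICY = {
    "mode": "Indexed",
    "parameters": {"allowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('allowedLocations')]"},
            {"field": "location", "notEquals": "global"}]},
        "then": {"effect": "deny"}}}

# Constructed ARM template fragment: one compliant web app, one in a
# disallowed region, and one "global" resource that must not be flagged.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Web/sites", "name": "web-uk", "location": "uksouth"},
    {"type": "Microsoft.Web/sites", "name": "web-us", "location": "eastus"},
    {"type": "Microsoft.Network/trafficManagerProfiles", "name": "tm",
     "location": "global"}]}

def _resolve(value, params):
    """Resolve an ARM-style "[parameters('name')]" reference; literals pass through."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def _condition_matches(cond, resource, params):
    """Evaluate one policy condition (only the operators the policy above uses)."""
    actual = str(resource.get(cond["field"], "")).lower()   # locations compare case-insensitively
    if "notIn" in cond:
        return actual not in {v.lower() for v in _resolve(cond["notIn"], params)}
    if "notEquals" in cond:
        return actual != str(_resolve(cond["notEquals"], params)).lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate_template(template, policy, params):
    """Return names of resources the deny rule matches (every 'allOf' condition true)."""
    rule = policy["policyRule"]
    return [r["name"] for r in template["resources"]
            if all(_condition_matches(c, r, params) for c in rule["if"]["allOf"])]

def compliance_gate(template, allowed_locations):
    """CI gate: report each denied resource; return 1 (fail the stage) if any, else 0."""
    denied = evaluate_template(template, ALLOWED_LOCATIONS_POLICY,
                               {"allowedLocations": allowed_locations})
    for name in denied:
        print(f"DENY: '{name}' is outside the allowed regions {allowed_locations}")
    return 1 if denied else 0
```

The authoritative check remains Azure Policy at deployment time; a local gate like this only surfaces the same violation earlier, in CI, before a deployment is attempted.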
The same principles can then be applied to many other use cases. To name a few:
- Open source package scanning (https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt) during the CI phase
- Container image scanning (https://github.com/aquasecurity/trivy) as part of the CI stage
- Automated penetration testing with OWASP ZAP during the continuous delivery phase (https://github.com/deliveron/owasp-zap-vsts-extension)
In this blog article we looked at how IT security teams can collaborate with engineers, architects and developers by shifting their view of security left in the cloud. IT security teams can then review CI/CD workflows, creating security policies for effective auditing of environments and making sure automated security checks are integrated into the CI/CD workflow. By following this approach, teams can be confident of catching security issues early and build confidence in the product or service they are building.