Azure Secure DevOps Kit Framework: Cloud Security Scanning at Scale & Continuous Assurance (dotnetdays.cz)
Jiri Pihik, Cloud Architect, Vice President, Group Operations
Swiss Re
Agenda
• What is AzSK
• Demo
• Our architecture and implementation
Azure Secure DevOps Kit Framework = AzSK
Levels of Cloud Security Maturity
• Recommendation: scan and suggest on improvement
• Prevention: locks, deny policy
• Automated remediation: automate fix
• Bounty: introduce systems that test the security
Azure Policy example: Prevent adding Owner role
Azure Policy: Policy in effect
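The "Prevent adding Owner role" policy from the two slides above, written out as an added example (not the slide's own definition): an Azure Policy with a deny effect on role assignments that reference the built-in Owner role, created and assigned with the Az.Resources cmdlets. The subscription id is a placeholder; the policy and assignment names are assumptions.

```powershell
# Added example, not from the talk: deny new role assignments that grant the
# built-in Owner role, then assign the policy at subscription scope.
# Requires the Az.Resources module and an active Connect-AzAccount session.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ownerRoleId    = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'   # built-in Owner role definition id

# Policy rule: a roleAssignments resource whose roleDefinitionId contains the
# Owner GUID is denied. "Mode All" is needed because role assignments are not
# resource-group-indexed resources.
$policyRule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Authorization/roleAssignments" },
      { "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
        "contains": "$ownerRoleId" }
    ]
  },
  "then": { "effect": "deny" }
}
"@

$definition = New-AzPolicyDefinition `
    -Name 'deny-owner-role-assignment' `
    -DisplayName 'Prevent adding Owner role' `
    -Description 'Denies creation of role assignments for the built-in Owner role.' `
    -Mode 'All' `
    -Policy $policyRule

# Assigning at subscription scope makes the deny inherit to every resource group
New-AzPolicyAssignment `
    -Name 'deny-owner-role-assignment' `
    -PolicyDefinition $definition `
    -Scope "/subscriptions/$subscriptionId"
```

The deny applies only to new assignments; Owner assignments that already exist stay in place, which is where the audit-side RBAC checks of AzSK listed on the SVT slide come in.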
AzSK vs Azure Policy: What's the difference?

|                   | AzSK                       | Azure Policy       |
|-------------------|----------------------------|--------------------|
| Audit             | Yes                        | Yes                |
| Prevention        | No                         | Yes                |
| Local instance    | PowerShell module          | N/A                |
| Enforcement       | No                         | Yes                |
| Remediation       | No                         | Yes                |
| Integration       | Centrally via App Insights | Difficult at scale |
| Controls / checks | 400+                       | 50                 |
Security Verification Tests (SVTs)
• Subscription Security (Policy, ASC Config, Alerts, RBAC, etc.)
• CI / CD Build / Release Extensions
• Continuous Assurance
• Cloud Risk Governance
• Log Analytics & Alerting for Monitoring
Security Verification Tests (SVT): helps application teams to follow security best practices and Swiss Re to maintain a compliant Azure Tenant.
Questions an SVT answers:
• Is my storage account HTTPS only?
• Is my storage encrypted at rest?
• Does my storage account allow Anonymous access?
• Is my DB encrypted at rest?
• Do I allow access to my Azure subscription to an outsider?
Standards shown on the slide: CIS, ISO, FINMA, CSF, PCI DSS
Security Verification Tests: Policy Definitions
Minimum Mandatory Requirements (MMR), defined by CyberSecurity Engineering and Domain Experts
Security Control Mapping: Policy Definitions (SVTs)
• CIS Security Control
• Technical control: Check / Implement
• Rules engines: AzSK, Azure policy, Other Rules Engine
Demo
Continuous Assurance & AzSK Engine
AzSK Subscription (components on the architecture diagram):
• Timer: Function App (Free Plan, App Insights, Storage Account)
• Scanner: Container Fleet, Base, Container Registry, Storage Queue, Log Analytics
• OrgPolicy: Storage Account, App Insights, KeyVault
• Dashboard: Log Analytics Workspace
• Auth: Managed Identity
• Rest API: Function App (Free Plan, App Insights, Storage Account)
Azure SecDevOps Kit: Integration & Continuous Assurance
Summary
AzSK
• Helps to maintain the security posture in Azure
• Enables transparency into Azure security status at scale
• Can be integrated in various ways thanks to PowerShell / CSV
• Allows finding security gaps early in the application lifecycle
• Enables both local and global assessments
• Suggested as complementary to Azure Policy
• Beneficial in audit
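An added example (not from the talk) for the SVT questions on the earlier slide and for the PowerShell / CSV integration point in the summary: a PowerShell function that reads the CSV report an AzSK scan writes and fails a CI/CD stage when Critical or High controls are in Failed status. The function Test-AzSKReport, the sample rows and the temp file path are constructed; the scan cmdlet and the column names are AzSK's own.

```powershell
# Added example, not from the talk. The scan itself is run with the AzSK cmdlet
#   Get-AzSKAzureServicesSecurityStatus -SubscriptionId $sub -ResourceGroupNames $rg
# which writes a SecurityReport-<timestamp>.csv under its AzSKLogs folder; that
# path is what $CsvPath points at in a pipeline. Test-AzSKReport is a constructed name.
function Test-AzSKReport {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        # Severities that block the stage; Medium/Low are reported only
        [string[]] $BlockingSeverities = @('Critical', 'High')
    )
    $rows   = @(Import-Csv -Path $CsvPath)
    $failed = @($rows | Where-Object { $_.Status -eq 'Failed' })

    # Per-severity summary plus one line per failed control, for the pipeline log
    $failed | Group-Object ControlSeverity | ForEach-Object {
        Write-Host ("{0,-8} {1,3} failed control(s)" -f $_.Name, $_.Count)
    }
    foreach ($r in $failed) {
        Write-Host ("[{0}] {1} on {2}: {3}" -f $r.ControlSeverity, $r.ControlID, $r.ResourceName, $r.Recommendation)
    }

    $blocking = @($failed | Where-Object { $_.ControlSeverity -in $BlockingSeverities })
    return [pscustomobject]@{
        TotalControls = $rows.Count
        Failed        = $failed.Count
        Blocking      = $blocking.Count
        Pass          = ($blocking.Count -eq 0)
    }
}

# Constructed sample report (AzSK column names, three of the SVT questions):
# HTTPS only, anonymous access, DB encryption at rest.
$sample = @'
"ControlID","Status","FeatureName","ResourceName","ControlSeverity","Recommendation"
"Azure_Storage_DP_Encrypt_In_Transit","Failed","Storage","stappdata01","High","Enable 'Secure transfer required' on the storage account."
"Azure_Storage_AuthN_Dont_Allow_Anonymous","Passed","Storage","stappdata01","High",""
"Azure_SQLDatabase_DP_Enable_TDE","Failed","SQLDatabase","sqldb-app","High","Enable Transparent Data Encryption."
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'SecurityReport-sample.csv'
Set-Content -Path $tmp -Value $sample

$result = Test-AzSKReport -CsvPath $tmp        # Failed = 2, Blocking = 2, Pass = False
if (-not $result.Pass) {
    Write-Error "AzSK: $($result.Blocking) blocking control failure(s)"
    exit 1                                      # non-zero exit fails the build/release stage
}
```

Controls in Verify or Manual status are deliberately not counted as failures here; they need a human review step rather than an automatic gate.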
Azure SecDevOps Kit: Learning resources
• Azure SecDevOps Kit (AzSK) documentation: https://azsk.azurewebsites.net/index.html
• Azure SecDevOps Kit GitHub: https://github.com/azsk/DevOpsKit
• How Microsoft's internal enterprise increases compliance and creates a trusted cloud environment using AzSK: https://azure.microsoft.com/en-us/resources/videos/azure-friday-getting-started-with-the-secure-devops-kit-for-azure-azsk/
• CIS Microsoft Azure Foundations Benchmark blueprint sample: https://docs.microsoft.com/en-us/azure/governance/blueprints/samples/cis-azure-1.1.0/control-mapping
• CIS Microsoft Azure Foundations: https://azure.microsoft.com/mediahandler/files/resourcefiles/cis-microsoft-azure-foundations-security-benchmark/CIS_Microsoft_Azure_Foundations_Benchmark_v1.0.0.pdf