Presentation at the CloudBrew 2017 conference on the 25th of November 2017 in Mechelen, Belgium.
In this session, I will cover the Secure DevOps Toolkit for Azure, a set of security-related tools, PowerShell modules, extensions and automations for Azure. The session is a collection of lessons learned using the Toolkit from real-life projects. After this session you will be able to improve the security of your Azure usage from IDE to Operations, regardless of your current state of security and level of cloud adoption.
2. KARL OTS @ KOMPOZURE
Managing Consultant, Kompozure Ltd
Karl.ots@kompozure.com
• Co-organizer of Finland Azure User Group and IglooConf
• Working on Azure since 2011
• Patented inventor
• Worked with tens of different customers on full-scale Azure projects, from startups to Fortune 500 enterprises
5. SECURITY LANDSCAPE
• Cloud-based user account attacks have increased 300% YoY (Microsoft Security Intelligence Report, Volume 22)
• An attacker is on a victim’s network 99 days on average before they are detected (FireEye/Mandiant report – March 14, 2017)
• Average cost of a data breach in 2017 was 4 M $ (IBM security)
6. WHY AZSDK?
• Cloud security is hard.
• Knowledge of Azure security controls is not widespread.
• MS IT wanted to accelerate internal Azure adoption in a controlled way
• Vision: avoid reinventing the wheel
o Use as many out-of-the-box Azure features as possible
o For example: outsource VM controls to Security Center
11. SUBSCRIPTION SECURITY
• Subscription RBAC provisioning: Deploy mandatory and scenario/solution specific accounts/groups on a subscription. Ability to specify and remove deprecated accounts.
• Alerts setup: Configure insights-based alerts for important activities. Runbooks for critical alerts to send SMS with key alert body info.
• ARM policy setup: Deploy and enable ARM policy definitions (e.g., audit/deny use of ASM/v1 resources)
• ASC setup: Configure Azure Security Center by enabling policies, setting security POCs, etc.
• Resource Locks: Ensure that critical enterprise resources have locks deployed on them.
• Health Check: More than a dozen subscription hygiene security checks, including proper provisioning
15. SPOT CHECK SECURITY
Feature: Scenarios/Details
Development
Security IntelliSense
• Get inline support for secure coding right at the point of code creation.
• Checks on Azure Best practices, ADAL and Crypto
• VS plug-in for C#.
Security Verification Tests
• Scan cloud solutions during early dev and prototyping stages.
• Provides a variety of options to define scan targets.
• Easy, intuitive reports and detailed logs. Support for 25+ Azure IaaS and PaaS service types.
19. CONTINUOUS ASSURANCE
• Run AzSDK tests periodically using Azure Automation
• Write to Log Analytics
• Query with Kusto Query Language
• Integrate with your existing systems, such as your SIEM
24. RECENT UPDATES
• New features:
o Generate PDF Report
o Generate AutoFix Script
o Jenkins support
• Upcoming:
o AzSDK ARM Templates Evaluator - Preview
25. Role: How to use AzSDK
Subscription Owner
• Check the overall security health of your Azure subscription.
• Ensure that AzSDK artifacts are properly provisioned.
Developer Team
• Get inline support with security tips and corrections while writing code for Azure apps (and also standard web applications in general).
• Test that Azure resources you are using for your application/solutions are configured and deployed securely.
• Enable security in CI/CD by including various security tests in the build/release pipelines
Deployment Team
• Control deployment workflows according to outcomes of security checks.
Operations Team
• Observe the security state with subscription health checks and SVTs.
• Track security state in a 'continuous' manner
• Provide support and templates for frequently failing operational security activities such as key rotation, access reviews, public IPs, etc.
26. DISCUSSION
• AzSDK is not your magic bullet to tick the security box
o AzSDK mostly covers “administrative access” in traditional threat models, some “application access” as well
o You still have to worry about users, external threats and more
o Threat modeling and Defense in Depth approach are your friends!
• Carefully analyze the results in the scope of your application – are the recommended controls right for your app?
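One way a deployment team could gate a release on scan outcomes (slide 25) while recording app-specific decisions about individual controls (slide 26), as an added example that is not part of the original slides or of AzSDK itself. The CSV column names, the status and severity values, the control IDs, the resource names and the waiver format are assumptions or constructed samples.

```python
import csv
import io

# Column names and status/severity values are assumptions about the scan report.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report (hypothetical control IDs and resource names).
SAMPLE_REPORT = """ControlID,Status,ControlSeverity,ResourceName
Example_Storage_Encrypt_In_Transit,Failed,High,stappdata01
Example_AppService_Https_Only,Failed,Medium,web-frontend
Example_KeyVault_Key_Rotation,Verify,High,kv-prod
Example_Sql_Firewall_Any_Ip,Failed,Critical,sql-prod
Example_Storage_Audit_Logging,Passed,Medium,stappdata01
"""

# Waivers agreed after analysing a control in the scope of this application;
# a waiver with an empty justification is ignored.
WAIVERS = {
    ("Example_Storage_Encrypt_In_Transit", "stappdata01"): "Legacy client, fix tracked",
    ("Example_Sql_Firewall_Any_Ip", "sql-prod"): "",
}


def evaluate_gate(report_csv, waivers, min_severity="High"):
    """Return (blocking, waived, needs_review) lists of (ControlID, ResourceName)."""
    threshold = SEVERITY_RANK[min_severity]
    blocking, waived, needs_review = [], [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        key = (row["ControlID"], row["ResourceName"])
        status = row["Status"].strip()
        # Unknown severities rank as Critical so they cannot slip through.
        rank = SEVERITY_RANK.get(row["ControlSeverity"].strip(), 4)
        if status == "Passed":
            continue
        if status != "Failed":
            needs_review.append(key)  # Verify/Manual/Error: a human decides
        elif rank < threshold:
            continue  # below the gate's severity threshold
        elif waivers.get(key, "").strip():
            waived.append(key)  # failed, but explicitly accepted with a reason
        else:
            blocking.append(key)  # failed with no valid waiver: stop the release
    return blocking, waived, needs_review


if __name__ == "__main__":
    blocking, waived, needs_review = evaluate_gate(SAMPLE_REPORT, WAIVERS)
    print("blocking:", blocking, "| waived:", waived, "| review:", needs_review)
    raise SystemExit(1 if blocking else 0)
```

Run as a pipeline step, the non-zero exit code stops the release; the waiver file belongs in source control so each accepted risk is reviewed like any other change.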
27. RESOURCES
• Try out the Secure DevOps Kit for Azure!
• Installation guide, docs: http://aka.ms/azsdkossdocs
• Controls coverage: http://aka.ms/azsdkosstcp
• IT Showcase: http://aka.ms/azsdk/itshowcase
• Support: azsdksupext@microsoft.com