Azure Secure DevOps Kit Framework Cloud Security Scanning at Scale & Continuous Assurance Jiri Pihik Cloud Architect, Vice President, Group Operations Swiss Re

Page 1

Azure Secure DevOps Kit Framework
Cloud Security Scanning at Scale & Continuous Assurance

Jiri Pihik
Cloud Architect, Vice President, Group Operations
Swiss Re

Page 2

Page 3

Page 4

Agenda

• What is AzSK
• Demo
• Our architecture and implementation

Page 5

Azure Secure DevOps Kit Framework = AzSK

Page 6

Page 7

Levels of Cloud Security Maturity

• Recommendation: scan and suggest improvements
• Prevention: locks, deny policy
• Automated remediation: automate the fix
• Bounty: introduce systems that test the security

Page 8

Azure Policy example: Prevent adding Owner role

Page 9

Azure Policy: Policy in effect
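The "Prevent adding Owner role" policy from these two slides, written out as an Azure Policy rule body together with a small evaluator that shows what "deny" (prevention) does compared with "audit" (what scanning alone gives you). This is an added example, not code from the talk, Swiss Re or Microsoft; the rule body uses the real policy alias and the Owner built-in role ID, while the evaluator and the request shape are assumed simplifications of how Azure Policy matches a role-assignment write.

```python
"""'Prevent adding Owner role' as an Azure Policy deny rule, plus a toy evaluator.

The policy rule is a standard Azure Policy definition body: it matches
role-assignment writes whose roleDefinitionId contains the Owner built-in
role ID. The evaluator is an assumed, minimal re-implementation of
allOf / anyOf / equals / contains (Azure Policy string matching is
case-insensitive), written only to contrast deny with audit.
"""
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Owner role

PREVENT_OWNER_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
        {"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
         "contains": OWNER_ROLE_ID},
    ]},
    "then": {"effect": "deny"},
}

# Same condition with audit effect: the write succeeds but is flagged non-compliant.
AUDIT_OWNER_POLICY = {**PREVENT_OWNER_POLICY, "then": {"effect": "audit"}}

def _condition_matches(cond: dict, request: dict) -> bool:
    """Evaluate one condition; fields are looked up by alias name in the request."""
    if "allOf" in cond:
        return all(_condition_matches(c, request) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition_matches(c, request) for c in cond["anyOf"])
    value = str(request.get(cond["field"], "")).lower()
    if "equals" in cond:
        return value == str(cond["equals"]).lower()
    if "contains" in cond:
        return str(cond["contains"]).lower() in value
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy: dict, request: dict) -> str:
    """Effect applied to a resource write: 'deny', 'audit' or 'allow'."""
    if _condition_matches(policy["if"], request):
        return policy["then"]["effect"]
    return "allow"

def role_assignment_request(role_definition_id: str) -> dict:
    """Constructed shape of a role-assignment write as the evaluator sees it."""
    return {
        "type": "Microsoft.Authorization/roleAssignments",
        "Microsoft.Authorization/roleAssignments/roleDefinitionId":
            "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
            "Microsoft.Authorization/roleDefinitions/" + role_definition_id,
    }
```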

Page 10

AzSK vs Azure Policy: What's the difference?

                     AzSK                          Azure Policy
Audit                Yes                           Yes
Prevention           No                            Yes
Local instance       PowerShell module             N/A
Enforcement          No                            Yes
Remediation          No                            Yes
Integration          Centrally via App Insights    Difficult at scale
Controls / checks    400+                          50

Page 11

AzSK feature areas

• Security Verification Tests (SVTs)
• Subscription Security (Policy, ASC Config, Alerts, RBAC, etc.)
• CI / CD Build / Release Extensions
• Continuous Assurance
• Cloud Risk Governance
• Log Analytics & Alerting for Monitoring

Page 12

Security Verification Tests (SVT)
Help application teams to follow security best practices and Swiss Re to maintain a compliant Azure tenant.

Questions an SVT answers:

• Is my storage account HTTPS only?
• Is my storage encrypted at rest?
• Does my storage account allow anonymous access?
• Is my DB encrypted at rest?
• Do I allow access to my Azure subscription to an outsider?

Standards the tests map to: CIS, ISO, FINMA, CSF, PCI DSS
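What an SVT actually does for the three storage questions above, as an added example that is not AzSK's own code: it reads the storage account's ARM resource JSON and turns each question into a pass/fail row of the kind AzSK writes to its CSV report. The ARM property names are the real ones; the control IDs, severities, CIS references and the sample resource are constructed for illustration and are not AzSK's catalogue.

```python
"""SVT-style checks over a storage account's ARM properties.

Added example. The property names (supportsHttpsTrafficOnly,
encryption.services.blob.enabled, allowBlobPublicAccess) are the real ARM
ones; control IDs, severities and CIS references are illustrative.
"""

# Constructed sample: one storage account as the ARM API returns it.
SAMPLE_STORAGE_ACCOUNT = {
    "name": "stexample001",
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "allowBlobPublicAccess": True,
        "encryption": {"services": {"blob": {"enabled": True}}},
    },
}

def _get(resource, path, default=None):
    """Walk a dotted path into nested ARM JSON; a missing key yields default."""
    current = resource
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return default
        current = current[part]
    return current

# (control id, mapping, severity, predicate that is True when compliant)
CONTROLS = [
    ("Storage_HttpsOnly", "CIS 3.1", "High",
     lambda r: _get(r, "properties.supportsHttpsTrafficOnly") is True),
    ("Storage_EncryptedAtRest", "n/a", "High",
     lambda r: _get(r, "properties.encryption.services.blob.enabled") is True),
    # An absent allowBlobPublicAccess means the older default (public access
    # permitted), so the check treats it as a failure rather than a pass.
    ("Storage_NoAnonymousAccess", "CIS 3.5", "High",
     lambda r: _get(r, "properties.allowBlobPublicAccess", True) is False),
]

def scan(resource):
    """One report row per control, shaped like rows of an AzSK CSV report."""
    return [{"ControlID": cid, "Mapping": ref, "ControlSeverity": sev,
             "ResourceName": resource["name"],
             "Status": "Passed" if check(resource) else "Failed"}
            for cid, ref, sev, check in CONTROLS]

def failed(resource):
    """Control IDs that failed: the subset a team would be asked to remediate."""
    return [row["ControlID"] for row in scan(resource) if row["Status"] == "Failed"]
```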

Page 13

Security Verification Tests: Policy Definitions

Minimum Mandatory Requirements (MMR), defined by CyberSecurity Engineering and Domain Experts

Page 14

Security Control Mapping: Policy Definitions (SVTs)

CIS Security Control → implemented through AzSK, Azure policy or another rules engine → Technical control (Check, Implement)

Page 15

Security Control Mapping: Policy Definitions (SVTs)

Page 16

Security Control Mapping: Policy Definitions (SVTs)

Page 17

Demo

Page 18

Continuous Assurance & AzSK Engine

Page 19

Continuous Assurance architecture (components reconstructed from the diagram labels on this slide)

AzSK Subscription
• Timer → Function App (Free Plan, App Insights, Storage Account)
• Scanner: Container Fleet, Base Container Registry, Storage Queue, Log Analytics
• OrgPolicy: Storage Account, App Insights, KeyVault
• Dashboard: Log Analytics Workspace
• Auth: Managed Identity
• Rest API: Function App (Free Plan, App Insights, Storage Account)

Page 20

Page 21

Azure SecDevOps Kit: Integration & Continuous Assurance

Page 22

Page 23

Summary

AzSK
• Helps to maintain the security posture in Azure
• Enables transparency into Azure security status at scale
• Can be integrated in various ways thanks to PowerShell / CSV output
• Allows security gaps to be found early in the application lifecycle
• Enables both local and global assessments
• Suggested as complementary to Azure Policy
• Beneficial in audits

Page 24

Azure SecDevOps Kit: Learning resources

Azure SecDevOps Kit (AzSK) documentation
https://azsk.azurewebsites.net/index.html

Azure SecDevOps Kit GitHub
https://github.com/azsk/DevOpsKit

How Microsoft's internal enterprise increases compliance and creates a trusted cloud environment using AzSK
https://azure.microsoft.com/en-us/resources/videos/azure-friday-getting-started-with-the-secure-devops-kit-for-azure-azsk/

CIS Microsoft Azure Foundations Benchmark blueprint sample
https://docs.microsoft.com/en-us/azure/governance/blueprints/samples/cis-azure-1.1.0/control-mapping

CIS Microsoft Azure Foundations
https://azure.microsoft.com/mediahandler/files/resourcefiles/cis-microsoft-azure-foundations-security-benchmark/CIS_Microsoft_Azure_Foundations_Benchmark_v1.0.0.pdf

Page 25