Improving DevOps Security Posture with Azure Security Services

December 13, 2022
, ,
no comments

In the previous articles, we discussed different angles of secure DevOps for Microsoft Azure cloud solutions. Having a stable infrastructure management process utilizing the Infrastructure as a Code approach, and having workloads deployments automated provides many benefits and enables fast, and predictable deployments to the Azure cloud. However, it is crucial to remember security at every stage of DevOps practices implementation. It is not only important to remember source code security but also about DevOps platforms security like Azure DevOps and GitHub. This is why in this article we are going to focus on improvements around the security of DevOps with helpful Azure security services that we use as practices included in our Formula5’s Modular DevSecOps framework.

Holistic look into DevOps platforms security with Microsoft Sentinel

Monitoring source code security and automation pipelines are important. We want to make sure that no secrets are committed to the source code repository and that no deployment can proceed without code review and proper acceptance. However, it can be challenging to keep an eye on each aspect of secure DevOps. Let’s list some examples to make it easier to understand where the challenge is:

  • Verifying if there are no secrets in source code repositories owned by our organization
  • Verifying whether vulnerable extensions are not installed
  • Verifying if branch policies are enabled
  • Being notified when the source code repository is deleted
  • Being notified when there is activity from suspicious locations.

There can be even more challenges. This is where Microsoft Sentinel can be helpful. Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. It provides intelligent security analytics and threat intelligence, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Microsoft Sentinel can be used to monitor DevOps platforms’ security and for auditing purposes.

With Microsoft Sentinel, we can collect data from the DevOps platforms like Azure DevOps or GitHub, detect threats, investigate them and respond to them quickly. Because Microsoft Sentinel utilizes Azure Log Analytics Workspace underneath, we can inject data from many different sources. There are also dedicated connectors that can be configured to start ingesting data into Microsoft Sentinel.

GitHub and Azure DevOps monitoring with Microsoft Sentinel

Let’s discuss Azure DevOps monitoring first. When Azure DevOps organizations are connected with Azure Active Directory, it is possible to enable auditing. Once enabled, Azure DevOps logs each action that occurs in each project under our organization:

All events can be streamed directly to Azure Log Analytics Workspace connected with Microsoft Sentinel. With such an approach, it is possible to define analytics rules in the Microsoft Sentinel to detect potential security threats in Azure DevOps.

It is possible to define many different analytics rules that can produce incidents in the Microsoft Sentinel for further investigation.

It is possible to monitor GitHub too. Microsoft Sentinel provides a dedicated data connector to ingest and analyze data from GitHub.

GitHub connector provides many useful analytics rules to detect potential security incidents when for instance source code repository is deleted or there are activities from a new country.

Based on the generated incidents, Microsoft Sentinel can automatically run a playbook. Playbooks are collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident. For example, it is possible to send an e-mail to a specific person in the team with the information that the source code repository was deleted or a new extension was installed.

Monitoring security with Microsoft Defender for DevOps

Microsoft Defender for DevOps addresses the intersection of DevOps with the current threat landscape. It provides end-to-end security including visibility into code and code management systems and security capabilities that help prevent, detect, and respond to current threats. We can connect Microsoft Defender for DevOps with DevOps platforms like Azure DevOps or GitHub to detect security issues.

Once we connect GitHub or Azure DevOps with Defender for DevOps, we can easily check the security conditions of all repositories within our organization. For example, when there is a secret committed to the source code repository, we are informed with a comprehensive report.

It is also possible to enable scanning for the Azure infrastructure code so once there are security issues, we are immediately informed and can react properly.

Formula5’s DevSecOps modular framework starter pack

At Formula5 we understand that configuring everything that was mentioned above in the article can be challenging. This is why as part of our Formula5’s DevSecOps modular framework starter pack we offer help to our clients to configure both services, Microsoft Sentinel, and Defender for DevOps. We provide pre-defined templates for analytics rules and automation playbooks so once the services are configured, our clients can immediately start getting value from them. We have also dedicated guidance on how to handle security alerts generated by the above services and how to make sure that there is a consistent approach to DevOps security across the whole client’s organization.

Summary

With a comprehensive look into DevOps platforms’ security, we can implement secure DevOps practices from the source code repository up to the release pipeline deploying the solution to the production environment. Tools are important but they are not enough. The proper process of handling security incidents is important too. How to collect information about security events, how to analyze them, and how to react is also very important. This is why with our Formula5’s Modular DevSevOps framework we provide not only ready-to-use configuration templates but also guidance on the process so it can be learned and utilized consistently across the whole organization.

I also encourage you to watch the video where, in a more practical way, I present some of the above concepts.

Previous PostNext Post
Written By

Innovation Lead for Microsoft Cloud Services

Related Posts

November 7, 2023

Microsoft Entra – The Future of Customer Identity and Access Management

June 6, 2023

Modern Identity Implementation with Verifiable Credentials and Microsoft Entra Verified ID

Webinars

Recent Articles

November 7, 2023
Microsoft Entra – The Future of Customer Identity and Access Management
June 6, 2023
Modern Identity Implementation with Verifiable Credentials and Microsoft Entra Verified ID
May 9, 2023
Managing Customer Identities with Azure Active Directory B2C

We are using cookies to give you the best experience. You can find out more about which cookies we are using or switch them off in privacy settings.
AcceptPrivacy Settings

GDPR

  • We value your privacy

We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking “Accept All”, you consent to our use of cookies.

Let’s make your vision a reality!

Want to discuss my work or a challenge you’re facing?  Leave your details and I’ll get back to you!

Popup Form