DevOps practices are crucial when building and maintaining cloud solutions. DevOps provides many different benefits:
- Faster, better feature delivery
- Faster issue resolution and reduced complexity
- More stable operating environments
- Greater automation
- Greater visibility into system outcomes
When implementing DevOps, it is important to integrate security into every stage of the DevOps lifecycle, from idea through planning, architectural design, iterative application development, and operations. This is what we call DevSecOps, or Secure DevOps.
Despite DevOps (and DevSecOps) practices being quite well-known, it can be challenging to combine them with the right processes, tools, and stages when building solutions using Microsoft Azure cloud. We can talk about secure DevOps practices and automation from different perspectives:
- Secure Azure environments (landing zones).
- Azure compliance with Azure Policies.
- Infrastructure management and creation using the Infrastructure as Code (IaC) approach.
- Application workload deployments.
- Security of Azure workloads and source code.
When working on DevOps adoption with multiple clients, we noticed two common problems:
- Clients are already at different points in their DevOps adoption journey.
- Clients would like to see the effects of DevOps adoption faster.
This is why at Formula5 we decided to create Modular DevSecOps. It is an accelerator for implementing secure DevOps (DevSecOps) practices. Think of it as a package consisting of practices based on our previous experience, together with a set of tools and templates that can help at each point in your secure DevOps adoption.
In industries like Finance and Insurance, Healthcare and Life Science, or Energy, it is very important to carefully plan and implement cloud solutions, together with secure and efficient deployment processes. This is exactly where Formula5’s Modular DevSecOps can help. Let’s talk about the different stages and motivations for implementing secure DevOps.
We would like to start small with secure Azure cloud environments setup and adopt secure DevOps practices
The cloud accelerates solution development and deployment; however, it is important to properly plan the Azure cloud environment setup to avoid problems like increased cost, security threats, or lack of standardization across a portfolio of workloads. This is why, before deploying anything to the Azure cloud, it is worth understanding how we want to operate in the cloud and how to prepare our cloud environment structure. This can be achieved by leveraging the Microsoft Cloud Adoption Framework for Azure. One of its key elements is the Azure Landing Zone concept. Let’s first explain this term to avoid confusion. A landing zone is a multi-subscription Azure environment for hosting workloads, pre-provisioned through code, that accounts for scale, security governance, networking, and identity. Here is an example of a basic Azure Landing Zone:
Azure Landing Zones enable the creation of consistent Azure environments from configuration kept as source code (the Infrastructure as Code approach). With DevOps automation, we can easily provision new Azure environments with configurations compliant with our organization’s standards. Because of their modular structure, Azure Landing Zones can also be extended. Here is an Enterprise Azure Landing Zone with a connection to the on-premises network:
Configuring everything manually would be hard, so utilizing DevOps automation makes Azure Landing Zone deployments more predictable, secure, and reusable. At Formula5 we are aware that some clients may already have migrated to the Azure cloud and use the concepts above. This is why in our Modular DevSecOps we focus on Secure App Zones: predefined templates for creating landing zones for different kinds of workloads, enabling teams to deploy application workloads to secure and compliant cloud environments.
Our Azure environment setup is stable, but we want to improve Azure infrastructure management and deployments
Many organizations started their journey with the Azure cloud before the Azure Landing Zone concept was ready. This is why they can have different standards for managing Azure. Even if Azure Landing Zones are not fully utilized, secure DevOps automation for Azure infrastructure is still possible. Using Azure Bicep or Terraform to declare Azure infrastructure and configuration as code is a good start for automating the management of Azure environments for application workloads.
With tools like Azure DevOps or GitHub, it is possible to implement end-to-end, automated deployment flows for Azure infrastructure. Azure DevOps and GitHub can securely connect to Azure subscriptions to make deployments, and they provide many helpful features, like approvals, so we can verify a planned deployment before it is executed.
This is a sample architecture of a containerized application solution on Azure. All resources were created using Azure Bicep, a declarative language for Azure resources:
The declaration of the above Azure resources is kept in a Git repository in Azure DevOps:
With the Infrastructure as Code (IaC) approach, we can store our Azure environment configuration in code and implement DevOps automation to deploy Azure infrastructure components in exactly the same way we deploy application packages. Formula5’s Modular DevSecOps accelerator already includes predefined templates for different Azure resources to make provisioning cloud environments faster.
Our Azure infrastructure management and deployments are stable but we want to improve security and compliance when creating Azure resources
In industries like Finance and Insurance, Healthcare and Life Science, or Energy, there are important regulations around cloud usage. There is always compliance verification to make sure that cloud resources are created with the proper configuration and security. This is why enterprises need to control and audit Azure resources.
Azure Policy helps enforce organizational standards and assess compliance at scale in the Azure cloud. It provides governance and resource consistency for regulatory compliance, security, cost, and management, so that organizations stay compliant with corporate standards. Organizations want to make sure that each of their departments implements and deploys resources to the cloud in the correct way, and this is where Azure Policies can help.
Many Azure Policy definitions can be grouped into initiatives to make sure that a compliance check is done before anything is deployed to the Azure cloud.
However, the question is: do we have to manage policies manually? That can be hard, especially for larger organizations with many Azure environments. This is where DevOps automation can help. Each Azure Policy can be stored as a JSON file in source control, such as a Git repository. We can store all policies in Azure DevOps or GitHub and, whenever a change is made, test and validate that change. This strategy is called Azure Policy as Code.
Here is an example of publicly available Azure Policies on GitHub:
With the above approach, we can avoid creating Azure resources that are not compliant with our organization’s standards. In Modular DevSecOps, we have collected the most popular policy templates to make it faster for our clients to implement compliance verification in the cloud.
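As an added example (not code from the Formula5 accelerator or from Azure’s policy engine), the following Python script shows what a Policy-as-Code test in a pipeline can do: it loads a policy definition in the JSON shape described above and evaluates it against a constructed resource, so a policy change can be validated before it is assigned. It supports only a subset of the condition language (allOf, anyOf, not, field equals/notEquals) and treats the resource as a flat dict of field aliases; both are simplifications.

```python
import json
import re

# Constructed sample policy definition in the JSON shape Azure Policy uses
# (properties -> parameters/policyRule); it is not a Formula5 template.
# It flags storage accounts that do not enforce HTTPS-only traffic.
POLICY_JSON = """{"properties": {
  "displayName": "Storage accounts should only allow HTTPS traffic",
  "mode": "Indexed",
  "parameters": {"effect": {"type": "String",
    "allowedValues": ["Audit", "Deny", "Disabled"], "defaultValue": "Deny"}},
  "policyRule": {
    "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
      {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
       "notEquals": "true"}]},
    "then": {"effect": "[parameters('effect')]"}}}}"""

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, params):
    """Substitute a [parameters('name')] reference; other values pass through."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def matches(cond, resource, params):
    """Evaluate an 'if' block (subset of the Azure condition language: allOf,
    anyOf, not, field equals/notEquals) against a flat dict of field aliases."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = str(resource.get(cond["field"])).lower()  # Azure compares case-insensitively
    if "equals" in cond:
        return actual == str(resolve(cond["equals"], params)).lower()
    if "notEquals" in cond:
        return actual != str(resolve(cond["notEquals"], params)).lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy_json, resource, param_overrides=None):
    """Return the effect the policy applies to the resource, or 'Compliant' if the
    rule does not match; assignment parameters are checked against allowedValues."""
    props = json.loads(policy_json)["properties"]
    decl = props.get("parameters", {})
    params = {n: p.get("defaultValue") for n, p in decl.items()} | (param_overrides or {})
    for name, val in params.items():
        allowed = decl[name].get("allowedValues")  # KeyError for an undeclared parameter
        if allowed and val not in allowed:
            raise ValueError(f"parameter {name}={val!r} is not in allowedValues")
    rule = props["policyRule"]
    if matches(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params)
    return "Compliant"
```

Running `evaluate` over a few representative resources (compliant, non-compliant, out of scope) and over invalid assignment parameters is the kind of check that can gate a policy change in the pipeline before it reaches Azure.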
Our Azure cloud environment is stable and compliant, together with the Infrastructure as Code approach, but we need consistent automation for our application workloads
This scenario is the most popular one. Many organizations have established management of their Azure environments and use the Infrastructure as Code approach for infrastructure management and configuration, but do not have stable release and automation processes for application workloads. Platforms like Azure DevOps or GitHub can help establish a predictable and faster deployment process.
With Azure DevOps Pipelines we can create multi-stage deployments of application workloads to the Azure cloud. Azure DevOps supports templates that let us define reusable content, logic, and parameters so they can be shared across our organization’s projects. Here is a sample structure of templates in Azure DevOps:
To increase security, we can define enforcements to make sure that a pipeline extends from a particular template defined in our organization. In this way, we can build a consistent approach to application deployment automation.
We can utilize the same approach with GitHub. With reusable workflows we don’t need to copy and paste our workflows from one repository to another. Organizations can build up a library of reusable workflows that can be centrally maintained and utilized by different teams. This is why, based on our experience, we have collected commonly used CI/CD templates in our Modular DevSecOps accelerator. They can easily be expanded according to our clients’ needs.
We feel comfortable with our Azure environments, compliance, and workload deployments, but we need to improve general security around our DevOps processes
Security has become more of a concern as threats have increased around the world. We have seen a heightened threat in Finance and Insurance, Healthcare and Life Science, and Energy. We believe this is due to the sensitive nature of their business. This is why it is crucial to improve the security posture of DevOps processes and cloud environments.
When talking about security in DevOps, the term shift-left is used very often. It is the practice of moving testing, quality, and security evaluation earlier in the software development process. However, in a holistic secure DevOps approach, we should not only look at the security of the source code and application workload but also monitor the security posture of DevOps platforms like Azure DevOps or GitHub, and of Azure cloud environments.
This is why with Formula5’s Modular DevSecOps, we implement secure DevOps practices focused on key parts of the solution:
- Local development environment security.
- DevOps platform (Azure DevOps and GitHub) security.
- Source code security, including open-source package auditing.
- Infrastructure code security monitoring according to the Azure Security Benchmark.
- Azure cloud environment security monitoring utilizing tools like Microsoft Defender for Cloud, Microsoft Defender for DevOps, and Microsoft Sentinel.
Creating secure Azure environments and workload deployments requires careful planning, implementation, and proper automation tools. In the next articles, we will dive into the conceptual and technical details of all the above parts to better understand the role of secure DevOps for each of them.