Enterprises invest heavily into a DevOps approach as they try to deliver software at a faster pace. For many enterprises, making DevOps a reality takes more than getting software developers and operations engineers to work together; they must completely alter cultural philosophies and adopt new practices and tools. And rethinking security is an important part of this transition.
Organizations often have information security teams that hold strict requirements about how to implement technology within the company. These requirements often are obstacles to rapid innovation. By combining DevOps and security at scale, DevSecOps can minimize this hurdle.
DevSecOps keeps the DevOps practices of automated code testing, builds and releases, and adds security automation to that same pipeline. This allows organizations to innovate and deliver software quickly while IT teams detect and remediate security issues as part of the flow rather than after the fact.
Linking DevOps and security in the enterprise
Many IT teams are still in the early stages of DevOps implementations. For those still getting started, this is a good opportunity to create a culture where everyone, including developers and operations engineers, understands that DevOps and security are equally important.
There are typically three stages to building a continuous delivery pipeline on AWS. First, an IT team commits code to version control, which kicks off an automated build. Next, they run unit and integration tests, if needed. Then the software is released, or is kept in a state where it can be released to production at any time. DevSecOps should validate each of these stages without slowing down the process.
There are a couple of ways to approach combining a DevOps and security model. IT teams should secure the pipeline through automated AWS Identity and Access Management policies that implement the principle of least privilege. A build server, such as Jenkins running on an Elastic Compute Cloud (EC2) instance, should be hardened and locked down.
Next, the IT team should implement security automation within the pipeline. One way to do this is to use open source tools to prevent committing passwords or other sensitive information into Git repositories. Additional automated checks can ensure that CloudFormation templates do not launch insecure infrastructure. For example, an IT team can put a control in place to identify overly permissive IAM policies, weak security group rules or missing encryption settings within templates. As part of the DevOps process, an integration stage within a pipeline might validate that an environment is capable of going into production. This integration stage can perform deeper security checks and analysis to identify vulnerabilities, and it could perform penetration testing against a web application.
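One concrete form of the template checks described above, as an added example that is not code from the article or from AWS: a small static scanner that walks the `Resources` section of a CloudFormation template and reports the three classes of problem named in the text (all-actions-on-all-resources IAM statements, ingress rules open to the world on ports other than an allow list, and storage resources with no encryption setting). It assumes the template has already been parsed into a Python dict (JSON, or YAML without intrinsic-function tags); the check names, the allow-listed public ports and the sample template are constructed for this example.

```python
"""Static security checks for a CloudFormation template (added example, not the
article's or AWS's code). Assumes a template already parsed into a dict; the check
names, public-port allow list and SAMPLE_TEMPLATE below are constructed."""
import ipaddress

IAM_TYPES = {"AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::ManagedPolicy"}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_iam_policies(resources):
    """Flag Allow statements that grant every action on every resource."""
    findings = []
    for name, res in resources.items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        docs = _as_list(props.get("PolicyDocument"))                       # AWS::IAM::Policy / ManagedPolicy
        docs += [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]  # inline role policies
        for doc in docs:
            for stmt in _as_list(doc.get("Statement")):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = set(_as_list(stmt.get("Action")))
                targets = set(_as_list(stmt.get("Resource")))
                if actions & {"*", "*:*"} and "*" in targets:
                    findings.append(f"{name}: IAM statement allows all actions on all resources")
    return findings


def _open_to_world(rule):
    """True when the CIDR is 0.0.0.0/0 or ::/0; a Ref/intrinsic is not decidable statically."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if not isinstance(cidr, str):
        return False
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_security_groups(resources, public_ports=frozenset({80, 443})):
    """Flag ingress rules open to the world on anything but the allow-listed ports."""
    findings = []
    for name, res in resources.items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        for rule in rules:
            if not _open_to_world(rule):
                continue
            if str(rule.get("IpProtocol", "-1")) == "-1" or rule.get("FromPort") is None:
                findings.append(f"{name}: ingress open to the world on all ports")
                continue
            low, high = int(rule["FromPort"]), int(rule.get("ToPort", rule["FromPort"]))
            exposed = [p for p in range(low, high + 1) if p not in public_ports]
            if exposed:
                findings.append(f"{name}: ingress open to the world on port(s) {exposed[0]}-{exposed[-1]}")
    return findings


def check_encryption(resources):
    """Flag storage resources whose encryption setting is absent or off."""
    findings = []
    for name, res in resources.items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append(f"{name}: S3 bucket has no BucketEncryption configuration")
        elif rtype == "AWS::EC2::Volume" and props.get("Encrypted") not in (True, "true"):
            findings.append(f"{name}: EBS volume is not encrypted")
        elif rtype == "AWS::RDS::DBInstance" and props.get("StorageEncrypted") not in (True, "true"):
            findings.append(f"{name}: RDS instance does not set StorageEncrypted")
    return findings


def scan_template(template):
    """Run every check; a non-empty result should fail the pipeline stage."""
    resources = template.get("Resources", {})
    return check_iam_policies(resources) + check_security_groups(resources) + check_encryption(resources)


# Constructed sample: an over-broad build role, SSH open to the world, one unencrypted bucket.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "BuildRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                        "Principal": {"Service": "ec2.amazonaws.com"}}]},
            "Policies": [{"PolicyName": "too-broad", "PolicyDocument": {
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
        "BuildServerSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "build server", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "ArtifactBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
            "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    },
}

if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE):
        print("FAIL", finding)
```

Run as a pipeline step, the script would exit non-zero when `scan_template` returns anything, so the build stops before `CreateStack` is ever called. A CIDR supplied through `Ref` or another intrinsic function is deliberately left alone here because its value is only known at deploy time; that case belongs to the integration-stage checks the article mentions, which can inspect the launched environment instead.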
Combining services and security automation
IT teams can use a variety of native Amazon services to automate security on AWS.
AWS Config is a fully managed service that provides resource inventory and configuration change notifications to enable security and governance. AWS Config Rules can automatically evaluate the resource configurations that AWS Config records against the team's desired settings. This allows teams to react to and correct deviations from security compliance.
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of AWS applications. With Inspector, teams can define standards and best practices for applications. If an assessment finds that those standards aren't met, team members can fix the issues before the application is rolled out into production.
AWS CloudTrail audits every API call made within an AWS account. IT teams can create metric filters to trigger alarms based on patterns found in CloudTrail Logs. IT teams can also get notifications about who logged in to the console without using AWS Multi-Factor Authentication, or they can use CloudTrail Logs to perform forensic analysis to determine who invoked a particular API action, as well as when and where.
IT teams can use CloudWatch Events and AWS Lambda to take actions or trigger countermeasures. For example, teams can subscribe to platform events or use other services to identify suspicious activity. IT teams can then invoke Lambda functions to disable access keys for an IAM user, isolate or power off an EC2 instance, or block requests from a particular IP address. Lambda functions can include custom logic that responds to and takes countermeasures against threats to an IT infrastructure.
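The two preceding paragraphs describe the detection side (a CloudTrail record showing a console login without MFA) and the response side (a Lambda function disabling an IAM user's access keys). The following is an added example tying them together; it is not code from the article or from AWS. It assumes a CloudWatch Events rule forwards CloudTrail sign-in and CloudTrail-API events to the function, and it treats changes to CloudTrail logging itself as a second suspicious pattern; the set of watched API names, the `FakeIam` stand-in and the sample event are all constructed for this example. The real `boto3` IAM client is only imported when no client is injected, so the decision logic runs offline.

```python
"""CloudWatch Events -> Lambda countermeasure (added example, not the article's or
AWS's code). Assumes CloudTrail events arrive in the CloudWatch Events envelope; the
watched API names, FakeIam and the sample event are constructed."""

# Constructed watch list: API calls that weaken the audit trail the detection depends on.
AUDIT_TAMPERING_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def classify(detail):
    """Return a reason string if the CloudTrail record warrants a countermeasure, else None."""
    name = detail.get("eventName")
    if name == "ConsoleLogin":
        succeeded = detail.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = detail.get("additionalEventData", {}).get("MFAUsed")
        if succeeded and mfa_used != "Yes":
            return "console login succeeded without MFA"
        return None
    if name in AUDIT_TAMPERING_CALLS and detail.get("eventSource") == "cloudtrail.amazonaws.com":
        return f"audit logging changed via {name}"
    return None


def iam_user_name(detail):
    """Only IAM users have access keys to disable; root, roles and federated sessions need another response."""
    ident = detail.get("userIdentity", {})
    return ident.get("userName") if ident.get("type") == "IAMUser" else None


def disable_access_keys(iam, user_name):
    """Set every Active access key of user_name to Inactive; returns the key ids changed."""
    disabled, marker = [], None
    while True:  # list_access_keys is paginated via IsTruncated/Marker
        kwargs = {"UserName": user_name}
        if marker:
            kwargs["Marker"] = marker
        resp = iam.list_access_keys(**kwargs)
        for key in resp.get("AccessKeyMetadata", []):
            if key.get("Status") == "Active":
                iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"], Status="Inactive")
                disabled.append(key["AccessKeyId"])
        if not resp.get("IsTruncated"):
            return disabled
        marker = resp["Marker"]


def lambda_handler(event, context=None, iam=None):
    """Entry point: classify the forwarded CloudTrail record and respond."""
    detail = event.get("detail", {})
    reason = classify(detail)
    if reason is None:
        return {"action": "none"}
    user = iam_user_name(detail)
    if user is None:  # keys are the wrong lever for this principal; leave it to a human/alert path
        return {"action": "alert_only", "reason": reason,
                "principal": detail.get("userIdentity", {}).get("arn")}
    if iam is None:
        import boto3  # deferred so the logic above runs without the SDK installed
        iam = boto3.client("iam")
    keys = disable_access_keys(iam, user)
    return {"action": "disabled_access_keys", "user": user, "reason": reason, "keys": keys}


class FakeIam:
    """Minimal stand-in for boto3's IAM client (constructed for offline demonstration)."""
    def __init__(self, key_ids):
        self.keys = {k: "Active" for k in key_ids}

    def list_access_keys(self, UserName, Marker=None):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()],
                "IsTruncated": False}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status


# Constructed CloudWatch Events payload wrapping a CloudTrail ConsoleLogin record (example account id).
NO_MFA_LOGIN_EVENT = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "build-admin",
                         "arn": "arn:aws:iam::123456789012:user/build-admin"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
}

if __name__ == "__main__":
    fake = FakeIam(["AKIAEXAMPLE0000001", "AKIAEXAMPLE0000002"])  # constructed key ids
    print(lambda_handler(NO_MFA_LOGIN_EVENT, iam=fake))
```

Two design points are worth noting. The handler returns `alert_only` for anything that is not an IAM user: disabling keys does nothing for a root login or an assumed role, and a function that silently does nothing hides the gap. And the Lambda execution role needs only `iam:ListAccessKeys` and `iam:UpdateAccessKey`, which keeps the responder itself inside the least-privilege pipeline the article calls for.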