Tuesday, 8 March 2016

Implementing Continuous Security through DevOps



DevOps can be defined as a cultural change in how work is done, or as a set of technology practices. It focuses on building quality code and enabling automated testing, grounded in a culture of continuous improvement, which eventually leads to improved stability and throughput and to moving new features to customers quickly. Although DevOps is not a particular set of tools, implementing DevOps practices does lead to the adoption of certain tool sets.



-      Version control systems track changes to files and allow collaboration between teams. This enables comparison and merging of versions and rollback of problematic changes. 

-      Configuration management systems automate the provisioning of new systems and enforce consistent installation and configuration of the operating system and applications across different classes of servers. 

-      ‘Infrastructure as code’ can be versioned and tested, ensuring that identical configurations are in place. This improves the odds that software which tested fine in the staging system will also be fine in production. 

-      An automated system that moves code through the build, deploy, test and release phases is the key component. 

Apart from the efficiency it provides, DevOps can also create challenges for the implementation of security control infrastructure. Deployment through the cloud reduces control over, and visibility into, the hardware and network layers. It also complicates the tracking of hardware assets over time. DevOps blurs the line between developers and operations, and their duties are no longer well segregated.

Security teams need to be engaged early in the DevOps process so that continuous deployment can proceed without sacrificing security. The following critical controls may be enforced in order to reduce potential security risks.

  1. Inventory of Authorized and Unauthorized Devices: In a DevOps environment, the very idea of ‘devices’ and servers is obscured in layers of deployed containers and virtual machines. Cloud provider portals and APIs can therefore provide the authoritative, automated inventory of cloud assets.
  2. Inventory of Authorized and Unauthorized Software: Common DevOps practice limits servers to an approved list of installed software. Configuration management tools can also be used to block software versions with known vulnerabilities.
  3. Secure Configurations for Hardware and Software on Servers: Installing and running only the required software, and keeping it updated and correctly configured, is one of the best ways of minimizing the attack surface. Once the configurations for the OS and applications are developed, DevOps greatly simplifies the process of syncing them across the whole fleet.
  4. Continuous Vulnerability Assessment and Remediation: Keeping up with new vulnerabilities is a challenge. However, the DevOps environment provides a strong foundation for testing new patches. Deployment-time security scans verify that all updates have been applied and have reached all intended targets.
  5. Security of Application Software: The DevOps automated deployment pipeline performs code review, static analysis and web application scanning before new software is deployed to production. Further, security testing such as tests of security-related functionality, vulnerability scanning and application security scans can be run in parallel with acceptance testing in the staging environment.
  6. Controlled Use of Administrative Privileges: In a DevOps model, the code itself acts as a privileged user. Administrative privileges are used by configuration management to install new software and to make configuration changes in response to events and alerts. These credentials must only be used by orchestration systems and must not be exposed to unauthorized access.
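The inventory and vulnerability controls above (points 2 and 4) reduce to a check the pipeline can run on every build: compare what is installed against a list of versions known to be vulnerable and fail the deployment if anything is below the fixed version. The Python script below is an added example, not code from the original post. The package inventory and the "fixed in" list are constructed for illustration, the inventory format is that of `dpkg-query -W -f='${Package}\t${Version}\n'`, and version_key() is a simplified approximation of dpkg's version ordering rather than a reimplementation of it.

```python
"""Flag installed packages that fall below a known-good ("fixed in") version.

Added example, not code from the original post. The inventory format is the
output of  dpkg-query -W -f='${Package}\t${Version}\n'  and the sample data and
deny list below are constructed for illustration.
"""
import re

# Constructed sample: what a configuration-management fact gatherer might collect.
SAMPLE_INVENTORY = """\
openssl\t1.0.1f-1ubuntu2.15
openssh-server\t1:6.6p1-2ubuntu2.6
nginx\t1.9.3-1~trusty
bash\t4.3-7ubuntu1.5
"""

# Hypothetical deny list: package -> first version that is NOT vulnerable.
# Anything installed below the fixed-in version is flagged.
FIXED_IN = {
    "openssl": "1.0.1f-1ubuntu2.16",
    "bash": "4.3-7ubuntu1.5",
}

_TOKEN = re.compile(r"(\d+|[A-Za-z]+|~|[.+:-])")


def version_key(version):
    """Sort key approximating dpkg version ordering for the simple cases here.

    Digits compare numerically, '~' sorts before everything (even end of
    string, as in dpkg), everything else compares lexically. This is a
    simplified comparator, not a reimplementation of dpkg --compare-versions.
    """
    key = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            key.append((1, int(tok)))
        elif tok == "~":
            key.append((-1, 0))      # '~' loses even to the end-of-string marker
        else:
            key.append((2, tok))
    key.append((0, 0))               # end of string: beats '~', loses to any other token
    return key


def parse_inventory(text):
    """Parse 'package<TAB>version' lines into a dict."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split("\t", 1)
        inventory[name.strip()] = version.strip()
    return inventory


def find_vulnerable(inventory, fixed_in=FIXED_IN):
    """Return {package: (installed, fixed_in)} for every package below its fix."""
    findings = {}
    for name, fixed in fixed_in.items():
        installed = inventory.get(name)
        if installed is None:
            continue                 # not installed: nothing to patch
        if version_key(installed) < version_key(fixed):
            findings[name] = (installed, fixed)
    return findings


if __name__ == "__main__":
    bad = find_vulnerable(parse_inventory(SAMPLE_INVENTORY))
    for name, (have, need) in sorted(bad.items()):
        print(f"BLOCK {name}: installed {have}, fixed in {need}")
    # A non-zero exit status lets the deployment pipeline fail the build.
    raise SystemExit(1 if bad else 0)
```

On the sample data only openssl is flagged: bash is exactly at its fixed-in version and the other two packages are not on the deny list. In a real pipeline the inventory would come from the configuration management system's facts for each host, and the deny list would live in version control next to the infrastructure code so that changes to it are reviewed like any other change.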
As the DevOps movement matures, security can no longer be considered an afterthought; rather, security best practices need to be built into the DevOps evolution. Recently there has been considerable development of tools that help secure DevOps environments. They range from repository firewalls, new application scanners and security functional test infrastructure to new SSH management solutions.

Conclusion

DevOps practices come with both advantages and disadvantages when a critical-controls-based security infrastructure is implemented. The DevOps team needs to build security in early in the process to ensure seamless deployment. The new security tools built for DevOps provide a new level of visibility and automation for security control implementation.

Tuesday, 1 March 2016

12 considerations for Cloud Security



A cloud refers to an IT environment designed for remote access to IT resources. The term originated as a metaphor for the Internet, a network of networks providing access to a decentralized set of remote IT resources. A cloud is accessible through the Internet, and there are many different clouds accessible this way.



Cloud computing provides several benefits for organizations and users:

-      Almost any type of computing resource can be provisioned on demand.
-      Organizations can scale the resources they use up and down as required.
-      Users pay only for the resources and workloads they have actually used.

Whatever type of cloud service provider is used, it is essential to assess the security of the operating systems and applications running in the cloud. Ensuring ongoing security in the cloud requires cloud instances equipped with defensive security controls and regularly assessed for their ability to withstand the latest data breach threats.

The following points can help secure a cloud-based deployment.

1. Understand your shared responsibility: While the cloud provider secures the greater part of the virtualization and physical infrastructure, the rest of the responsibility falls on the customer organization. Depending on the services used, it is the customer’s responsibility to enforce application security, policies, configuration, etc.

2. Network Protection: Use defense in depth and secured services such as
- Virtual Private Networks (VPN)
- Routing rules
- Network ACLs
- Proxy servers: Nginx
- Stateful firewalls
- Network Address Translation (NAT)
- Firewalls at each layer: application (ModSecurity), host (iptables), network (pfSense)

3. Protection of the Cloud Machine Images
- Harden machine images
- Change default passwords
- Disable insecure ports and services
- Install anti-virus software
- Use a baseline (STIGs): a system-specific checklist
- Learn the Security Content Automation Protocol (SCAP), which provides multiple tools to assist administrators and auditors in enforcing security baselines.

4. Protection of Data at Rest: Data at rest refers to inactive data stored digitally. To protect such data:
- Understand the different cloud storage mechanisms and their security implications.
- Review the available encryption options.
- Consider secure archival and data disposal.
- Tools: LUKS, dm-crypt, GNU shred

5. Protection of Data in Transit: Data in transit refers to data flowing through a public or private network.
- Always use secure application protocols such as TLS (Transport Layer Security), SSH (Secure Shell) and RDP (Remote Desktop Protocol, configured to use TLS and Network Level Authentication).
- When an application does not support secure protocols, tunnel its traffic securely over IPsec, an SSL VPN or SSH.
- Consider using a key management system.
- Tools: OpenVPN, Openswan.

6. Protection and Patching of Instances
- Use a configuration management system to patch all cloud-based instances.
- Watch for zero-day vulnerabilities and classify the risks they pose.
- Tools: OpenVAS

7. Protection of Instance Access
- Manage access to cloud instances through a directory service.
- Create individual user accounts (IAM).
- Grant least privilege based on business need.
- Enable MFA (multi-factor authentication) for privileged users.
- Audit all user activity.
- Refrain from using root cloud accounts for day-to-day work.
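Least privilege and MFA for privileged users can be checked mechanically before an access policy is applied. The Python linter below is an added example, not code from the original post. It reads a policy in the AWS IAM JSON policy format (the sample policy, its account ID and bucket name are constructed for illustration) and flags wildcard actions, wildcard resources, and privileged identity actions allowed without an MFA condition; the rules in lint_policy() are this example's own checks, not a complete policy analysis.

```python
"""Least-privilege lint for an IAM policy document before it is applied.

Added example, not from the original post. The policy follows the AWS IAM JSON
policy format; the sample itself (account ID, bucket name) is constructed and
the checks are this example's own, not a complete policy analysis.
"""
import json

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Classic over-broad "admin for the deploy role" statement.
            "Sid": "DeployEverything",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {   # Scoped correctly: one bucket, read-only verbs.
            "Sid": "ReadArtifacts",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-artifacts",
                         "arn:aws:s3:::example-artifacts/*"]
        },
        {   # Privileged identity change with no MFA requirement.
            "Sid": "RotateKeys",
            "Effect": "Allow",
            "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
            "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
        }
    ]
})

# Services whose actions change identities or privileges: require MFA for these.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "organizations:")
MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if any Condition operator block references the MFA context key."""
    for operator in statement.get("Condition", {}).values():
        if MFA_KEY in operator:
            return True
    return False


def lint_policy(policy_json):
    """Return a list of (Sid, finding) tuples for the Allow statements."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue                       # Deny statements only narrow access
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action!r}"))
        if "*" in resources:
            findings.append((sid, "wildcard resource '*'"))
        privileged = any(a == "*" or a.startswith(PRIVILEGED_PREFIXES) for a in actions)
        if privileged and not _requires_mfa(st):
            findings.append((sid, "privileged action allowed without an MFA condition"))
    return findings


if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

On the sample, DeployEverything trips all three rules and RotateKeys trips the MFA rule, while the scoped ReadArtifacts statement passes. Run in the pipeline before a policy is applied, a non-empty result blocks the change and sends it back for review.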

8. Application Protection
- Implement AAA (authentication, authorization and auditing).
- Understand the OWASP Top 10 security flaws.
- Follow secure development best practices.
- Tools: Jenkins, PMD, FindBugs

9. Auditing and Monitoring the Cloud
- Gather monitoring data on a separate, secured network.
- Establish baselines and monitor all layers and protocols.
- Deploy an IDS (intrusion detection system) behind the network firewall.
- Fine-tune alert levels and use redundant channels for alerting.
- Tools: Nagios, ELK Stack, Watcher, Snort.
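A baseline is only useful if something compares live data against it. The Python below, an added example that is not code from the original post, is the kind of detection logic that sits behind an alert: it reads OpenSSH auth log lines and raises one alert per source address that accumulates a threshold of failed logins inside a sliding time window. The log lines are constructed in the syslog format OpenSSH writes on Ubuntu, the year is supplied because syslog timestamps carry none, and the threshold and window values are this example's own tuning knobs.

```python
"""Detect SSH password guessing from auth log lines (sliding window per source).

Added example, not from the original post. The log lines are constructed in
the syslog format OpenSSH writes on Ubuntu; threshold and window are this
example's own defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  8 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  8 10:15:03 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Mar  8 10:15:04 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 51041 ssh2
Mar  8 10:15:06 web1 sshd[2207]: Failed password for root from 203.0.113.5 port 51049 ssh2
Mar  8 10:15:07 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51052 ssh2
Mar  8 10:15:09 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar  8 10:16:30 web1 sshd[2250]: Failed password for deploy from 198.51.100.7 port 40120 ssh2
Mar  8 10:40:00 web1 sshd[2400]: Failed password for root from 203.0.113.5 port 51900 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2016):
    """Return (timestamp, result, user, src) or None for lines we do not care about.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert once per source that reaches `threshold` failed logins within any
    `window_seconds` span. Returns [(src, first_seen, last_seen, count)]."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, src = parsed
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # slide the window forward
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)          # one alert per source, not one per extra failure
            alerts.append((src, q[0], ts, len(q)))
    return alerts


if __name__ == "__main__":
    for src, first, last, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {src}: {count} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample, 203.0.113.5 produces five failures in six seconds and is reported once; its later failure at 10:40 falls outside the window and does not re-alert, and the single failure from 198.51.100.7 stays below the threshold. The same structure (parse, bucket by key, slide a window, alert once) carries over to other signals such as failed console logins or repeated API AccessDenied errors.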

10. Validate Protection
- Periodically test the network, applications and infrastructure for security vulnerabilities.
- Check for input validation, session manipulation, authentication and information leakage issues.
- Wherever possible, use third-party tools.
- Tools: Metasploit, Kali Linux, OpenVAS.

11. Automation: Automated provisioning helps with documentation, disaster recovery planning and change management.
- Use a configuration management system such as Chef or Puppet to manage configuration centrally.
- Consider infrastructure as code.
- Implement continuous integration and continuous delivery.
- Tools: Docker, Ansible and Chef.

12. Update Security Policy
- Define the scope and boundaries of security.
- Implement a proper methodology for risk assessment, identification and remediation.
- Align policies with the contractual obligations of the cloud provider.
- Make use of compliance management tools: OpenFISMA, PTA, SOMAP, GLPI.

Conclusion 

Some things are easier and some things are harder in the cloud. The steps listed above will, however, get you started on your improvement cycle for continuous security. Before you get started and implement a cloud application on grounds of time and cost, it is essential to understand the data involved and the security breach threats to it.

Whenever an organization moves to a new application or repositions one, it will either drive sales up, drive operational costs down, or both. By making well-informed choices, cloud computing can offer business value, choice and agility, which are the most compelling reasons for implementing a new application in the cloud.
For more details on cloud security, please visit: http://www.gallop.net/cloud-application-security-testing