Guide to Automating DevOpsSecurity on Azure

Santhosh Sundarasamy
By Santhosh Sundarasamy

February 13, 2017

In this blog, I am covering some examples of how security controls can be deployed at high speed, using the default automation components available in a cloud environment. I have taken Azure as an example to illustrate automated security control deployments implemented at high speed.

DevOps is all about speed

DevOps enables a faster turnaround time for moving developed components into production. In the waterfall world, security controls were getting pushed to later stages of the SDLC cycle. In the DevOps world it’s critical to have the security controls incorporated into the DevOps framework—a framework which is part of every Sprint.

Since every sprint has a short duration ranging from days to weeks, there is no possibility of delaying the security controls that need to be deployed with each sprint. The Continuous Integration/Continuous Delivery (CICD) model mandates much faster deployment of security controls. Such a speedy deployment of controls requires automation, because it simply cannot be done manually. Today, most DevOps embrace the cloud for its elastic nature in accommodating workload deployment.

The automation of security controls

Let us now look at how security controls can be automated into a DevOps framework for an Azure workload. There are multiple security controls that needs to be deployed when the new VM is created/started. Some of them are given below:

  • Create a VM from hardened image
  • Configure the VM to send logs to the security log monitoring application
  • Include the VM for network vulnerability assessment
  • If the VM is running a web application, include it for web application vulnerability assessment
  • Implement Anti-Virus controls for VM

Let’s also look at how these tasks can be automated natively in an Azure cloud. The way to automate these security controls for Azure is through Azure Automation Run book. To get started, open “Automation Account”

Create a new automation account if you don’t already have one. For quick navigation, you can pin the automation account to your dashboard while creating it.

Browse “Runbooks Gallery” to pick the closest one for the required security control. For example, the “Run tasks on Azure Virtual Machine using custom script extension” template would be ideal to automate the installation of the vulnerability agent, security monitoring, and/or endpoint security.

It uses “Push-AzureVMCommand” to run the command in a remote VM. This can be used to deploy a security agent or implement any security control required for Azure-VM. Remember to use the “Import” option in Gallery Runbook in order to add to your automation account. Once it’s in your automation account, the remote command can be edited to add task(s); required to implement security control.

As another example, to run windows defender full-scan, you could invoke Start-MpScan as shown below.

For patching Unix/Linux based VMs do the following: “Run SSH command to Install Updates” as a template to start with.

To have high priority security updates installed, use the below command for Ubuntu.

To have these automations, your security provider should support API or a command-line based interface. If you want a more effortless process, there are security solutions that have prebuilt templates in order to automate security to your DevOps environment. Paladion OnDemand provides Cyber security as a service with automation being a key driving force behind the way it works. You can contact a PaladionOnDemand expert by clicking here.

Tags: Uncategorized