SlideShare a Scribd company logo

Control Freak: Risk and Control in Azure DevOps

Download as PPTX, PDF
AgileThought, profile picture
AgileThought

This document discusses controls for audit and risk management in Azure DevOps. It covers controls for environments, code, data at rest, and data in motion. For environments, it recommends using ARM templates, VSTS branch policies, and deployment pipelines. For code, it suggests using GitFlow, branch policies, and deployment pipelines with approvals. For data at rest, it proposes encryption with TDE, Always Encrypted, and Storage Service Encryption. For data in motion, it advises using TLS and virtual networks. The document also outlines logging, monitoring, and response controls using tools like Application Insights, Azure Policy, and Security Center.

Technology
Related topics:
Insights on Software Development
1 of 29
Downloaded 18 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
P re s e n t e d b y Control Freak: Risk and Control in Azure DevOps Barkha Herman South Florida Code Camp ‘18
What will be covered: • Audit and Controls for Environments • Audit and Controls for Code • Audit and Controls Data at Rest • Audit and Controls Data In Motion • Monitoring and Response
Audit and Control for Environments
Some sample Controls: 1. Logical and physical Segregation of Environments 2. Lifecycle Methodology for Deployments 3. Process set for Approvals and review
Implementation 1. Use ARM Templates to create PaaS and IaaS Applications 2. Use VSTS Branch Policies to control changes to Templates 3. Use a deployment Pipeline to control Environment Changes
Use ARM Templates to deploy 1. Azure Resource Manager templates automate Deployment. 2. Creating environment becomes repeatable. 3. Creating environments can be scripted.
1.Use VSTS for Templates 1. Use VSTS to maintain ARM Templates and standardize changes to environments. 2. Use gitflow Pull Request Process to validate and audit any changes to the environments.
1.Use Pipelines for Deployments 1. Use Deployment Pipelines for Deployments. 2. Use SPNs for environments; devops cannot deploy directly to an environment. 3. Approvers setup for each environment – QA approvers differ from PROD approvers.
Demo…
Audit and Control for Code
Some Sample Controls 1. Code is located in a secure location 2. Access to modify code is restricted 3. Code is reviewed, tested and scanned etc. 4. Code deployment is “gated” and “Audited”
Implementation 1. Git Flow & Branch Policies in VSTS 2. Build once, deploy several for consistency 3. Deployment Pipeline with Approvals for “Gates” and audits
Git Flow + Controls 1. Use GitFlow 2. Pull Requests for Merges, required reviews and Work Items 3. Developer code lives in PR branches, merged into Develop 4. Master keeps release versions 5. Code must compile before merge to develop 6. Builds run tests, scan for issues 7. Deployments are gated
Deployment Pipelines 1. Build artifacts are created once 2. Continuous deployment ensures compile, unit tests, etc. 3. Deployment to any environment from CD requires approvals 4. Create different groups for approvals to different environments
Demo..
Audit and Controls for Data at Rest
Some Sample Controls 1. Ensure that Data is Encrypted at rest 2. Access to static data is controlled and audited 3. Ensure that Data is “Highly Available” 4. Ensure Data is Restorable, i.e. Loss Prevention 5. Ensure Data is auditable, i.e., Retention Policies
Implementation - SQL 1. TDE is available for Azure SQL. Uses Key Vault for Encryption Keys. 2. Always Encrypted Option available.
Implementation – Storage Blob / Files 1. Storage Service Encryption is also available. 2. Key Management using Key Vault.
Implementation - CosmosDB 1. Encrypted by default. 2. Backup to Blob is also encrypted.
Demo…
Audit and Control for Data in Motion
Some Sample Controls 1. All end points use TLS 2. Authentication and Authorization is Implemented 3. All communication is secure in transit – not only from client to server, but within a data center
Implementation 1. TLS is default in PaaS Services 2. ASEs can be setup web apps and web api for performance, virtual networks, isolation 3. Azure site-to-site VPN 4. Azure Point-to-site VPN 5. ExpressRoute
Monitoring and Response
Some Sample Controls 1. All end points have logs for auditing. 2. All end points have monitoring available. 3. Alerts are set for disaster as well as security related events. 4. Diagnostics are available for all services.
Logging and Analysis Tools available 1. Application Insights 2. Azure Policy 3. Security Center 4. Azure Monitor 5. Others…
Demo…
Stay Connected If you have questions or would like more information, feel free to contact me via email barkha.herman@agilethought.com • www.agilethought.com • www. linkedin.com/company/AgileThought • @AgileThought

More Related Content

PDF
Software Testing - Defect/Bug Life Cycle - Complete Flow Chart of Defect States
eVideoTuition
 
PDF
Microsoft Windows Server 2022 Overview
David J Rosenthal
 
PPTX
Test Automation - Everything You Need To Know
BugRaptors
 
PDF
Google Cloud Platform Training | Introduction To GCP | Google Cloud Platform ...
Edureka!
 
PPTX
Managed Test Services - Maveric Systems
Maveric Systems
 
PDF
DevTestOps
Paul Mateos
 
PDF
Az 104 session 5: Azure networking
AzureEzy1
 
PPTX
Testing web application
jayashreesaravanan
 
Software Testing - Defect/Bug Life Cycle - Complete Flow Chart of Defect States
eVideoTuition
 
Microsoft Windows Server 2022 Overview
David J Rosenthal
 
Test Automation - Everything You Need To Know
BugRaptors
 
Google Cloud Platform Training | Introduction To GCP | Google Cloud Platform ...
Edureka!
 
Managed Test Services - Maveric Systems
Maveric Systems
 
DevTestOps
Paul Mateos
 
Az 104 session 5: Azure networking
AzureEzy1
 
Testing web application
jayashreesaravanan
 

What's hot (20)

PPTX
Java Full Stack Developer.pptx
Itpreneur
 
PDF
Root Cause Analysis for Software Testers
TechWell
 
PDF
Cloud for Kubernetes : Session4
WhaTap Labs
 
PDF
Zero to 60 with Azure Cosmos DB
Adnan Hashmi
 
PPTX
Azure DevOps
Michael Jesse
 
PDF
Advanced SQL - Database Access from Programming Languages
S.Shayan Daneshvar
 
PDF
Migrate to Microsoft Azure with Confidence
David J Rosenthal
 
PPTX
DevOps - The Key to Rapid Productization (Introduction to the 5C's of DevOps)
Cygnet Infotech
 
PPT
ISTQB / ISEB Foundation Exam Practice - 5
Yogindernath Gupta
 
PPT
Agile QA presentation
Carl Bruiners
 
PPTX
Software Quality Assurance
ShashankBajpai24
 
PPTX
Software testing
mkn3009
 
PDF
Intro to GitHub Actions
All Things Open
 
PDF
Introducing Amazon EKS Anywhere On Apache CloudStack
ShapeBlue
 
PPTX
Azure App Service Deep Dive
Azure Riyadh User Group
 
PDF
Introduction to Development for the Internet
Mike Crabb
 
PPTX
Azure AD Presentation - @ BITPro - Ajay
Anoop Nair
 
PDF
Azure Training | Microsoft Azure Tutorial | Microsoft Azure Certification | E...
Edureka!
 
PDF
Quality at Speed - Penny Wyatt
Atlassian
 
PDF
Deployment Methodology
David Messineo
 
Java Full Stack Developer.pptx
Itpreneur
 
Root Cause Analysis for Software Testers
TechWell
 
Cloud for Kubernetes : Session4
WhaTap Labs
 
Zero to 60 with Azure Cosmos DB
Adnan Hashmi
 
Azure DevOps
Michael Jesse
 
Advanced SQL - Database Access from Programming Languages
S.Shayan Daneshvar
 
Migrate to Microsoft Azure with Confidence
David J Rosenthal
 
DevOps - The Key to Rapid Productization (Introduction to the 5C's of DevOps)
Cygnet Infotech
 
ISTQB / ISEB Foundation Exam Practice - 5
Yogindernath Gupta
 
Agile QA presentation
Carl Bruiners
 
Software Quality Assurance
ShashankBajpai24
 
Software testing
mkn3009
 
Intro to GitHub Actions
All Things Open
 
Introducing Amazon EKS Anywhere On Apache CloudStack
ShapeBlue
 
Azure App Service Deep Dive
Azure Riyadh User Group
 
Introduction to Development for the Internet
Mike Crabb
 
Azure AD Presentation - @ BITPro - Ajay
Anoop Nair
 
Azure Training | Microsoft Azure Tutorial | Microsoft Azure Certification | E...
Edureka!
 
Quality at Speed - Penny Wyatt
Atlassian
 
Deployment Methodology
David Messineo
 
Ad

Similar to Control Freak: Risk and Control in Azure DevOps (20)

PPTX
Wellington MuleSoft Meetup 2021-02-18
Mary Joy Sabal
 
PDF
Getting to Walk with DevOps
Eklove Mohan
 
PPTX
SecDevOps: The New Black of IT
CloudPassage
 
PPTX
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
Noppadol Songsakaew
 
PPTX
Mastering the DevOps Certification: CI/CD, Governance & Monitoring Made Simple
shubhamsharma994585
 
PDF
Best practices in Deploying SUSE CaaS Platform v3
Juan Herrera Utande
 
PDF
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
garrett honeycutt
 
PPTX
Open Policy Agent for governance as a code
Alexander Tokarev
 
PPTX
Super chargeyourcontiniousintegrationdeployments
Nikola Gotsev
 
PPTX
Supercharge Your Continuous Integration Deployments
Nikola Gotsev
 
PPT
Context Driven Automation Gtac 2008
Pete Schneider
 
PDF
Improving Batch-Process Testing Techniques with a Domain-Specific Language
Dr. Spock
 
PPTX
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
PDF
Jose Luis Soria - XP2014 - Designing a Release Pipeline
Jose Luis Soria
 
PDF
KoprowskiT_Session2_SDNEvent_SourceControlForDBA
Tobias Koprowski
 
PPT
The QA/Testing Process
Synerzip
 
PDF
Test Driven Development with Sql Server
David P. Moore
 
PPTX
Geek Sync | Handling HIPAA Compliance with Your Data Access
IDERA Software
 
PPTX
Kubernetes and container security
Volodymyr Shynkar
 
PPTX
12 Securing Windows Servers by Using Group Policy Objects.pptx
HassanAhmadAbubakar1
 
Wellington MuleSoft Meetup 2021-02-18
Mary Joy Sabal
 
Getting to Walk with DevOps
Eklove Mohan
 
SecDevOps: The New Black of IT
CloudPassage
 
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
Noppadol Songsakaew
 
Mastering the DevOps Certification: CI/CD, Governance & Monitoring Made Simple
shubhamsharma994585
 
Best practices in Deploying SUSE CaaS Platform v3
Juan Herrera Utande
 
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
garrett honeycutt
 
Open Policy Agent for governance as a code
Alexander Tokarev
 
Super chargeyourcontiniousintegrationdeployments
Nikola Gotsev
 
Supercharge Your Continuous Integration Deployments
Nikola Gotsev
 
Context Driven Automation Gtac 2008
Pete Schneider
 
Improving Batch-Process Testing Techniques with a Domain-Specific Language
Dr. Spock
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Jose Luis Soria - XP2014 - Designing a Release Pipeline
Jose Luis Soria
 
KoprowskiT_Session2_SDNEvent_SourceControlForDBA
Tobias Koprowski
 
The QA/Testing Process
Synerzip
 
Test Driven Development with Sql Server
David P. Moore
 
Geek Sync | Handling HIPAA Compliance with Your Data Access
IDERA Software
 
Kubernetes and container security
Volodymyr Shynkar
 
12 Securing Windows Servers by Using Group Policy Objects.pptx
HassanAhmadAbubakar1
 
Ad

More from AgileThought (6)

PPTX
Adventures in Agile Testing
AgileThought
 
PPTX
From Device To Cloud
AgileThought
 
PPTX
Operationalizing Machine Learning
AgileThought
 
PDF
Patterns Are Good For Managers
AgileThought
 
PDF
The Agile Journey
AgileThought
 
PDF
Psychology In UX
AgileThought
 
Adventures in Agile Testing
AgileThought
 
From Device To Cloud
AgileThought
 
Operationalizing Machine Learning
AgileThought
 
Patterns Are Good For Managers
AgileThought
 
The Agile Journey
AgileThought
 
Psychology In UX
AgileThought
 

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Encapsulation theory and applications.pdf
gurumoop
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Approach and Philosophy of On baking technology
30anthuong17
 
KodekX | Application Modernization Development
KodekX
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 

Control Freak: Risk and Control in Azure DevOps

  • 1. P re s e n t e d b y Control Freak: Risk and Control in Azure DevOps Barkha Herman South Florida Code Camp ‘18
  • 2. What will be covered: • Audit and Controls for Environments • Audit and Controls for Code • Audit and Controls Data at Rest • Audit and Controls Data In Motion • Monitoring and Response
  • 3. Audit and Control for Environments
  • 4. Some sample Controls: 1. Logical and physical Segregation of Environments 2. Lifecycle Methodology for Deployments 3. Process set for Approvals and review
  • 5. Implementation 1. Use ARM Templates to create PaaS and IaaS Applications 2. Use VSTS Branch Policies to control changes to Templates 3. Use a deployment Pipeline to control Environment Changes
  • 6. Use ARM Templates to deploy 1. Azure Resource Manager templates automate Deployment. 2. Creating environment becomes repeatable. 3. Creating environments can be scripted.
  • 7. 1.Use VSTS for Templates 1. Use VSTS to maintain ARM Templates and standardize changes to environments. 2. Use gitflow Pull Request Process to validate and audit any changes to the environments.
  • 8. 1.Use Pipelines for Deployments 1. Use Deployment Pipelines for Deployments. 2. Use SPNs for environments; devops cannot deploy directly to an environment. 3. Approvers setup for each environment – QA approvers differ from PROD approvers.
  • 10. Audit and Control for Code
  • 11. Some Sample Controls 1. Code is located in a secure location 2. Access to modify code is restricted 3. Code is reviewed, tested and scanned etc. 4. Code deployment is “gated” and “Audited”
  • 12. Implementation 1. Git Flow & Branch Policies in VSTS 2. Build once, deploy several for consistency 3. Deployment Pipeline with Approvals for “Gates” and audits
  • 13. Git Flow + Controls 1. Use GitFlow 2. Pull Requests for Merges, required reviews and Work Items 3. Developer code lives in PR branches, merged into Develop 4. Master keeps release versions 5. Code must compile before merge to develop 6. Builds run tests, scan for issues 7. Deployments are gated
  • 14. Deployment Pipelines 1. Build artifacts are created once 2. Continuous deployment ensures compile, unit tests, etc. 3. Deployment to any environment from CD requires approvals 4. Create different groups for approvals to different environments
  • 16. Audit and Controls for Data at Rest
  • 17. Some Sample Controls 1. Ensure that Data is Encrypted at rest 2. Access to static data is controlled and audited 3. Ensure that Data is “Highly Available” 4. Ensure Data is Restorable, i.e. Loss Prevention 5. Ensure Data is auditable, i.e., Retention Policies
  • 18. Implementation - SQL 1. TDE is available for Azure SQL. Uses Key Vault for Encryption Keys. 2. Always Encrypted Option available.
  • 19. Implementation – Storage Blob / Files 1. Storage Service Encryption is also available. 2. Key Management using Key Vault.
  • 20. Implementation - CosmosDB 1. Encrypted by default. 2. Backup to Blob is also encrypted.
  • 22. Audit and Control for Data in Motion
  • 23. Some Sample Controls 1. All end points use TLS 2. Authentication and Authorization is Implemented 3. All communication is secure in transit – not only from client to server, but within a data center
  • 24. Implementation 1. TLS is default in PaaS Services 2. ASEs can be setup web apps and web api for performance, virtual networks, isolation 3. Azure site-to-site VPN 4. Azure Point-to-site VPN 5. ExpressRoute
  • 26. Some Sample Controls 1. All end points have logs for auditing. 2. All end points have monitoring available. 3. Alerts are set for disaster as well as security related events. 4. Diagnostics are available for all services.
  • 27. Logging and Analysis Tools available 1. Application Insights 2. Azure Policy 3. Security Center 4. Azure Monitor 5. Others…
  • 29. Stay Connected If you have questions or would like more information, feel free to contact me via email barkha.herman@agilethought.com • www.agilethought.com • www. linkedin.com/company/AgileThought • @AgileThought