10 Practical Security Tips for DevOps (Part 2)

DevOps Approach to Security

The evolution of cloud computing, SaaS and mobile applications has accelerated the transformation of how software is developed and released. It has highlighted the requirement for leaner, more agile ways of working collaboratively across all key teams in the development lifecycle, so that competitive, stable products and updates can be released on a shorter, more frequent timescale. The DevOps paradigm has done just that: it has broken down operational and communication silos between Developers and Operations to establish a shared culture of trust, and it automates infrastructure and workflows to create a continuous delivery model in which new features are rolled into live software as they are created. But whilst organizations are embracing DevOps to realize compelling business benefits, security and compliance monitoring practices have not kept up and often represent the single largest remaining hurdle to continuous delivery.

Continuing from last week’s post, let’s dive into the next five practical DevOps security tips for security professionals.

6. Harden your Cloud Deployment (standard AMIs, Security Groups, IAM roles, MFA tokens)

Cloud services can deliver highly secure infrastructure when configured correctly. However, it is also very quick and easy to open up significant security holes. You need to review how your company is using the cloud, including the segregation of roles: do your developers have the rights to change the production environment? If so, why? I am sure you do not let your server administrators walk around using Domain Admin accounts, so why should people have root access in the AWS Console? You need to review everything from the development environment through to production.

ACTION: Review how teams are accessing the console and what permissions they have. People should only have the permissions they need to do their job, and anyone with significant permissions should be using two-factor authentication.
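The two checks this action calls for, as an added example that is not part of the original post: flag IAM policy statements that grant wildcard actions or resources, and list console users without an MFA device. The policy document and credential report are constructed sample data in the shapes AWS uses; in a real review they would come from `aws iam get-policy-version` and `aws iam get-credential-report`.

```python
import csv
import io
import json

# Constructed sample policy: the kind of "root in the console" grant tip 6 warns about.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::dev-artifacts/*"},
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
    ],
})

# Constructed credential report (subset of the columns `aws iam get-credential-report` returns).
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false,true
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true
"""

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def overly_broad_statements(policy_json):
    """Allow statements whose Action is '*' or 'service:*', or whose Resource is '*'."""
    findings = []
    for index, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        broad_actions = [a for a in _as_list(stmt.get("Action", []))
                         if a == "*" or a.endswith(":*")]
        broad_resources = [r for r in _as_list(stmt.get("Resource", [])) if r == "*"]
        if broad_actions or broad_resources:
            findings.append({"statement": index, "actions": broad_actions,
                             "resources": broad_resources})
    return findings

def console_users_without_mfa(report_csv):
    """Users who can sign in to the console without MFA. Root reports
    password_enabled as 'not_supported' but can always sign in, so it counts."""
    return sorted(
        row["user"] for row in csv.DictReader(io.StringIO(report_csv))
        if row["mfa_active"] == "false"
        and row["password_enabled"] in ("true", "not_supported")
    )
```

Users with only access keys (such as the deploy-bot above) are not console users and need a separate key-rotation review.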

7. Deployment of security tools

Once you get to deploying applications to production, will you be able to keep up with multiple teams deploying multiple applications? In the same way you can use automation to ensure that security is configured as you require, you can ensure that your security tools are deployed at the same time.

You should be looking at deploying network threat detection, monitoring of HTTP traffic for attacks, and monitoring of log files. With solutions such as Alert Logic Cloud Defender you can monitor these three feeds at the same time and have a 24×7 SOC investigate the threats and escalate if required.

ACTION: Script the deployment of your security tools so that all environments have a baseline coverage.

8. Vulnerability scanning of OS and applications

One of the most common attack vectors is the exploitation of vulnerabilities in the OS or applications running on your servers. As part of a DevOps pipeline, servers can be checked for vulnerabilities, so you know what state your servers are in at any point in time. In addition, with solutions such as Alert Logic Cloud Defender this information feeds into our analytics engine, allowing potential attacks to be rated with the additional context of what software you are actually running; this helps reduce false positives.

ACTION: Run regular vulnerability scans against the environments and remediate any vulnerabilities.
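How scan data reduces false positives, as an added example that is not part of the original post or of Alert Logic's analytics engine: each network alert is rated against the scanner's inventory and open findings for the targeted host. Host names, the software inventory, the alert signatures and the finding id are all constructed sample data.

```python
# Constructed per-host software inventory, as a vulnerability scanner would report it.
INVENTORY = {
    "web-01": {"nginx", "openssh", "php"},
    "api-02": {"openssh", "openjdk"},
}
# Constructed open scan findings: host -> software with an unremediated vulnerability.
# The finding id is a placeholder, not a real advisory.
OPEN_FINDINGS = {
    "web-01": {"php": ["EXAMPLE-FINDING-1"]},
    "api-02": {},
}
# Constructed network IDS alerts; 'software' is the product the signature targets.
ALERTS = [
    {"host": "web-01", "signature": "PHP remote code execution attempt", "software": "php"},
    {"host": "api-02", "signature": "PHP remote code execution attempt", "software": "php"},
    {"host": "api-02", "signature": "Java deserialization attempt", "software": "openjdk"},
    {"host": "web-01", "signature": "Port scan", "software": None},
]

def rate_alert(alert, inventory=INVENTORY, open_findings=OPEN_FINDINGS):
    """Rate one IDS alert using what the scanner knows about the targeted host.

    critical              - targeted software is installed and has an open vulnerability
    medium                - software is installed, no open vulnerability known
    likely-false-positive - the host does not run the software the signature targets
    informational         - the signature is not tied to a specific product
    """
    software, host = alert["software"], alert["host"]
    if software is None:
        return "informational"
    if software not in inventory.get(host, set()):
        return "likely-false-positive"
    if software in open_findings.get(host, {}):
        return "critical"
    return "medium"

def triage(alerts, inventory=INVENTORY, open_findings=OPEN_FINDINGS):
    """Group alert descriptions by rating so the SOC works the critical queue first."""
    queues = {}
    for alert in alerts:
        rating = rate_alert(alert, inventory, open_findings)
        queues.setdefault(rating, []).append(f"{alert['signature']} on {alert['host']}")
    return queues
```

The rating only improves with scan freshness: a stale inventory turns a real attack on newly installed software into a "likely false positive", which is one more reason the scans need to run regularly.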

9. Phoenix Upgrades

With Phoenix Upgrades, each time you deploy an update you terminate the existing server and build a fresh one, rather than applying the update in place. This not only increases your agility in rolling out new versions but also your ability to respond rapidly to security issues: a new patched version can be deployed across your entire cloud environment quickly and safely. The Phoenix Upgrade strategy also reduces the risk of technical debt and configuration drift.

ACTION: Work with the DevOps team to support their use of Phoenix Upgrades, and ensure this gives you the ability to patch security issues and roll the fixes out.

10. Ongoing and real-time audit of the production environment

Visibility post-deployment often comes down to the level of auditing that has been put in place. You should have standard auditing levels across different server roles and applications. Your goal is a level of auditing that can be fed into a security tool and provides the data you need, without swamping your servers with excessive auditing.

Once all of these elements are in place, you can audit production to ensure that at any point in time you understand what state it is in and whether it has drifted from its defined security profile. The cloud is often referred to as a programmable datacentre: developers use this to create huge IT systems in very short timeframes, and you can use the same power to audit those systems multiple times a day.

ACTION: Work with the development team to set logging levels and use a tool like Chef to ensure that your configuration does not drift.
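A drift check of the kind this action describes, as an added example that is not part of the original post or of any Chef cookbook: a server role's defined security profile (required sshd settings, including the logging level, and permitted listening ports) is compared against what an audit job observed on one server. The profile, the sshd_config text and the port list are constructed sample data.

```python
# Constructed security profile for the "web" server role: the settings every
# server in that role must have and the only ports it may listen on.
WEB_PROFILE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "LogLevel": "VERBOSE"},
    "listening_ports": {22, 80, 443},
}

# Constructed observations collected from one server by the audit job.
OBSERVED_SSHD_CONFIG = """\
# sshd_config on web-01 (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
LogLevel INFO
"""
OBSERVED_PORTS = {22, 80, 443, 8080}

def parse_sshd_config(text):
    """Parse sshd_config into {directive: value}; commented-out lines are not settings."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        settings[parts[0]] = parts[1]
    return settings

def detect_drift(profile, sshd_config_text, listening_ports):
    """Compare a server's observed state to its defined security profile.

    Returns a list of drift findings; an empty list means the server matches.
    A directive missing from sshd_config falls back to the daemon default and is
    reported as 'unset' rather than assumed compliant.
    """
    findings = []
    observed = parse_sshd_config(sshd_config_text)
    for directive, expected in profile["sshd"].items():
        actual = observed.get(directive, "unset")
        if actual != expected:
            findings.append(f"sshd {directive}: expected {expected}, found {actual}")
    for port in sorted(listening_ports - profile["listening_ports"]):
        findings.append(f"unexpected listening port {port}")
    for port in sorted(profile["listening_ports"] - listening_ports):
        findings.append(f"required port {port} not listening")
    return findings
```

Run from a scheduled job, a non-empty result is the signal to let the configuration management tool reconverge the server (or, under Phoenix Upgrades, to replace it) and to investigate who changed it.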

The evolution of DevOps should be extended to embrace Security – providing speed and agility to securing critical applications, assets and services in a more predictable, auditable and secure way.

(Part 3) DevOps: The Security Gap

The 3rd post in our DevOps blog series features the results of a recent Alert Logic online survey of 73 UK DevOps practitioners and the role they believe security could, and should, play within the software development lifecycle. 

Additional resources:

On-Demand Webinar hosted by Alert Logic and Chef – DevSecOps: Taking a DevOps Approach to Security
https://www.brighttalk.com/webcast/11587/147557 

Webinar slides
http://www.slideshare.net/AlertLogic/alert-logic-and-chef-dev-ops-webinar

Alert Logic Cloud Defender
http://www.clouddefender.com/