DevSecOps in Azure

Security is a prime concern for any business that stores customer or client data, and the solution that manages and exposes that data should be developed with security in mind. DevSecOps applies security best practices from the beginning of development rather than relying on an audit at the end: security moves left into the design, coding and build stages (a shift-left strategy), so that defects are found while they are cheapest to fix.

Architecture

(Architecture diagram; the numbered steps below follow it.)

Data flow

  1. Azure Active Directory (AD) can be configured as the identity provider for GitHub. Multi-factor authentication can be enabled for extra security
  2. Developers commit to GitHub Enterprise, driven by work items and bugs tracked with Azure Boards
  3. GitHub Enterprise can integrate automatic security and dependency scanning through GitHub Advanced Security (code scanning and secret scanning) and GitHub's open source dependency alerts (Dependabot), so vulnerable code and dependencies are flagged on the pull request
  4. Pull Requests trigger CI builds and automated testing in Azure Pipelines
  5. The CI build in Azure Pipelines produces a Docker container image and pushes it to Azure Container Registry, from which Azure Kubernetes Service pulls it at release time
  6. A release in Azure Pipelines runs Terraform, managing the cloud infrastructure as code and provisioning resources such as Azure Kubernetes Service, Application Gateway, and Azure Cosmos DB
  7. Azure Pipelines enables Continuous Delivery (CD) to Azure Kubernetes Service, accessing the Container Registry through a service connection so that registry credentials are not stored in the pipeline definition
  8. Azure Policy can be applied to Azure Pipelines to enforce post-deployment gates, and can be applied directly to the AKS cluster through the Azure Policy add-on for AKS, which enforces policy on Kubernetes resources using Gatekeeper
  9. Azure Key Vault is used to inject secrets and credentials into the application at runtime, so sensitive values are never checked into source control or handled directly by developers
  10. End users authenticate with Azure AD B2C, which can require MFA for extra security, and are routed through an Application Gateway that load balances requests and, with its Web Application Firewall, protects the core services
  11. Continuous monitoring with Azure Monitor extends into the release pipeline, where monitoring data can gate or roll back a release. Azure Monitor also ingests security logs and can alert on suspicious activity
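
The pipeline that steps 4 to 8 describe, written out as a single Azure Pipelines YAML definition. This is an added example, not from the original page or from Microsoft: the service connection names, image repository, registry login server, environment name and `make test` command are assumptions, and the Kubernetes manifests are assumed to live in a `manifests/` folder of the repository.

```yaml
# Added example (not from the page). Pull requests build and test but never
# push an image or deploy; only builds from main reach the CD stage.
trigger:
  branches:
    include:
    - main

pr:
  branches:
    include:
    - main

variables:
  imageRepository: contoso/orders-api          # assumption: repository name in ACR
  acrLoginServer: contosoacr.azurecr.io        # assumption: ACR login server
  acrServiceConnection: acr-contoso            # assumption: Docker Registry service connection to ACR
  kubernetesServiceConnection: aks-contoso-prod  # assumption: Kubernetes service connection to AKS
  tag: $(Build.BuildId)

stages:
- stage: CI
  displayName: Build, test and scan (runs on every pull request)
  jobs:
  - job: Build
    pool:
      vmImage: ubuntu-latest
    steps:
    - checkout: self
    - script: make test                        # assumption: project test entry point
      displayName: Unit tests
    - task: Docker@2
      displayName: Build container image
      inputs:
        command: build
        containerRegistry: $(acrServiceConnection)
        repository: $(imageRepository)
        Dockerfile: Dockerfile
        tags: $(tag)
    - task: Docker@2
      displayName: Push image to ACR (skipped for pull request builds)
      condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
      inputs:
        command: push
        containerRegistry: $(acrServiceConnection)
        repository: $(imageRepository)
        tags: $(tag)
    - publish: $(Build.SourcesDirectory)/manifests
      artifact: manifests
      displayName: Publish Kubernetes manifests for the CD stage

- stage: CD
  displayName: Deploy to AKS
  dependsOn: CI
  condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
  jobs:
  - deployment: Deploy
    pool:
      vmImage: ubuntu-latest
    # Approvals and checks configured on this environment (for example a
    # Query Azure Monitor alerts check) run before the deployment job and act
    # as release gates. Assumption: an environment named 'production' exists.
    environment: production
    strategy:
      runOnce:
        deploy:
          steps:
          # Artifacts published by the CI stage are downloaded automatically
          # into $(Pipeline.Workspace)/<artifact name> for deployment jobs.
          - task: KubernetesManifest@1
            displayName: Deploy manifests to AKS
            inputs:
              action: deploy
              kubernetesServiceConnection: $(kubernetesServiceConnection)
              namespace: orders
              manifests: $(Pipeline.Workspace)/manifests/deployment.yaml
              containers: $(acrLoginServer)/$(imageRepository):$(tag)
```

The two `condition` expressions are the security-relevant part: a pull request from an untrusted branch can build and test, but it can never push an image into the registry that AKS trusts or trigger a deployment. Registry and cluster credentials live in the two service connections, which are managed in Azure DevOps and referenced by name, so nothing sensitive appears in the YAML.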

Components

  • Azure Active Directory provides identity and access management services for your organization, allowing control over access to the resources inside Azure, GitHub Enterprise, and Azure DevOps.
  • Source code is hosted on GitHub Enterprise, where developers can collaborate within your organization and with the open source communities. GitHub Enterprise offers advanced security features to identify vulnerabilities in the code you write and in your open source dependencies.
  • Use Azure Boards to plan work and track its progress, using Agile tools such as Kanban boards.
  • Azure Pipelines is a service that provides Continuous Integration and Continuous Delivery jobs, to build and release your application automatically.
  • Host your Docker container images on Azure Container Registry. Through its integration with Azure Security Center (now Microsoft Defender for Cloud), the registry's images can be scanned for known vulnerabilities.
  • Azure Kubernetes Service offers a Kubernetes cluster that is fully-managed by Azure, to ensure availability and security of your infrastructure.
  • Terraform is a third-party product developed by HashiCorp that allows infrastructure automation on Azure, as well as on other environments.
  • Azure Policy lets you create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. It integrates with Azure Kubernetes Service too.
  • You can use Azure Key Vault to store certificates, connection strings, tokens, and other secrets. These are read by your application at run-time, so they're abstracted away from your developers.
  • Azure Cosmos DB is a globally-distributed, multi-model database service that is fully managed and compatible with multiple APIs, including MongoDB, Cassandra, and SQL.
  • Azure Application Gateway is a Layer-7 load balancer with support for advanced routing rules and a Web Application Firewall (WAF).
  • Using Azure Monitor lets you get insights on the availability and performance of your application and infrastructure. It also gives you access to signals to monitor your solution's health and spot abnormal activity early.
  • Using Azure AD B2C you can provide identity services to consumers (end-users) of your application, even if they're not part of your organization.
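
The Key Vault component above, together with step 9 of the data flow, describes injecting secrets at runtime rather than handing them to developers. The following Kubernetes manifests show one way to do that on AKS with the Secrets Store CSI driver (the azure-keyvault-secrets-provider add-on). This is an added example, not code from the page or from Microsoft; the vault name, identity and tenant IDs, namespace, secret name and image reference are assumptions.

```yaml
# Added example (not from the page). The SecretProviderClass tells the CSI
# driver which Key Vault objects to fetch and with which identity; the
# Deployment mounts them as files and optionally reads one as an env var.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: orders-api-secrets
  namespace: orders                           # assumption
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"              # authenticate with the add-on's user-assigned managed identity
    userAssignedIdentityID: "00000000-0000-0000-0000-000000000000"  # assumption: client ID of that identity
    keyvaultName: kv-contoso-prod             # assumption
    tenantId: "00000000-0000-0000-0000-000000000000"                 # assumption
    objects: |
      array:
        - |
          objectName: cosmos-connection-string
          objectType: secret
  # Also mirror the value into a Kubernetes Secret so it can be injected as
  # an environment variable. The Secret is created only while a pod mounts
  # the volume below.
  secretObjects:
  - secretName: orders-api-cosmos
    type: Opaque
    data:
    - objectName: cosmos-connection-string
      key: connectionString
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
  namespace: orders
spec:
  replicas: 2
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
    spec:
      containers:
      - name: api
        image: contosoacr.azurecr.io/contoso/orders-api:123   # assumption: image pushed by the CI build
        env:
        - name: COSMOS_CONNECTION_STRING
          valueFrom:
            secretKeyRef:
              name: orders-api-cosmos
              key: connectionString
        volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store       # file per object, e.g. /mnt/secrets-store/cosmos-connection-string
          readOnly: true
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
      volumes:
      - name: secrets-store
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: orders-api-secrets
```

Two points a practitioner should check before relying on this: the managed identity named in `userAssignedIdentityID` must be granted read access to secrets in the vault (an access policy with `get` on secrets, or the Key Vault Secrets User role under RBAC), otherwise the pod stays in ContainerCreating with a mount error; and the synced Kubernetes Secret only exists while at least one pod mounts the volume, so anything that reads the Secret without mounting the volume will not find it. Reading the value from the mounted file rather than the environment variable avoids exposing it through `kubectl describe pod` or process listings.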