Scaling Security as Code on AWS: A DevSecOps Model
As Enterprises adopt modern application architectures, they now find they need the capability to deliver hundreds or even thousands of distinct applications while meeting stringent security and compliance requirements. Scaling the capability to deliver software securely requires a new framework for defining, creating, and delivering infrastructure and application code and brings a new set of challenges:
- How do you define and deploy secure infrastructure on AWS?
- How do you ensure consistency and quality in security controls?
- How can you enforce regulatory compliance and security controls across all deployments?
- How do you achieve compliance without slowing down development?
By defining operating environments and application configurations as software products themselves, DevSecOps teams gain the capability to define, create, iterate, and deliver secure application environments on-demand. Security teams can focus on defining, enforcing, and improving enterprise security controls. Product and development teams can remain focused on delivering secure software while automation allows them to test and deploy effortlessly.
Secure Environment Products
Deployment of an application, from a security perspective, requires defining and provisioning the environment ‘stack’ including infrastructure, operational configuration, application configuration, and the application code itself in a secure manner. Enterprises must establish controls that enforce defined security and compliance requirements. Typically, these controls come in the form of preventative, detective, and remediation controls.
Preventative controls are designed to run checks of environment configuration and application code with the goal of preventing insecure configurations or code from being deployed. Preventative controls typically take the form of static analysis and provide fast feedback to developers or security teams so they can iterate quickly. Preventative controls can be executed using Stelligent’s cfn_nag tool or AWS CloudFormation Guard and are codified as YAML.
Detective controls are interactive checks of the deployed environment and application. Detective controls are typically executed in a ‘live’ environment and compare the operating stack to the defined configurations and controls. When a detective control observes an insecure configuration or operation, it generates an event with data that can be used to categorize, tag, and route the event for appropriate handling. These security events can then trigger notifications, alerts, security workflows, automated remediation, and audit entries. AWS provides a number of services that implement detective controls, including AWS Config, Amazon GuardDuty, and Amazon Inspector, and most AWS services can generate configuration events as well. Configuration of those services can be codified as CloudFormation templates.
Remediation controls are automated controls that take corrective actions based on inputs from detective control events. For example, a remediation control could automatically correct unencrypted storage resources or disable compute resources that have been compromised. Remediation controls are typically executed as AWS Lambda functions or a containerized microservice if more complex remediation is needed. Remediation controls are codified as the functional remediation code itself and the configuration code as CloudFormation templates.
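A minimal preventative control in the spirit of the cfn_nag-style static checks described above, written here as an added example (it is not Stelligent’s, cfn_nag’s or CloudFormation Guard’s code): it scans a CloudFormation template for unencrypted storage resources and security group ingress open to the world, and returns a pass/fail gate a pipeline can act on. The template is a constructed JSON sample, and the rule names are assumptions.

```python
import json

# Constructed sample CloudFormation template (JSON form), not from the page:
# one encrypted bucket, one unencrypted bucket, an unencrypted EBS volume and a
# security group that opens SSH to the whole internet.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
        "UploadsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "Size": 100, "AvailabilityZone": "us-east-1a"}},
        "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "admin", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    }
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def check_resource(name: str, resource: dict) -> list:
    """Apply the preventative rules to one logical resource; return its findings."""
    rtype = resource.get("Type", "")
    props = resource.get("Properties") or {}
    findings = []
    if rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
        findings.append({"resource": name, "rule": "S3_BUCKET_UNENCRYPTED"})
    # CloudFormation's Encrypted property is a boolean; anything but True fails.
    if rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
        findings.append({"resource": name, "rule": "EBS_VOLUME_UNENCRYPTED"})
    if rtype == "AWS::EC2::SecurityGroup":
        for rule in props.get("SecurityGroupIngress", []):
            if rule.get("CidrIp") in WORLD_CIDRS or rule.get("CidrIpv6") in WORLD_CIDRS:
                findings.append({"resource": name, "rule": "SG_INGRESS_OPEN_TO_WORLD"})
    return findings

def lint_template(template_text: str) -> list:
    """Static check of a JSON CloudFormation template; returns all findings."""
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        findings.extend(check_resource(name, resource))
    return findings

def gate(template_text: str) -> bool:
    """Pipeline gate: True only when the template is clean and may be deployed."""
    return not lint_template(template_text)

if __name__ == "__main__":
    for f in lint_template(SAMPLE_TEMPLATE):
        print(f"FAIL {f['rule']}: {f['resource']}")
```

Run as a pipeline stage before deployment, a non-empty finding list fails the build and gives the developer the resource name and rule to fix.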
Continuous Security in Operations
With your security controls in place, Enterprises must then be able to observe and manage security events and provide audits on-demand. AWS Security Hub can provide a single point of access with visibility into security events. It can correlate those events with your defined and deployed control sets, providing a seamless security operations workflow. AWS Audit Manager automates the collection of audit events. It then generates audit-ready reports demonstrating compliance with the control requirements defined in your Secure Environment Product.
Publishing Secure Environment Products
As each layer of controls can be codified, you can then package them as a ‘stack’ of controls, which becomes your Secure Environment product. Enterprises can handle this just as they would any other software product, using version control and standard development tools to define, create, improve, and deploy Secure Environment products, which application teams then consume and deploy via AWS Service Catalog.
By codifying, validating, and publishing security control sets as a software product, Enterprises can ensure consistent and highly secure AWS environments can be deployed at scale. Application and product teams can deploy into AWS environments on-demand and with confidence that those environments meet the organization’s security and compliance requirements. DevSecOps and security teams can work in an efficient workflow that produces highly secure environments for consumption by product teams. Those environments, along with their security control sets, are codified allowing for defined and consistent controls to be applied and enforced on all AWS environments.
This framework allows for operating those environments with continuous security by automating detection and handling of security events. By utilizing the native AWS capabilities, codifying those configurations, and automating security event handling, this framework provides your enterprise the capability to deliver highly secure environments and applications at scale. Security teams work within the DevSecOps framework to provide an agile workflow and process for delivering secure and compliant software. Enterprises can eliminate the slow and cumbersome manual security workflows of yesterday. Instead, they can adopt an agile approach to integrating security into the software delivery process and achieve an elite level of performance.
If you’re ready to see how Stelligent’s Secure Environment Factory can help you scale security delivery, reach out to one of our Solutions Architects today for an analysis of your current security workflow and systems.