Microsoft’s transition of its corporate resources to the cloud required us to rethink how we integrate security into the agile development environment. In the old process, we often worked on 6- to 12-month development cycles for internal products. The security operations team was separate from the application development team and was responsible for ensuring that applications met security requirements. There was time to troubleshoot security between the two teams. Once we shifted to a shorter development cycle, we had to compress the new process to bake security into DevOps.
Our experience has led us to adopt four best practices that guide our thinking about integrating security with DevOps:
This post walks you through these tenets with some advice we hope you can apply to your own organization.
Cloud subscriptions are so easy to spin up that many organizations don’t have a comprehensive understanding of which teams are using which services. This makes it challenging to manage your costs and enforce security policies. If you are uncertain which services you are currently paying for, billing is good place to start.
Once you understand your cloud inventory, you can begin the work of making sure your investments align with your business strategies. This may mean limiting which services your organization uses to maximize the ones that will help you meet your business goals. Then, align your organization to your cloud strategy by defining a governing structure:
The only way to effectively enforce security policies in a short development cycle is to integrate security into the application development process. Early in our evolution, we dropped security team members into application development teams to create a single team with shared goals. This revealed cultural challenges and unexamined assumptions. Initially, both the application developers and the security team expected to conduct their jobs as they had in the past. Application developers wrote code and then security operations queued up issues to address. This proved unworkable for two reasons. Security analysts were queuing up too many security tasks to fit within the cycle. The application developers were often confused because security operations underestimated how well they understood the nuances of security.
The only way to meet our goals was to shift accountability for security to the DevOps teams. We wanted application developers to try to solve security issues as part of their process. This required education, but we also implemented some practices that encouraged the team to take on that responsibility:
We experimented with eliminating a central security team entirely, but ultimately, we realized that we needed a centralized team to monitor the big picture and set baselines. They establish our risk tolerance and measure security controls across subscriptions. They also automate as much of the security controls as they can. This includes configuring the Secure DevOps Kit for Azure. This team also needed training to better understand the vulnerabilities of the cloud. Tabletop exercises to talk through possible attacks with red teams was one way they got up to speed.
As our evolving process suggests, our biggest challenge was shifting culture and mindset. We recommend that you take time to define roles and start with a small team. You can expect to continuously discover better ways to improve teamwork and the security of your process and your applications.
For more details on how we evolved our security process for the cloud, watch the Speaking of security: Cloud migration webinar and get the Secure DevOps Kit for Azure.
The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
With the coming wave of AI, this is precisely the time for organizations to prepare for the future. To be properly ready for AI, Zero Trust principles take on new meaning and scope. The right endpoint management strategy can help provide the broadest signal possible and make your organization more secure and productive for years to come.
Learn how to manage multicloud security risk with Microsoft's native multicloud protection for three of the industry’s main cloud platforms.
Matt Suiche of Magnet Forensics talks about top security threats for organizations and strategies for effective incident response.
Microsoft is a leader in cybersecurity, and we embrace our responsibility to make the world a safer place.
Leave a Reply