How Microsoft does IT
Sep 26, 2017 | Inside Track – retired stories
This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.
Microsoft is embracing the cloud and we’re adopting agile methodology—DevOps—for cloud app development. This transition has challenged traditional security methods. To build security into our agile development process and provide a baseline for security in cloud apps, we created the Secure DevOps Kit for Azure. It offers tools and best practices for building security into every stage of cloud app development.
Core Services Engineering (CSE, formerly Microsoft IT) created the Secure DevOps Kit for Azure to help build security best practices into enterprise cloud application development and operations. The kit contains automation, extensions, plugins, templates, modules, and other tools that add security to cloud applications during the development process without extra steps for the engineer. Additionally, the kit helps our engineering teams save time and money, increase security awareness in Azure, and create a simpler, more structured, and consistent security environment in the CSE Azure app infrastructure.
CSE has been on a steady journey to the cloud over the last few years. In fact, we plan to have 90 percent of our IT resources hosted in the cloud by July 2017. Continual progress in cloud technology and cloud security readiness allows us to migrate to Microsoft Azure and come closer to realizing our cloud-first, mobile-first transformation strategy.
During this period, our engineering teams have adopted modern practices and a DevOps-centric culture, using the cloud as the default platform for IT solutions. DevOps has brought our development and operations teams together and started a grassroots movement that has led to this new, agile culture. Together, we create innovative solutions using cloud technologies with the goal of delivering continuous, rapid, and incremental value to the business.
The digital transformation to DevOps in unison with our move to the cloud hasn’t been without challenges for enterprise security. DevOps in the cloud changes the IT ecosystem in ways that significantly affect security. We questioned the future relevance of how we had traditionally developed and managed IT security and risk management, and it became clear to us early on that enterprise security also needed to transform for a smooth and complete transition. There were several challenges to consider, including:
Faced with these DevOps security challenges, we set out to determine how security could be managed in a DevOps ecosystem. We wanted to change our thinking, methods, and tools to adapt to a development environment and culture that was in harmony with the nuances inherent in cloud DevOps. To do this, we adopted a number of imperatives.
Automation gives us a chance to keep pace with the constantly changing cloud environment. DevOps is heavily centered on end-to-end automation, and we need to complement it with automated security. Automated security saves significant time and cost for apps that update much more often than their traditional counterparts, and it allows us to ensure that security configuration and deployment in DevOps can be achieved quickly and consistently.
In an environment where change is constant, we want to empower our engineering teams to make meaningful, consistent changes without a tedious approval process. Our engineers need to be able to build security into their applications from the start, which means security has to be integrated into the DevOps workflow itself. Developers shouldn't have to take extra measures to be secure, nor wait for a central security team to approve an app.
When development and deployment are continuous, everything that goes with them needs to follow suit, including security assurance. The age-old requirements for sign-offs or compliance checks create tension in the modern engineering environment. Instead, we want to define a security state and track drift from that state, so that a consistent level of security assurance is maintained across the entire environment. This helps ensure that builds and deployments that are secure at the time they are delivered stay secure from one release iteration to the next and beyond.
We need a clear view of our DevOps environment to ensure that operational hygiene is in place. Beyond understanding the operational risks of the cloud, keeping a cloud DevOps environment hygienic requires a different perspective than a traditional development environment: we need to see the security state across DevOps stages, receive security alerts, and get reminders for important periodic activities.
The Secure DevOps Kit for Azure is a set of automation, extensions, plugins, templates, modules, and other tools that combine to offer a security-focused development workflow for our DevOps engineering teams working in the cloud. The goal of the kit is to empower our teams to build and use Azure-based solutions in a consistent, repeatable, and efficient manner with security integrated at every stage.
Figure 1 shows how the six main tools in the DevOps toolkit work together to support secure development in the cloud.
The Secure DevOps Kit for Azure addresses cloud development security in six main areas, described in the sections that follow. These components help facilitate secure development in your Azure environment.
The subscription security component is a package of scripts and programs that help ensure secure provisioning, configuration, and administration of an Azure subscription. Using these capabilities, you can set up and configure a compliant, secure subscription from the very start and have a solid foundation upon which to develop, deploy, and run secure solutions. You can also check the subscription configuration to see whether its settings comply with an expected level. The primary tools in subscription security include:
The secure development components help ensure that security is integrated into the day-to-day development process. The primary components include:
Build/Release Tasks for CI/CD workflows allow us to check subscription and resource security during automated build/deployment flows. These workflows integrate security coverage within the Visual Studio Team Services (VSTS) CI/CD pipeline via VSTS build/release extensions for security verification tests and other security tools.
Continuous assurance prevents security state drift and helps teams stay current with Azure security feature improvements. It also encourages adherence to security best practices such as key rotation and separation of duties. The tools in this section include:
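The subscription and resource checks, the build/release gate, and the drift tracking described in the preceding sections all rest on the same idea: a baseline of expected settings, evaluated against a snapshot of what is actually deployed, with the result compared to the previous run. The following Python program is an added example of that pattern and is not code from the Secure DevOps Kit itself. The control IDs, setting names, resource names, scan date, and the keyLastRotated field are constructed for illustration.

```python
"""Baseline-and-drift check over a subscription snapshot.

Added illustration in Python; it is not code from the Secure DevOps Kit.
Control IDs, resource names, the snapshot layout and the 'keyLastRotated'
field are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    """One expected security setting; the baseline is a list of these."""
    id: str
    resource_type: str
    setting: str
    expected: object
    severity: str  # "High" failures block the release; "Medium" only report


# The defined security state (constructed controls modelled on common
# Azure hardening settings).
BASELINE = [
    Control("Storage_Require_HTTPS", "storage", "supportsHttpsTrafficOnly", True, "High"),
    Control("Storage_Deny_Public_Blob", "storage", "allowBlobPublicAccess", False, "High"),
    Control("SQL_Enable_Auditing", "sql", "auditingEnabled", True, "Medium"),
    Control("KeyVault_Soft_Delete", "keyvault", "softDeleteEnabled", True, "High"),
]


def evaluate(resources, baseline=BASELINE):
    """Map (resource name, control id) -> "Passed" | "Failed".

    Every control that applies to a resource's type is checked; a setting
    that is absent from the snapshot counts as Failed, not as unknown.
    """
    results = {}
    for res in resources:
        for ctl in baseline:
            if ctl.resource_type != res["type"]:
                continue
            actual = res.get("settings", {}).get(ctl.setting)
            results[(res["name"], ctl.id)] = "Passed" if actual == ctl.expected else "Failed"
    return results


def drift(previous, current):
    """Compare two scans: controls that regressed from Passed to Failed,
    and controls first seen in the current scan (new resources)."""
    regressed = sorted(k for k, v in current.items()
                       if v == "Failed" and previous.get(k) == "Passed")
    new = sorted(k for k in current if k not in previous)
    return regressed, new


def overdue_rotations(resources, today, max_age_days=90):
    """Names of resources whose key is older than max_age_days."""
    overdue = []
    for res in resources:
        rotated = res.get("keyLastRotated")
        if rotated is None:
            continue
        age_days = (today - date.fromisoformat(rotated)).days
        if age_days > max_age_days:
            overdue.append(res["name"])
    return sorted(overdue)


def gate(results, baseline=BASELINE):
    """Exit code for a build/release task: 1 if any High control failed."""
    severity = {ctl.id: ctl.severity for ctl in baseline}
    blocking = [k for k, v in results.items()
                if v == "Failed" and severity[k[1]] == "High"]
    return 1 if blocking else 0


# Constructed snapshots of the same subscription on two consecutive scans.
SCAN_DATE = date(2017, 9, 26)
SCAN_PREVIOUS = [
    {"name": "stlogs01", "type": "storage", "keyLastRotated": "2017-05-01",
     "settings": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False}},
    {"name": "stapp02", "type": "storage", "keyLastRotated": "2017-08-15",
     "settings": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False}},
    {"name": "sqlorders", "type": "sql", "settings": {"auditingEnabled": True}},
]
SCAN_CURRENT = [
    # Someone turned on public blob access since the last scan: a regression.
    {"name": "stlogs01", "type": "storage", "keyLastRotated": "2017-05-01",
     "settings": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": True}},
    {"name": "stapp02", "type": "storage", "keyLastRotated": "2017-08-15",
     "settings": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False}},
    {"name": "sqlorders", "type": "sql", "settings": {"auditingEnabled": True}},
    # New vault deployed without the expected setting: fails on first sight.
    {"name": "kvsecrets", "type": "keyvault", "settings": {}},
]

if __name__ == "__main__":
    prev, cur = evaluate(SCAN_PREVIOUS), evaluate(SCAN_CURRENT)
    regressed, new = drift(prev, cur)
    print("regressed:", regressed)
    print("new controls:", new)
    print("overdue key rotation:", overdue_rotations(SCAN_CURRENT, SCAN_DATE))
    print("gate exit code:", gate(cur))
```

In a real deployment the snapshot would be read from the subscription's resource configuration and the previous scan's results persisted between runs; the gate's exit code is what a build/release task would act on, while the regressed and overdue lists are what a scheduled continuous-assurance run would alert on. Treating a missing setting as Failed rather than unknown is deliberate: a new resource that was never configured should show up as drift on its first scan, not be silently skipped.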
The alerting and monitoring solution for the DevOps Kit uses Operations Management Suite (OMS) to offer a central dashboard where teams can view the security state and trends for their Azure subscriptions and applications, as reported by the different components of the kit. The OMS solution is created from an Azure Resource Manager template that builds all the components needed for security state monitoring. The OMS views include:
The Secure DevOps Kit generates telemetry events from all stages that use automation, scripts, or extensions. The telemetry is routed to an Application Insights account where it’s processed through web jobs that integrate organization mapping information and then viewed on a Power BI dashboard. The telemetry supports a data-driven approach to agile development and DevOps by allowing us to make measured and accurate security improvement decisions in a continuous fashion. Cloud risk governance focuses on three primary views:
We’ve encouraged adoption of the Secure DevOps Kit within CSE for any of our business groups working in Azure. One such team is Field Mobility and Cloud Services (FMCS). The FMCS team, consisting of 200 developers, supports approximately 120 apps hosted in Azure. As part of the transition to DevOps, FMCS uses the Secure DevOps Kit to incorporate secure cloud development practices in the application life cycle. They have realized several benefits: