This is the 5th part of our series on DevOps.
Recent high-profile security breaches show how hard it is to assure the three core tenets of information security – Confidentiality, Integrity and Availability (CIA). Add DevOps to the mix when deploying cloud applications, and one begins to question whether information security can co-exist with DevOps: a culture of rapid application development that, in the past, generally left security on the sidelines in order to meet the business requirement of rapid release to market.
However, it is important to recognize that, when done right, DevOps can actually improve the security posture of an application. This article will cover how DevOps can improve security, and specifically how to do so when deploying on Amazon Web Services (AWS hosting) or using a managed AWS solution.
First and foremost, it is essential to recognize that security in an AWS environment is a “Shared Responsibility”: both the customer and the service provider are responsible for different components of security, and each must be fully aware of the boundaries within which it can be held accountable. The AWS Security Best Practices publication is an excellent resource that covers this extensively; we highly recommend that any developer or decision maker read it first when considering AWS for their business needs. With that said, let us dive into the security benefits of DevOps.
DevOps shortens the development cycle into manageable feature sets, which makes it possible to include security not only early in the software development lifecycle but also as part of any feature that requires the assurance of CIA. When security requirements are templated and included as part of the functionality, the reliance on a security team member for manual testing and advice drops drastically. DevOps allows data security (data access, data-at-rest protection, data-in-motion security) and identity, federation and access management to be automated. It makes it possible to introduce and automate static and dynamic code analysis before deployment, incorporating security early in the software development lifecycle and minimizing the attack surface of the software to be deployed. Additionally, DevOps makes it possible to run automated attacks (security tests) against code that has not yet been deployed, so that the code that does reach production is more resilient to attackers. Post-deployment penetration tests, virtual patching and continuous monitoring using audit trail logging can all be performed automatically to ensure that production environments are not vulnerable.
Now, with an understanding of how DevOps can improve security, let us focus on the various AWS offerings that ensure the CIA of applications that are deployed using DevOps with AWS.
While access to the AWS CloudFormation service itself is protected by Transport Layer Security / Secure Sockets Layer (TLS/SSL), you can also use AWS Identity and Access Management (IAM) to restrict which users can create, manage and control CloudFormation templates. Additionally, the templates can parameterize the security requirements that need to be part of the deployment. IAM also provides identity management, and when used in conjunction with the AWS Security Token Service (STS) an organization can implement single sign-on (SSO) and federation between multiple parties/providers. Moreover, to boost security within IAM, one can configure Multi-Factor Authentication (MFA), using a smartphone as a virtual MFA device or purchasing a stand-alone hardware MFA device from AWS. With the increased adoption of Bring Your Own Device (BYOD) within companies, Amazon Cognito was launched recently to let organizations securely store, manage and synchronize user identities and application data across the AWS Cloud and multiple devices.
AWS IAM can also be used to control how users interact with Amazon's DevOps solution, AWS OpsWorks, to manage stacks and enforce Secure Shell (SSH) connectivity to Amazon EC2 instances. To ensure confidentiality and integrity, the AWS OpsWorks API is accessible only via SSL-encrypted endpoints, to which one must connect before using any OpsWorks functionality.
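As an added illustration of the IAM controls described above (a constructed example, not code from this article or from AWS), the following CloudFormation template defines an IAM group whose members can inspect stacks freely but can create, update or delete CloudFormation stacks, or act on OpsWorks, only from a session that authenticated with MFA. The group name is an assumption.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Constructed example: an IAM managed policy attached to a group of deployment engineers.
# Stack and OpsWorks management is allowed only in sessions that authenticated with MFA.
Resources:
  DeployersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cfn-opsworks-deployers   # assumed name
      ManagedPolicyArns:
        - !Ref DeployWithMfaPolicy
  DeployWithMfaPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Manage CloudFormation stacks and OpsWorks only with MFA
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Read-only views of stacks and OpsWorks resources do not require MFA
          - Sid: DescribeWithoutMfa
            Effect: Allow
            Action:
              - cloudformation:Describe*
              - cloudformation:List*
              - opsworks:Describe*
            Resource: "*"
          # Anything that changes a stack or OpsWorks requires an MFA-backed session
          - Sid: MutateOnlyWithMfa
            Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - opsworks:*
            Resource: "*"
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"
          # Explicit deny as a backstop so no other attached policy can grant stack
          # changes without MFA. BoolIfExists also matches long-term access keys,
          # for which the MFA context key is absent altogether.
          - Sid: DenyStackChangesWithoutMfa
            Effect: Deny
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
            Resource: "*"
            Condition:
              BoolIfExists:
                aws:MultiFactorAuthPresent: "false"
```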
Security Groups, Access Control Lists (ACLs), IAM policies and Amazon S3 bucket policies provide further granular controls over data access. Data-in-motion security is provided by TLS/SSL-encrypted channels between Amazon S3 storage and Amazon EC2 instances. Data-at-rest security is provided through several options. Customers who are not comfortable sharing their encryption keys with the AWS service provider can use the Amazon S3 Encryption Client and manage the keys themselves. Those who would prefer to have Amazon S3 manage the cryptographic keys can use the Amazon S3 Server-Side Encryption (SSE) solution that AWS offers. With the AWS CloudHSM (Cloud Hardware Security Module) offering, customers can store the keys for their cryptographic operations securely and privately in a tamper-proof hardware appliance in the cloud, without giving third parties or even the service provider access to these keys. Additionally, access to data in cache clusters can be restricted to specific IP ranges and Network ACLs using the Amazon ElastiCache service.
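The following constructed CloudFormation template (added here, not from the article or from AWS) puts together the templated security requirements mentioned earlier and the data-protection controls just described: a parameter carries a security requirement into the deployment (the CIDR allowed to reach SSH, with a documentation-range placeholder as default), an S3 bucket applies server-side encryption by default for data at rest, and a bucket policy refuses any request that does not arrive over TLS for data in motion. The VpcId parameter and all resource names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AdminCidr:
    Type: String
    Description: Only this range may reach SSH on the instances (constructed placeholder)
    Default: 203.0.113.0/24
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'   # reject anything that is not a CIDR
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumed: the stack is deployed into an existing VPC

Resources:
  # Data access: SSH only from the reviewed admin range, no other inbound rule
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from the admin range only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr

  # Data at rest: S3-managed server-side encryption (SSE-S3) applied to every object by default
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  # Data in motion: refuse any bucket or object request that is not sent over TLS
  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt DataBucket.Arn
              - !Sub "${DataBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```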
Templating security requirements, federating identities, multi-factor authentication, synchronizing identities, restricting data access, cryptographic protection of data-in-motion and data-at-rest, and cache access control are all possible using AWS security services such as IAM, CloudHSM and Cognito, together with DevOps services such as CloudFormation and OpsWorks. DevOps on AWS makes it possible to automate security processes such as code analysis, penetration testing, patching and continuous monitoring. When done with a proper understanding of shared responsibility and of the solutions within the AWS offering, it can be used to assure confidentiality, integrity and availability.
By Mano Paul