DevOps security skills

DevOps security becomes paramount in the world of remote work and online customer interactions. We list IT Svit DevOps security skills based on our projects.

Vladimir Fedak
5 min readJun 5, 2020

--

The outbreak of COVID-19 has put many industries on hold for quarantine and forced many companies to reassess the way they work and interact with their customers. Working remotely and interacting with customers online quickly becomes the mainstream for all businesses and organizations that can function that way. However, working under the Waterfall project management model no longer suffices, as you have to adapt quickly to rapidly changing customer preferences.

DevOps workflows provide the needed functionality, but DevOps, as an approach to software delivery and cloud infrastructure management, is a double-edged sword. DevOps methods allow configuring and managing cloud resources at scale with ease — but a chance of misconfiguration and mishandling your data and system is greatly increased. This is why infrastructure security audit is one of the most frequent requests IT Svit has to deal with — and we have compiled pretty thorough expertise in all aspects of enabling DevOps security with AWS, GCP and other infrastructures.

Below are IT Svit DevOps security skills and tasks we apply them to:

  • Static code analysis. Our engineers use SonarQube, PEP (Python), and PSR (PHP) for the early discovery of bugs and vulnerabilities and following the code design best practices.
  • Multi-Factor Authentication. We use Pritunl VPN for configuring secure and personalized infrastructure access.
  • Firewall configuration. We have ample experience in using IP tables, various Cisco, Mikrotik, and PfSense tools for setting up explicit access to internet-facing components, filtering, routing and port forwarding.
  • Cluster firewall. We are well-versed in configuring Kubernetes cluster network policies for enabling granular network access restriction.
  • AWS Firewall. We had ample experience in using AWS Security Groups and Network ACL for setting up explicit access to internet-facing components and providing granular network access restriction.
  • AWS Web Application Firewall. This tool is useful for checking HTTP headers and creating ACL for the protection of an application or API.
  • Intrusion Detection and Intrusion Prevention. This can be done using snort for discovering and preventing possible network intrusion points.
  • Intrusion detection. We are actively using sysdig Falco for discovering OS intrusion attempts. These can include attempts of starting new processes, editing files within unwanted locations (/etc, /var/lib, etc.), executing bash commands, etc.
  • Updates and configuration management. IT Svit is using Ansible for this. We store configuration in Git-based repositories and use Ansible Vault for sensitive data encryption. Alternatively, we can use OpsWorks to store configuration in Git-based repositories and provision AWS Stacks of EC2 hosts.
  • Storage encryption. This can be done using LUKS. We enable storage encryption for cloud and non-cloud environments and use AWS KMS for encrypting access to EBS, S3 and other AWS services.
  • Environment management. This is the core task for any enterprise using Active Directory and LDAP. The user profile is saved on the network storage, so when the user logs in from any PC in the same domain — he/she receives the user data: Downloads, Documents, Browser history, emails, etc.
  • K8s RBAC + KeyCloack + LDAP. This toolchain is useful for enabling authentication and authorization services (LDAP + GitLab/Jenkins/Redmine/Youtrack/Grafana, LDAP + Windows7, LDAP + LinuxUbuntu Setup IAM credentials to containers running inside a Kubernetes cluster based on annotations (kube2iam))
  • AWS Identity and Access Management. We are using it with Active Directory for configuring password policies and credentials rotation.
  • RBAC using AD Groups. This provides explicit access to resources.
  • RBAC using Kubernetes Roles. This helps grant explicit privileges to users and system processes on components.
  • RBAC using AWS IAM Roles. We have experience in assigning roles with least-privilege default access so users gain permissions only after assuming a specific role. This also enables configuring explicit permissions on resources.
  • RBAC using AD and LDAP. We can configure Single Sign-On feature and password policies (complexity, rotation). It is useful for explicit access management.
  • Credentials management. This can be done using Hashicorp Vault or AWS Secrets Manager. We can secure explicit credentials access from applications.
  • Subnets management. Using Private, Public Subnets and NAT Gateway we can secure internal infrastructure.
  • Secure network access to internal infrastructure. We do this using Windows AD and Cisco ASA to enable Single Sign-On at the VPN level. Alternatively, this can be done using bastion hosts as an SSH Proxy hosts. There is no direct access to the bastion host from outside.
  • Secure network access through a VPN. This is done through Public Key Infrastructure. Users have certificates within their clients with a specific TTL. When TTL expires or user access is revoked using CRL — the user loses the option to connect to a VPN host.
  • Reverse proxy and load balancing. We do it using AWS: Classic Load Balancer, Application Load Balancer, Network Load Balancer. Otherwise, this can be done using Nginx to ensure load distribution and availability.
  • AWS Cognito. We can set up it as the authentication and authorization service for distributed mobile applications with AWS API Gateway.
  • AWS Directory Service. Another way to provide authentication and authorization is through configuring VDI infrastructure and using a Directory Service.
  • Email encryption. We provide this service using PGP for secure email exchange.
  • Antivirus management. IT Svit uses Kaspersky Endpoint Security for centralized antivirus management.
  • Subnets management. We are experienced with using separate network layers (physical, VLAN) for separating different traffic e.g. public, private, backup, etc.
  • Updates and configuration management. IT Svit uses the AD Group Policy for managing host settings and access rights for the distributed enterprise systems.

As you see, IT Svit can handle all aspects of DevOps security configuration in a variety of software ecosystems. If you want to benefit from IT Svit DevOps security skills — let us know your project specifications, and we would be glad to assist!

--

--

Vladimir Fedak
Vladimir Fedak

No responses yet