Reducing Risk by Automating Security with Continuous Delivery
Dec 7, 2021 by Stephen Atwell
Risk avoidance has become a cardinal principle of modern enterprises. Companies like Armory have arisen to help modern organizations meet this principle.
In this article, we’ll highlight the risks that an organization faces with each deployment, how to test for them, and, ultimately, how to prevent them from happening. We’ll demonstrate how Armory can help minimize these risks by automating each deployment’s security and compliance checks. With Armory, your IT teams save money and time while outperforming human-based compliance.
Before discussing Armory’s risk avoidance process, let’s recap what most organizations do to tackle the challenges of compliance and security in their DevOps pipelines. Then, we’ll discuss how Armory can help companies smoothly perform all these checks automatically, with every deployment.
Understanding Risk in Deployments
Risks associated with deployment can come in different forms. Perhaps the Ops team did not properly handle configurations. Or, maybe deployments aren’t using secure vaults to store and provide secrets and API keys.
Your IT team should be able to control the behavior of your applications. This applies to runtime behavior as well. You can use feature flagging to control the behavior of your applications by enabling/disabling features at deploy time.
Additionally, you can mitigate risk through separation of duties. Use role-based access control (RBAC) to restrict certain application release tasks to specific roles.
You can also create a better disaster recovery plan so that your customers can continue to use your service even if there is a crash in the infrastructure.
Organizations generally hire experts in security, infrastructure, automation, and engineering to take care of these challenges. However, these teams are often undertrained to tackle these modern problems. Or, if they are sufficiently trained, they rely on legacy systems such as audit alerts and monitoring dashboards only. Also as each team focuses on its part of the problem, vulnerabilities appear in the overlap because neither team can address it on its own.
Methods like feature flagging and RBAC help you remediate modern problems and tackle the challenges they pose, but they slow down the overall deployment process. Even with a slow and cautious deployment process, the application will still not be compliant with some policies, and there is no guarantee that you can control your deployments. This is where an automated process can help your organization.
Modern organizations must adopt the use of automated security and compliance to stay competitive. Armory helps organizations stay on top of the challenges modern architectures pose — and solve them with a single solution that doesn’t require a large compliance or IT team. Our Policy Engine helps you solve all of these challenges with a single mechanism.
Most companies already have a compliance process in place, founded on maintaining specific controls. For example, there’s likely a division of responsibility. In this case, the person who writes the code isn’t the same person who deploys it. These division of responsibility controls may get in the way of software developers directly deploying and operating their own code, common in the DevOps revolution, and developers may try to get around this restriction.
Right now, companies usually rely on manually reviewing audit trail systems. A scheduled security scanner tool sends an alert when it detects an event that fails to meet the requirements of the control. The system then triggers an incident response standard operating procedure. However, all of this happens after the fact. With Policy Engine, you can prevent workers from ever deploying a noncompliant application.
Policy Engine also helps with some more traditional access controls. Similar to what a policy does in AWS IAM, it gives you control over access to resources. And, it can be finer-grained than the access controls in Spinnaker.
Using Policy Engine
Policy Engine helps organizations reduce the risk of security and data leaks in continuous deployments. It’s available from Armory Enterprise as a proprietary solution for organizations that want to control and regulate the entire software delivery pipeline. Policy Engine uses Open Policy Agent (OPA) and automation documents to write and run policy checks against deployments.
Policy Engine helps you in many ways. For example, you can add checkpoints to validate policies and compliance throughout your entire software development lifecycle. It provides example policies for security and compliance so you can get started quickly. Policy Engine also enforces policies like testing and verifying every deployment, preventing human error in the process. With Policy Engine RBAC, you can control who can do what in the pipeline, and with OPA’s decision logs, you can easily audit the changes made to the infrastructure.
Beginning to tackle security and risk reduction when developers are writing the code gives them an early start on securing the application. If any policy fails during the entire pipeline, Policy Engine prevents the deployment. Then, based on your business requirements, you can either prevent the deployment from reaching the production environment or reject the code push from the developer altogether.
The integration of Policy Engine is simple using the Policy Engine plugin for Armory Enterprise. This plugin quickly enables you to automate policy as part of your Spinnaker deployment pipeline. You can then write your own policies that control the flow of deployment. Automated policies ensure that your deployments are always compliant with the required regulations.
One thing your policies can control is ensuring secrets store your sensitive variables, such as API credentials, passwords, or connection strings. Policy Engine can enforce running automated tests to validate your deployments’ security. Additionally, Spinnaker can run specific tools such as OWASP scanners on your deployments as part of your pipelines. Policy Engine can ensure such scanners run and pass before deploying code to a production environment. Moreover, you can ensure the personnel involved in the deployment phase have been authorized to do so. You can check this using the role-based access control.
With these automated controls, your developers can push the changes to a staging environment, run scanners and automated tests, and have someone from the correct role approve changes before deploying to production. More than this, Policy Engine can connect to external services to request approved and blocked resources. Open Policy Agent (OPA) enables you to pull data, which helps you query external systems when validating the policy compliance.
Policy Engine not only checks the current state of your deployment but also helps you understand the history of your deployments to your production environment. Policy Engine stores the logs of every deployment whenever a policy runs and logs where the policy runs in OPA’s decision logs. You can query these logs using the API offered by OPA. This allows historic manual audit-based controls to still run while automating those manual processes and leveraging automatic policy enforcement.
Armory can also help you with disaster recovery (DR) on your infrastructure. Armory Spinnaker can switch your traffic from the active platform to a passive infrastructure in case of any disaster. These disasters could range from a solution crash to a data center failure. For an in-depth, practical approach to DR in Amazon Web Services (AWS) with Armory, review our disaster recovery documentation.
Organizations face many challenges with their software releases. DevOps and automated pipelines are not enough to ensure the security and compliance of your solutions. Some organizations try to solve these challenges by setting up teams and departments to manually prevent these risks in the system but fail to do so due to their slow pace and human error.
Armory helps you automate these risk evaluations to enforce compliance without slowing the pace of development. Using Armory Policy Engine, you can configure and set up policies for your automated deployments. To learn more about leveraging Armory in your environment, you can review our extensive documentation.