Challenge

A number of government clients expressed concern over a lack of focus on security in the automated provisioning of infrastructure and applications in the cloud. The problems that needed to be addressed included:

  • How to ensure agility while maintaining a high level of security within a DevOps pipeline.
  • How to address new cloud security risks, including inadvertent misconfiguration and malicious code injection.
  • How to minimise the blast radius when multiple products use the cloud as a deployment target.
  • How to separate security concerns from application concerns in the pipeline.
  • How to ensure that developers were granted only the minimum set of privileges needed to perform their work.


TBF Consulting worked with its own cybersecurity experts and those of its clients to devise

Outcomes and Benefits

The outcomes achieved were:

  • A secure DevOps pipeline that solved all of the stated client problems and concerns.
  • A repeatable process that could be scaled out to multiple teams and products.
  • A clear separation of security concerns without limiting productivity or the benefits of agility.
  • A well-documented solution built with significant collaboration.

Approach

The problems were solved through the design and implementation of a secure DevOps pipeline that provided:

  • Extensive static code analysis to ensure that code was secure before it progressed through the pipeline.
  • The use of PGP encryption to provide integrity over specific builds and releases.
  • The ability to build once and deploy many times, increasing the integrity of the solution because the same verified artifact is promoted through every environment.
  • The ability to separate deployment pipelines into security pipelines, approved solution-template pipelines and developer pipelines.