Agile software development demands agile security, and yet for many businesses driving a software-led transformation in the cloud, security is stuck in the past. While DevOps has accelerated software development and innovation, security often struggles to keep up, forcing trade-offs that leave potential vulnerabilities unaddressed.
New Zealand’s largest locally-owned life insurer Fidelity Life is one year into a multi-million dollar, five-year transformation to reimagine life insurance for New Zealanders. Microsoft Azure is front and centre in a programme to recast the insurer’s products, services, and experiences for a new generation of digital customers. Building on its progress in the cloud, Fidelity Life turned the spotlight to security standards and controls to maintain application development at full speed, without inviting risks.
Traditional security outpaced by agile development
Software developers today combine agile approaches with clever tools and orchestration in Azure. However, when the faster pace of modern software development is stifled by traditional approaches to security, developers are more likely to take shortcuts, and sometimes to knowingly bypass controls, in ways that can leave cloud environments vulnerable.
Fidelity Life was making good use of Azure Platform and Azure DevOps to build, deploy, and host its core line of business applications. However, multiple vendors developing business applications in Azure followed their own approaches to security and controls. The lack of consistency created potential holes and pitfalls in infrastructure code, applications, and Azure itself, slowing development and inviting unnecessary risk.
Gauge, fix, and harden
CCL’s cloud transformation services business unit, Leaven, was commissioned to review Fidelity Life’s security posture in Microsoft Azure, applying a three-pronged approach – called DevSecOps – to gauge, fix, and then harden the insurer’s cloud platforms.
Leaven engineers scanned Fidelity Life’s Azure subscriptions to identify and grade potential security issues, before jointly agreeing which items to remediate. Using tools including role-based access control (RBAC) from Microsoft Azure AD, Azure Policy, Azure Resource Manager (ARM) templates, and Azure DevOps, Leaven applied ‘front door’ fixes that established a secure baseline in a matter of hours.
With the front door of Fidelity Life’s Azure Platform now securely closed, attention turned to protecting application code. Leaven’s verification testing and scans detected vulnerabilities in application and infrastructure code as it was checked in to Azure DevOps.
The approach ensured Fidelity Life’s developers understood necessary code changes early in the process of software development, rather than at the end of a project lifecycle, further shortening development timelines.
The final hardening stage established best practices and controls to govern Fidelity Life’s Azure DevOps organisation, protecting its critically important code repositories and deployment pipelines. Automated reports provide intelligence and visibility to maintain a security-hardened Azure platform and DevOps environment that evolves continuously with application development and rollout.
Making security agile
Leaven’s DevSecOps service is a leap forward from milestone-based approaches to security. Whereas traditional approaches to remediation involve extensive engineering, which extends project timelines, DevSecOps applied front door fixes to Fidelity Life’s Azure platforms in hours rather than days.
Joel Anderson, Head of Architecture and Security at Fidelity Life, said the company’s Azure-based architecture was now a systemic part of application development, baked into rapid-release cycles that are typical of modern application DevOps.
“In the new world of DevSecOps we maintain shorter and more frequent development cycles, and integrate changes with less disruption to normal operations,” he said.
The shift enabled Fidelity Life to bridge the gap between development and security teams to the point where security processes are automated and managed with quick-fire reporting and scheduled chats between experts at Leaven and Fidelity Life’s development team. The days of releasing new versions of software every few months to accommodate quality assurance and security testing are now long gone.
The newly agile security regime has also directly impacted Fidelity Life’s development programme, leading to rolling releases and agile development practices where new features and code are continuously pushed into production. The new approach has also boosted the knowledge and skills of Fidelity Life’s entire development team, ensuring they confidently test and fix code during daily development work.
“We’ve improved our security posture and driven a mind-shift to embed security as a normal part of development work and cycles – not as an afterthought,” said Anderson. “The business is now much more confident about our technology. We hear a lot in the media about security attacks and their consequences – it’s a monstrous evil world out there – so our approaches to the public cloud are always under the spotlight. DevSecOps has changed our IT landscape and ensures the business trusts the technology and remains confident about its ability to function securely.”