Emma Button, COO at nubeGO, discusses how DevOps Toolchain enhances compliance, security and operational standards.
At nubeGO, we understand that for our clients in highly regulated industries (such as Financial Services, Government or Healthcare) compliance with security and operational standards is imperative. DevOps tooling can help to streamline the process of delivery for software and infrastructure and reduce the impact of regulatory or operational compliance procedures on your speed and efficiency of delivery. The Amazon Web Services suite of DevOps tools can help achieve operational compliance within a software delivery lifecycle - here are 5 ways in which the AWS DevOps Toolchain can help.
AWS CodeCommit Enforces at least 4-Eyes Review
Using a Git-based source code repository such as AWS CodeCommit to store application, infrastructure and configuration code is a great starting point for securing and backing-up your resources. Additionally, AWS CodeCommit supports the enforcement of a code review process that requires an additional reviewer to examine the source code before it is permanently stored in the main source repository. Git Pull Requests (PRs) are a review mechanism that requires manual or automated intervention to review code prior to inclusion into the main branch of code.
A code reviewer’s comments and observations can be recorded within the CodeCommit console to provide contextual feedback. Only once the reviewer is happy with the code can it be merged into the main branch of code. You can find out more about working with Pull Requests in the CodeCommit user guide: https://docs.aws.amazon.com/codecommit/latest/userguide/pull-requests.html
AWS CodeBuild and AWS CodePipeline Encourage Automated Testing and Screening
Amazon’s fully-managed build and deployment tooling helps to streamline functional and security testing of applications by making it easy to integrate suites of tests or security screening tools. AWS CodeBuild builds and tests software components for fast feedback loops but when combined with their end-to-end Continuous Integration tooling, AWS CodePipeline, additional testing phases can be layered in. Use AWS CodePipeline to call into suites of functional or behavioural tests such as Cucumber of Gherkin scripts to perform rapid regression testing independently of development. Before deployment you integrate static code analysis tools or security screening tools such as SonarQube with the OWASP security rules enabled. Rapid feedback from early security screening prevents deployment of code that presents security risks to your company.
AWS CodeDeploy Facilitates Hands-off Deployment
One of the primary compliance concerns in a highly-regulated environment is the enforcement of access restrictions to environments. Using a managed and automated deployment tool allows access to environments to be restricted based on role, and significantly limits the need for human intervention on live environments. AWS CodeDeploy provides hands-free deployment of applications, configuration and scripts to environments which helps to limit the attack surface. CodeDeploy can be combined with the other DevOps tools through AWS CodePipeline as part of an end-to-end Continuous Delivery lifecycle for hands-off deployment of code and services.
IAM Facilitates Separation of Responsibility
As with all of the Amazon Web Services capabilities, the AWS DevOps tools are securable using IAM roles and permissions which help separate responsibility within your development and deployment lifecycle. Separate roles can be created that govern access to source code over access to deployments. Using a fully automated deployment tool such as AWS CodeDeploy ensures that access to deploy changes to production environments is restricted to just those people and services who require the permission, when they require it. IAM permissions to code commit, build and deploy are fine grained so that you can customise them to your business’ working methods.
Enhanced Record Keeping, Auditability and Traceability
Every activity that your engineers perform within the AWS ecosystem can be audited for traceability. The AWS CodeBuild, CodeDeploy and CodePipeline web-based user interfaces provide a convenient record of the build, test and deployment activities within your CI/CD pipelines but AWS also provides enhanced auditing and traceability. Using CloudTrail to record each interaction with the AWS tooling supports sophisticated profiling and threat detection for malicious change to configuration through use of alerting. Amazon CloudWatch is the AWS metrics and monitoring solution that provides insights and alerting for events and actions within your DevOps toolchain - want to get notified each time someone deploys a change to a production environment? Want to monitor how many software builds fail throughout the day? Capture and process the data using Cloudwatch metrics and reports.
The AWS DevOps toolchain supports automated compliance from commit through build, test and deploy. nubeGO’s DevOps engineers and Cloud Solution Architects can help you to plan and shape your Continuous Integration and Delivery strategy. Contact us to find out more.
[email protected] 0203 901 8501