Operational technology (OT) encompasses the software and hardware used to manage large-scale industrial systems. To build such systems, companies often adopt the DevOps approach, which offers flexibility and enables the rapid deployment of new features. This methodology includes practices such as continuous integration and continuous delivery/deployment (CI/CD), which ensure that software changes are promptly incorporated into the solution while minimizing the risk of compromising quality. However, adopting DevOps, particularly with respect to information security, is more complex than more traditional methodologies, and aligning development efforts with industry security standards in this domain has proven challenging. The objective of this Master's thesis is to examine a DevOps environment that relies on CI/CD practices and produces a cloud-based enterprise solution. The initial step is a comprehensive gap analysis assessing the current state of information security in this context. The observed environment is then evaluated in depth to identify areas with high security risk. The identified vulnerabilities are analyzed, prioritized, and matched with appropriate mitigation measures. To give these measures a formal structure, they are aligned with relevant security standards recognized as best practice in the field: ISO/IEC 27001:2022 from the International Organization for Standardization (ISO), the Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST), and the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).
The outcome of this thesis is a comprehensive guide for identifying and mitigating common risks within a CI/CD environment. By following its guidelines, organizations can strengthen their security posture and address the risks described above.