Hadi Jaafarawi, Managing Director – Middle East, Qualys, discusses how organizations need to approach security when it comes to Infrastructure-as-code (IaC).
One of the things that sets the GCC apart is its refusal to take a breather when times get tough. Its governments and businesses steamed through crisis after crisis since 2008 by finding ways to do more with less. Organizations here were early adopters of the cloud and now the Gulf is home to many hyperscale providers, paving the way for yet more innovation.
Now that the region has settled down to a life in the cloud, it must manage the implications to reap the optimum rewards. Infrastructure as Code (IaC) is the means by which cloud environments allow repeatability of deployed assets. The more cloud services one uses, the more automation and repeatability one must expect to see. IaC is the inevitable manifestation of the software development lifecycle as DevOps teams take control of their build environments.
The lifecycle is plain enough. You commission and deploy a service. IaC turns this process into code, so that once the organization establishes the best practices of rollout, the process can be captured and repeated as many times as is required without having to worry about human error. Any potential issues will show up in installation images and can therefore be addressed safely. Of course, nothing digital escapes the eye of the cybergang, which is always mindful of the next opportunity. The IaC environment must therefore be secured as tightly as any database or file server.
The fundamentals
The baseline goal with IaC security is to provide clear visibility of the development environment from tool setup to live environment. Any capability should cover the whole cloud infrastructure and flag every misconfiguration and non-standard deployment. It should monitor changes to the environment as the years roll by and flag any drift from compliance and any problems with accounts regarding privileged access.
IaC is a no-brainer for admin and development teams. It can facilitate full version control over cloud infrastructure deployments. And, of course, that allows it to keep a tight rein on the deployment of the infrastructure over time. The downside is, if a security issue emerges in a version, IaC guarantees its replication through templates. Development, deployment, and production are all compromised. Security analysts overseeing IaC must therefore look at how it is used throughout the software development pipeline, otherwise they could address an issue only to have it pop up somewhere else, and problems could scale up quickly.
And we must make sure we empower developers. IaC may allow them to be more efficient in their roles, but now they must be a cog in the security apparatus too, taking them outside their comfort zone. Security teams must play their part by providing DevOps with lists of security issues along with priority rankings.
Teaming up
This collaboration between developer and security operations is a key step in effective risk management. But it only works if security processes are integrated with developers’ tools, especially those used to create and manage IaC images. These developer tools come from repositories such as GitHub and BitBucket and include continuous integration/continuous delivery (CI/CD) solutions like Bamboo and Azure DevOps that transition workloads from one stage of development to the next. Security tools must be available in integrated development environments (IDEs) like Visual Studio Code, so DevOps teams can check IaC images for misconfigurations via the same screen through which they build solutions. This is not only a welcome convenience but an aid to memory. If integration of security takes place by using APIs, then the DevOps team will be able to see real-time guidance from their tools on the potential impacts of cloud misconfigurations. This allows remedies to be put in place in advance of the production stage.
Once this integration is implemented, developers can also be provided with real-time coaching on how to apply patches to IaC templates. This coaching will come in the form of a list of any software flaws or misconfigurations, accompanied by risk assessments that allow the DevOps team to use their resources optimally and fix the time-sensitive or most impactful vulnerabilities first. This guidance will also be useful when scheduling requests for new functionality.
IaC security should employ the same replication of policy as IaC itself does for cloud infrastructure deployments. Once authored and approved, these security policies can then be enforced uniformly across the entire software development lifecycle and beyond.
Runtime remedies
Policies must not just apply to DevOps environments; they must govern runtime environments. IaC security policies must extend to configuration and feature changes administered post-production. IaC is a great replicator. It lets you automate deployments through templates embedded with predetermined requirements. But the requirements set for a deployed image may change. For example, it may become necessary to update the version of the software used to set up the container from a software repository, thereby avoiding having to constantly add and manage updates to IaC templates. But any new version of any constituent part of the environment may come with security issues.
Runtime security is critical to the reduction of risk presented by misconfigurations or changes made after deployment. Static scans may be insufficient to pick up on such flaws. Instead, you must check for drift between approved images and current infrastructure. Of course, making changes to IaC images will fall on developers as an extra responsibility, but it can save the organization a lot of trouble further down the road.
IaC makes IT infrastructure construction easily repeatable. But when using it, it is worth taking the time to think about how a threat actor might perceive your environment. In the absence of an effective security process, subsequent deployments can spread an issue across the IT environment. Developers must join forces with security teams on these issues, so that the advantages of IaC can shine through without being overshadowed by potential threats.