Refcard #342

IaC Security

Using DevOps to Secure Your Infrastructure as Code

The responsibility and accountability for security is rapidly shifting toward DevOps engineers, because they have a view into the broader architecture of processes and systems used to deploy applications. Good DevSecOps makes application deployments, operations, and service monitoring easier and more secure. In particular, DevOps engineers will be responsible for securing the Infrastructure as Code they build. In this Refcard, we explore IaC security, how it works, why it's important, and key concepts for success.

Published: Dec. 17, 2020

Brought to you by

Bridgecrew

Written by

Larry Gordon, Co-Founder, xOps
Table of Contents

What Is IaC?

Challenges of IaC

What Is IaC Security?

How IaC Security Works

Why Is IaC Security Important?

Key Components of IaC Security

How to Secure IaC

Final Thoughts

Section 1

What Is IaC?

Infrastructure as Code (IaC) refers to the technology and processes used to manage and provision infrastructure with software instead of manual operations. It replaced first the act of racking physical servers in a data center, and then the manual building of servers in the cloud, with software that describes the infrastructure. IaC tools and processes allow engineers to quickly build and destroy servers on cloud platforms using automation. The trick now is to make those pieces of software as secure as the rest of the network, applications, and databases. 

The most common Infrastructure-as-Code tools are Ansible, Terraform, CloudFormation from AWS, and Pulumi. Terraform is the open-source framework by HashiCorp. More than any other framework, Terraform has made Infrastructure as Code limitlessly customizable and accessible, thus paving the way for the surrounding IaC ecosystem.  

A significant share of engineering effort has to go into the infrastructure that supports software development. The blend of workloads, applications, and broad access to resources, paired with consistent and secure delivery methods for software development, is vital. How that technology is used is as important as the methods and processes for creating and delivering software code.


This is a preview of the IaC Security Refcard. To read the entire Refcard, please download the PDF from the link above.

Section 2

Challenges of IaC

As with any emerging technology, IaC comes with its own set of drawbacks, mostly related to the lack of cohesive awareness and added complexity. There is undoubtedly a learning curve to adopting IaC, which is at odds with manual infrastructure provisioning by design. Replacing established processes and technologies can be disruptive. 

Although there are many different types of challenges organizations face, three key challenges that seem to be industry-agnostic are: 

  • Infrastructure has grown across hybrid-cloud environments, with deployments both on-premises and in multiple clouds. The ability to efficiently manage security across these complex deployments while keeping operations costs in check is essential. 
  • Fewer resources are available to manage the environment as many organizations face cost pressures. This becomes a double whammy as the infrastructure grows and the resources to manage it shrink. 
  • An evolving threat landscape challenges you because it is both relentless and seemingly one step ahead. Your data and intellectual property are valuable, not just to you but to attackers as well. 

Because it can run in parallel to manual cloud orchestration, implementing IaC without full visibility and collaboration can lead to confusion as to how and where resources are provisioned. When fully embraced, its immutable nature means that instead of troubleshooting and fixing deployed resources, you simply re-provision them from the code. When manual changes are made to IaC-provisioned resources, you lose that immutability: the running infrastructure drifts away from what the code declares, and you introduce the risk of damaging services or introducing unintended behaviors. 
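As an added illustration that is not part of the Refcard, the following script shows how such out-of-band changes surface when the attributes declared in code are compared against what the cloud API reports. The resource addresses and attribute values are constructed for the example; in practice, Terraform users get the same signal from a scheduled `terraform plan -detailed-exitcode`, which exits with status 2 when the real infrastructure no longer matches the code.

```python
"""Detect configuration drift: manual changes made to IaC-managed resources.

Added example, not from the Refcard. Both inputs are constructed; in a real
pipeline DECLARED would come from the rendered IaC (e.g. a Terraform plan)
and OBSERVED from the cloud provider's describe/list API.
"""
import json

# Constructed: what the code declares for one security group.
DECLARED = {
    "aws_security_group.app": {
        "ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp",
             "cidr_blocks": ["10.0.0.0/8"]},
        ],
        "tags": {"ManagedBy": "terraform"},
    },
}

# Constructed: what the provider API reports after someone "fixed" access
# from the console by opening SSH to the world and retagging the resource.
OBSERVED = {
    "aws_security_group.app": {
        "ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp",
             "cidr_blocks": ["10.0.0.0/8"]},
            {"from_port": 22, "to_port": 22, "protocol": "tcp",
             "cidr_blocks": ["0.0.0.0/0"]},
        ],
        "tags": {"ManagedBy": "console"},
    },
    # A resource nobody declared in code at all.
    "aws_security_group.temp_debug": {"ingress": [], "tags": {}},
}


def _canon(rule):
    """Stable string form so rules compare regardless of key order."""
    return json.dumps(rule, sort_keys=True)


def diff_rules(declared_rules, observed_rules):
    """Order-insensitive set difference of ingress rules."""
    want = {_canon(r) for r in declared_rules}
    have = {_canon(r) for r in observed_rules}
    return {"added": sorted(have - want), "removed": sorted(want - have)}


def detect_drift(declared, observed):
    """Return {resource_address: description_of_drift} for every deviation."""
    drift = {}
    for addr, want in declared.items():
        have = observed.get(addr)
        if have is None:
            drift[addr] = {"missing": True}  # deleted out-of-band
            continue
        changes = {}
        for key, val in want.items():
            if key == "ingress":
                delta = diff_rules(val, have.get("ingress", []))
                if delta["added"] or delta["removed"]:
                    changes["ingress"] = delta
            elif have.get(key) != val:
                changes[key] = {"declared": val, "observed": have.get(key)}
        if changes:
            drift[addr] = changes
    for addr in observed.keys() - declared.keys():
        drift[addr] = {"unmanaged": True}  # exists in the cloud, not in code
    return drift


if __name__ == "__main__":
    print(json.dumps(detect_drift(DECLARED, OBSERVED), indent=2))
```

The report flags the SSH rule that was added by hand, the changed tag, and the undeclared security group. The IaC-native response to any of these is not another manual fix but to correct the code (or revert the console change) and re-apply, restoring the one-way flow from code to infrastructure.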

As is the case when adding any new technology to already complex infrastructure stacks, IaC can introduce risk. Confusion and risk are only exacerbated when several frameworks are in use across teams, as is common within larger organizations. 



Section 3

What Is IaC Security?

Infrastructure as Code presents an incredible opportunity to embed consistent and scalable cloud security coverage.  

IaC security refers to addressing cloud configuration issues in the IaC rather than in the deployed cloud resources. Because IaC is not the infrastructure itself, IaC security isn't "securing IaC" so much as ensuring that the code is written in such a way that it provisions secure resources. It is a modern take on cloud security, which has historically meant auditing cloud resources after they are deployed and making sure that periodic manual configuration doesn't introduce new issues.  

Cloud security issues are often related to securing access to critical services and customer data. Each cloud and each resource type has its own set of security best practices and corresponding compliance benchmarks. Organizations may also enforce their own policies unique to their infrastructure and business. 

IaC security transfers security monitoring of provisioned cloud resources to the infrastructure code layer. 



Section 4

How IaC Security Works

The most basic form of IaC security is identifying misconfigurations and security issues before anything is deployed. Scanning IaC means checking templates, files, and modules, together with the variables they use, against known policies. A policy violation occurs when a required setting is missing or is set to an insecure value. 

Because IaC is often cloud-agnostic, you may be dealing with hundreds of policies to check against. The best way to get complete coverage across cloud security best practices and compliance controls is through automation. By automating the scanning of IaC, you save time and get coverage not possible with manual work. Open-source tools make this accessible: Open Policy Agent (OPA) evaluates Rego policies against structured input such as a Terraform plan rendered with terraform show -json, and Bridgecrew's Checkov ships with built-in checks for Terraform, CloudFormation, and Kubernetes manifests. Either lets anyone scan Infrastructure as Code files or directories against known policies. 
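To make the scanning model concrete, here is a small policy scanner added for this Refcard; it is not Checkov's or OPA's code. It reads Terraform's JSON configuration syntax (a main.tf.json file, which Terraform accepts natively) and applies three hand-written policies to literal attribute values: public bucket ACLs, missing bucket encryption, and administrative ports open to the world. The sample configuration is constructed, and the attribute names follow the 2020-era AWS provider (v3); later provider versions moved bucket ACL and encryption into separate resources, which is exactly the kind of schema change a maintained policy library tracks for you. A real scanner also resolves var.* references and module inputs, typically by working from a rendered plan rather than raw source.

```python
"""Scan a Terraform JSON configuration for policy violations.

Added example, not Checkov's or OPA's code. Attribute names follow the
2020-era AWS provider (v3); the configuration below is constructed.
"""
import json

# Constructed sample: a public, unencrypted bucket; a private, KMS-encrypted
# bucket; and a security group exposing SSH to the internet.
SAMPLE_TF_JSON = r"""
{
  "resource": {
    "aws_s3_bucket": {
      "logs": {"bucket": "example-logs", "acl": "public-read"},
      "data": {
        "bucket": "example-data", "acl": "private",
        "server_side_encryption_configuration": {"rule": {
          "apply_server_side_encryption_by_default": {"sse_algorithm": "aws:kms"}}}
      }
    },
    "aws_security_group": {
      "bastion": {
        "name": "bastion",
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]}]
      }
    }
  }
}
"""

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ADMIN_PORTS = {22, 3389}  # SSH, RDP


def check_s3_public_acl(addr, attrs):
    if attrs.get("acl") in PUBLIC_ACLS:
        return f"{addr}: acl {attrs['acl']!r} grants access outside the account"
    return None


def check_s3_encryption(addr, attrs):
    if "server_side_encryption_configuration" not in attrs:
        return f"{addr}: no server-side encryption configured"
    return None


def check_sg_admin_open_to_world(addr, attrs):
    rules = attrs.get("ingress", [])
    if isinstance(rules, dict):  # a single nested block may be a bare object
        rules = [rules]
    for rule in rules:
        world = ("0.0.0.0/0" in rule.get("cidr_blocks", [])
                 or "::/0" in rule.get("ipv6_cidr_blocks", []))
        if not world:
            continue
        if str(rule.get("protocol")) == "-1":  # protocol -1 means all traffic
            return f"{addr}: all ports open to the world"
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            return f"{addr}: admin ports {exposed} open to the world"
    return None


# Policy registry: resource type -> checks that apply to it.
POLICIES = {
    "aws_s3_bucket": [check_s3_public_acl, check_s3_encryption],
    "aws_security_group": [check_sg_admin_open_to_world],
}


def iter_resources(config):
    """Yield (type, address, attributes) for every resource block."""
    for rtype, instances in config.get("resource", {}).items():
        for name, attrs in instances.items():
            yield rtype, f"{rtype}.{name}", attrs


def scan(tf_json_text):
    """Return a list of (policy_name, message) findings."""
    findings = []
    for rtype, addr, attrs in iter_resources(json.loads(tf_json_text)):
        for policy in POLICIES.get(rtype, []):
            message = policy(addr, attrs)
            if message:
                findings.append((policy.__name__, message))
    return findings


def ci_exit_code(findings):
    """Non-zero when anything was found, so a CI step fails the build."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan(SAMPLE_TF_JSON)
    for policy_name, message in results:
        print(f"[{policy_name}] {message}")
    raise SystemExit(ci_exit_code(results))
```

Run against the sample, the scanner reports three findings, all on the logs bucket and the bastion security group, and exits non-zero; the private, encrypted bucket passes. The registry pattern is what lets a scanner grow to hundreds of policies without touching the traversal code, and the exit code is the hook that turns a scan into a merge gate in CI.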

 



Section 5

Why Is IaC Security Important?

As IaC adoption soars, it’s becoming more important to understand the security risks and complexities involved with it. Because IaC best practices are still being established, there are very few universally recognized resources and processes when it comes to IaC security.  

IaC is designed to make cloud provisioning simpler, faster, and more predictable. But for teams to realize those benefits, the same philosophy must be applied to how they approach cloud security. In IaC-forward environments, IaC security is the natural place to enforce cloud security; it is the most reliable way to get consistent, scalable, and immutable security. If security is not applied at the IaC layer, misconfigurations are inevitable, and when clouds are orchestrated by misconfigured code, they will keep being configured incorrectly in production.  

As the number, severity, and cost of security breaches continue to grow, security is a leading issue for most organizations.  

Some further indications of the growing need for IaC and DevSecOps: 

  • The likelihood of experiencing a breach within two years is 29.6%, up from 22.6% in 2014.  
  • In 2019, the average time to identify and contain a breach was 279 days, up 4.9% from 2018. 

There are many benefits to adopting a platform that supports the infrastructure for security operations, response, and remediation. Such a platform can boost speed and efficiency; it can also reduce Infrastructure as Code complexity and increase security at scale.  

Applying security consistently across automated infrastructure allows you to take a more holistic approach. Each staff member can manage more tools, devices, and systems, so you can operate at scale. Automation, provided the automation itself is secured properly, reduces the risk of human error, improving accuracy and reducing the risk and cost of breaches.   

Organizations that automate extensively are better able to prevent security incidents and business disruptions. Security automation means automating the manual tasks involved in maintaining your security posture. It spans several practices, which we group into four general categories: 

  • Response and remediation of event-driven activities that require security analyst participation, guidance, or both 
  • Security operations, including the day-to-day processes and policy-driven activities technology teams perform on the security infrastructure 
  • Security compliance, including activities that ensure infrastructure complies with security policies and regulations 
  • Hardening activities that apply custom security policies to infrastructure with targeted intent and goals 


Section 6

Key Components of IaC Security

Integrate Security Using Automation 

Responding to security attacks manually is daunting. Using Red Hat Ansible, with its curated collections of security modules, roles, and playbooks, or HashiCorp Terraform, you can automate and integrate different security solutions so that they investigate and respond to threats across the enterprise in a coordinated, unified way. 

Collect logs across firewalls, intrusion detection systems (IDS), and other security systems programmatically, enabling on-demand enrichment of triage activities performed through security information and event management systems (SIEMs). 

Using these tools in a DevSecOps process can automatically tune the level of logging, create new intrusion detection system (IDS) rules, and implement new firewall policies, facilitating the detection of more threats in less time. 

You can also remediate faster by automating actions such as blocklisting attacking IP addresses or domains, allowlisting known-good traffic, or isolating suspicious workloads for further investigation. 

A Two-Phased Approach to Automation 

Whether your organization is just building a new cloud environment, already operating in the cloud with one or more cloud providers, or scaling your environment to meet increasing demand, you can take advantage of a two-phased approach to automate your cloud security processes.  

  • Phase 1: Optimize Operations — Begin to incorporate security into existing, automated deployment workflows, or create new template-based workflows for application deployment with configuration bootstrapped into the template so that your development teams don’t need to manually intervene. 
    For example, bootstrapping can automatically provision a security tool, such as a next-generation firewall with a working configuration, complete with licenses and subscriptions, into any of your cloud environments. 
    Key requirements: For this phase, you’ll need native API support for integration with third-party development and orchestration tools, such as Ansible and Terraform.  

  • Phase 2: Lean on Analytics — In this phase, you should focus on automating security discovery and analysis across your cloud environment to reduce the workload on your staff while improving your overall security posture. 
    For instance, automated analytics can gather and compile relevant data across multiple cloud environments and analyze it to identify, as well as prioritize, potential vulnerabilities and risks. 
    Key requirements: You’ll need a cloud security framework designed for multi-cloud environments, with a mechanism to ingest high volumes of data and perform thorough analysis to identify risks. 



Section 7

How to Secure IaC

Multi-cloud is the new reality for many organizations, whether chosen as a strategy or forced on them through another means – like customer preference, mergers and acquisitions, or government regulations. Forward-looking organizations have accepted that this reality will happen – or has already happened – to their organization. They’re making plans to intelligently manage multiple clouds and proactively put measures in place to ensure continued compliance. 

Some of the risks they need to manage are technical, such as differences in authentication and authorization solutions, or in how network routing and security are configured. Other risks are on the people side of the organization: excessive processes and procedures commonly lead fast-moving parts of the organization to go a little rogue, creating an IT headache. 

  • Automation Is the New Baseline — Starting with a multi-cloud friendly automation product will save an immeasurable amount of time. Since automation is repeatable, there is less time spent cross-training new team members, whether in a security admin or a DevOps engineer role. Ansible, Puppet, and Terraform are leading multi-cloud automation frameworks. 
  • Flexible Policies and Procedures — Use an automation framework to handle most of the implementation. This lets you have policies and procedures that are a little more flexible, and allows for the differences between cloud implementations. You’re able to focus on the goal rather than the exact procedure.  
  • Standardize Components as Much as Possible — Even though multiple clouds are in use, it is possible to minimize the number of technologies that are in play. This is done through standardization of as many of the core technologies as possible. Often this involves using third-party components. Whenever possible, stick to solutions that support multiple clouds. This may mean giving up a nice-to-have feature in the case of a very specific point solution. The consistency and efficiencies that are gained more than outweigh the benefits of any one nice-to-have feature. 
  • Multi-Cloud Management for Compliance and Cost Tracking — In multi-cloud environments, it is paramount that insight into costs and security compliance are available on-demand to those that require the information. There is a category of tools that can perform one or both of these activities. They work closely with the largest hyperscale cloud providers to ensure the solutions are up to date. They include the latest security policy enhancements to ensure that when a policy is applied and validated it is as consistent as possible across all clouds in the mix. 
  • Automating Repetitive Tasks — By automating repetitive tasks, such as firewall deployments and security policy updates, you can free up your security staff to work more effectively, improve security, and keep pace with deployments across one or more cloud environments. 
    Companies turning to security automation are finding it:  
    • Reduces manual effort and human error.  
    • Scales security efforts to match cloud deployment needs.  
    • Enforces consistent security controls across multi-cloud environments. 
    • Accelerates incident response and investigations.   
    • Improves compliance with regulations.   


Section 8

Final Thoughts

Generally speaking, the key IaC security components are: 

  1. Automation and workflow: Via CLI, VCS, and/or CI/CD, based on different teams' needs and preferences 
  2. Depth and breadth of policies: Cover all the frameworks you need, all security best practices, compliance benchmarks, etc. 
  3. Prioritization and remediation: Visibility is only valuable if you can take steps to implement the feedback efficiently 
  4. The broader impact and context of IaC: Understand how it relates to the runtime cloud resources. 

Find an Infrastructure as Code security platform with the tools and capabilities to cover the frameworks you use, including Terraform, CloudFormation, and Pulumi. Use analytics to provide insight into how your organization uses that automation. Make sure it lets team members access certified automation content through a centralized repository. Finally, the goal should be to streamline the security of the management, distribution, and consumption of automation assets.  


