Cloud
Why IaC Security Should Matter to CISOs
Explore how secure infrastructure-as-code (IaC) enables security leaders to help DevOps teams quickly deliver more business value.
Speed is the name of the game for organisations building in the cloud. And in order to meet increasingly demanding deadlines, many DevOps teams are turning to infrastructure as code (IaC) to spin up new projects at scale—but are they doing so securely? This article looks at IaC security challenges and how CISOs can choose the right cloud security tool to support quick development and drive innovation.
What is IaC?
Infrastructure as code (IaC), as the name suggests, is the creation and managing of infrastructure through code—essentially establishing a pre-configured infrastructure template that can be consistently deployed to build apps. This is an evolution from the “old days”, where system admins were tasked with manually managing and configuring all the needed hardware and software to run apps.
IaC security challenges
There’s a reason—in fact, several—why IaC continues to grow in popularity for cloud builders; speed, control, and consistency just to name a few. But since anything using the internet can be exploited, that means IaC poses security risks as well. Here are two key challenges:
1. Complex environments and compliance requirements
Enterprises using a hybrid- or multi-cloud environments face unique challenges and security teams often lack the visibility needed to track and manage IaC templates across different environments and cloud providers.
While IaC is great for spinning up new infrastructure at scale, it’s pertinent these templates are configured to abide by the compliance requirements of that specific cloud/on-prem environment’s as well as the location of the builders. For example, if one team is building in Europe and another in Asia, the same IaC template cannot be deployed and considered secure or compliant due to differing compliance regulations.
2. IaC drift
Misconfigurations can not only lead to compliance gaps, but drift as well. IaC drift is when configurations change from predetermined build-time states, unbeknown to those DevOps and SecOps teams. This can be due to developers deploying and changing the template in a testing environment and forgetting to “reset” it back to its original state before using it in production. The smallest undetected change to a template gives malicious actors the opportunity to infiltrate the exposed cloud asset.
Solving IaC security challenges
Yes, there are several products that only address IaC security, and while this is great, adding another point product to your security stack will further complicate visibility. Look for a unified cybersecurity platform with capabilities that address multiple security concerns such as IaC. Think of it like two birds, one stone, but less morbid.
Convincing the board to invest can be challenging, so try to speak their language by showing how security enables business. By investing in a cybersecurity platform, you’re not just stopping threats, but enabling a DevOps culture which will inherently minimise risks and maximise efforts to meet business objectives.
Okay, so what should you look for in a cybersecurity platform? Look for capabilities that help you better understand, communicate, and mitigate cyber risk within the three phases of an effective security strategy (detection, correction, and prevention) without impacting or interrupting security and development teams.
Phase 1: Detection
The goal of this phase is to understand potential risks by establishing the “what” and “who” of your environment. You need comprehensive visibility to notify security teams of critical misconfigurations. Key word: critical. The platform should use extended detection and response (XDR) capabilities to collect and correlate data across all the components in a IaC template, therefore reducing false alerts and enabling security teams to drill down into top priority concerns.
Phase 2: Correction
In this phase, the platform should leverage auto-remediation to quickly fix configurations without burdening security and development teams. Customizable APIs and post-scan actions are crucial to encouraging collaboration and communication between teams. Remember, the platform shouldn’t be seen as a gatekeeper, but as an enabler for more efficient risk management.
Phase 3: Prevention
You can never stop a cybercriminal from attempting to attack you, but you can mitigate associated risks by making it more difficult. Make sure the platform takes a start left approach by scanning templates before they’re pushed to production, allowing security and development teams to make any necessary changes. The scans should not only alert teams of any misconfigurations, but also auto-check templates against relevant compliance requirements and industry best practises. Lastly, look for a platform that provides real-time feedback to engineers as they create IaCs to help them learn as they go and fine-tune their skills.
Next steps
For more insights on how a cybersecurity platform can help you understand, communicate, and mitigate risks, check out these resources: