To react or to prevent?

The term “cure” is generally a positive one. However, in cloud security, it assumes a reactive position to some vulnerability or breach that’s already taken place. When it comes down to it, DevOps and Security teams—we all hope—are working together toward a culture of prevention. But it’s no easy task.

Business demands mean that security and compliance are usually coming from a reactive position, working at a feverish pace to detect runtime cloud infrastructure issues like misconfigurations and compliance violations. This drives risk up and up, with stakeholder demands essentially forcing the business to gamble on the hope that there won’t be many post-deployment issues and the customer experience will generally be what they hoped.

Since that hope is rarely borne out, the scenario above more often works against the bottom line, costing the business not only money after the fact, but also countless productivity hours and employee morale. The challenges aren’t as simple as intense business stakeholder demand to pick up the pace, though. To put it simply, there are many challenges on the road to a super-efficient working relationship between DevOps and cloud security/compliance. Let’s take a look at four of those challenges and how security organizations can leverage Infrastructure-as-Code (IaC) templates to go from a reaction culture to a prevention culture.


Runtime risks

Unforeseen mistakes, problems, and challenges (MPCs) will always, always, always come up, even when DevOps and cloud security/compliance work together as well as they possibly can. But the fact remains that most organizations are still reacting to risks and misconfigurations at runtime as opposed to preventing them during build.

How can IaC help? Developers can leverage IaC to create declarative statements that define the infrastructure that will be necessary to run the code they’ll write. Working with templates written in formats like JSON or YAML enables developers to truly enable a DevOps culture: they can write and subsequently test the infrastructure definition, just as they would application code, to ensure it’s good to go before anything is deployed. This ultimately helps to drastically reduce runtime risks.

Developer deflation

Runtime is the wrong time to challenge devs to address vulnerabilities. No matter who is at fault, it ultimately becomes very inefficient for the business as a whole. And no one wants to be responsible for putting the company in the red. Runtime issues can often be fleeting or vague, resulting in developer churn and productivity loss.

How can IaC help? Templates are efficient because they are, well, templatized. However, if a security or compliance issue exists in the template itself and isn’t cross-checked by security, then developers will repeatedly address the same root issue at runtime. By partnering with the security organization for quality control early in the process, DevOps can leverage IaC templates to their fullest.

Security + developers = inefficiency?

Speaking of potential developer productivity loss due to late-breaking requests, that just might be the beginning—or continuation—of a breach. Not the security kind of breach, but the teamwork-between-groups kind. This friction leaves open the possibility that developers will circumvent the security process, leaving security personnel to harbor growing animosity toward dev teams. The ultimate loser in this scenario is, of course, the customer.

How can IaC help? With tools like HashiCorp Terraform, AWS CloudFormation, and Google Cloud Deployment Manager, devs can perform many of the same application testing and monitoring processes on cloud infrastructure. The missing piece to this is having the right security and compliance controls along the way, so that checks from those teams become a part of the continuous integration/continuous delivery (CI/CD) pipeline—without slowing anything down.

Security teams can be proactive in this process by creating IaC templates for developers. This will help to create secure and compliant cloud infrastructure from the start.

To connect, it must comply

Cloud environments are constantly changing, but they’re also growing and being used in different contexts. Each time a developer spins up a new instance, more than likely it’s connecting to an existing patchwork. The instance might be secure on its own, but it suddenly isn’t secure or industry compliant (HIPAA, PCI-DSS, etc.) when the full context is considered. These dynamic environments are extremely common, but it takes both process and sharp-eyed personnel to ensure they’re secure. Even the most proficient security team has difficulty keeping pace with development, and teams need to leverage the right tools and automation capabilities to scale with developers.

How can IaC help? Application security testing is common for developers. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools integrate with CI/CD pipelines to test and monitor code. This same process can be leveraged for IaC. A static IaC analysis inspects only the template a developer is working on; a dynamic IaC analysis extends beyond that template and also evaluates the existing cloud environment and services that the new instance will interoperate with.

An example of dynamic IaC analysis: The process finds that a properly configured server (that passed static analysis) still violates Payment Card Industry Data Security Standard (PCI-DSS) requirements due to the server going into a Cardholder Data Environment (CDE) without a proper firewall.
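The two kinds of check described above, as an added example written for this article (it is not DivvyCloud's, AWS's, or any other vendor's code). It takes a constructed CloudFormation-style JSON template, applies a static rule that needs only the template (no ingress rule open to the whole internet), then applies a dynamic rule that needs the surrounding environment (the instance is placed into a subnet tagged as a Cardholder Data Environment that has no firewall in front of it). The resource type names follow CloudFormation; the environment inventory format, its `Scope` tag and `firewall_attached` flag are assumptions made for the example, standing in for what a real tool would fetch from the cloud provider's API.

```python
"""
Added example: a minimal static + dynamic IaC checker for a
CloudFormation-style JSON template. Not the article's or any vendor's
code. Resource types mirror CloudFormation (AWS::EC2::Instance,
AWS::EC2::SecurityGroup); the environment inventory, its "Scope" tag and
"firewall_attached" flag are constructed assumptions.
"""
import json

# Constructed template: an instance behind a security group that allows
# HTTPS only from the corporate range. On its own it looks fine.
TEMPLATE_JSON = r'''
{
  "Resources": {
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "HTTPS from corporate network only",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}
        ]
      }
    },
    "PaymentsHost": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SubnetId": "subnet-0a1b2c3d",
        "SecurityGroupIds": [{"Ref": "WebSG"}]
      }
    }
  }
}
'''

# Constructed inventory of the existing environment the template lands in.
# A real dynamic analysis would pull this from the cloud provider's API.
ENVIRONMENT = {
    "subnets": {
        "subnet-0a1b2c3d": {"tags": {"Scope": "CDE"}, "firewall_attached": False},
        "subnet-9f8e7d6c": {"tags": {"Scope": "corp"}, "firewall_attached": False},
    }
}

# CIDRs that mean "anyone on the internet"
ANYWHERE = {"0.0.0.0/0", "::/0"}


def load_template(text):
    """Parse a JSON template into a dict."""
    return json.loads(text)


def resources_of_type(template, rtype):
    """Return {logical_name: resource} for every resource of the given type."""
    return {name: r for name, r in template["Resources"].items() if r.get("Type") == rtype}


def static_findings(template):
    """Checks that need only the template: ingress rules open to the world."""
    findings = []
    for name, sg in resources_of_type(template, "AWS::EC2::SecurityGroup").items():
        for rule in sg.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr in ANYWHERE:
                findings.append(
                    f"{name}: ingress {rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}"
                )
    return findings


def dynamic_findings(template, environment):
    """Checks that need the surrounding environment: an instance joining a
    CDE subnet that has no firewall in front of it violates the PCI-DSS
    firewall requirement even though the template itself passed static checks."""
    findings = []
    for name, inst in resources_of_type(template, "AWS::EC2::Instance").items():
        subnet_id = inst.get("Properties", {}).get("SubnetId")
        subnet = environment["subnets"].get(subnet_id)
        if subnet is None:
            findings.append(f"{name}: subnet {subnet_id} not found in environment")
            continue
        if subnet["tags"].get("Scope") == "CDE" and not subnet["firewall_attached"]:
            findings.append(f"{name}: joins CDE subnet {subnet_id} without a firewall")
    return findings


def analyze(template_text, environment):
    """Run both passes and return the findings of each, keyed by pass."""
    template = load_template(template_text)
    return {
        "static": static_findings(template),
        "dynamic": dynamic_findings(template, environment),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(TEMPLATE_JSON, ENVIRONMENT), indent=2))
```

Run as-is, the static pass returns nothing and the dynamic pass reports the PaymentsHost instance joining the CDE subnet without a firewall, which is exactly the situation the paragraph above describes. In a CI/CD pipeline the dynamic pass is the one that needs read access to the live environment, so it is normally run by the security team's tooling rather than inside the developer's local checks.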

IaC your way to shifting left

By leveraging features typically used in a code development setting, DevOps practitioners can also define the infrastructure on which an application’s code lives. As this has become not only possible but easier in recent years, security teams can more quickly perform cross-checks on a developer’s work prior to runtime.

Organizations using a solution like DivvyCloud by Rapid7 can leverage the program’s IaC security to implement controls earlier in their CI/CD pipeline. So what does this mean for business? The dream of getting products to customers faster—without compromising security—is now achievable. You can read this article to learn more about the challenges of and potential solutions to integrating security and compliance earlier in the development cycle.