How to Implement Secure and Compliant IaC

Last updated at Fri, 01 Dec 2023 21:38:05 GMT

Success lies in security

True separation of developer and security teams is becoming a thing of the past. Today’s cloud environments enable deployments at previously unheard-of speed and scale; there simply isn’t time to build infrastructure, then code, then hand it all off for security cross-checks before deploying. Where can organizations find the time? In the land of left… shifting left, that is.

As security quickly becomes everyone’s responsibility, shifting left empowers developers to take ownership of certain parts of the process. But security organizations must do their part to keep developers on track, not overburden them, and help create a new cycle so that everyone can continue to do their jobs while catching and remediating vulnerabilities earlier in the process—not at runtime.

A key enabler of this shift is Infrastructure as Code (IaC). With IaC, security teams can start to build controls and checks into the development process with templates.

Shaky ground

Automated security tests, versioning control, automated vulnerability scanners: These are the hallmarks of an organization aggressively attempting to shift security into the development process. In this way, teams begin to catch code vulnerabilities earlier.  

But oftentimes, DevSecOps operations ignore—willfully or not—the need to address the foundational infrastructure on which their code is written. If that ground is shaky, even teams that successfully shift some operations left will find themselves in a continuous loop of addressing code problems after the fact, as opposed to shoring up the foundation so they can stop many of those problems before they start. Enter IaC (from stage left, of course) to templatize the creation of infrastructure so that it is a shared, programmatic, and reproducible process.

Feedback → guidance → CI/CD

A successful endpoint, so to speak, of implementing IaC would actually come in two parts:

• Developers are ultimately able to determine if their IaC templates contain security or compliance risks.

• Security practitioners are continuously providing developers with guidance on how to resolve vulnerabilities and risks.

The latter point typically kicks off a conversation around communication. Any and all issues are time-sensitive when it comes to 1) stopping a vulnerability from turning into a threat and 2) working quickly to deploy.

Automatic Slack notifications are one way to alert security teams to any changes that might affect the integrity of an application’s infrastructure. For example, a change is made by a developer that triggers a Slack alert for a potential misconfiguration. A security team member sees this and knows to do a quality check to ensure everything in the Continuous Integration/Continuous Deployment (CI/CD) pipeline is secure. In this way, no time or productivity hours are lost, plus no in-depth conversations need to be had in a conference room or over Zoom.

How are these alerts triggered when using IaC? Existing developer systems for application security testing work well in shifting security into the CI/CD pipeline.

• Static analysis looks at code in isolation, calling out compliance risks only relevant to the IaC template.
• Dynamic analysis typically examines any cloud environments or services on which the IaC template will run.  

Incorporating both is ideal, but this is a big change to the way traditional “throw-it-over-the-wall” systems function.

Don’t call them training rails

If an organization does not currently employ a holistic process with IaC, a good way to start would be creating guardrails to help developers with any process-related security concerns. It would also enable a development team to focus on executing its primary function. This kind of framework can incorporate checks that secure multi-cloud infrastructures, enforce consistent security policies during build and runtime, and deliver clear guidance to developers on how to resolve vulnerabilities and risks.

In choosing the right IaC security and compliance tools, it’s important to know which CI/CD orchestration tools developers use. If security isn’t “in the know” as to which tools are in use, or if those tools change without advance notice, security will be playing catch-up—which can create new vulnerabilities. As ever, transparent communication and partnership are key in staying compliant and continuing to drive value for the business.

The full lifecycle

Whether it’s an IaC tool like Terraform or ARM, remember that using multiple platforms will always complicate security and compliance. Of course, it all depends on the needs of the organization and business, but keeping it simple also creates better team alignment.  

Rapid7's InsightCloudSec combines both preventive and reactive approaches, helping teams achieve full-lifecycle cloud security operations. Implementing IaC in the drive to shift left then becomes part of a more holistic process in service of protecting the business.  

Want to learn more about how IaC can help revolutionize the CI/CD pipeline? Read the article below for deeper insights into how security and development can scale faster, with teams benefiting themselves and the business by making complex deployments simpler.