Embed IaC security at the earliest stage in development
May 24, 2022
What is Infrastructure as Code?
Infrastructure as Code (IaC) is the practice of defining and provisioning cloud infrastructure from machine-readable code rather than by hand. It is often described as a set of “blueprints” for your cloud infrastructure: IaC lets teams design, build and maintain that infrastructure with the same precision and care one would put into a dream home. Or, to use an example with more at stake, think of the engineering specifications for an airplane. You want the glass thickness of the windows and the engine controls specified correctly before the aircraft is built. The infrastructure that powers your business’s revenue-generating applications deserves the same care.
Why does IaC matter?
Services must be deployed faster and more efficiently to meet ever-growing customer demand, so shortening time to market is of the essence. Infrastructure as Code lets CTOs and engineering leaders deliver infrastructure at the speed and scale the business needs. It spurs innovation by letting DevOps teams iterate quickly, with fast infrastructure delivery throughout the application lifecycle.
With IaC, developers no longer need to install and configure software on individual machines, click through dozens of screens in the cloud provider’s console or write hundreds of lines of custom scripting, all of which are error-prone. Instead, they declare the desired infrastructure in code: images/OS, compute, storage, networking, security settings such as IAM policies and network rules, and more. When the IaC tool runs, it reads those declarations and calls the cloud provider’s API to create or update resources until they match. Because the definitions are plain text, they can be version-controlled, diffed and reviewed like application code, which gives DevOps teams consistent, repeatable configurations and a clear change history. And CTOs can move beyond infrastructure management to focus on technology innovation and digital product development.
What is the impact of not securing your IaC?
Advances in automation also introduce risk. You want any inconsistencies in the plane’s design, particularly in the automated flight controls, caught before the first flight. IaC enables faster innovation, but it also means a configuration mistake is written once and reproduced everywhere the template is used. Misconfigurations in IaC templates lead to compliance violations and exploitable weaknesses such as privileged containers or hard-coded secrets. At IaC scale a single misconfiguration can propagate across hundreds of deployments, and patching it by hand in the provider console instead of in the template creates drift between the code and the running infrastructure. Remediation at build time or later is time-intensive and costly, and given the speed at which cloud native applications ship, it is very hard to fix misconfigurations once the infrastructure is already deployed and serving the application.
This is where IaC security comes in. IaC security, or IaC scanning, checks the plane’s systems before it is even constructed: it finds and resolves security issues in the templates before any cloud infrastructure is provisioned from them. CISOs and security leaders can reduce the risk of security incidents in production by scanning IaC, because fewer misconfigurations and compliance violations ever reach a running environment. Security teams also avoid spending time on IaC issues outside their expertise, since findings go to the developers who own the templates. On the development side, CTOs and engineering leaders reduce expensive build-time remediation and free up developer time previously spent on manual code review and on fixing misconfigurations after the fact.
Shine a light on misconfigurations before build time
Whether your team already uses a form of IaC security, has IaC but is not yet securing it, or doesn’t yet use IaC at all, Lacework meets you where you are in your cloud journey. We’ve been committed to empowering DevOps to develop faster while staying secure. With Lacework IaC Security, you can unlock even more visibility in the Lacework Polygraph® Data Platform by fixing misconfigurations in IaC before they become a problem at build time.
We scan IaC templates such as Terraform files, AWS CloudFormation templates and Kubernetes manifests or Helm charts, and surface the insecure configurations and compliance violations that could leave you vulnerable. For example, a Kubernetes manifest might request privileged access to a node’s file system (a privileged container, or a hostPath volume that mounts the node’s disk into the pod), or a template might carry a hard-coded secret such as a database password in a plain environment variable.
Deployment with Lacework IaC Security is fast and requires minimal configuration or DevOps/SRE involvement. You can simply connect Lacework IaC Security directly to your Git Provider and/or CI/CD Provider for continuous monitoring of IaC. We also just announced Atlassian Bitbucket support.
We scan your IaC automatically and continuously against 600+ policy checks for potential misconfigurations. When a misconfiguration is surfaced, developers receive immediate, automated guidance on what to change. This actionable, prioritized feedback lets developers fix IaC issues on their own, quickly and easily, reducing the burden on the security team, and development teams reclaim time previously spent on remediation.
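To make the two preceding paragraphs concrete, here is a small added example of what a policy check over an IaC template looks like in practice. It is not Lacework’s scanner or its policy catalog: it is illustrative Python, written for this article, that evaluates a constructed Kubernetes Deployment (in JSON form, which kubectl accepts just like YAML) against a handful of hypothetical policies covering the privileged container, hostPath and hard-coded secret cases named above, and returns findings sorted by severity with remediation guidance attached, the “actionable, prioritized feedback” described in the policy-check paragraph. The policy identifiers (K8S-…) and severities are assumptions for the example; the same approach applies to Terraform plan JSON produced by `terraform show -json`.

```python
"""Minimal IaC policy scanner for Kubernetes workload manifests (illustrative only)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Ordering only: higher-risk findings are reported first.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

# Env var names that usually carry credentials (hypothetical heuristic, not a vendor list).
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)


@dataclass(frozen=True)
class Finding:
    policy: str     # hypothetical policy identifier
    severity: str
    location: str   # where in the manifest the problem sits
    guidance: str   # what the developer should change


def _pod_spec(manifest: dict) -> dict:
    """Return the PodSpec of a Pod, or of a workload kind that wraps a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]  # Deployment, StatefulSet, DaemonSet, Job


def scan_manifest(manifest: dict) -> list[Finding]:
    """Evaluate the policy set against one workload manifest and return prioritized findings."""
    findings: list[Finding] = []
    where = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    spec = _pod_spec(manifest)

    if spec.get("hostPID") or spec.get("hostNetwork"):
        findings.append(Finding("K8S-HOST-NAMESPACE", "HIGH", where,
                                "Drop hostPID/hostNetwork; they expose node processes and network."))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cloc = f"{where} container {c.get('name')}"
        if c.get("securityContext", {}).get("privileged") is True:
            findings.append(Finding("K8S-PRIVILEGED", "CRITICAL", cloc,
                                    "Remove securityContext.privileged; add only the capabilities the process needs."))
        for env in c.get("env", []):
            # A literal 'value' on a credential-looking variable is a hard-coded secret;
            # 'valueFrom.secretKeyRef' is the correct pattern and is not flagged.
            if "value" in env and SECRET_NAME_RE.search(env.get("name", "")):
                findings.append(Finding("K8S-HARDCODED-SECRET", "HIGH", f"{cloc} env {env['name']}",
                                        "Store the value in a Secret and reference it with valueFrom.secretKeyRef."))

    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(Finding("K8S-HOSTPATH", "HIGH",
                                    f"{where} volume {v.get('name')} -> {v['hostPath'].get('path')}",
                                    "Replace hostPath with a PersistentVolumeClaim or emptyDir; hostPath hands the pod the node's filesystem."))

    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])  # stable: manifest order kept within a severity
    return findings


# Constructed sample manifest, trimmed to the fields the checks look at (not a production template).
INSECURE_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "billing-api"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "api", "image": "example/billing-api:1.0",
                   "securityContext": {"privileged": true},
                   "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
                   "volumeMounts": [{"name": "root", "mountPath": "/host"}]}],
   "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}}
""")

# The same workload after the guidance has been applied.
HARDENED_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "billing-api"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "api", "image": "example/billing-api:1.0",
                   "securityContext": {"privileged": false, "allowPrivilegeEscalation": false},
                   "env": [{"name": "DB_PASSWORD",
                            "valueFrom": {"secretKeyRef": {"name": "billing-db", "key": "password"}}}],
                   "volumeMounts": [{"name": "scratch", "mountPath": "/tmp/scratch"}]}],
   "volumes": [{"name": "scratch", "emptyDir": {}}]}}}}
""")


if __name__ == "__main__":
    for f in scan_manifest(INSECURE_MANIFEST):
        print(f"[{f.severity}] {f.policy} at {f.location}\n    fix: {f.guidance}")
    print("hardened manifest findings:", len(scan_manifest(HARDENED_MANIFEST)))
```

Run it and the insecure manifest yields three findings, the CRITICAL privileged-container finding first; the hardened manifest yields none. In a real pipeline this kind of check runs on every pull request, so the developer sees the finding and the fix on the template diff, before anything is provisioned.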
The security team reduces risk and embeds security controls at the earliest stage of development, without having to worry about insecure IaC or slowing development down. DevOps gains time and cost efficiency by avoiding the toil of addressing problems in the build phase, and together these gains and the lowered risk accelerate software delivery. Our platform also makes insights more accessible across your organization: Security, Compliance and DevOps teams view violations, reports and dashboards in the same UI. Lacework IaC Security is the connective tissue that helps build a stronger, more collaborative relationship between security and development teams.