In the world of IT, DevOps and security have a reputation for mixing as well as oil and water. DevOps wants to get apps and software out the door as quickly as possible, while security’s goal is to make sure bad actors don’t get in.
The thing is, they’re both right. All the speed of development is useless if it creates misconfigurations or vulnerabilities. Security is rendered less effective if it’s shoved toward the end of the process.
This is just one reason why we are thrilled to announce that Lacework has acquired Soluble. This acquisition expands our coverage to include Infrastructure as Code (IaC), in addition to AWS, GCP, Azure, private and hybrid cloud, Kubernetes, containers, and workloads, all of which serve to interlace security at the earliest point in the DevOps cycle.
The rise of infrastructure as code
Historically, deploying and managing IT infrastructure was a manual process. System administrators would set up physical servers and operating systems, database administrators would configure the database, developers would deliver the code, test teams would check it, and then finally it would be deployed to production. This setup could take hours or days to configure, and required coordination across multiple teams. And time is money.
Infrastructure as code changes all of that and enables developers to simply write code to deploy the necessary infrastructure. When you consider the benefits that brings (speed, efficiency, scalability, standardization, lower costs, etc.), it’s no wonder so many companies are adopting IaC. But it’s not without its challenges.
Factoring in security of infrastructure as code
IaC puts infrastructure in the hands of developers, which is great for speed but introduces some potential risks. Developers are neither infrastructure nor security experts. But with IaC, they’re given full control over the company’s cloud deployment. Less experienced teams increase the chance of misconfigurations, which, if they are in the IaC, will get reintroduced each time the code deploys.
Unfortunately, it’s far more costly and takes more time to fix issues in production, compared to finding and catching them earlier. Organizations need to be able to find and remediate issues as close to the source as possible.
The solution is Soluble
To remedy this, Soluble created a product that finds and fixes misconfigurations in IaC and automates testing and policy management. Soluble helps correlate cloud misconfigurations to IaC and enables remediation at the source, which empowers you to move quickly without compromising security and reliability.
Soluble supports Terraform, AWS CloudFormation, and Kubernetes, and analyzes IaC with each commit and pull request. Developers are notified of any misconfigurations and are provided with actionable instructions, or they can use automated fixes to address any problems. Soluble is agentless and only takes minutes to configure, providing fast insight into potential security risks in IaC.
We liked it so much that we decided to make our first-ever acquisition in order to bring Soluble’s powerful technology to Lacework’s automated data-driven cloud security platform.
Shifting left is smart security
The addition of Soluble to the Lacework platform puts DevSecOps capabilities into the hands of developers and enriches their existing workflows. By extending the Lacework platform capabilities to first inform and then automate fixes at the source, customers can build proactive practices in Continuous Integration/Continuous Delivery (CI/CD) pipelines to reduce risk and build faster.
To learn more about the Lacework acquisition of Soluble, we invite you to attend our webinar on November 18th: Shift Left Faster: Infrastructure as code (IaC) Security For the Win.
Copyright 2021 Lacework Inc. All rights reserved.