Infrastructure-as-Code (IaC) has become an essential counterpart to development and operations (DevOps) processes by automating cloud deployment and provisioning. This approach allows infrastructure changes to evolve, adapt and keep pace with rapid development cycles, enabling end-to-end automation of the entire process.
IaC also shifts infrastructure planning and configuration left in the development cycle, so that it becomes part of the development process rather than a siloed bolt-on afterthought. The benefit is that businesses can treat complex infrastructure security issues as part of their DevOps security practices.
We have seen the benefits of integrating security into DevOps workflows and the Continuous Integration and Continuous Delivery (CI/CD) pipeline. Treating infrastructure security with the same techniques and methods has the same potential to increase robustness while reducing costs.
IaC offers businesses the ability to provision and manage infrastructure using a code-based configuration language. The key benefits are repeatability, maintainability, and transparency. These benefits come from applying standard development practices to the code created to provision and manage infrastructure.
The resources managed this way can include networks and their monitoring, load balancers, virtual machines, and Kubernetes clusters, all created and overseen by automated, version-controlled processes rather than manual steps.
The downside of IaC is that if the infrastructure configuration is not entirely secure, all instances will consistently include the same vulnerabilities. Automation offers fast deployment but requires effort to ensure that it is secure. This includes cognizance of a changing threat landscape and the identification of new vulnerabilities that may result in a previously secure infrastructure configuration becoming vulnerable.
Resolving vulnerabilities requires corrective action to the IaC configuration code rather than the instances generated from the configuration code. This is a change in philosophy for security teams who traditionally patch and reconfigure infrastructure rather than the code that produces the infrastructure.
The use of IaC for temporary or short-lived deployments has discouraged a robust approach to security in some sectors, on the belief that a short life cycle sufficiently reduces the probability of external attack.
Automated scanning and reconnaissance mean that the time from deployment to discovery by attackers is short. An attacker can quickly exploit weaknesses in insecure infrastructure to gain access and then move laterally beyond the transitory infrastructure into the underlying business systems.
A benefit of IaC is that should the security team detect evidence of an attack, they can quickly destroy the compromised infrastructure and redeploy a new, uncompromised version. This allows the business to maintain services while the security team undertakes parallel investigations into the nature of the infrastructure compromise.
Processes to identify and incorporate corrective measures into the infrastructure configuration and security controls can then follow to improve security posture and prevent a recurrence of that attack.
For businesses adopting IaC, the practice itself can introduce threats into the deployed infrastructure if the configuration code, and the pipeline that applies it, are not secured.
While infrastructure security will vary from business to business, the following generic best practices guide the issues to consider:
Figure 1: Security Practices in the IaC Process
There are various options for implementing infrastructure security. However, given that the fundamental purpose of IaC is to realize the business benefits of automated deployment and provisioning, the security controls need to be automated and integrated into the same process. Any requirement to manually configure security controls after provisioning will slow deployment and leave a window between provisioning and hardening that attackers can exploit. Therefore, to be effective, security controls must be integrated into and automated within the IaC process.
The automation that policy-as-code practices deliver allows the implementation of security best practices without adversely impacting the speed and quality of infrastructure provisioning and development. In addition, it enables uninterrupted security and compliance processes across the entire end-to-end continuous delivery workflow.
Policy-as-code enables organizations to define and manage security policy using standard development processes and techniques. This creates the ability for the security policy to integrate seamlessly into the development and deployment processes. As a result, managing security becomes a routine part of the development process.
This integration prevents siloed workflows where IaC deployment and security configuration work in isolation. The imposition of additional controls to manage threats to infrastructure after provisioning may impact the ability to meet program deadlines. This can lead to their deferment, where program time pressure overrules security requirements.
Policy-as-code also supports automated audit processes, enabling continuous compliance monitoring and deviation reporting, even when deployment uses non-persistent infrastructure.
Policy-as-code provides a single central solution for implementing automated security best practices in applications, development pipelines, and deployed infrastructure. This offers consistent protection across end-to-end development processes from product conception to operational deployment.
It's important to note that implementing policy-as-code is not a one-time activity. Following the initial achievement of compliance, a continuous compliance monitoring process will be necessary to maintain it, because every iteration of the IaC provisioning and deployment process can introduce a new policy violation.
Magalix provides a solution that detects and prevents such violations before deployment, making management more straightforward for organizations. In addition, this service includes hundreds of out-of-the-box policies and templates to speed up implementation. These include checks for violations against common compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS) and the Center for Internet Security (CIS) Benchmarks.
You can find more information in our Product In-Depth Guide: Security Best Practices at Build and Deployment.
Kubernetes deployment follows the same principles as IaC, so the two integrate seamlessly. The infrastructure model can be versioned and committed to a Git repository alongside the application code. Deployment is automated and platform-agnostic, eliminating manual configuration errors while maximizing flexibility.
IaC provides the means to employ dynamic infrastructure, allowing the creation, replacement, relocation, and destruction of resources as necessary to meet changing needs. In addition, Kubernetes manifest files provide the mechanism to configure and construct the required architecture in a controlled manner by applying development quality practices, including review, test, audit, and configuration management.
A key characteristic of IaC is repeatability: the consistent creation of multiple infrastructure instances on the same or different platforms with the guarantee that the configuration will be identical. This removes manual misconfiguration from the process, improving the reliability and availability of deployed applications.
Kubernetes offers developers unique opportunities to implement good security practices into development and deployment processes. If you're a Kubernetes user, look at our top Kubernetes security best practices.
For organizations utilizing Kubernetes for container orchestration, this brings advantages in simplifying the adoption of IaC. Kubernetes can automate the implementation and management of service delivery, replication, load balancing, and auto-scaling.
Secure infrastructure requires a robust configuration, so we've provided valuable guides to prevent Kubernetes network policy misconfigurations with Policy as Code, as well as the six common Kubernetes configuration mistakes to avoid.
One way to reinforce the security of IaC is to run compliance checks against the CIS Benchmark for Kubernetes as part of the deployment process. You can read more in our guide for enforcing cloud-native security with CIS Benchmarks for K8s using Policy-as-Code.
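As an added example of what such a pre-deployment gate and CIS-style checks look like in practice (this is illustrative code written for this page, not Magalix's or Weaveworks' product code, and not how their policies are implemented), the following Python script evaluates a handful of policies against Kubernetes manifests and exits non-zero on any violation, so it can sit in a CI/CD stage ahead of `kubectl apply`. The four policies, the `evaluate` function, and the sample manifests are all constructed for this illustration; it assumes manifests have already been parsed into dictionaries (a real pipeline would load YAML, for example with PyYAML, and would more commonly drive a policy engine than hand-written functions).

```python
"""Pre-deployment policy gate for Kubernetes manifests (standard library only).

Each policy takes one manifest (a dict) and returns a list of violation strings.
evaluate() runs every policy over every manifest; the command-line entry point
exits non-zero on any violation so the script can gate a CI/CD stage.
Policies and sample manifests are constructed for illustration.
"""
import sys

# Kinds whose pod template we inspect; a bare Pod carries the spec directly.
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}

def pod_spec(manifest):
    """Pod spec of a Pod or pod-template workload; None for other kinds (Service, ConfigMap...)."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in WORKLOAD_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return None

def containers(spec):
    """All containers in a pod spec, init containers included."""
    return spec.get("containers", []) + spec.get("initContainers", [])

def no_privileged(manifest):
    spec = pod_spec(manifest)
    if spec is None:
        return []
    return [f"container '{c['name']}' runs privileged" for c in containers(spec)
            if c.get("securityContext", {}).get("privileged") is True]

def no_host_namespaces(manifest):
    spec = pod_spec(manifest)
    if spec is None:
        return []
    return [f"{field} is enabled" for field in ("hostNetwork", "hostPID", "hostIPC")
            if spec.get(field) is True]

def must_run_as_non_root(manifest):
    """Effective runAsNonRoot must be true; a container-level setting overrides the pod-level one."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    pod_level = spec.get("securityContext", {}).get("runAsNonRoot")
    return [f"container '{c['name']}' does not run as non-root" for c in containers(spec)
            if c.get("securityContext", {}).get("runAsNonRoot", pod_level) is not True]

def no_unpinned_image(manifest):
    """Reject images with no tag or the ':latest' tag; digest references are always accepted."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    out = []
    for c in containers(spec):
        image = c.get("image", "")
        # Strip registry[:port]/path first so a registry port is not mistaken for a tag.
        ref = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
            out.append(f"container '{c['name']}' uses unpinned image '{image}'")
    return out

POLICIES = [no_privileged, no_host_namespaces, must_run_as_non_root, no_unpinned_image]

def evaluate(manifests):
    """Map 'Kind/name' to its list of violations, for manifests that have any."""
    report = {}
    for m in manifests:
        name = f"{m.get('kind')}/{m.get('metadata', {}).get('name')}"
        found = [v for policy in POLICIES for v in policy(m)]
        if found:
            report[name] = found
    return report

# Constructed sample manifests: one insecure Deployment, one compliant one, and a Service.
SAMPLE_MANIFESTS = [
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "containers": [{"name": "web", "image": "nginx:latest",
                         "securityContext": {"privileged": True}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True},
         "containers": [{"name": "api",
                         "image": "registry.example.com:5000/team/api:1.4.2"}]}}}},
    {"kind": "Service", "metadata": {"name": "api"},
     "spec": {"selector": {"app": "api"}, "ports": [{"port": 443}]}},
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_MANIFESTS)
    for name, violations in report.items():
        for v in violations:
            print(f"DENY {name}: {v}")
    sys.exit(1 if report else 0)
```

Run as a pipeline step, the script prints one `DENY` line per violation for the `web` Deployment (privileged container, host networking, no non-root enforcement, unpinned `nginx:latest` image) and fails the build, while the `api` Deployment and the Service pass. Because each policy is a plain function returning a list, new checks (for example, the remaining CIS Benchmark controls) are added by appending to `POLICIES`, and the same functions can be run again on a schedule against the live cluster's manifests to give the continuous compliance monitoring the text describes.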
Policy-as-code brings significant benefits to the security and compliance of IaC processes. It achieves this with an efficient, scalable, and repeatable solution that fits the IaC philosophy, acting as a security enabler rather than a brake on delivery.
Magalix empowers organizations to integrate security-as-code into IaC processes. This service allows businesses to enforce their security policy and reduce risks across the infrastructure. Additionally, it will enable infrastructure monitoring that quickly detects and responds to security issues.
Contact us to learn more about how we support your IaC requirements.