
Product In-Depth: Secure IaC - Validation and Remediation

Policy as Code Security as Code

Policies, Workflows, and Analytics

When working with policy as code, there are three distinct areas that make up the policy-as-code ecosystem: policies, workflows, and analytics. It starts with the codified policy, continues with when and how those policies are enforced, and ends with knowing what is in violation. Let's walk through a real-world scenario of how these three come together to ensure compliance is handled appropriately.

A Real World Scenario

A screen capture of the Top Violating Policies found on your Magalix Console Dashboard.

One of our most essential Policies prevents Containers from running as the root user. When containerizing a microservice, unless a different user is specifically defined, the container will run as the root user. Technologists who are not concerned with security probably don't realize this, but if you are security conscious, creating a policy to block this behavior across your entire stack makes a lot of sense.

With Magalix, you get a sense of just where these vulnerabilities exist out of the box. Using this information, the next step is to resolve all applicable cases and then implement a long-term solution to prevent new instances of this violation from occurring. But without the right education and tools, you'll never catch up with the multitude of deployments that happen every day, unchecked and misconfigured.

 
apiVersion: apps/v1
kind: Deployment
metadata: 
     name: demoservice
spec: 
     replicas: 1
		spec:
		   containers:
		   - name: demoservice
		     command: [“node”, “app.js”]
		     image: demoservice:latest

An example Kubernetes deployment running as root

Continuing with our example, running as root is actually easier than not running as root because the root user is used by default. Misconfiguration, or a lack of configuration, in this case, is likely to occur. Now imagine having to check (or fix) this every time a service is deployed. Interestingly, this is a typical driver for those looking to adopt a policy-as-code solution. There’s a need to catch these violations before they enter the environment.

Incorporating policy checks into your SDLC, or Workflows, alleviates some of the challenges of continuously having to fix the same entities causing the same violations again and again. Magalix simplifies the "shift left" process with our "write once, apply everywhere" model. The same Policies used to detect violations in your run-time environments are the same Policies used in your CI/CD jobs. Any entity that is about to enter the stack is subject to the compliance check early in the Workflow, so the responsibility for becoming, and remaining, compliant is shared with the people who are developing it.
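The check described in this scenario, written out as an added example (this is not Magalix's own policy code, which the page does not show): a small validator that flags Deployments whose containers may run as root, a remediation helper that pins a non-root UID, and a CI-style gate that fails the job when any violation exists. It assumes manifests have already been parsed into Python dicts, as a YAML loader would produce; the demoservice and sidecar manifests are constructed for the example, and the sidecar case shows why the check must resolve the container-level securityContext over the pod-level one.

```python
"""Added example (not Magalix code): a 'container running as root' policy check
for CI jobs or live manifests, plus a remediation helper.
Assumption: manifests are already parsed into dicts (what a YAML loader yields)."""
import copy
from typing import Any, Dict, List

# Constructed manifest mirroring the page's demoservice Deployment: no securityContext,
# so the process runs as whatever user the image defaults to (root unless the image sets USER).
DEMOSERVICE_ROOT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demoservice"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "demoservice"}},
        "template": {
            "metadata": {"labels": {"app": "demoservice"}},
            "spec": {
                "containers": [
                    {"name": "demoservice", "image": "demoservice:latest",
                     "command": ["node", "app.js"]}
                ]
            },
        },
    },
}

# Constructed: pod-level runAsNonRoot is set, but a sidecar overrides it with runAsUser: 0.
SIDECAR_OVERRIDE: Dict[str, Any] = copy.deepcopy(DEMOSERVICE_ROOT)
SIDECAR_OVERRIDE["metadata"]["name"] = "demoservice-sidecar"
SIDECAR_OVERRIDE["spec"]["template"]["spec"]["securityContext"] = {"runAsNonRoot": True}
SIDECAR_OVERRIDE["spec"]["template"]["spec"]["containers"].append(
    {"name": "log-shipper", "image": "shipper:1.0", "securityContext": {"runAsUser": 0}}
)


def _effective(container: Dict[str, Any], pod_spec: Dict[str, Any], key: str) -> Any:
    """Resolve a securityContext field the way the kubelet does: the container-level
    value wins over the pod-level value for the same key."""
    container_sc = container.get("securityContext") or {}
    pod_sc = pod_spec.get("securityContext") or {}
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key)


def container_may_run_as_root(container: Dict[str, Any], pod_spec: Dict[str, Any]) -> bool:
    """True unless the manifest itself guarantees a non-root UID."""
    run_as_user = _effective(container, pod_spec, "runAsUser")
    if run_as_user is not None:
        return run_as_user == 0  # explicit UID: a violation only if it is root
    # No explicit UID: only runAsNonRoot: true makes the kubelet refuse a root image.
    return _effective(container, pod_spec, "runAsNonRoot") is not True


def check_deployment(manifest: Dict[str, Any]) -> List[str]:
    """One violation message per container (init containers included) that may run as root."""
    if manifest.get("kind") != "Deployment":
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [
        f"Deployment/{name}: container '{c.get('name')}' may run as root"
        for c in containers
        if container_may_run_as_root(c, pod_spec)
    ]


def remediate(manifest: Dict[str, Any], uid: int = 10001) -> Dict[str, Any]:
    """Hardened copy: pin a non-root UID at pod level and clear any container-level
    override that would re-enable root. The input dict is left untouched."""
    fixed = copy.deepcopy(manifest)
    pod_spec = fixed["spec"]["template"]["spec"]
    pod_spec["securityContext"] = {**(pod_spec.get("securityContext") or {}),
                                   "runAsNonRoot": True, "runAsUser": uid}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}  # mutated in place; other settings survive
        if sc.get("runAsUser") == 0:
            del sc["runAsUser"]
        if sc.get("runAsNonRoot") is False:
            del sc["runAsNonRoot"]
    return fixed


def gate(manifests: List[Dict[str, Any]]) -> int:
    """CI-style gate: print every violation and return a non-zero status if any exist."""
    violations = [v for m in manifests for v in check_deployment(m)]
    for v in violations:
        print(v)
    return 1 if violations else 0


if __name__ == "__main__":
    raise SystemExit(gate([DEMOSERVICE_ROOT, SIDECAR_OVERRIDE, remediate(DEMOSERVICE_ROOT)]))
```

Run in a pipeline step, a non-zero return from gate stops the job before the manifest reaches the cluster; the same check_deployment function can be pointed at objects read back from a running cluster, which is the "write once, apply everywhere" idea in practice. Note that remediate only makes the manifest assert a non-root UID: if the image genuinely needs root, the kubelet will refuse to start it, which surfaces the problem at deploy time instead of silently granting root.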

Analytics provides the necessary visibility into your compliance posture: a robust, detailed breakdown of the state of each Policy. The Magalix Dashboard gives you an overall view of compliance across all of your clusters, regardless of where your clusters are hosted and who is managing them.

The Magalix Dashboard

To complete our scenario, Magalix provides verbose information about each Policy, the number of violations, and when those violations occurred. We can drill down further into the Container Running as Root Policy Violation and find the list of violating entities and historical data. Being able to assess one policy across multiple clusters helps your overall risk assessment. Are these violations indicative of a larger issue, or are they one-offs? Does something in the process need to change? It's not just about Policy Violation remediation, but also about understanding violation trends and having the necessary insights (and capabilities) to prevent those same violations from triggering in the future.

Container Running as Root Policy Violation

Conclusion

Security, governance, and compliance are requirements everyone must consider in their day-to-day, but we're human, and as a group it sometimes takes a few iterations of getting it wrong to finally start getting it right. In my own experience, this type of effort in an extremely large organization can take up to several years. The steps to being proactive aren't just implementing new CI/CD steps but also educating the team and shifting the culture a bit.

With Magalix, we turn those years of effort into minutes. Without any additional configuration, immediately learn about your security posture using our built-in Policy library. When you get a handle on your run-time environments, shift those same policies left by incorporating them into your Workflow. With the provided dashboard and reporting features, gain insights with our rich Analytics. When encountering an error, examine in-depth details so you can know what’s happening immediately.
