The power and convenience of the cloud has changed the landscape for startups and big companies alike. It introduced new models that offered new business opportunities that’s unheard of, in terms of infrastructure, agility, elasticity, and cost effectiveness. Some of the biggest benefits to cloud is agility - the ability to move fast, shortening time to market, and the ability to be more adaptive and agile.
It wasn’t too long ago that a new product was launched once a quarter, a big bang release. Now companies in the cloud, such as Amazon and Netflix, have tens and even hundreds of deployments a week, making new product launches more frequent.
When you move fast, you deploy things often and it means things get broken often as well. Your stability might suffer because you are making a lot of changes. So how do you balance the two? How do you move fast yet not break things? How do you make frequent deployments yet not compromise security?
Famous security breaches, like the Capital One incident, have shown us how costly it can be, and how security must be a prerequisite, and can’t be an afterthought. This is what Security-as-code is all about - moving fast and yet still have guarantees about your security.
What is Security-as-Code?
Teams, be they Developers or Ops or security, have been operating in silos. In the past it was the Dev team and the Ops team operating independently, giving rise to the DevOps where both Devs could do some of the Ops work and vice versa.
Now there’s a need for the DevOps and security teams to work collaboratively, where some of the DevOps mindset, ideas, and agility can be brought to the security forefront. There’s an utmost need to bring security into basically the pipeline starting off from the development all the way to deployment - from code to cloud.
By doing so, security is not an afterthought, it doesn’t come at the tail-end of development, it's non-intrusive, and doesn’t hinder or slow down development. Security-as-code is all about breaking down silos between Ops teams, Devs, and Security teams so everyone is security conscious and all work with each other, as opposed to working against each other.
A brief definition of security-as-code would be:
“It’s about codifying your security policies and workflows, baking security practices into the development process, automatically and continuously detecting vulnerabilities and security violations before they are delivered to the cloud.“
Where is Security-as-Code Applied?
What you want to do is apply and integrate security-as-code within the development life cycle. You don't want to be intrusive, but you want to be integrated into a process. The best case scenario, and that’s what the shift left movement is all about, is moving the policy checking and validation to the left so that issues can be prevented from happening in the first place.
For example, when you commit your changes to your Helm Charts, your Terraforms, why don't we also run the policies, that we just codify those security-as-code policies that we just codified? Why don't we also run that check as early as possible?
And the beauty of this, the prevention here, this is the developer or the ops, or whoever is making the change, is getting the feedback right away when things are still fresh and they are more able to do the changes quicker to fix the issue, as opposed to detecting something a week or two later in production. And then having to context switch again, and having to find the right person and put the time and the sprint or in the queue for that thing to be fixed. And this is really the power of automating your security-as-code policies, so you can streamline the whole plot process and create that basically DevSecOps culture.
Why Do DevOps Need Security-as-Code?
1. Enforcing Policies Across the Decentralized Infrastructure
The move to the cloud, especially the cloud-native, revolves around decentralization. You now have a microservices architecture, you have more workloads running than before, you have multiple teams, and the ownership of who does what is not clear anymore. Your whole organization is decentralized, which also means the decision -making in your organization is also decentralized.
What that means is different teams could be establishing their own standards and you, as an organization, will lose control very quickly about your infrastructure and any standards you have, such as security and compliance standards. And certain concepts - such as security, reliability, and compliance, - can’t withstand decentralization and the chaos it comes with. These things have to be baked into the system as a whole.
2. You are as Secure as Your Weakest Link
These are system properties, quality of the whole system. So, you want a way to manage your standards. Something you want to enforce then because policies that are not enforceable are not really policies or standards, and security is not ‘a nice to have’ feature. This is something that could make your business or your company a headline in the news, and we've seen this especially recently when people take security lightly. And it's about the weakest link. It's not how much is secured. It's how much is in-secured. And that's where the attackers will go, is after the weakest link. So, you are as secure as your weakest link.
3. The Complexity of Cloud Infrastructure
The thing that we know that is going to continue to happen or take place is, the complexity of the cloud infrastructure is going to keep increasing. The landscape of cloud technologies continues to evolve: from servers, containers, serverless, Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), among many others. There are now so many assets, applications, and services that the single company can use even if they're just a small shop of maybe 10 to 15 engineers. And all these services are now expressed as code. And it's not really possible to manage all the non-provisioning aspects of that infrastructure otherwise. So, security needs to be codified.
According to an IDC survey, 67% of breaches are due to misconfigurations, misconfigurations that could have been prevented. Security-as-code will play a vital role in tightening system security and making all your teams - DevOps, SecOps, Devs- security-conscious. Magalix can help you start with shifting security left, codifying security, and enforcing policies across your SDLC.