Infrastructure as Code and Security – Five Ways to Improve Your Approach

By Paul Baird, Chief Technical Security Officer EMEA, Qualys

When you have a few instances, you can manage them manually. When you have tens, hundreds or even thousands of instances to look after, you have to automate. For DevOps and developer teams, Infrastructure as Code (IaC) provides a route to automate cloud deployments so that each instance is the same, with the right set-up and resources to meet company standards. By turning this process into code, these deployments can be repeated whenever they are needed, and each member of the team can use the same approach.


IaC also makes it easier to review the images and templates you deploy from, so that problems can be flagged and fixed before they reach production. At least, that is the theory, yet IaC security is easily overlooked. While IaC makes it much easier to manage IT infrastructure at scale, it can also introduce security issues into your deployments and then replicate them across hundreds of instances at a time. Implementing IaC security processes helps you make the most of IaC and avoid some of the biggest pain points.

Preventing cloud misconfigurations

According to our TotalCloud Security Insights report for 2023, cloud misconfigurations are the most common risk affecting organisations. In our findings, around a third (31 percent) of Amazon Web Services (AWS) S3 buckets are publicly accessible, exposing them to a range of potential vulnerabilities and subsequent attacks. Similarly, 75 percent of database instances running on Microsoft Azure had public network access enabled.

Configuration covers all the control settings applied to the hardware and software elements within a cloud environment. When configured correctly, these systems communicate and interoperate to deliver the service. When mistakes occur, the resulting misconfigurations can lead to unauthorised access or data breaches. These mistakes arise from the complexity of cloud infrastructure, a lack of expertise in the technologies involved, or simple human error. IaC’s rapid, repeatable deployment model can also work against security: a mistake in a template is reproduced in every instance created from it.

So how can you respond? To make cloud environments more secure, monitor them more closely for potential issues and misconfigurations. Best-practice frameworks like the Center for Internet Security (CIS) benchmarks for the public cloud platforms provide individual controls to apply, and also point to whole areas that you can harden. Employing these practices makes it harder for attackers to gain access, and more difficult still for them to move laterally or exploit other issues.
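To make the checks concrete, here is an added example (not code from the article or from Qualys) that scans a CloudFormation template, parsed as JSON, for the two exposures the report figures describe: S3 buckets that are publicly readable or lack a full public access block, and RDS instances with PubliclyAccessible set. The template, its logical resource IDs, the severity labels and the rule that treats a missing public access block as medium severity are all assumptions for illustration; the property names are the real CloudFormation ones.

```python
"""Scan a CloudFormation template (parsed JSON) for the two public-exposure
misconfigurations the article cites: S3 buckets reachable by anyone, and
database instances with public network access.  Added example; the template
below is constructed for illustration, not taken from any real deployment."""
import json

# Constructed example template: one bucket left open, one locked down, and
# one RDS instance flagged PubliclyAccessible.  Logical IDs are made up.
WEAK_TEMPLATE = json.dumps({
    "Resources": {
        "PublicLogs": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "PrivateData": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                }
            },
        },
        "CustomerDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "PubliclyAccessible": True},
        },
    }
})

# Canned ACLs that grant access beyond the owning account.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
# All four settings must be true for the bucket to be fully blocked.
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
              "IgnorePublicAcls", "RestrictPublicBuckets")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def check_s3_bucket(logical_id, props):
    """Flag public canned ACLs (high) and an incomplete public access block (medium).
    The medium rating is an assumption: newer accounts block public access by
    default, so an absent block is a weaker signal than an explicit public ACL."""
    findings = []
    acl = props.get("AccessControl")
    if acl in PUBLIC_ACLS:
        findings.append(("high", logical_id,
                         f"bucket ACL {acl} grants access to everyone"))
    block = props.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in BLOCK_KEYS if block.get(k) is not True]
    if missing:
        findings.append(("medium", logical_id,
                         "public access block incomplete: " + ", ".join(missing)))
    return findings


def check_db_instance(logical_id, props):
    """Flag RDS instances reachable from the public internet."""
    if props.get("PubliclyAccessible") is True:
        return [("high", logical_id, "database instance has public network access")]
    return []


CHECKS = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::RDS::DBInstance": check_db_instance,
}


def scan_template(template_json):
    """Return findings as (severity, logical_id, message), highest risk first."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(logical_id, resource.get("Properties", {})))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # stable: keeps template order within a level
    return findings


def fix_template(template_json):
    """Return a hardened copy: no public ACL, full public access block, private DB."""
    template = json.loads(template_json)
    for resource in template.get("Resources", {}).values():
        props = resource.setdefault("Properties", {})
        if resource.get("Type") == "AWS::S3::Bucket":
            props.pop("AccessControl", None)
            props["PublicAccessBlockConfiguration"] = {k: True for k in BLOCK_KEYS}
        elif resource.get("Type") == "AWS::RDS::DBInstance":
            props["PubliclyAccessible"] = False
    return json.dumps(template)


if __name__ == "__main__":
    for sev, rid, msg in scan_template(WEAK_TEMPLATE):
        print(f"[{sev.upper():6}] {rid}: {msg}")
    print("after fix:", scan_template(fix_template(WEAK_TEMPLATE)))
```

The scan runs before anything is deployed, which is the point of checking the template rather than the account: the same mistake is caught once instead of being replicated into every stack built from it.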

Cloud environments can change over time

Alongside looking for potential misconfigurations in your IaC templates, you should also look at how your existing cloud environments are set up. While many cloud instances will be short-lived workloads set up to meet a specific requirement, others will be permanent or long-term instances. These latter instances may need updates.

The ideal approach is to keep immutable IaC image templates that have been scanned and are trusted. If a change is needed, update the immutable image, take down any existing workloads built from the old image, and restart them from the new one. This maintains the integrity of those images and of the workloads they are used to create.

However, this may not be right for every workload in practice. In many circumstances, developers will add to their running cloud workloads to meet specific demands for more functionality or additional tools. These additions will not be in the IaC templates, and so they will not be covered by your IaC security scans. These altered workloads can only be detected while they are running.

Analysing running workloads can flag any ‘drift’ between your templates and what is actually in place. This can identify changes that should be made to your IaC inventory, so your developers don’t have to reapply them by hand to get things up to date. It can also flag potential security problems, misconfigurations and vulnerabilities that have crept in. Once you can see this drift, you can decide what action is needed.
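As an added example (not the article’s or any vendor’s code), the following shows the shape of a drift check: the desired settings are what a template declares, the observed settings are what describe calls on the live environment return, and the report separates changes to security-relevant settings, resources that are missing from the environment, and resources running that no template created. Both dictionaries, the resource IDs and the setting names are constructed for illustration, and the recommended action follows the immutable-image policy described above.

```python
"""Compare the state an IaC template declares against what is observed on
running resources, and report drift.  Added example; both dictionaries are
constructed stand-ins for template output and cloud API responses."""

# Desired state, as it would be derived from the template: resource id ->
# the settings we care about.  Constructed data.
DESIRED = {
    "s3/app-assets": {"public_access_blocked": True, "encryption": "aws:kms",
                      "versioning": True},
    "rds/customer-db": {"publicly_accessible": False, "engine_version": "15.4"},
}

# Observed state, as it would come back from describe/get calls on the live
# environment.  Constructed data: one bucket changed by hand, one extra
# instance the template never created.
OBSERVED = {
    "s3/app-assets": {"public_access_blocked": False, "encryption": "aws:kms",
                      "versioning": True},
    "rds/customer-db": {"publicly_accessible": False, "engine_version": "15.4"},
    "ec2/debug-box": {"publicly_accessible": True, "tags": {"owner": "unknown"}},
}

# Settings whose drift widens exposure; ranked above cosmetic drift.
SECURITY_KEYS = {"public_access_blocked", "publicly_accessible", "encryption"}


def _record(rid, kind, key, expected, actual):
    # Anything missing or unmanaged is treated as security-relevant: we cannot
    # vouch for a resource that the scanned templates never described.
    security = kind != "changed" or key in SECURITY_KEYS
    return {"resource": rid, "kind": kind, "setting": key,
            "expected": expected, "actual": actual, "security": security}


def detect_drift(desired, observed):
    """Return drift records, security-relevant ones first, then by resource id."""
    drift = []
    for rid, want in desired.items():
        have = observed.get(rid)
        if have is None:
            drift.append(_record(rid, "missing", None, None, None))
            continue
        for key, expected in want.items():
            actual = have.get(key)
            if actual != expected:
                drift.append(_record(rid, "changed", key, expected, actual))
    # Running resources with no template behind them: the hand-added tools the
    # article describes, invisible to a template-only scan.
    for rid in sorted(observed.keys() - desired.keys()):
        drift.append(_record(rid, "unmanaged", None, None, None))
    drift.sort(key=lambda d: (not d["security"], d["resource"]))
    return drift


def recommend(record):
    """Map a drift record to the action the immutable-image policy implies."""
    if record["kind"] == "unmanaged":
        return "import into IaC or decommission"
    if record["kind"] == "missing" or record["security"]:
        # Do not patch in place: rebuild from the trusted image instead.
        return "redeploy from template"
    return "update template to match"


if __name__ == "__main__":
    for rec in detect_drift(DESIRED, OBSERVED):
        print(f"{rec['resource']:16} {rec['kind']:9} "
              f"{rec['setting'] or '-':22} -> {recommend(rec)}")
```

In a real environment the observed dictionary would be built from the provider’s describe APIs on a schedule, and the unmanaged bucket is the interesting case: a template scanner alone would never have seen it.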

Get in the workflow

Implementing IaC security processes will affect how teams work. For security, it is another set of images that have to be tracked for potential vulnerabilities, and changes flagged for remediation. For developers, these changes can be another set of work alongside requests from the business and other fixes that are needed.

However, this can easily become a problem for developers. Having to learn another set of tools to track issues, or to find the list of problems, affects how developers work and makes it harder to get issues fixed. To solve this, security can integrate into the workflows and tools that developers use every day. Security scans can be automated through APIs from within developer environments and integrated with code editors, Git repositories and CI/CD tools to provide early visibility. The results can then be fed into the developer workflow, flagging potential issues that need to be fixed alongside other requests for work.

Rather than being a separate stream of work that developers have to consciously engage with, security fixes to IaC should be treated just the same as other tasks. These issues can be ranked depending on how much risk they represent.

Support best practice uptake for secure cloud and development

One of the most effective ways to improve security over time is to use best practices around software development, implementation and management. The Center for Internet Security has benchmarks for cloud security and deployment across the leading public cloud platforms so that developers and IT security professionals can follow those best practices.

The Open Web Application Security Project (OWASP) has guidance on IaC best practices, including training developers on threat modelling for their instances. By providing guidance on the approaches and tactics that threat actors take around attacks, security teams can help developers understand what issues they might face.

Alongside these overall approaches, security and developer teams can use their tools to enhance their cloud infrastructure security by taking advantage of any pre-built controls that are available for their systems. These controls should cover a wide range of security domains and common IaC requirements, including identity and access management, network security, data protection, and compliance. By re-using what already exists for their systems, teams can stay ahead of potential problems and respond more quickly when new issues are discovered.

Work on common goals

Alongside looking at best practices, you should also evaluate how your teams will collaborate with each other. While it is easy to say that IaC security is important, it will mean some potential changes to individual priorities and workflows. This can lead to potential problems with your teams if you do not align your goals correctly.

For example, security and developer teams will both say that they want IaC to be secure. However, with tens, hundreds or even thousands of issues potentially present in IaC templates, the responsibility for carrying out fixes falls on the developers. With these changes their responsibility, developers can come to resent security for adding to their workload.

How should teams approach this? Security can help by providing more information on these issues and ranking them in terms of priority and risk. Flagging issues that need to be addressed because they are specific risks with known attacks taking place can help developers concentrate and manage their workloads more efficiently, while other issues can be dealt with later. Alongside this, development leaders can look at their team’s goals and ensure that security fixes are treated in the same way as new functionality requests and that they are budgeted for in terms of workloads and team composition.

For senior leaders in the IT team, managing these two teams separately can lead to more conflict. Getting common workflows in place that treat both teams as working to a common set of objectives and standards will help avoid this. It should also be an opportunity to improve communication around IaC and security so that everyone understands the value that gets delivered.

Use your data

Security teams have huge lists of vulnerabilities, misconfigurations and potential issues to track. Developers have backlogs of software faults to fix. Both teams rely on prioritisation and automation to help them achieve their goals.

IaC is a common approach to managing IT infrastructure today. Without the automation and repeatability that IaC provides, implementing and running cloud-native IT becomes impractical at the scale involved. However, IaC needs to be secure right from the start, across software development and production deployments. By putting security in at the start, your developers and security teams can collaborate on any potential problems faster and stop swathes of issues from affecting your organisation.

Paul Baird is a highly experienced and accomplished IT and cybersecurity professional with over 25 years of industry experience. Currently, he is serving as the Chief Technical Security Officer (CTSO) for Qualys. Throughout his career, Baird has demonstrated a deep understanding of cybersecurity and has been instrumental in building several Security Operations Centres (SOCs). His achievements in the field were recognised in 2021 when he was awarded Fellowship of Chartered Institute of Information Security Professionals (CIISec) for his outstanding work in supporting cybersecurity.