Infrastructure as Code (IaC) has emerged as an innovative approach for managing, provisioning and configuring an organization’s IT infrastructure using human-readable configuration files. This approach enables end users to build, change and manage the infrastructure in a consistent and repeatable manner, generating the same result every time the configuration file is applied, thereby delivering cost-savings with faster execution and reduced manual intervention.
With IaC, end users employ the configuration file to specify multiple properties for the targeted components. The downside is that a faulty or incorrect definition in one of these files is itself a security misconfiguration, and applying it produces an insecure deployment. Such misconfigurations are a security concern across cloud environments, and the IaC tooling is no exception: a lack of security awareness in the IaC pipeline could potentially compromise the entire infrastructure.
A new research report from Palo Alto Networks' Unit 42 shows nearly 200,000 IaC configuration files containing insecure configuration properties. Applying those templates can lead to severe vulnerabilities that put the cloud infrastructure and the data it holds at risk. The same report states that “While IaC offers security teams a systematic way to enforce security standards, this powerful capability remains largely unharnessed.” Take a look at some of the report’s other key findings:
of cloud databases are not encrypted
of cloud storage services have logging disabled
of cloud workloads expose SSH (port 22)
of organizations expose RDP (port 3389)
To optimize IaC for better, more secure IT management, we first must address these misconfigurations. Here’s how.
Streamline inventory management (or addressing resource ghosting)
Resource ghosting, where deployed resources fall out of the inventory and keep running untracked, can be challenging to detect and may incur unnecessary charges and security risks if a proper monitoring process is not in place. The best way to prevent this scenario is meticulous inventory management. Every resource deployed should be tagged, tracked and logged. Resource deletion should always be performed through the IaC templates, while ensuring that all data related to the targeted resources is removed from both the runtime and the inventory.
Identify and correct environmental drift
Environmental drift is the scenario where the live configuration of a deployment falls out of sync with the templates that describe it. Development, staging and production environments that have drifted can be challenging to bring back into line, and repairing them may even cause business downtime.
Tools are already available to detect such scenarios, making them easier to fix quickly. However, one of the most efficient preventive measures is to restrict access so that only automated systems are allowed to make changes to the infrastructure.
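The two preceding sections both come down to the same comparison: what the templates declare versus what is actually running. The script below is an added example, not code from the original article or from Atos; it reconciles a constructed declared inventory against a constructed live inventory and reports ghosts (live resources nobody declared), missing resources, attribute drift and tag gaps. The resource ids, attributes and the `managed-by`/`env` tag names are all invented for the illustration; a real run would load the IaC state and query the cloud provider's API instead.

```python
from dataclasses import dataclass, field

# Constructed sample of what the IaC templates declare: resource id -> attributes.
# In a real run this would be read from the IaC state; the values here are invented.
DECLARED = {
    "sg-web": {"type": "security_group", "ingress_ports": [443],
               "tags": {"managed-by": "iac", "env": "prod"}},
    "db-orders": {"type": "database", "encrypted": True,
                  "tags": {"managed-by": "iac", "env": "prod"}},
    "bucket-logs": {"type": "storage", "logging": True,
                    "tags": {"managed-by": "iac", "env": "prod"}},
}

# Constructed sample of what the live environment reports (normally a cloud API call).
LIVE = {
    "sg-web": {"type": "security_group", "ingress_ports": [443, 22],   # drifted: port added by hand
               "tags": {"managed-by": "iac", "env": "prod"}},
    "db-orders": {"type": "database", "encrypted": True,
                  "tags": {"managed-by": "iac", "env": "prod"}},
    "vm-test-old": {"type": "instance", "tags": {}},                   # ghost: nobody declared it
}

REQUIRED_TAGS = ("managed-by", "env")  # assumed tagging policy


@dataclass
class Report:
    ghosts: list = field(default_factory=list)    # live but not declared anywhere in IaC
    missing: list = field(default_factory=list)   # declared but no longer present live
    drift: dict = field(default_factory=dict)     # id -> {attribute: (declared, live)}
    untagged: list = field(default_factory=list)  # live resources lacking the required tags


def reconcile(declared, live, required_tags=REQUIRED_TAGS):
    """Compare declared and live inventories; return ghosts, missing, drift and tag gaps."""
    report = Report()
    for rid, actual in live.items():
        tags = actual.get("tags", {})
        if any(t not in tags for t in required_tags):
            report.untagged.append(rid)
        if rid not in declared:
            report.ghosts.append(rid)
            continue
        want = declared[rid]
        # Only attributes the template declares are compared; extra live attributes are ignored.
        diffs = {k: (want[k], actual.get(k)) for k in want if want[k] != actual.get(k)}
        if diffs:
            report.drift[rid] = diffs
    report.missing = sorted(set(declared) - set(live))
    return report


if __name__ == "__main__":
    r = reconcile(DECLARED, LIVE)
    print("ghosts:  ", r.ghosts)
    print("missing: ", r.missing)
    print("drift:   ", r.drift)
    print("untagged:", r.untagged)
```

Each category maps to a different action: ghosts and untagged resources go back through the IaC deletion or tagging path, drift is re-applied from the template, and a missing resource is a sign that something was removed outside the pipeline.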
Unfortunately, it is still common to find hardcoded credentials in IaC code, or to deploy insecure resources by accident. Running regular security scans on IaC is a powerful way to detect misconfigurations before they can become harmful. The CI pipeline should run automated scans before templates are applied to the live environment and, when possible, attempt to remediate such issues automatically. Committing to a regular schedule and automated pre-testing helps streamline the pipeline.
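As an added example of the kind of pre-apply scan this paragraph describes (not code from the article or from any named scanning tool), the script below checks a Terraform configuration written in Terraform's JSON syntax for three of the problems the post raises: hardcoded credentials, SSH or RDP ingress open to the world, and unencrypted database storage. The `.tf.json` sample is constructed; the access key and secret in it are the publicly documented AWS example values, not real credentials. The finding names and the list of sensitive attribute names are assumptions of this example.

```python
import json
import re

# Constructed .tf.json input (Terraform's JSON syntax), not from the article. The access
# key and secret are the publicly documented AWS example values, not real credentials.
SAMPLE_TF_JSON = r'''
{
  "provider": {
    "aws": {
      "region": "eu-west-1",
      "access_key": "AKIAIOSFODNN7EXAMPLE",
      "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    }
  },
  "resource": {
    "aws_security_group": {
      "bastion": {
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
        ]
      }
    },
    "aws_db_instance": {
      "orders": {"engine": "postgres", "storage_encrypted": false, "password": "${var.db_password}"}
    }
  }
}
'''

# Attribute names treated as secrets (assumed list) and the AWS access key id shape.
SENSITIVE_KEYS = {"password", "secret_key", "access_key", "token", "client_secret"}
AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
REMOTE_ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
ANY_CIDR = {"0.0.0.0/0", "::/0"}


def walk(node, path=()):
    """Yield (path, value) for every leaf of a nested JSON structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, path + (str(i),))
    else:
        yield path, node


def find_hardcoded_credentials(config):
    findings = []
    for path, value in walk(config):
        if not isinstance(value, str):
            continue
        # In JSON syntax a reference looks like "${var.db_password}"; a plain literal does not.
        if path[-1] in SENSITIVE_KEYS and "${" not in value:
            findings.append(("hardcoded-credential", ".".join(path)))
        if AKIA_RE.search(value):
            findings.append(("aws-access-key-id-literal", ".".join(path)))
    return findings


def find_exposed_admin_ports(config):
    findings = []
    groups = config.get("resource", {}).get("aws_security_group", {})
    for name, body in groups.items():
        rules = body.get("ingress", [])
        if isinstance(rules, dict):  # a single nested block may be serialised as one object
            rules = [rules]
        for rule in rules:
            cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            if not cidrs & ANY_CIDR:
                continue
            all_traffic = str(rule.get("protocol")) == "-1"  # "-1" means every protocol and port
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
            for port, proto in REMOTE_ADMIN_PORTS.items():
                if all_traffic or lo <= port <= hi:
                    findings.append((f"{proto}-open-to-world", f"aws_security_group.{name}"))
    return findings


def find_unencrypted_databases(config):
    dbs = config.get("resource", {}).get("aws_db_instance", {})
    return [("db-storage-unencrypted", f"aws_db_instance.{name}")
            for name, body in dbs.items() if body.get("storage_encrypted") is not True]


def scan(tf_json_text):
    """Run all checks over one .tf.json document and return (finding, location) pairs."""
    config = json.loads(tf_json_text)
    return (find_hardcoded_credentials(config)
            + find_exposed_admin_ports(config)
            + find_unencrypted_databases(config))


if __name__ == "__main__":
    for finding, where in scan(SAMPLE_TF_JSON):
        print(f"{finding:28} {where}")
```

Note that the database password is not flagged because it is a `var.` reference rather than a literal, which is exactly the pattern the next paragraph's advice on secret vaults leads to. A CI job would run `scan` over every `.tf.json` file in the change set and fail the build on any finding.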
One of the first steps to secure IaC is a well-defined development process with the right IDE and plugins for an early security assessment of your configuration files.
Additionally, all environment-related credentials should be appropriately managed by secret vaults. The branching model should be well-defined, and the main branch should always be protected. The code should be versioned, and the principle of least privilege should be implemented, reducing the chances of anyone tampering with the code.
Logging and monitoring
Security enablement and audit logging are critical for risk assessment. Using logs, we can identify potential threats and conduct root cause analysis in the event of a breach. Automated threat models can be run against the records, and continuous monitoring helps identify security and compliance violations. Some solutions use anomaly detection, machine learning and AI to identify and mitigate threats. Alerting is also essential, since deviations from normal behaviour are difficult to spot by hand. A good example of a monitoring rule for IaC is alerting on changes to tagged resources that are made outside the automated pipeline.
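The monitoring rule named at the end of this section, written out as an added example (not code from the article or from Atos): the function below reads audit events in a simplified CloudTrail-like shape, ignores read-only calls and anything done by the pipeline's own role, and raises a high-severity alert when anyone else writes to a resource tagged as IaC-managed, plus a medium-severity one when they write to a resource the inventory does not know at all. The events, account id, role and user names, and the tag inventory are all constructed; in a real deployment the events come from the audit log and the tags from the inventory process described earlier in the post.

```python
# Constructed: the only principal that is supposed to change infrastructure (the CI role).
AUTOMATION_PRINCIPALS = {"arn:aws:iam::123456789012:role/ci-terraform"}
MANAGED_TAGS = {"managed-by": "iac"}  # assumed tag that marks a resource as IaC-managed

# Constructed: resource ARN -> tags, as recorded by the inventory process.
TAG_INVENTORY = {
    "arn:aws:rds:eu-west-1:123456789012:db:orders": {"managed-by": "iac", "env": "prod"},
    "arn:aws:ec2:eu-west-1:123456789012:security-group/sg-0a1b2c3d": {"managed-by": "iac", "env": "prod"},
}

# Constructed audit events in a simplified CloudTrail-like shape (real events carry many more fields).
EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ModifyDBInstance", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-terraform"},
     "resources": [{"ARN": "arn:aws:rds:eu-west-1:123456789012:db:orders"}]},
    {"eventTime": "2024-05-01T09:05:00Z", "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "resources": [{"ARN": "arn:aws:ec2:eu-west-1:123456789012:security-group/sg-0a1b2c3d"}]},
    {"eventTime": "2024-05-01T09:06:00Z", "eventName": "DescribeDBInstances", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "resources": [{"ARN": "arn:aws:rds:eu-west-1:123456789012:db:orders"}]},
    {"eventTime": "2024-05-01T09:10:00Z", "eventName": "RunInstances", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "resources": [{"ARN": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"}]},
]


def is_managed(tags):
    """True when the resource carries every tag that marks it as IaC-managed."""
    return all(tags.get(k) == v for k, v in MANAGED_TAGS.items())


def flag_out_of_band_changes(events, tag_inventory, automation_principals):
    """Return alerts for write events made by anyone other than the automation role."""
    alerts = []
    for ev in events:
        if ev.get("readOnly", False):
            continue  # reads do not change infrastructure
        actor = ev.get("userIdentity", {}).get("arn", "")
        if actor in automation_principals:
            continue  # the pipeline is allowed to change things
        for res in ev.get("resources", []):
            arn = res.get("ARN")
            tags = tag_inventory.get(arn)
            if tags is None:
                # Nothing in the inventory knows this resource: a candidate ghost in the making.
                alerts.append({"severity": "medium", "reason": "write to untracked resource",
                               "actor": actor, "event": ev["eventName"], "resource": arn,
                               "time": ev["eventTime"]})
            elif is_managed(tags):
                alerts.append({"severity": "high", "reason": "manual change to IaC-managed resource",
                               "actor": actor, "event": ev["eventName"], "resource": arn,
                               "time": ev["eventTime"]})
    return alerts


if __name__ == "__main__":
    for a in flag_out_of_band_changes(EVENTS, TAG_INVENTORY, AUTOMATION_PRINCIPALS):
        print(f"[{a['severity']}] {a['time']} {a['actor']} {a['event']} on {a['resource']}: {a['reason']}")
```

The high-severity alert is the drift signal from the earlier section caught at the moment it happens, rather than at the next reconciliation run; the medium one feeds the inventory process, since an untracked resource created by hand is how ghosting starts.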
In addition to the points above, it is essential to define the security policies and configuration checks that apply to your organization. A few general checks are: data security, privileged-user scanning, tag-related checks, compliance violations, dependency checks (to ensure third-party or open-source packages are security-compliant), verification of logging and monitoring status, and dynamic analysis of virtual environments.
Securely adopting Infrastructure as Code in an organization can be lengthy, cumbersome and difficult without appropriate planning and cooperation from the relevant teams. Without them, gaps appear that lead to confusion and weaken the organization’s security posture. Organizations must focus on accurately determining how and where resources are to be provisioned, governed and secured.
If executed efficiently and effectively, secure IaC will help you determine and discover security issues before deployment, allowing you to implement continuous compliance and automate your monitoring and forewarning processes for all current and future resources.
About the authors
Big Data and Cybersecurity Architect, Atos
Corina has extensive experience in the Big Data area, combining big data with machine learning and artificial intelligence. As the Lead Architect for the Atos Prescriptive Security Operations Center (SOC) project, she came to be fascinated by cybersecurity as well. Corina thinks cloud is the future, so she is currently leading a DevSecOps team with a focus on AWS Security while also working closely with Cloud Enterprise Solutions (CES) and Portfolio teams to make sure the latest cybersecurity technologies are available both for customers and for Atos itself.
Cloud Security Architect, Atos
Madalina Balazs is a global Cloud Security Architect, part of the BDS Cybersecurity Cloud Threat Management team. Madalina is responsible for leading the engineering and automation initiatives related to Cloud Security. She is actively involved in shaping the Atos value proposition from a delivery perspective, together with external and internal partners, on trending domains such as SIEM and Cloud Native Security offerings for the Atos BDS Global Portfolio. Focused on development and growth, Madalina is the co-inventor of the Atos Cloud Security patent, developed in collaboration on Google Cloud Platform.