Infrastructure Misconfigurations With IaC Security – DZone

Infrastructure as Code (IaC) has become the de facto standard for managing infrastructure assets in many organizations. According to Markets and Markets, a B2B research firm, the IaC market is poised to reach USD 2.3 billion by 2027.

What Is Infrastructure as Code?

Before IaC, a developer would use the cloud provider's GUI, clicking through different configurations and settings to provision a resource such as a virtual machine. When you need to provision a single instance that is easy, but modern workloads are more than a single machine: thousands of VMs and hundreds of storage accounts, and that is for one region alone. To achieve high availability, the same stamp has to be created in multiple regions and availability zones. One way organizations automated this process was through scripts, though that had challenges such as versioning and, most importantly, the redundancy of every team repeatedly writing scripts from scratch.

Infrastructure as Code came as a solution to these problems. The term was first introduced in 2009 by Puppet, stating that new methods are required to scale infrastructure and adapt to increasing software system complexity.

Example of an IaC template:

{
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2022-09-01",
    "name": "[parameters('storageAccountName')]",
    "location": "[resourceGroup().location]",
    "sku": {
        "name": "Standard_LRS"
    },
    "kind": "StorageV2",
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "allowBlobPublicAccess": true
    },
    "resources": []
},

What we see above is an ARM (Azure Resource Manager) template that provisions a storage account in Azure. GCP and AWS have their own template formats (Cloud Deployment Manager and CloudFormation, respectively). With multi-cloud gaining a lot of traction, vendor-agnostic tools like Terraform are widely used.

We solved the scale and complexity problem, but the security problem remains. According to Gartner, through 2025, 99% of cloud security failures will be due to customer misconfigurations.

Security Risks With IaC

Increased Attack Surface

  • Because templates are shared to increase reusability, a small bug in a template affects every deployment that uses it.
  • For example: in the JSON above, allowBlobPublicAccess is set to true, which means every storage account deployed from the template allows its containers to be configured for anonymous public read access, a security risk that is then replicated across the estate.

Excessive Privileges

  • Deploying infrastructure resources requires high privileges on the target subscription or account. If the identity used for deployment (for example, a pipeline service principal) is compromised, threat actors gain the same privileged access to the environment.

So how can we help organizations keep their infrastructure secure?

Infrastructure as Code Security

The most basic way of identifying misconfigurations is through static code analysis. Let's consider an example.

Imagine there is a baseline that states storage resources should not have public access, such as this line from the Azure Security Benchmark (ASB):

Control Domain: Network Security
ASB Control Title: Secure cloud services with network controls
Guidance: Disable public network access by either using Azure Storage service-level IP ACL filtering or a toggle switch for public network access.
Responsibility: Customer

The baseline can be converted to code. The check below follows the structure of a Checkov custom check: the scanner calls get_inspected_key() to locate the property and get_expected_values() to decide whether the resource passes.

from typing import Any

from checkov.arm.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories


class StorageAccountDisablePublicAccess(BaseResourceValueCheck):
    def __init__(self) -> None:
        name = "Ensure that Storage accounts disallow public access"
        id = "DISABLE_PUBLIC_ACCESS"
        categories = (CheckCategories.NETWORKING,)
        # ARM resource type the check applies to (matches the template above)
        supported_resources = ("Microsoft.Storage/storageAccounts",)
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_resources=supported_resources,
        )

    def get_inspected_key(self) -> str:
        # Path of the property inside the ARM resource
        return "properties/allowBlobPublicAccess"

    def get_expected_values(self) -> list[Any]:
        # Only an explicit false is compliant
        return [False]


# Instantiating the check registers it with the scanner
check = StorageAccountDisablePublicAccess()

And your organization uses Terraform to manage this resource (the variables are assumed to be declared elsewhere in the module):

resource "azapi_resource" "symbolicname" {
  type      = "Microsoft.Storage/storageAccounts@2023-01-01"
  name      = var.storage_account_name
  location  = var.location
  parent_id = var.resource_group_id # azapi requires the parent, here the resource group
  identity {
    type = "SystemAssigned"
  }
  body = jsonencode({
    kind = "StorageV2"
    sku  = { name = "Standard_LRS" }
    properties = {
      # boolean, not the string "true"; this is the misconfiguration the check flags
      allowBlobPublicAccess = true
    }
  })
}

Static Analysis

The Terraform resource definition is assessed against the baseline to ensure compliance, and this process can be integrated into build checks so that insecure configurations are never deployed to production. This is a shift-left approach: teams are notified of misconfigurations during development rather than after deployment, so the risk is mitigated before changes reach an environment.
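As an added example (not code from the article), here is a small standalone version of such a build check in Python: it walks an ARM template, including nested child resources, and evaluates every storage account against a baseline table, exiting non-zero so the pipeline fails. The template and the four rules are constructed for illustration; treating an omitted property as a finding (the baseline requires values to be pinned rather than trusting the API version's default) is an assumption of this example.

```python
"""Build-step baseline check for ARM templates (added example, not the article's code)."""
import json
import sys
from dataclasses import dataclass
from typing import Any, Iterator

# Constructed sample: the article's template plus a hardened second account.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "[parameters('storageAccountName')]",
            "location": "[resourceGroup().location]",
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
            "properties": {"allowBlobPublicAccess": True},
            "resources": [],
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "sthardened01",
            "location": "[resourceGroup().location]",
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
            "properties": {
                "allowBlobPublicAccess": False,
                "publicNetworkAccess": "Disabled",
                "minimumTlsVersion": "TLS1_2",
                "supportsHttpsTrafficOnly": True,
            },
        },
    ],
})


@dataclass(frozen=True)
class Rule:
    """One baseline line: resource type, property under 'properties', required value."""
    id: str
    resource_type: str
    prop: str
    expected: Any


# Assumption of this example: the baseline requires each value to be pinned in the
# template, so an omitted property is reported rather than trusting the API default.
BASELINE = (
    Rule("DISABLE_PUBLIC_ACCESS", "Microsoft.Storage/storageAccounts", "allowBlobPublicAccess", False),
    Rule("DISABLE_PUBLIC_NETWORK", "Microsoft.Storage/storageAccounts", "publicNetworkAccess", "Disabled"),
    Rule("MIN_TLS_1_2", "Microsoft.Storage/storageAccounts", "minimumTlsVersion", "TLS1_2"),
    Rule("HTTPS_ONLY", "Microsoft.Storage/storageAccounts", "supportsHttpsTrafficOnly", True),
)

_MISSING = object()


def iter_resources(resources: list[dict]) -> Iterator[dict]:
    """Yield every resource, descending into nested child 'resources' arrays."""
    for res in resources:
        yield res
        yield from iter_resources(res.get("resources", []))


def evaluate(template_json: str, rules=BASELINE) -> list[dict]:
    """Return one finding per (resource, rule) where the property is wrong or not set."""
    template = json.loads(template_json)
    findings = []
    for res in iter_resources(template.get("resources", [])):
        props = res.get("properties") or {}
        for rule in rules:
            if res.get("type") != rule.resource_type:
                continue
            actual = props.get(rule.prop, _MISSING)
            if actual != rule.expected:
                findings.append({
                    "rule": rule.id,
                    "resource": res.get("name"),
                    "property": rule.prop,
                    "expected": rule.expected,
                    "actual": None if actual is _MISSING else actual,
                })
    return findings


def main(argv: list[str]) -> int:
    """Scan a template file (or the embedded sample) and fail the build on any finding."""
    source = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TEMPLATE
    findings = evaluate(source)
    for f in findings:
        print(f"FAIL {f['rule']}: {f['resource']} {f['property']}={f['actual']!r}, expected {f['expected']!r}")
    print("compliant" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_arm.py azuredeploy.json` in the build; the exit code is what the pipeline gate consumes. Against the embedded sample the first account produces four findings (public blob access enabled, and three properties left unset), while the hardened account produces none.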

The diagram above describes a more sophisticated approach in which a dedicated "IaC Security Service" performs the evaluation. The build process uploads the artifacts to a storage account and asks the security service to check them for misconfigurations; the service evaluates the artifacts against the baselines and reports back to the build whether the configuration is compliant.

What we have discussed so far is static analysis. Open Policy Agent (OPA) allows policy decisions to be made at run time, when a change is about to be applied.

Dynamic Analysis

OPA allows you to define policies against which an input document is evaluated. The result of the evaluation is an allow or a deny.

Rego policy that OPA will use (written in the rego.v1 syntax, which is the default from OPA 1.0):

package storage_account_public_access

import rego.v1

# Deny if public network access is enabled
deny contains msg if {
    input.resource.type == "azurerm_storage_account"
    input.resource.config.public_network_access_enabled == true
    msg := "Public network access to the storage account must be disabled."
}

The JSON output of the Terraform plan is sent to OPA, which checks whether public_network_access_enabled is set to true. If it is, the action is denied. Note that public_network_access_enabled (whether the account is reachable over its public endpoint) and allow_blob_public_access (whether containers may be configured for anonymous read) are separate settings; a hardened account disables both.
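The Rego above reads input.resource.type and input.resource.config, which is not the raw shape of `terraform show -json tfplan` output; something has to turn the plan's resource_changes into one input document per resource. The following is an added example (not part of the article) of such an adapter in Python, with the deny rule mirrored locally so the decision can be checked without an OPA server. The plan excerpt is constructed, and the "<unknown>" marker for attributes that Terraform cannot resolve until apply is this example's own convention.

```python
"""Adapter from `terraform show -json tfplan` to OPA input documents (added example, not the article's code)."""
import json
from typing import Iterator

# Constructed plan excerpt: one account created with public access on, one updated with it
# off, one destroyed, and one whose value is not known until apply.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account", "name": "logs",
         "change": {"actions": ["create"],
                    "after": {"name": "stlogs01", "public_network_access_enabled": True},
                    "after_unknown": {"id": True}}},
        {"address": "azurerm_storage_account.data", "type": "azurerm_storage_account", "name": "data",
         "change": {"actions": ["update"],
                    "after": {"name": "stdata01", "public_network_access_enabled": False},
                    "after_unknown": {}}},
        {"address": "azurerm_storage_account.old", "type": "azurerm_storage_account", "name": "old",
         "change": {"actions": ["delete"], "after": None, "after_unknown": {}}},
        {"address": "azurerm_storage_account.dyn", "type": "azurerm_storage_account", "name": "dyn",
         "change": {"actions": ["create"],
                    "after": {"name": "stdyn01"},
                    "after_unknown": {"id": True, "public_network_access_enabled": True}}},
    ],
})

UNKNOWN = "<unknown>"  # this example's marker for attributes Terraform cannot resolve at plan time


def opa_inputs(plan_json: str) -> Iterator[dict]:
    """Yield one document shaped like the Rego policy's `input` per resource that exists after apply.

    Deleted resources are skipped. Attributes listed in `after_unknown` (a tree mirroring the
    attribute structure, with `true` at unknown leaves) are filled in with UNKNOWN so the
    policy sees them instead of silently missing a key.
    """
    plan = json.loads(plan_json)
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["delete"] or change.get("after") is None:
            continue
        config = dict(change["after"])
        for attr, unknown in change.get("after_unknown", {}).items():
            if unknown is True:
                config.setdefault(attr, UNKNOWN)
        yield {"resource": {"address": rc["address"], "type": rc["type"],
                            "name": rc["name"], "config": config}}


def deny(input_doc: dict) -> list[str]:
    """Python mirror of the Rego deny rule, extended to refuse values unknown at plan time."""
    resource = input_doc["resource"]
    if resource["type"] != "azurerm_storage_account":
        return []
    value = resource["config"].get("public_network_access_enabled")
    if value is True:
        return ["Public network access to the storage account must be disabled."]
    if value == UNKNOWN:
        return ["public_network_access_enabled is not known until apply; set it to a literal false."]
    return []


def evaluate_plan(plan_json: str) -> dict[str, list[str]]:
    """Map each denied resource address to its messages; an empty dict means the plan may proceed."""
    results: dict[str, list[str]] = {}
    for doc in opa_inputs(plan_json):
        msgs = deny(doc)
        if msgs:
            results[doc["resource"]["address"]] = msgs
    return results


if __name__ == "__main__":
    denied = evaluate_plan(SAMPLE_PLAN)
    for address, msgs in denied.items():
        for msg in msgs:
            print(f"DENY {address}: {msg}")
    raise SystemExit(1 if denied else 0)
```

In a pipeline each document from opa_inputs() would be written to a file and evaluated against the real policy with `opa eval -d policy.rego -i input.json "data.storage_account_public_access.deny"`, or posted to a running OPA's data API. The unknown-value case matters in practice: a value computed from another resource is absent from the plan, and a policy that only tests `== true` would silently pass it.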

Cloud Security Posture Management

While code scanning helps to a certain extent, infrastructure resources can still be deployed through the GUI, through scripts that bypass IaC, and via other avenues. For these scenarios we need tools that continuously scan the organization's cloud environment and alert teams about misconfigurations. As per a recent survey, using a CSPM tool can reduce security incidents due to misconfigurations by 80%.

Providers like AWS and Microsoft offer services that monitor cloud environments and prioritize risk based on attack surface. With multi-cloud workloads growing, customers are looking for provider-agnostic tools; Prisma Cloud and Tenable have offerings in this space.

When selecting a solution in this space, prefer one with an agentless offering. An agentless solution scans the infrastructure through the cloud provider's APIs rather than deploying an agent on the resources.

Benefits of Agentless CSPM

  • Lower overhead: Because there are no agents, agentless solutions do not add compute or memory usage on cloud resources, reducing operational complexity.
  • Higher coverage: They can scan a larger number of services and resource types without being limited by where an agent can be installed.

Other features to look for in a CSPM are:

  • Automated remediation: Some tools go beyond detection and offer automated or semi-automated remediation workflows, reducing manual toil for teams.
  • Customization and scalability: No single solution can address all of an organization's needs, so choosing a platform that allows custom policy creation to extend its functionality is beneficial.

Conclusion

The increasing adoption of cloud services has expanded organizations' threat surface. Now more than ever, it is essential to invest in safeguards that prevent insecure configurations in your infrastructure, protecting your customers and your organization from cybersecurity threats.
