Infrastructure Misconfigurations With IaC Security – DZone – Uplaza

Infrastructure as Code (IaC) has become the de facto standard for managing infrastructure assets in many organizations. According to Markets and Markets, a B2B research firm, the IaC market is poised to reach USD 2.3 Billion by 2027.

What Is Infrastructure as Code?

Before IaC, a developer would use the cloud provider's GUI, clicking through different configurations and settings to provision a resource such as a Virtual Machine. When you need to provision a single instance, that is easy, but modern workloads are more than a single machine: thousands of VMs and hundreds of storage resources, and that is for one region. To achieve high availability, the same stamp must be created in multiple regions and availability zones. One way organizations automated this process was through scripts, though that had challenges such as versioning and, most significantly, the redundancy of every team repeatedly creating scripts from scratch.

Infrastructure as Code came as a solution to these problems. The term was first introduced in 2009 by Puppet, stating that new methods are required to scale infrastructure and adapt to growing software system complexity.

Example of an IaC code template:

{
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2022-09-01",
    "name": "[parameters('storageAccountName')]",
    "location": "[resourceGroup().location]",
    "sku": {
        "name": "Standard_LRS"
    },
    "kind": "StorageV2",
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "allowBlobPublicAccess": true
    },
    "resources": []
},

What we see above is an ARM (Azure Resource Manager) template to provision a storage account in Azure. Similarly, GCP and Amazon have their own templates. With multi-cloud gaining a lot of traction, vendor-agnostic products like Terraform are being used extensively.

We solved the scale and complexity problem, but the security problem remains. According to Gartner, by 2025, 99% of cloud security failures will be attributable to customer misconfigurations.

Security Risks With IaC

Increased Attack Surface

  • Because templates are shared to increase reusability, a small bug in a template affects all of its deployments.
  • For example: in the JSON above, allowBlobPublicAccess is set to true, which means any deployment using the template will have public access, which can be a security risk.

Excessive Privileges

  • Deploying infrastructure resources requires high privileges. If this identity is compromised, threat actors could gain privileged access to the environment.

So how can we help organizations keep their infrastructure secure?

Infrastructure as Code Security

The most basic way of identifying misconfigurations is through Static Code Analysis. Let's consider an example.

Imagine there is a baseline that states storage resources should not have public access.

Control Domain   | ASB Control Title                           | Guidance                                                                                                                                 | Responsibility
Network Security | Secure cloud services with network controls | Disable public network access by either using Azure Storage service-level IP ACL filtering or a toggle switch for public network access. | Customer

The baseline can be converted to code.

from typing import Any

# Base class and category enum from Checkov (assumed; the article does not show its imports).
from checkov.common.models.enums import CheckCategories
from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck


class StorageAccountDisablePublicAccess(BaseResourceValueCheck):
    def __init__(self) -> None:
        name = "Ensure that Storage accounts disallow public access"
        id = "DISABLE_PUBLIC_ACCESS"
        supported_resources = ("azurestorageaccount",)
        # The category is not stated in the article; NETWORKING matches the baseline's control domain.
        categories = (CheckCategories.NETWORKING,)
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_resources=supported_resources,
        )

    def get_inspected_key(self) -> str:
        # The property inspected on every supported resource.
        return "allowBlobPublicAccess"

    def get_expected_values(self) -> list[Any]:
        # The only value that satisfies the baseline.
        return [False]


check = StorageAccountDisablePublicAccess()

And your team uses Terraform to manage this resource.

resource "azapi_resource" "symbolicname" {
  type      = "Microsoft.Storage/storageAccounts@2023-01-01"
  name      = "string"
  location  = "string"
  parent_id = "string" # required by the AzAPI provider (the resource group's id); "string" is a placeholder like the other values
  identity {
    type         = "string"
    identity_ids = []
  }
  body = jsonencode({
    properties = {
      allowBlobPublicAccess = true # the misconfiguration the check above should flag
    }
  })
}

Static Analysis

The Terraform resource definition is evaluated against the baseline to ensure compliance, and this process can be integrated into build checks so that insecure configurations are not deployed to production. What we have done is a shift-left approach, notifying teams of misconfigurations during development rather than after deployment. This allows risk mitigation before changes are deployed.
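The following is an added example, not code from the article or from Checkov: a minimal static-analysis gate written in plain Python that applies the same baseline (allowBlobPublicAccess must be false) to an ARM template and returns a non-zero exit status for a build step. The sample template, the resource names in it and the treatment of a missing key are constructed for this illustration; it also normalizes "true"/"false" strings, which a jsonencode-built body or a parameter default can produce, so a misconfiguration cannot hide behind a string.

```python
"""Added example: a tiny ARM-template static check for the public-access baseline."""
import json
import sys
from typing import Any

# Baseline from the article: storage accounts must not allow blob public access.
INSPECTED_KEY = "allowBlobPublicAccess"
EXPECTED_VALUES = [False]
SUPPORTED_TYPES = {"Microsoft.Storage/storageAccounts"}

# Constructed ARM template: the article's storage account (non-compliant), a compliant
# one whose value arrived as a string, one that omits the key, and an unrelated resource.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01",
         "name": "[parameters('storageAccountName')]", "kind": "StorageV2",
         "properties": {"allowBlobPublicAccess": True}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01",
         "name": "logsstorage", "kind": "StorageV2",
         "properties": {"allowBlobPublicAccess": "false"}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01",
         "name": "nokey", "kind": "StorageV2", "properties": {}},
        {"type": "Microsoft.Network/virtualNetworks", "apiVersion": "2022-01-01",
         "name": "vnet", "properties": {}},
    ],
})


def normalize(value: Any) -> Any:
    """Map the strings "true"/"false" (any case) to booleans; leave other values alone."""
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return value


def evaluate_resource(resource: dict) -> tuple[str, str]:
    """Return (resource name, PASSED | FAILED | SKIPPED) for one template resource."""
    name = resource.get("name", "?")
    if resource.get("type") not in SUPPORTED_TYPES:
        return name, "SKIPPED"
    props = resource.get("properties") or {}
    if INSPECTED_KEY not in props:
        # Design choice for this example: a template that does not pin the setting
        # leaves it to the platform default, so treat it as a failure and force it explicit.
        return name, "FAILED"
    value = normalize(props[INSPECTED_KEY])
    return name, "PASSED" if value in EXPECTED_VALUES else "FAILED"


def scan_template(template_json: str) -> dict[str, str]:
    """Evaluate every resource in an ARM template; returns {resource name: result}."""
    template = json.loads(template_json)
    return dict(evaluate_resource(r) for r in template.get("resources", []))


def build_gate(template_json: str) -> int:
    """Exit status for a CI step: 1 if any resource FAILED, otherwise 0."""
    results = scan_template(template_json)
    for name, result in results.items():
        print(f"{result:8} {name}")
    return 1 if "FAILED" in results.values() else 0


if __name__ == "__main__":
    # Usage: python arm_gate.py template.json   (no argument: scans the constructed sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    sys.exit(build_gate(source))
```

Running it without arguments prints one line per resource and exits 1 because the article's resource fails; wiring that exit code into the build is the shift-left step the paragraph describes.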

The above diagram describes a more refined approach where there is an "IaC Security Service" that does the evaluation. In other words, the build process uploads the artifacts to a storage account and asks the security service to check for misconfigurations. The service then evaluates the artifacts against the baselines and notifies the build whether the configuration is compliant.

What we have discussed so far is Static Analysis. Open Policy Agent (OPA) enables run-time policy decisions.

Dynamic Analysis

OPA lets you define policies against which your input is evaluated. The result of the evaluation is an allow or a deny.

Rego policy, which OPA will use:

package storage_account_public_access

# Deny if public network access is enabled
deny[msg] {
    input.resource.type == "azurerm_storage_account"
    input.resource.config.public_network_access_enabled == true
    msg := "Public network access to the storage account must be disabled."
}

The JSON output from the plan is sent to OPA, which checks whether public_network_access_enabled is set to true. If it is, the action is denied.
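An added example, not from the article or the OPA project, showing the step the paragraph leaves implicit: the raw `terraform show -json` plan does not have the `input.resource.type` / `input.resource.config` shape the Rego policy reads, so something must build one input document per planned resource. The plan excerpt is constructed; the package path and the deny message are the article's. The block also evaluates the same rule locally so a pipeline can fail fast offline, and it returns the path and body it would send to OPA's Data API rather than making a network call.

```python
"""Added example: shape a Terraform plan into OPA inputs for the article's deny rule."""
import json
from typing import Any

POLICY_PACKAGE = "storage_account_public_access"  # package name from the article's Rego
DENY_MSG = "Public network access to the storage account must be disabled."

# Constructed excerpt of `terraform show -json tfplan`: one storage account with public
# network access enabled, one with it disabled, a deletion, and an unrelated resource.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "azurerm_storage_account.public", "type": "azurerm_storage_account",
         "name": "public", "change": {"actions": ["create"], "before": None,
         "after": {"name": "stpublic", "public_network_access_enabled": True}}},
        {"address": "azurerm_storage_account.private", "type": "azurerm_storage_account",
         "name": "private", "change": {"actions": ["create"], "before": None,
         "after": {"name": "stprivate", "public_network_access_enabled": False}}},
        {"address": "azurerm_storage_account.old", "type": "azurerm_storage_account",
         "name": "old", "change": {"actions": ["delete"],
         "before": {"name": "stold", "public_network_access_enabled": True}, "after": None}},
        {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
         "name": "rg", "change": {"actions": ["create"], "before": None, "after": {"name": "rg"}}},
    ],
})


def plan_to_opa_inputs(plan_json: str) -> list[dict[str, Any]]:
    """One OPA input document per planned resource, in the shape the Rego policy reads:
    input.resource.type and input.resource.config.<attribute> (the post-apply 'after' state).
    Deletions are skipped because there is no resulting state to police."""
    plan = json.loads(plan_json)
    docs = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue
        docs.append({"resource": {"address": rc["address"], "type": rc["type"],
                                  "config": change.get("after") or {}}})
    return docs


def opa_request(doc: dict[str, Any]) -> tuple[str, str]:
    """(path, body) for OPA's Data API: POST /v1/data/<package>/deny with {"input": doc}.
    A non-empty "result" array in OPA's response means the resource is denied."""
    return f"/v1/data/{POLICY_PACKAGE}/deny", json.dumps({"input": doc})


def local_deny(doc: dict[str, Any]) -> list[str]:
    """Python mirror of the article's deny rule, used as an offline pre-check.
    Like Rego's `== true`, only a real boolean true matches, not the string "true"."""
    res = doc["resource"]
    if res["type"] == "azurerm_storage_account" and res["config"].get("public_network_access_enabled") is True:
        return [DENY_MSG]
    return []


def gate_plan(plan_json: str) -> dict[str, list[str]]:
    """Resource address -> deny messages for every planned resource that violates the policy."""
    return {d["resource"]["address"]: msgs
            for d in plan_to_opa_inputs(plan_json) if (msgs := local_deny(d))}


if __name__ == "__main__":
    for address, msgs in gate_plan(SAMPLE_PLAN).items():
        print(f"DENY {address}: {'; '.join(msgs)}")
    path, body = opa_request(plan_to_opa_inputs(SAMPLE_PLAN)[0])
    print(f"POST {path}\n{body}")
```

Whether the local mirror or OPA itself renders the verdict, the policy text stays in Rego as the single source of truth; the mirror exists only so a developer's machine can reject the plan before any service call, and any drift between the two is caught by sending the same input documents to OPA in CI.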

Cloud Security Posture Management

While code scanning will help to a certain extent, infrastructure resources can still be deployed using the GUI, scripts (without IaC), and other avenues. For these scenarios, we need tools that continuously scan the organization's cloud environment and alert teams about misconfigurations. As per a recent survey, using a CSPM tool can reduce security incidents caused by misconfigurations by 80%.

Providers like AWS and Microsoft offer services that monitor cloud environments and prioritize risk based on attack surface. With multi-cloud workloads growing, customers are looking for provider-agnostic tools. Prisma Cloud and Tenable have offerings in this space.

When selecting a solution in this space, it is preferable to choose one with an agentless offering. An agentless solution scans the infrastructure through the cloud provider's API, rather than deploying an agent on the resources.

Benefits of Agentless CSPM

  • Lower overhead: Because there are no agents, agentless solutions do not introduce extra compute or memory usage on cloud resources, reducing operational complexity.
  • Wider coverage: These solutions can scan a larger number of infrastructure resources and services without being limited by the restrictions or the scope of agents.

Other features to look for in CSPM are:

  • Automated remediation: Some tools go beyond detection and offer automated or semi-automated remediation workflows, reducing manual toil for the teams.
  • Customization and scalability: No single solution can address all of an organization's needs. Therefore, selecting a platform that allows custom policy creation to extend its functionality can be beneficial.

Conclusion

The growing adoption of cloud services has expanded the threat surface for organizations. Now, more than ever, it is essential to invest in safeguards that prevent insecure configurations in your infrastructure, protecting your customers and your organization from cybersecurity threats.
