Scaling in the cloud? IaC and DevSecOps are here to help

The cloud presents a ton of opportunities for flexibility, performance and scale.

With scale, however, comes a whole new type of challenge.

As you start to work at scale in the cloud, you’ll undoubtedly encounter challenges with agility, complexity, resource constraints and risk. But when you use technologies and processes like infrastructure as code (IaC) and DevSecOps in tandem, you can simultaneously address those challenges and adopt a secure by default approach to cloud development.

Let’s walk through how IaC and DevSecOps best practices can help you efficiently scale in the cloud. But first, let’s take a step back and talk about the automation benefits of IaC.

Infrastructure as code: The secret to cloud scale

One of the first problems you’ll encounter as you scale is how to efficiently and reliably manage cloud resources. Traditional approaches to cloud development require manually configuring cloud resources using your cloud service provider’s console. As your team spins up more and more cloud resources, this manual approach becomes impractical, if not impossible.

With IaC, you can automate this process so that you no longer have to manually configure cloud resources. Instead, you can write the specifications for your resource configurations in code to automatically spin up resources across multiple instances and environments, all while ensuring that all those resources are configured exactly the same way each time.

The best part about IaC is that you can leverage it for more than just improving your deployment efficiency. When paired with DevSecOps best practices, IaC can help you proactively tackle security problems that come with working at scale in the cloud, like agility, complexity, efficiency and risk.

Let’s dive into how that works.

Strengthen your agility as you work at scale

For fast-moving teams, agility is critical. But remaining agile while expanding your cloud operations can be difficult—especially because your risk profile changes significantly as you scale. To manage these challenges, it’s important to proactively adopt streamlined processes to keep your team nimble as you grow. That’s where IaC comes in.

One way IaC enables agility is through automated resource tagging. Resource tags provide valuable information that aids in managing the cloud. But as you add more cloud resources to your organization, it’s easy to get overwhelmed and disorganized without an automated tagging strategy. Tagging is especially important if you use IaC because it enables you to trace resources from code to cloud. With automated tagging tools—such as our open source tool Yor—embedded into your DevOps workflows, it’s easy to consistently and automatically tag your resources across all your repositories and organizations.

IaC also enables agility through open source. Public, open source repositories such as the Terraform Registry allow teams to integrate reusable modules into their codebase so they don’t have to reinvent the wheel. Open source modules help reduce the amount of time it takes you to stand up infrastructure and therefore deploy resources more quickly and are a best practice for remaining agile in the cloud.

However, open source modules have one big drawback—they are not typically written and shared with security in mind. Research from Unit 42 found that 63% of open source IaC templates contain misconfigurations, so any team looking to use open source modules needs to be strategic about working through these security issues. Adopting IaC and DevSecOps best practices is a great place to start to help teams systematically address misconfigurations. We’ll get into the details later.

Because IaC blurs the lines between applications and infrastructure, it puts more cloud security responsibility on developers. With the right approach, IaC security is mutually beneficial and ultimately can reduce friction between teams as they scale in terms of accountability and headcount. And if you’re able to build and maintain a team culture that values continuous improvement as you work at scale in the cloud, you’ll be well prepared to handle any issues that come your way.

Simplify security with IaC and DevSecOps best practices

Scaling in the cloud is easier than buying more servers or racks, but as you create more and more resources, you’ll soon see that as your cloud environment becomes more complex, so too does your security. To get a handle on this changing landscape and build a strategy that simplifies your cloud security, you’ll need to leverage IaC and DevSecOps.

To start, you’ll want to define how you will manage your IaC. Because IaC is code (it’s in the name 😜), it can be version controlled and tested just like any other code. Employing version control is a must as more developers join your team and as you expand your cloud operations. Version control systems (VCS) like GitHub and GitLab not only allow you to easily track who is making changes and when, but also provide a solid foundation for adding testing such as security scanning. As you use both IaC and DevSecOps, your goal is to iteratively test and automate deployments to ensure quality. But if an issue does make its way to production, version control also makes it easy to roll back to your secure cloud configurations.

When leveraging IaC, it’s also best practice to follow the principle of GitOps wherein your Git repository is the single source of truth for all of your cloud resources. As your cloud development team grows, it’s important to have a single, version controlled and secure mechanism to provision and manage cloud resources. When changes are made out-of-band from IaC, you create a disparity known as drift between cloud resources and the IaC resources that initially provisioned them. You’ll want to avoid these out-of-band changes, since they undermine the benefits of IaC.

Make security more efficient with DevSecOps best practices

Moving to the cloud promises benefits like increased flexibility and—if done right—cost savings. But cloud security involves additional steps that can be manual and repetitive, especially when IaC is involved. Not having an automated or strategic approach to your IaC security can introduce challenges like the IaC misconfiguration snowball effect, in which one IaC misconfiguration can snowball into tons of policy violations (and, thus, security alerts) across deployments and environments. Scaling teams need to adopt an efficient and proactive approach to managing these challenges if they want to remain flexible in the cloud. This is where shift left security, or DevSecOps, comes in.

Adopting DevSecOps best practices and principles while working at scale in the cloud will enable you to fix misconfigurations and vulnerabilities as early in the DevOps lifecycle as possible. At the end of the day, the goal of shifting left is to enable your team to identify and remediate misconfigurations before they are deployed into the cloud. DevSecOps best practices also introduce efficiencies while working at scale, but you’ll only see their full benefits if you embed them into your existing processes.

When paired with DevSecOps best practices, IaC security aims to automatically integrate IaC scanning into your team’s day-to-day. With IaC scanning tools like our open source IaC scanner Checkov, you can scan IaC files for misconfigurations via IDE plugins, CLI tools, VCS integrations or CI/CD steps. When you scan your IaC files at each phase of the DevOps lifecycle, you get iterative feedback and can help your team avoid costly fixes later in the development lifecycle.

Automating as many security tasks as possible is your main priority as you expand operations in the cloud. As you scale, your developers will have less time to remediate security issues and therefore any actions you can take to reduce the friction they face while remediating issues is key. If you shift left by embedding security into developer tools and surfacing feedback when code is written, you’ll be able to streamline your security processes and see efficiency gains.

Reduce your risk by improving your cloud visibility and security

The unfortunate reality of working at scale in the cloud is that as you expand your cloud footprint, you also grow your attack surface. With more and more resources in the cloud, there are more potential weaknesses and attack entry points across your software supply chain. Employing some basic best practices to gain visibility and harden your pipelines can help you avoid major supply chain security risks.

Ultimately, your goal is to have complete visibility from code to cloud so that you can properly assess and manage risks. Identifying all potential weaknesses within your cloud enables you to proactively harden your infrastructure, but getting code to cloud visibility can be challenging. To get started, you’ll want to analyze each component of your codebase and cloud infrastructure to identify potential sources of weakness. In addition to your IaC files, components include your Kubernetes manifests, container images and other open source dependencies. Once you’re able to assess potential weaknesses in each of these areas, your team can develop a plan to address weaknesses in build-time before they become runtime security issues.

In addition to weaknesses in code components, the pipelines—VCS, CI/CD pipeline and registries—required to manage IaC and deliver resources at scale can also be a target. For example, if your VCS does not enable multifactor authentication, single sign-on (SSO), signed commits or branch protection rules, then your VCS is vulnerable and could be exploited by bad actors to access your IaC files. Bad actors could also exploit overly permissive roles in your CI/CD pipeline if you don’t enable roles scanning and right-sizing.


Adopting IaC and DevSecOps best practices while your team scales its operations in the cloud is essential if you want to build an efficient, well-managed cloud security strategy. With this approach, you can shift security left and ship code that’s secure by default.

Interested in learning more about how to foster collaboration between security and development teams? Check out this panel discussion, where the industry’s leading experts in security talk DevOps and automating cloud security at scale.