As infrastructure as code (IaC) adoption rises and more companies come out of the woodwork to address IaC security, we often find ourselves discussing the challenges that come along with IaC.
IaC, similar to any other emerging technology, can introduce new ambiguities about where infrastructure is being provisioned, who owns it, and how it’s being governed. As we’ve learned, those complexities can result in security errors and misconfigurations that can eventually lead to real-world risk. Our goal as a security industry is to help teams mitigate those risks. But we also want to show teams that IaC isn’t just a source of risk, but also a huge opportunity to transform the way teams keep their infrastructure secure.
By transforming manual infrastructure configurations into machine-readable templates, IaC makes it so that all compute, storage, and networking services can be deployed the same exact way every time. That level of consistency across resources and environments enables you to provision infrastructure faster and with less manual effort. It also aids in maintaining high-quality standards, security best practices, and compliance with industry benchmarks.
Codified infrastructure provides the foundation for automation and testing—both of which are crucial for DevSecOps. For today’s multicloud, multiframework teams, it’s unrealistic to expect every infrastructure engineer—or even your security engineers—to stay up to date on every single cloud security policy and best practice.
Implementing policy enforcement through programmatic IaC scanning paves the way for unprecedented depth in security coverage and minimizes the risk of human error. Introducing that scanning into automated testing processes and build pipelines is also a benefit of IaC. By enabling continuous feedback earlier in the development lifecycle, IaC has the ability to turn previously reactive cloud security efforts into proactive IaC security processes.
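As an added illustration of the policy enforcement described above (example code, not from the original post or any particular scanner), the script below runs two policies over a Terraform plan in the `terraform show -json` layout and exits non-zero on a violation so a pipeline stage fails before anything is deployed. The plan content, policy names and resource addresses are constructed for the demo.

```python
import json
import sys

# Constructed sample plan (terraform show -json shape): one public S3 bucket,
# one security group with SSH open to the world, and one compliant bucket.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "example-logs", "acl": "public-read"}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"]}]}},
        {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
         "values": {"bucket": "example-private", "acl": "private"}},
    ]}}})


def check_s3_public_acl(resource):
    """Policy 1: S3 buckets must not use a public canned ACL."""
    if resource["type"] == "aws_s3_bucket":
        acl = resource.get("values", {}).get("acl", "private")
        if acl in ("public-read", "public-read-write"):
            return f"{resource['address']}: ACL '{acl}' exposes the bucket publicly"
    return None


def check_sg_world_ssh(resource):
    """Policy 2: no ingress rule may open port 22 (or all traffic) to 0.0.0.0/0."""
    if resource["type"] == "aws_security_group":
        for rule in resource.get("values", {}).get("ingress", []):
            world = "0.0.0.0/0" in rule.get("cidr_blocks", [])
            all_traffic = rule.get("protocol") == "-1"  # AWS: -1 means any protocol
            covers_ssh = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 65535)
            if world and (all_traffic or covers_ssh):
                return f"{resource['address']}: SSH (22) ingress open to 0.0.0.0/0"
    return None


POLICIES = (check_s3_public_acl, check_sg_world_ssh)


def scan_plan(plan_json: str) -> list:
    """Run every policy over every planned resource; return the findings."""
    plan = json.loads(plan_json)
    resources = plan["planned_values"]["root_module"].get("resources", [])
    return [f for r in resources for f in (p(r) for p in POLICIES) if f]


if __name__ == "__main__":
    # In CI: `terraform show -json plan.out | python scan.py`; exit 1 fails the stage.
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    findings = scan_plan(src)
    print("\n".join(findings) or "no policy violations")
    sys.exit(1 if findings else 0)
```

Each policy is a plain function, so a team can keep its own checks next to its own workflow while the pipeline stage stays identical across environments.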
Cost and time savings
In addition to improving consistency, IaC makes it easier to apply configuration across a rapidly growing number of resources and environments, allowing engineers to spend less time doing repetitive, manual work. With IaC, it’s also much easier to de-provision infrastructure when it’s not in use, decreasing overall computing costs and maintenance expenses.
Those time and cost-savings benefits also apply to IaC security.
Without IaC, cloud security typically happens outside of the development lifecycle, where cloud security tools monitor already-deployed resources for errors. When issues are surfaced, they get prioritized against new features and customer requests and are then scheduled alongside other bug fixes. That might not be so bad if you’re fixing a handful of issues for an upcoming SOC2 audit. But for teams with robust cloud environments and a CSPM, we’re probably talking hundreds—if not thousands—of misconfigurations that need to be addressed.
Although we know how important that feedback and visibility are, we also know how expensive and time-consuming remediations can be for engineering. By shifting cloud provisioning left, IaC can also shift cloud visibility and security left. Addressing errors before they’re deployed saves you time chasing down bugs in production. Fixing issues earlier in the development cycle also means less context switching and frustration for engineers.
Collaboration between Security and DevOps
When cloud security is shifted left, it also becomes more accessible to engineering and DevOps teams. With IaC, security is becoming more and more of a software challenge. To maintain a strong cloud security posture over time as new infrastructure is provisioned, new features are built, and new technologies are adopted, security needs to be a collaborative effort.
IaC encourages collaboration between developers and operators by introducing a common language. By moving infrastructure governance into a centralized place and transforming one-off configuration into repeatable components, IaC helps keep everyone on the same page. IaC also introduces a single source of truth across cloud providers, compliance benchmarks, and security best practices.
It also supports customizability, which is crucial for teams working with infrastructure across disciplines. Each workflow will have different requirements and goals, and each team should be able to govern those workflows on their own.
At this point, it’s clear that IaC adoption is inevitable. Although we’re still figuring out how to fully embrace IaC to keep our infrastructure secure, it presents both opportunities and challenges. Understanding its risks is important, but embracing its benefits is the key to successful cloud DevSecOps.
This post originally appeared on The New Stack.