Prevention is better than cure is a well-used phrase attributed to the Dutch philosopher Desiderius Erasmus some 500 year ago and has now become the fundamental principle behind modern healthcare. We’ve all seen and experienced recently how unexpected events can cause immense damage and we have to use all our resources, at great expense, to limit that damage and try and cure the infection. Only later, are we able to focus on the underlying causes to prevent this occurring again.
We can see parallels in cloud security. There has been migration en masse to the cloud for its multitude of benefits, which has been accelerated with new working conditions and the need to work remotely and/or at home following the events mentioned above. Security though has often been overlooked in the rush resulting in misconfigurations and vulnerabilities that can be exposed by ever more sophisticated security threats. With the average cost of a security breach running into the millions of dollars, many enterprises have turned to cloud security platforms that can provide the insight and visibility to secure their cloud infrastructure and prevent any damage before it is done.
But now in cloud security we need to take a step back, or more accurately, to the left.
Infrastructure as code (IaC) is most widely adopted by organisations to easily manage and provision their infrastructures on cloud and automate their deployment process. As a new technology, it is quickly evolving and this is only matched by the pace it is being adopted by organisations – up to 90% of companies use IaC in some form.
The ease and speed in which IaC provisions infrastructure is impressive and one of the main reasons for its popularity, but it can be a double-edged sword. That same speed and ease accentuates the possibility of making mistakes. The saying `More haste, less speed` comes to mind, but cloud is a fast-moving environment and with the constant changes IaC presents, security professionals are struggling to cope.
These challenges mean IaC can contain numerous errors, vulnerabilities and misconfigurations which can be an open invitation for today’s complex security threats to expose an organisation’s cloud environment. For example, recent analysis of IaC templates identified 200,000 files that contained insecure configuration options, 43% of data warehouses weren’t encrypted and 65% of cloud storage services didn’t have logging enabled.
There now exists a real urgency to prevent infrastructure misconfigurations at the IaC level. Organisations need to prioritise shift-left security – to find security and compliance vulnerabilities at the earliest point in the build process and secure IaC templates before deployment.
Their primary requirement is the need for continuous security assessment and monitoring to prevent bad infrastructure from actually getting created in the first place. But must also include areas such as maintaining coding standards and ensuring compliance is assessed and met, to name but a few.
Incidentally, Security Administrators in most enterprises are struggling with the number of security alerts with upwards of 25,000 generated from the cloud. Some of these alerts constitute a risk, whereas some are cloud compliance best practices and as an organization expands its footprint in the cloud – more cloud accounts, multi-cloud, etc – the number of security alerts will compound. Risk prioritization can help identify high-risk alerts, but who really wants to deal with 25,000+ open alerts, or more every day?
The best and most effective way to solve this would be to take the same set of controls that would be enforced on live cloud infrastructure and apply it on IaC templates. That one process will drastically cut down the number of security alerts that get to a Production or live cloud environment.
So we could argue that the traditional security tools and processes available lack the competency to address the complex task in hand in the IaC domain. To successfully secure IaC, security tools must inform, guide and simplify. Any solution should investigate the cause of issues and provide developers recommendations on how to repair their IaC vulnerabilities, whilst not hindering their work but act as the guardrail every security team needs.
With an effective IaC security solution following these principles that can detect security and compliance concerns early in the build process and prevent the creation of flawed infrastructure, should mean your cloud infrastructure will be fighting fit at deployment and won’t need to be nursed back to health in its infancy.