Why IaC Security Should Matter to CISOs

February 28, 2022 TH Author Trend Micro CISO : Article, Trend Micro CISO : Cloud, Trend Micro CISO : Compliance, Trend Micro CISO : Expert Perspective

Speed is the name of the game for organizations building in the cloud. And in order to meet increasingly demanding deadlines, many DevOps teams are turning to infrastructure as code (IaC) to spin up new projects at scale—but are they doing so securely? This article looks at IaC security challenges and how CISOs can choose the right cloud security tool to support quick development and drive innovation.

What is IaC?

Infrastructure as code (IaC), as the name suggests, is the creation and managing of infrastructure through code—essentially establishing a pre-configured infrastructure template that can be consistently deployed to build apps. This is an evolution from the “old days”, where system admins were tasked with manually managing and configuring all the needed hardware and software to run apps.

IaC security challenges

There’s a reason—in fact, several—why IaC continues to grow in popularity for cloud builders; speed, control, and consistency just to name a few. But since anything using the internet can be exploited, that means IaC poses security risks as well. Here are two key challenges:

1. Complex environments and compliance requirements

Enterprises using a hybrid- or multi-cloud environments face unique challenges and security teams often lack the visibility needed to track and manage IaC templates across different environments and cloud providers.

While IaC is great for spinning up new infrastructure at scale, it’s pertinent these templates are configured to abide by the compliance requirements of that specific cloud/on-prem environment’s as well as the location of the builders. For example, if one team is building in Europe and another in Asia, the same IaC template cannot be deployed and considered secure or compliant due to differing compliance regulations.

2. IaC drift

Misconfigurations can not only lead to compliance gaps, but drift as well. IaC drift is when configurations change from predetermined build-time states, unbeknownst to those DevOps and SecOps teams. This can be due to developers deploying and changing the template in a testing environment and forgetting to “reset” it back to its original state before using it in production. The smallest undetected change to a template gives malicious actors the opportunity to infiltrate the exposed cloud asset.

Solving IaC security challenges

Yes, there are several products that only address IaC security, and while this is great, adding another point product to your security stack will further complicate visibility. Look for a unified cybersecurity platform with capabilities that address multiple security concerns such as IaC. Think of it like two birds, one stone, but less morbid.

Convincing the board to invest can be challenging, so try to speak their language by showing how security enables business. By investing in a cybersecurity platform, you’re not just stopping threats, but enabling a DevOps culture which will inherently minimize risks and maximize efforts to meet business objectives.

Okay, so what should you look for in a cybersecurity platform? Look for capabilities that help you better understand, communicate, and mitigate cyber risk within the three phases of an effective security strategy (detection, correction, and prevention) without impacting or interrupting security and development teams.

Phase 1: Detection

The goal of this phase is to understand potential risks by establishing the “what” and “who” of your environment. You need comprehensive visibility to notify security teams of critical misconfigurations. Key word: critical. The platform should use extended detection and response (XDR) capabilities to collect and correlate data across all the components in a IaC template, therefore reducing false alerts and enabling security teams to drill down into top priority concerns.

Phase 2: Correction

In this phase, the platform should leverage auto-remediation to quickly fix configurations without burdening security and development teams. Customizable APIs and post-scan actions are crucial to encouraging collaboration and communication between teams. Remember, the platform shouldn’t be seen as a gatekeeper, but as an enabler for more efficient risk management.

Phase 3: Prevention

You can never stop a cybercriminal from attempting to attack you, but you can mitigate associated risks by making it more difficult. Make sure the platform takes a start left approach by scanning templates before they’re pushed to production, allowing security and development teams to make any necessary changes. The scans should not only alert teams of any misconfigurations, but also auto-check templates against relevant compliance requirements and industry best practices. Lastly, look for a platform that provides real-time feedback to engineers as they create IaCs to help them learn as they go and fine-tune their skills.

Next steps

For more insights on how a cybersecurity platform can help you understand, communicate, and mitigate risks, check out these resources:

You May Also Like

Defend Against Cyber Espionage Attacks

Accelerating Security Risk Management

How CISOs can Mitigate Cryptomining Malware