Organizations are rapidly adopting Infrastructure as Code (IaC) to automate the process of deploying, configuring, and decommissioning cloud-based infrastructure. IaC helps to avoid configuration drift through automation and increases the speed, consistency, and agility of infrastructure deployments—as compared to traditional IT infrastructure—by allowing it to be defined as code and also enabling repeatable deployments across environments. But, like many new technologies and processes, organizations must follow several best practices to ensure that they don’t introduce new security risks into their cloud deployments with IaC.
As IaC usage grows across teams, the chances of configuration errors and other mistakes grow with it, and those mistakes become security loopholes. Developers have strong expertise in building applications, but their experience with provisioning, testing, and securing infrastructure as code varies. Because templates are reused, a minor configuration error in IaC can quickly propagate the same misconfiguration across the entire cloud estate, turning an isolated issue into a widespread weakness. Adhering to a few key IaC security best practices is an effective way to protect infrastructure against the resulting risk of cyberattacks and breaches.
Here are some of the security best practices for IaC that can be easily integrated into the development lifecycle:
During IaC operations, it is necessary to identify, tag, monitor, and maintain an inventory of deployed assets. Untagged resources deserve particular attention: without tags they cannot be tied to an owner, an environment, or the template that created them, so they are easy to lose track of and tend to become orphaned or to drift from the declared configuration. Whenever resources are retired, their associated configuration must be removed from the templates, and any data they held must be securely deleted or migrated.
The templates are the most critical element of IaC, and they are also where insecure defaults and misconfigurations most often originate, for example a storage bucket left publicly readable or a database created without encryption at rest. By integrating checks into developer and DevOps workflows, and regularly scanning IaC templates for misconfigurations, insecure default settings, publicly accessible cloud storage, or unencrypted databases, developers can find and remediate issues before they reach production environments.
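As an added example of the kind of template check described above (this is illustrative code, not Zscaler's scanner and not code from the original page), the Python below runs a small rule set over the JSON that `terraform show -json` produces for a plan. The rules cover the cases the text names (public storage, an unencrypted database, SSH open to the internet) plus the tagging requirement from the inventory point earlier on the page, and the `gate` function implements the build-failing severity threshold the page mentions later. The sample plan, the rule set, the severity ranks, and the required tag names are all constructed or assumed for illustration.

```python
"""Minimal IaC policy scanner over a Terraform plan (terraform show -json output).

Constructed example: the rule set and the sample plan are illustrative, and the
plan is trimmed to the fields the rules inspect.
"""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
REQUIRED_TAGS = ("owner", "environment")   # assumed tagging standard

# Constructed sample: same shape as `terraform show -json tfplan`.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {
             "acl": "public-read", "tags": {"owner": "platform"}}}},
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {
             "storage_encrypted": False,
             "tags": {"owner": "app-team", "environment": "prod"}}}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["update"], "after": {
             "ingress": [{"from_port": 22, "to_port": 22,
                          "cidr_blocks": ["0.0.0.0/0"]}],
             "tags": {"owner": "platform", "environment": "prod"}}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ]
})


def rule_public_bucket(res, after):
    if res["type"] == "aws_s3_bucket" and after.get("acl", "private") in (
            "public-read", "public-read-write"):
        yield "HIGH", "S3 bucket ACL grants public access"


def rule_unencrypted_db(res, after):
    # An absent storage_encrypted attribute is treated as unencrypted.
    if res["type"] == "aws_db_instance" and not after.get("storage_encrypted", False):
        yield "HIGH", "RDS storage is not encrypted at rest"


def rule_open_ssh(res, after):
    if res["type"] == "aws_security_group":
        for rule in after.get("ingress", []):
            if (rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
                    and "0.0.0.0/0" in rule.get("cidr_blocks", [])):
                yield "HIGH", "security group exposes SSH to the internet"


def rule_required_tags(res, after):
    tags = after.get("tags") or {}
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        yield "LOW", f"missing inventory tags: {', '.join(missing)}"


RULES = (rule_public_bucket, rule_unencrypted_db, rule_open_ssh, rule_required_tags)


def scan_plan(plan_json):
    """Return [(address, severity, message)] for every rule hit in the plan."""
    findings = []
    for res in json.loads(plan_json)["resource_changes"]:
        after = res["change"]["after"]
        if "delete" in res["change"]["actions"] or after is None:
            continue  # nothing will exist after apply, so nothing to check
        for rule in RULES:
            for severity, msg in rule(res, after):
                findings.append((res["address"], severity, msg))
    return findings


def gate(findings, fail_on="HIGH"):
    """CI gate: True (pass) unless some finding reaches the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK[sev] < threshold for _, sev, _ in findings)


if __name__ == "__main__":
    results = scan_plan(SAMPLE_PLAN)
    for address, severity, message in results:
        print(f"[{severity}] {address}: {message}")
    # Non-zero exit fails the pipeline step that runs this script.
    sys.exit(0 if gate(results, fail_on="HIGH") else 1)
```

Run against a real plan with `terraform show -json tfplan > plan.json` and feed the file contents to `scan_plan`; deleted resources are skipped because nothing remains to be checked after apply, and the exit status is what makes the check enforceable in CI.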
The earlier an issue is identified, the faster it can be addressed. Zscaler has built native integrations into development tools, such as VS Code, as well as into a broad range of the most popular version control systems and CI/CD tools. The result? Security alerts are raised as soon as issues are identified, directly in native tools and workflows.
Ideally, the configuration of every environment matches what its templates declare. In practice, application owners sometimes modify their applications and the underlying infrastructure directly, for example through the cloud console or CLI. As those out-of-band changes accumulate, the observed state actually running in the cloud diverges from the intended state specified in the IaC template; this divergence is configuration drift. Left unchecked, drift can leave the infrastructure exposed and open gaps in security and compliance, and fixing it after the fact can be complicated and expensive in terms of business downtime. Converging IaC scanning and CSPM onto a single platform helps here because the declared state and the observed state can be compared continuously, so drift is identified, remediated, and kept to a minimum.
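The comparison described above, as an added example that is not part of the original page and not Zscaler's product code: the Python below compares a declared state (what the templates define) with an observed state (what a cloud inventory or API would report) and lists every difference, including resources created outside IaC and resources deleted out of band. Both state snapshots and the SERVER_ASSIGNED list of attributes to ignore are constructed for illustration.

```python
"""Configuration drift check: declared state (IaC) vs observed state (cloud).

Constructed example. DECLARED stands in for what the templates define;
OBSERVED stands in for what a cloud inventory or API call reports.
"""
from dataclasses import dataclass

# Attributes the cloud assigns after apply; a difference here is not drift.
# Assumed list; extend it for the provider in use.
SERVER_ASSIGNED = {"id", "arn", "creation_date"}

DECLARED = {
    "aws_security_group.web": {
        "ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["10.0.0.0/8"]}],
        "tags": {"owner": "web-team"},
    },
    "aws_s3_bucket.logs": {"acl": "private", "versioning": True},
    "aws_iam_role.deploy": {"max_session_duration": 3600},
}
OBSERVED = {
    "aws_security_group.web": {
        "id": "sg-0abc",
        # Someone widened the ingress rule in the console after deployment.
        "ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}],
        "tags": {"owner": "web-team"},
    },
    "aws_s3_bucket.logs": {"id": "logs", "acl": "private", "versioning": True},
    # Not in any template: created by hand and never imported.
    "aws_instance.debug": {"id": "i-0123", "instance_type": "t3.micro"},
}


@dataclass(frozen=True)
class Drift:
    address: str       # resource address, e.g. "aws_security_group.web"
    path: str          # dotted attribute path; "" for a whole resource
    declared: object   # None when the resource exists only in the cloud
    observed: object   # None when the resource exists only in code


def _flatten(value, prefix=""):
    """Flatten nested dicts/lists into {dotted.path: leaf} for comparison."""
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = ((str(i), v) for i, v in enumerate(value))
    else:
        return {prefix: value}
    flat = {}
    for key, val in items:
        flat.update(_flatten(val, f"{prefix}.{key}" if prefix else str(key)))
    return flat


def detect_drift(declared, observed):
    """Compare two {address: attributes} maps and return every Drift found."""
    drifts = []
    for address in sorted(set(declared) | set(observed)):
        if address not in observed:           # deleted out of band
            drifts.append(Drift(address, "", declared[address], None))
            continue
        if address not in declared:           # created outside IaC
            drifts.append(Drift(address, "", None, observed[address]))
            continue
        want, have = _flatten(declared[address]), _flatten(observed[address])
        for path in sorted(set(want) | set(have)):
            if path.split(".")[0] in SERVER_ASSIGNED:
                continue
            if want.get(path) != have.get(path):
                drifts.append(Drift(address, path, want.get(path), have.get(path)))
    return drifts


def triage(drift):
    """Suggested handling, so the drift report doubles as a remediation list."""
    if drift.path == "":
        if drift.observed is None:
            return "missing in cloud: re-apply the template"
        return "unmanaged resource: import it into IaC or decommission it"
    return "changed out of band: review, then re-apply to restore the declared value"


if __name__ == "__main__":
    for d in detect_drift(DECLARED, OBSERVED):
        where = f"{d.address}.{d.path}" if d.path else d.address
        print(f"{where}: declared={d.declared!r} observed={d.observed!r} -> {triage(d)}")
```

The security group finding is the one to worry about: the template still says 10.0.0.0/8, the cloud says 0.0.0.0/0, and nothing in the repository history explains the change. Re-applying the template reverts it, but the triage text deliberately says to review first, since an out-of-band change may have been an emergency fix that needs to be carried back into the code rather than silently undone.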
Secrets such as cloud access keys and secret keys, API keys, SSH and other private keys, and database passwords hardcoded in IaC give anyone who obtains the code direct access to the underlying services and a foothold for lateral movement. Hardcoded secrets are commonly mismanaged and can be uncovered with little effort, and once IaC code containing them is committed to source control (e.g. GitHub) they remain in the repository history even after the offending line is removed. The best approach is therefore to prevent hard-coded secrets from ever entering the version control system: scan commits before they are merged into the main branch and/or flag the presence of secrets to the developer in the IDE, and have templates reference a secrets manager at deploy time instead of embedding values. Any secret that does reach a shared repository should be treated as compromised and rotated.
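The pre-merge scan described above, as an added example that is not part of the original page or of Zscaler's product: a small Python scanner that flags credential patterns and high-entropy literals in IaC files, shown against a Terraform snippet with embedded secrets and against a hardened version that pulls the database password from a secrets manager. The Terraform snippets, the patterns, the entropy threshold, and the placeholder exclusions are all constructed or assumed for illustration; the access key and secret key values are the well-known placeholder values from the AWS documentation, not live credentials.

```python
"""Pre-merge secret scan for IaC files: credential patterns plus an entropy check.

Constructed example. scan_text() can be called from a pre-commit hook on the
staged files, or from a CI step on the files touched by a pull request.
"""
import math
import re
import sys
from collections import Counter

PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # password = "..." / secret_key: "..." with a quoted literal of 8+ chars.
    # The lookahead skips *_id / *_name / *_arn, which reference a secret by
    # name rather than embedding it (e.g. a secrets-manager secret_id).
    "hardcoded-credential": re.compile(
        r"""(?i)\w*(?:password|passwd|secret|token|api_?key)(?!_id\b|_name\b|_arn\b)"""
        r"""\w*\s*[:=]\s*["']([^"']{8,})["']"""),
}
# Quoted literals long enough to be a key or token; checked by entropy only
# when no pattern above already fired on the line.
QUOTED_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune per repo

# Constructed sample with secrets embedded (AWS documentation placeholder keys).
SAMPLE_TF = '''\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "app"
  password = "Sup3r-S3cret-Pa55!"
}

locals {
  signing_key = "Qz7L0pX4vN9kR2mW8sT1yB5cF3hJ6dGa"
}

variable "ssh_key" {
  default = <<EOT
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----
EOT
}
'''

# Constructed hardened version: no provider keys (the CI runner role is used)
# and the password is read from Secrets Manager at apply time.
SAFE_TF = '''\
provider "aws" {
  region = "us-east-1"
}

data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/app/db"
}

resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "app"
  password = data.aws_secretsmanager_secret_version.db.secret_string
}
'''


def shannon_entropy(s):
    """Shannon entropy in bits per character (0 for an empty or one-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<input>"):
    """Return [(path, line_number, finding_type)] for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "hardcoded-credential" and match.group(1).startswith("${"):
                continue  # "${var.x}" interpolation is a reference, not a literal
            findings.append((path, lineno, name))
            hit = True
        if hit:
            continue
        for match in QUOTED_RE.finditer(line):
            if shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high-entropy-string"))
                break
    return findings


if __name__ == "__main__":
    # Scan files named on the command line (e.g. staged files from a hook);
    # with no arguments, scan the constructed samples.
    results = []
    for name in sys.argv[1:]:
        with open(name, encoding="utf-8", errors="replace") as fh:
            results += scan_text(fh.read(), name)
    if not sys.argv[1:]:
        results = scan_text(SAMPLE_TF, "main.tf") + scan_text(SAFE_TF, "safe.tf")
    for path, lineno, kind in results:
        print(f"{path}:{lineno}: {kind}")
    sys.exit(1 if results else 0)
```

The scanner reports the first sample at five lines and the hardened sample at none: the `secret_id` in the hardened file is a reference by name, which the lookahead in the credential pattern deliberately exempts. A scan like this only stops new secrets at the gate; it does nothing for a key that is already in the history, which still has to be rotated.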
Developers' accounts need to be secured from attackers. Harden and monitor developer accounts, track changes to IaC configurations, and verify that changes are sanctioned and intentional, for example by requiring reviewed pull requests and protected branches before anything is merged. Unauthorized changes can tamper with IaC templates or configuration, which may result in a code leak or in altered infrastructure being deployed.
Development environments hold privileged credentials used by both human users (developers, tool admins, site reliability engineers, cloud admins, etc.) and by applications, automated processes, and other machine and non-human identities. These environments can be complex and unfamiliar to security teams, who often have little visibility into how privileged credentials are being used there and how well, or whether, they are being secured. Attackers targeting DevOps tools and platforms can exploit unprotected credentials to reach data and other sensitive resources and then launch attacks such as cryptojacking and data exfiltration, or cause application downtime. To secure development environments, both human and non-human identities must therefore be secured.
Security teams therefore need a single point of control that enables consistent management of privileged accounts, credentials, and secrets across every development and compute environment. It lets them govern current and future use of privileged credentials, detect access configuration issues with the context needed to act on them, right-size identity access and permissions, and enforce least-privilege policy consistently.
Don’t wait until it’s too late. Configure notifications to alert when code checks fail, so that misconfigurations are identified early in the development process. The responsible owner and team members should be notified of the failure and of the remediation steps as soon as the check fails, so that developers can fix the problem quickly.
Security teams should enforce cloud-native policy guardrails that check multi-cloud infrastructure for configuration drift and alert on violations, apply consistent security policies at build time and at runtime, and give developers clear guidance on how to resolve vulnerabilities and risks. For instance, the CI/CD build can be made to fail when a defined security threshold is not met, such as any finding rated high severity.
The sections above gave a high-level description of what IaC is, its most common security challenges, and the best practices that address the associated risks. Arm your development teams with IaC best practices to help them strengthen IaC security and establish strong collaboration among development, security, and compliance teams, because when security and development teams work together to defend against attacks, drive operational efficiencies, and satisfy audit and compliance requirements, everyone wins.
Zscaler provides a comprehensive solution for securing infrastructure as code (IaC) that helps prevent misconfigurations, code leaks, environmental drift, and other common issues, all in a single integrated platform. Once integrated into the developer workflow, each commit is scanned for issues including hard-coded secrets and potential misconfigurations. Near-real-time alerts and guided remediation are available both through a GUI and within the pull request, enabling a faster response. Overall, it helps detect potential security vulnerabilities in infrastructure code early and fix them before they go into production, minimizing risk and maintaining cloud compliance.