The adoption of cloud technology has brought with it many benefits, most importantly, an increase in development and deployment velocity. Gone are the days when a developer had to wait days for a virtual machine to be provisioned, and then spend a considerable amount of time installing necessary components like message queues and databases. Virtual machines and associated platforms as a service (PaaS) can be spun up in a matter of minutes within a cloud account.
But giving development teams unfettered access to manually instantiate cloud services and mutate their configuration results in unpredictable infrastructure states, which can lead to software failures and to more attacks, since the attack surface is larger and more exposed. As a result, infrastructure as code (IaC) has been rapidly adopted, allowing developers to create immutable infrastructure from declarative configuration files and have confidence that the infrastructure is in the desired state at every stage of the software lifecycle.
But what happens when the desired state introduces security risks? There are hundreds of different cloud services, and each service has a distinct set of configuration variables available, making it quite easy to unintentionally introduce a misconfiguration. This is compounded by the fact that in an agile environment, many changes are automatically pushed out on a regular basis, and it becomes a daunting task to ensure the security posture of your cloud services.
Do you slow down the release cycle and perform manual security checks and deal with delays as the development teams scramble to remediate issues, or do you allow misconfigurations to be shipped into production, increasing the risk that a breach will occur? There has to be a better way.
The Zscaler Posture Control and Terraform by HashiCorp integration: How does it work?
The Zscaler Posture Control platform solves these challenges by enabling developers to apply security best practices earlier in the software development lifecycle, often referred to as shifting security left. Posture Control has an IaC scanner that parses files, such as Terraform templates, and identifies misconfigurations within them, providing developers with information about each violation as well as remediation steps.
A key component of shifting security left is providing an easy way to integrate these security checks into the normal development workflow. For developers leveraging Terraform Cloud to deploy their infrastructure, the Posture Control platform’s IaC scanner integrates as a run task, analyzing Terraform plan output to identify misconfigurations.
Within a workspace’s run, the results of a scan are available, and can show the number of violations, broken out by severity level, that were encountered in the configuration files as part of this run. A link is then provided to log in to the Posture Control platform to view detailed information about the violations, and how to remediate them. The Posture Control platform provides the ability to fail the run (mandatory run task) based on the severity level of the violations, or run in advisory mode where it will show the findings but allow the run to pass.
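To make the mandatory-versus-advisory behaviour concrete, here is an added example (not Zscaler's or HashiCorp's code) of the two pieces a run task of this kind combines: a scan over Terraform plan JSON that produces findings with a severity, and a gate that either fails the run when findings reach a chosen severity or, in advisory mode, reports them and lets the run pass. The plan document is constructed in the shape of `terraform show -json` output, and the two checks, their severities and the `fail_at` threshold are illustrative assumptions, not Posture Control's actual policies or thresholds.

```python
"""Illustrative IaC scan plus severity gate over Terraform plan JSON.

Added example, not Posture Control's or Terraform Cloud's code. The checks,
severities and sample plan are constructed for illustration only.
"""
import json
from collections import Counter

# Ordering used by the gate; higher rank means more severe.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed plan document in the shape of `terraform show -json tfplan`.
# Only the fields this example reads are present; child modules are omitted.
SAMPLE_PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "example-logs", "acl": "public-read"}},
        {"address": "aws_security_group.ssh", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22,
                                 "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
         "values": {"bucket": "example-private", "acl": "private"}},
    ]}}
})


def check_public_bucket(resource):
    """Illustrative check: an S3 bucket whose ACL grants public access."""
    if resource["type"] != "aws_s3_bucket":
        return None
    acl = resource["values"].get("acl", "private")
    if acl.startswith("public"):
        return {"address": resource["address"], "severity": "high",
                "message": f"bucket ACL '{acl}' is publicly accessible"}
    return None


def check_open_ssh(resource):
    """Illustrative check: a security group allowing SSH from any address."""
    if resource["type"] != "aws_security_group":
        return None
    for rule in resource["values"].get("ingress", []):
        in_range = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
        if in_range and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            return {"address": resource["address"], "severity": "critical",
                    "message": "port 22 open to 0.0.0.0/0"}
    return None


CHECKS = [check_public_bucket, check_open_ssh]


def scan_plan(plan_json):
    """Run every check against each planned resource and collect findings."""
    plan = json.loads(plan_json)
    resources = plan["planned_values"]["root_module"].get("resources", [])
    findings = []
    for resource in resources:
        for check in CHECKS:
            finding = check(resource)
            if finding:
                findings.append(finding)
    return findings


def gate(findings, mode="mandatory", fail_at="high"):
    """Decide whether the run passes.

    mode="mandatory": fail when any finding is at or above `fail_at`.
    mode="advisory":  always pass, but still report the findings.
    """
    counts = Counter(f["severity"] for f in findings)
    blocking = [f for f in findings
                if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_at]]
    passed = mode == "advisory" or not blocking
    return {"passed": passed, "mode": mode, "fail_at": fail_at,
            "counts": dict(counts), "blocking": len(blocking)}


if __name__ == "__main__":
    found = scan_plan(SAMPLE_PLAN_JSON)
    for f in found:
        print(f"[{f['severity']}] {f['address']}: {f['message']}")
    print("mandatory:", gate(found))
    print("advisory: ", gate(found, mode="advisory"))
```

The same findings produce a failed run in mandatory mode and a passed run in advisory mode; raising `fail_at` to `critical` lets the high-severity bucket finding through while still blocking on the open security group, which is the kind of severity threshold the text describes.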
Fig: Posture Control Terraform integration
How to leverage the Posture Control and HashiCorp integration
The Terraform Cloud and Posture Control integration takes minutes to set up. Simply add your Terraform Cloud token to the Posture Control platform, then use the fine-grained controls to select the organization and workspaces you would like to protect, and Posture Control will enable the Zscaler IaC Scan run task in those workspaces.
Learn more about Zscaler and HashiCorp integration: Register for the webinar
Achieving Scalable, Dynamic Security Across Multi-clouds with Zscaler and HashiCorp
December 07 | 9 a.m. PST