Bolstering Security with Infrastructure-as-Code
Rapid innovation in cloud technology has prompted significant changes to infrastructure deployment and management practices. Distributed cloud workloads require careful deployment orchestration and management consideration, particularly workloads supporting critical infrastructure industries such as healthcare, telecommunications and financial services. Enforcing change control integrity through traditional methodologies can present a significant challenge to organisations of all sizes, where unaudited configuration modifications can result in operational and security risks.
The solution to such challenges has presented itself in an already well-understood concept - code. Infrastructure-as-code (IaC) has become a heavily adopted and highly productive form of configuration management in the cloud. IaC is the practice of deploying and managing infrastructure, services and their associated configuration through code. The practice allows engineers to deploy and manage cloud services such as virtual machines, networking, security, and much more through declarative formats such as JSON or YAML.
While IaC presents significant benefits in infrastructure management and deployment efficiency, the less-mentioned benefit is the capability to introduce an enhanced level of security. In the following sections, I will walk you through several security benefits that (when architected appropriately) an IaC deployment and management pattern can provide.
Enforcement of Security Controls
Traditional infrastructure deployment presents challenges in enforcing alignment to security control standards, as security professionals are commonly required to confirm security control adoption retrospectively across a specific target area.
IaC pipelines provide the capability for security controls to be integrated before and throughout the deployment process, allowing for prospective infrastructure evaluation. Common IaC deployment architectures include a dedicated CI/CD pipeline where all infrastructure code segments must traverse before deployment. The IaC originates at the engineer's integrated development environment (IDE), is processed through the pipeline, and reaches the final production build - throughout this process, each code segment must traverse a series of control gates.
Control gates are the perfect point for security control integration and provide oversight and segregation of duties before deployment into production. A wide breadth of security controls can be integrated, such as:
- Security plug-ins within developer IDE environments.
- Automated security evaluation (discussed in the next section).
- Manual review by security engineers (or security champions within their respective development teams).
- Deployment into pre-production environments before acceptance into production.
These security gates provide technical feedback to the developer when a security misconfiguration is detected and enforce security standard compliance for all infrastructure bound for the production environment.
Automated Security Capabilities
IaC allows for the seamless integration of automated security capabilities. Automated security tooling (such as IaC code scanners) can integrate into the CI/CD deployment pipeline and evaluate infrastructure code for security vulnerabilities and adherence to industry best practice frameworks. The security tooling can fail the pipeline workflow when a preconfigured security rule threshold is violated. In comparison to traditional deployment methodologies, which rely on manual or (at best) script-based deployment, IaC offers security tooling integration that evaluates all code bound for production, significantly reducing administrative overhead across various teams.
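The scanner-as-control-gate pattern described above, as an added example that is not code from the original article: a small Python scanner that reads a constructed CloudFormation-style JSON template, applies three rules (public access block and default encryption on S3 buckets, internet-wide security group ingress), and returns a gate decision based on a severity threshold. The rule set, severities and threshold are illustrative assumptions, not any vendor's rules.

```python
"""Minimal IaC template scanner used as a CI/CD control gate (added example)."""
import json

# Constructed CloudFormation-style template used as sample input; not a real deployment.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            "BucketEncryption": {"ServerSideEncryptionConfiguration": []}}},
        "Uploads": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    }
})

PUBLIC_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                     "IgnorePublicAcls", "RestrictPublicBuckets")
ADMIN_PORTS = {22, 3389}  # SSH/RDP reachable from the internet is rated HIGH

def scan(template_text):
    """Return (resource_id, severity, message) tuples, one per rule violation."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PUBLIC_BLOCK_KEYS):
                findings.append((name, "HIGH", "S3 bucket does not block all public access"))
            if "BucketEncryption" not in props:
                findings.append((name, "MEDIUM", "S3 bucket has no default encryption"))
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") != "0.0.0.0/0":
                    continue  # only internet-wide ingress is evaluated here
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
                admin = rule.get("IpProtocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS)
                findings.append((name, "HIGH" if admin else "MEDIUM",
                                 f"ingress from 0.0.0.0/0 on ports {lo}-{hi}"))
    return findings

def gate(findings, max_medium=2):
    """Gate decision: any HIGH finding, or more MEDIUM findings than allowed, blocks deployment."""
    highs = sum(1 for f in findings if f[1] == "HIGH")
    mediums = sum(1 for f in findings if f[1] == "MEDIUM")
    return highs == 0 and mediums <= max_medium
```

In a pipeline the gate result maps to the job's exit status, so a blocked template never reaches the deployment stage and the findings list is what the developer sees as feedback.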
Control of Infrastructure and Cloud Services
In a mature state of IaC deployment, all infrastructure components (where possible) should be deployed and managed through a centralised IaC pipeline. Enforcing infrastructure deployment through a centralised IaC pipeline can significantly enhance auditability and control of infrastructure. By introducing granular access control for code repository and pipeline deployment mechanisms, organisations can restrict unauthorised users from making changes while also introducing segregation of duties for deployments where more than one team member must validate each deployment.
Infrastructure control benefits gained through a mature IaC deployment pipeline include:
- Compliance verification checks as control gates within the deployment pipeline workflow.
  - As part of the IaC deployment pipeline, security teams (or automated mechanisms) can ensure that deployed components adhere to various compliance or policy requirements.
- Considerably less effort assessing cloud security posture.
  - Compared to traditional discovery methodologies, providing an auditor/assessor access to the respective environment code repository allows seamless triage and context gain. For such a methodology to be successful, IaC must be the primary method for infrastructure deployment (where possible).
- Granular traceability of changes performed and rollback to previous versions.
  - Deploying infrastructure through IaC inherently benefits from utilising Source Code Management (SCM) software. The SCM will provide granular insight into who performed the code commit, the time of the change, any specific comments for the change, and a detailed history of previous versions for seamless rollback.
Security Hardened Service Catalogs
Defining infrastructure through code allows engineers and security teams to work together in developing a service catalog (or catalogue) offering. Service catalogs are curated repositories of pre-approved and security-validated infrastructure components, configurations, services or holistic preconfigured (plug-and-play) environments. Offering a curated selection of pre-validated infrastructure components and configurations allows organisations to promote efficiency and consistency in development workflows while enhancing security posture.
Service catalogs provide various security benefits, including:
- Consistency and strong understanding of all infrastructure components deployed through the service catalog pattern.
  - Technical teams will have a clear understanding of the standardised patterns offered within the service catalog and can promptly address security events or service disruptions.
- Reduction in potential security misconfigurations.
  - Engineers can restrict the modification of security configuration in line with minimum security requirements.
- Preconfigured and enforced security service and tooling integration.
  - Templates offered as part of the service catalog should have all appropriate integration with security services established out-of-the-box. Integrations could include preconfigured SIEM log ingestion, utilisation of golden images with installed security tooling (such as endpoint protection software) and more.
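The two catalog properties listed above (locked security configuration and out-of-the-box security integration) as an added Python example, not code from the original article: a pre-validated bucket baseline whose public access block, encryption and SIEM logging settings are locked, while consumers may still customise the remaining properties. The baseline values, the `LOCKED` set and the placeholder bucket names are assumptions made for the example.

```python
"""Service-catalog template with locked security settings (added example)."""
import copy

# Constructed, pre-validated baseline for one catalog item: an S3 bucket with public
# access blocked, KMS encryption enforced and access logging wired to a SIEM bucket.
BASELINE = {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "BucketName": "placeholder-name",
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "LoggingConfiguration": {"DestinationBucketName": "siem-ingest-placeholder"},
        "Tags": [{"Key": "catalog-item", "Value": "hardened-bucket-v1"}],
    },
}

# Minimum security requirements: consumers may customise anything else, never these.
LOCKED = frozenset({"PublicAccessBlockConfiguration", "BucketEncryption", "LoggingConfiguration"})

class LockedSettingError(ValueError):
    """Raised when a consumer override tries to change a locked security property."""

def render(item_name, overrides):
    """Merge consumer overrides into the baseline; locked properties are rejected, not merged."""
    blocked = sorted(k for k in overrides if k in LOCKED)
    if blocked:
        raise LockedSettingError(f"{item_name}: locked properties cannot be overridden: {blocked}")
    resource = copy.deepcopy(BASELINE)  # never mutate the shared baseline
    props = resource["Properties"]
    for key, value in overrides.items():
        if key == "Tags":
            props["Tags"] = props["Tags"] + list(value)  # catalog tag is kept for traceability
        else:
            props[key] = value
    return resource
```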
Disaster Recovery and Cross-Region Portability
Operating a mature IaC deployment pattern with preplanned automation and data replication considerations allows cloud teams to redeploy identical infrastructure to a secondary region in minutes. Through an active-passive multi-region IaC strategy, an organisation can significantly improve its disaster recovery preparedness and cross-region infrastructure portability capability.
As an alternative to operating active-active architectures across regions, availability-sensitive applications can leverage a scaled-back pilot light multi-region deployment. The pilot light deployment only involves continuous data replication to the target secondary region, without deploying the infrastructure components there. When the secondary region is required, the IaC pipeline can initiate the deployment of an identical application environment within minutes. DNS services (such as AWS Route53) can distribute traffic across the active regions or fully migrate traffic to the secondary region if necessary.
Conclusion
The various examples briefly addressed in this article only scratch the surface of the capability potential offered through IaC. Further refinement and customisation of pipelines, deployment patterns, security controls, and service catalog mechanisms can provide additional capabilities to support an organisation's specific technology requirements and secure infrastructure management and deployment processes.
Continued technological innovation and adoption of IaC have allowed cloud hyperscalers to develop sophisticated IaC tools that can abstract cloud infrastructure deployment into various formats. One example is the AWS Cloud Development Kit (CDK). The CDK is an abstraction of AWS's CloudFormation service, allowing developers to define cloud infrastructure in modern programming languages, including TypeScript, Python, C#, and Java. This abstraction supports developers in their cloud education process and introduces consistency across the organisation's technology stack, resulting in a more familiar and secure development process. Looking into the future, the rapid advancements in cloud technology and artificial intelligence will facilitate further enhancements to the security of IaC through a new generation of context-aware security remediation mechanisms, advanced code analysis, and proactive threat mitigation.
In conclusion, by developing and mandating security-integrated IaC pipelines as the primary cloud infrastructure deployment method, organisations can significantly improve their security posture and reduce the risk of security breaches. With further innovation on the horizon through technologies such as AI, organisations can leverage IaC to future-proof and (through continuous refinement) bolster their security deployment and management processes.