Securing and Embracing Infrastructure as Code

Author: Taimur Ijlal, CISA, CISSP
Date Published: 15 July 2020

Recent advances in computing technology have empowered IT professionals to increasingly rely on abstraction, freeing them from the burden of managing infrastructure and allowing them to focus their energies on delivering quality software as fast as possible. Just as cloud computing eliminated the hassle of managing data centers and virtualization meant that chief information officers (CIOs) no longer had to worry about maintaining physical servers, Infrastructure as Code (IaC) has revolutionized how servers and infrastructure are provisioned.


Understanding IaC

Even though cloud computing has the ability to spin up virtual machines in minutes, provisioning mistakes resulting from human error are always possible, especially when provisioning complex infrastructure in the cloud. One of the best ways to eliminate manual errors is through automation and by applying the same defect-review processes present in software releases to infrastructure deployment.

As its name implies, IaC is the provisioning and management of infrastructure through source code: entire servers, databases and networks are described in machine-readable “blueprints” and deployed from them, instead of being configured by hand through management consoles. IaC typically follows a declarative model in which the desired end state is stated and the tooling works out the steps needed to bring the environment to that state. IaC has caught on like wildfire. Cloud giants such as Amazon Web Services (AWS)1 and Microsoft Azure2 provide their own native implementations (CloudFormation and Azure Resource Manager templates, respectively), and Terraform from HashiCorp3 offers a provider-independent alternative.

Advantages of IaC

The benefits of IaC are immediately obvious. They include the following:

  • Better quality control—IaC allows infrastructure templates to be treated just like source code, so these complex architectures can be reviewed, tested and audited to the same degree as any software.4 An enterprise’s infrastructure can be captured in a documented and clearly defined “snapshot” that is maintained in code and visible, just like application code. This results in increased transparency, as the entire architecture can be read, and every configuration change is recorded in version control. Like any other configuration file, the blueprint can be checked for common errors or misconfigurations with static analyzers before it is ever deployed.
  • Reduced dependency on the system administrator—The system administrator has historically been responsible for provisioning infrastructure, which has sometimes led to bottlenecks and delayed releases. IaC empowers developers to provision infrastructure via code without worrying about the underlying complexities of the provider. This results in faster delivery time while freeing system administrators to focus on more value-driven tasks.
  • Increased speed and consistency—IaC can create an entire complex architecture and apply the same configuration in every environment, which reduces the chance of one-off errors or security misconfigurations (although a misconfiguration baked into the template is propagated just as consistently).

Risk Factors Related to IaC

The rapid adoption of any new technology comes with new risk factors, and IaC is no exception. The same speed of deployment made possible by IaC can prove to be a problem for security professionals as they struggle to keep pace with the challenges it introduces. One of the most prevalent problems is the skill gap, as IaC knowledge is sorely lacking among security professionals. Teams that are accustomed to scanning running servers with vulnerability scanners suddenly find themselves reviewing architectures defined in a JavaScript Object Notation (JSON) or YAML file, or working with unfamiliar tools such as Puppet or Terraform. Manually reviewing thousands of lines of IaC templates for security flaws can be a nightmare and can cause delays, which is the exact opposite of what IaC is supposed to achieve.


This learning curve is not restricted to cybersecurity. IT teams that rush into “codifying” their production workloads might find themselves with piles of infrastructure code that no one truly understands and no documentation to explain it. IaC practices have not yet reached the level of maturity of software engineering frameworks such as the Capability Maturity Model Integration (CMMI)5 and International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 25010,6 to name just two. The end result might be a huge pile of infrastructure code that no one is willing to touch for fear of causing a production outage. It is a good idea for enterprises to first adopt a hybrid approach and move noncritical workloads into IaC, instead of going all-out and converting the entire infrastructure at once.


Another problem that can be magnified in an IaC world is security misconfiguration. A vulnerable server running in production is a common nightmare for security professionals, and IaC can intensify this problem if the code is not checked properly: a misconfiguration in a template is rapidly propagated to every environment built from it, and any one of them might be enough to compromise an entire cloud infrastructure. The same speed and ease with which IaC provisions infrastructure could also lead to an inexperienced professional making costly changes in production. A recent report highlighted some alarming real-world statistics, including the discovery of more than 200,000 insecure IaC templates with high- and medium-severity vulnerabilities.7 Additionally, more than 76 percent of cloud infrastructure was found to be exposing Secure Shell Protocol (SSH) ports, and 69 percent was exposing Remote Desktop Protocol (RDP) ports, over the Internet, which is an open door to attackers. This problem is only expected to grow as more enterprises migrate to the cloud and adopt IaC principles.

Finally, one of the key advantages of IaC—the easy readability of IaC templates—can become a security issue if proper controls are not put in place. If these templates are not secured, anyone with access to the repository and sufficient knowledge can read the network layout, trust relationships and any credentials that have been carelessly hard-coded into them, leading to the leakage of critical configuration data. Also, the ease with which IaC can provision infrastructure could allow an unauthorized person to create or change key production infrastructure unless access to both the templates and the deployment pipeline is tightly controlled.

How to Secure (and Embrace) IaC

Despite the potential risk, IaC also brings many security benefits to the table. The code review techniques used to validate software releases can now be applied to infrastructure, allowing security testers to obtain a high level of assurance about infrastructure changes made via IaC.

Static code analysis tools can be used to ensure that these templates pass preconfigured security checks before they are deployed to production, making security an essential part of the pipeline rather than an afterthought. This can prevent common flaws in IaC templates, such as administrative ports open to the Internet, missing logging or missing encryption, from ever reaching production. There are many open-source and commercial tools on the market to help security professionals carry out these checks; because the running environment can still drift from the template, they should be complemented by scans of the deployed infrastructure.
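As an added illustration of the static checks described above (and of the hard-coded credential leakage mentioned earlier), the following Python scanner walks a CloudFormation-style JSON template and reports the flaws the article lists: SSH or RDP reachable from the whole Internet, S3 buckets without encryption or access logging, and secret-looking properties given as literal strings instead of references. This is example code written for this page, not a tool from the article, AWS or any vendor; the sample template and the rule identifiers are constructed for illustration.

```python
"""Static security checks for a CloudFormation-style JSON template.

Added example, not code from the article or any vendor tool. The template
below and the rule IDs are constructed for illustration only.
"""
import ipaddress
import json
from dataclasses import dataclass

# Administrative ports whose exposure to the whole Internet the article calls out.
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Property-name fragments that usually hold credentials.
SECRET_KEY_HINTS = ("password", "secret", "token", "accesskey")


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    message: str


def _is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix covering the whole address space."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _check_security_group(name, props):
    """Flag ingress rules that let the whole Internet reach SSH or RDP."""
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if not cidr or not _is_world_open(cidr):
            continue
        proto = str(rule.get("IpProtocol", "")).lower()
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if proto in ("-1", "all"):  # "-1" means every protocol and every port
            lo, hi = 0, 65535
        for port, label in REMOTE_ADMIN_PORTS.items():
            if lo <= port <= hi:
                yield Finding(name, "SG_ADMIN_PORT_OPEN", f"{label} ({port}) reachable from {cidr}")


def _check_bucket(name, props):
    """Flag S3 buckets that lack server-side encryption or access logging."""
    if "BucketEncryption" not in props:
        yield Finding(name, "S3_NO_ENCRYPTION", "no server-side encryption configured")
    if "LoggingConfiguration" not in props:
        yield Finding(name, "S3_NO_LOGGING", "no access logging configured")


def _check_secrets(name, props, path=""):
    """Flag literal strings under secret-looking keys; Ref/Fn:: objects are acceptable."""
    for key, value in props.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            yield from _check_secrets(name, value, here)
        elif isinstance(value, str) and any(h in key.lower().replace("_", "") for h in SECRET_KEY_HINTS):
            yield Finding(name, "HARDCODED_SECRET", f"literal value for {here}")


CHECKS = {"AWS::EC2::SecurityGroup": _check_security_group, "AWS::S3::Bucket": _check_bucket}


def scan_template(template):
    """Run the type-specific checks plus the secret check over every resource."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, props))
        findings.extend(_check_secrets(name, props))
    return findings


# Constructed sample template: one bastion group, two buckets, one database.
SAMPLE_TEMPLATE = json.loads(r"""{
  "Resources": {
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "bastion",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "example-logs"}},
    "SafeBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
      "LoggingConfiguration": {"DestinationBucketName": "example-logs"}}},
    "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "MasterUsername": "admin", "MasterUserPassword": "Passw0rd!"}}
  }
}""")

if __name__ == "__main__":
    for f in scan_template(SAMPLE_TEMPLATE):
        print(f"{f.resource}: [{f.rule}] {f.message}")
```

Run as a pipeline step and fail the build on any non-empty result. The RDP rule limited to 10.0.0.0/8 and the HTTPS rule are deliberately not flagged, so the output shows only the four real problems: the world-open SSH rule, the unencrypted and unlogged bucket, and the literal database password.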

IaC also embodies the concept of immutable infrastructure, which allows cloud teams to standardize and “freeze” parts of the infrastructure in a way that traditional deployments did not. If security teams can ensure that every virtual machine in their cloud portfolio is running the same network configuration, this provides a great deal of confidence in the security posture and allows consistent, predictable security standards to be applied without the usual drift toward misconfiguration. Using immutability, teams ensure that infrastructure is never modified once it is in production; instead, it is rebuilt from the ground up every time a change is necessary.8 If a configuration change is needed to address a security issue, IaC tools create a new deployment and destroy the existing one, so the IT team does not have to reason about hundreds of ad hoc configuration changes accumulated over time.

Similarly, for enterprises that follow strict patching cycles, immutable infrastructure eliminates the need to patch hundreds or thousands of servers in place; the servers are simply replaced from a new master build that already incorporates the required patches. This can be a godsend for IT teams: they do not have to worry about post-patching inconsistencies, because every machine has been spun up from the same image. If any issues arise, the previous version of the IaC template can be used to revert to a known-good version of the infrastructure. The benefit holds only as long as out-of-band changes (for example, edits made directly in the management console) are blocked, since any such change reintroduces the drift that immutability is meant to remove.

Conclusion

The benefits of IaC are many, and its adoption will only increase over time, given its greater speed and flexibility compared with traditional provisioning methods. Although industry standards are currently lacking for securing IaC, cybersecurity professionals will need to update their skill sets and familiarize themselves with different IaC technologies and providers in order to identify any security risk factors present.


Just as IaC allows teams to define an entire infrastructure as code, it stands to reason that security teams must also learn to define security as code. Security teams and technology teams must collaborate, allowing the easy integration of their respective tools for rapid feedback during new builds and deployments. Security baselines must become templates that technology teams can easily incorporate into their IaC, and the templates should be scanned before and after deployment to prevent any security mishaps. As infrastructure deployment transitions to a software-based approach, security professionals must apply the lessons learned about securing application code to IaC. None of the risk factors highlighted should discourage organizations from adopting IaC. Instead, they should be empowered to adopt risk-based approaches to implementation, making sure teams are well informed and well trained in this new technology before they start migrating production workloads.

Endnotes

1 Amazon, AWS CloudFormation, https://aws.amazon.com/cloudformation/
2 Tang, R.; “IaC on Azure,” Microsoft, 11 February 2017, https://techcommunity.microsoft.com/t5/azure-developer-community-blog/iac-on-azure-an-introduction-of-infrastructure-as-code-iac-with/ba-p/336095
3 Terraform, Terraform by HashiCorp, https://www.terraform.io/
4 AWS Online Tech Talks, “Infrastructure as Code Testing Strategies With AWS CloudFormation,” YouTube, 21 May 2019, https://www.youtube.com/watch?v=JSfqUCIK_OA
5 White, S. K.; “What Is CMMI? A Model for Optimizing Development Processes,” CIO, 16 March 2018, https://www.cio.com/article/2437864/process-improvement-capability-maturity-model-integration-cmmi-definition-and-solutions.html
6 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 25010 Systems and software engineering—Systems and software Quality Requirements and Evaluation (SQuaRE)—System and software quality models, 2011, https://www.iso.org/standard/35733.html
7 Unit 42, “Unit 42 Cloud Threat Report: Spring 2020,” Palo Alto Networks, 5 February 2020, https://unit42.paloaltonetworks.com/cloud-threat-report-intro/
8 Stella, J.; “An Introduction to Immutable Infrastructure,” O’Reilly, 9 June 2015, https://www.oreilly.com/radar/an-introduction-to-immutable-infrastructure/

Taimur Ijlal, CISA, CISSP

Is an experienced information security professional with more than 18 years’ experience in cybersecurity and IT risk management. He is currently overseeing the cloud security and DevSecOps portfolio for one of the largest payment solutions providers in the Middle East. He has served as the head of information security for several large organizations in the Middle East and has been the recipient of numerous industry awards. He has also been responsible for single-handedly setting up IT audit and information security departments for some of the leading organizations in Pakistan. In addition to speaking at various information security platforms and conferences, he has written for the e-security section of Spider, one of the leading technology magazines in Pakistan.