Introduction to Infrastructure as Code and Security
With the rapid adoption of DevOps by organizations worldwide, IaC has become a critical DevOps practice that has strengthened the software development methodology. Amidst the growing concerns over information security and data privacy, DevSecOps has gained popularity and Infrastructure as Code Security has been accepted as one of the most essential considerations in DevSecOps environment.
Its goal is to ensure that security best practices and compliance requirements are built into the IaC template files. These best practices and compliance requirements cover various aspects of information security such as data encryption, network segmentation, access control requirements, log collection and retention, and several others.
The consequences of ignoring its security can be severe and can lead to exposure of sensitive data to unauthorised users, data leakage, unauthorised access to business critical assets and resources, and increased attack surface. This can be evidenced from the Cloud Threat Report byPalo Alto Networks Unit 42 report
199,000 potential vulnerabilities have been discovered in IaC templates. Also, more than 43% of cloud databases are currently unencrypted, and only 60% of cloud storage services have logging enabled which in itself is a serious concern.— Palo Alto Networks Unit 42 report.
It is a crucial pillar that aligns DevOps, Security, and Compliance for Infrastructure Management processes. It enables the organizations to Shift Left security in the development pipeline, including infrastructure security management. The IaC templates that are used for building any infrastructure can be tested for security and compliance checks before being deployed. When this practice is integrated into CI/CD pipeline and versioning is enabled, it helps the organization to enhance the security posture and maintain security and compliance over time while making constant changes as per their business requirements. Therefore security risks, non-compliance, policy violations, and misconfigurations can be prevented before runtime and in production environments. It also helps to decrease security posture drifts.
What are the best practices of IaC security?
Here is a list of Best practices to follow for the Implementation of Security in Infrastructure as Code in an Enterprise
The developers of IaC templates may use insecure default configurations and/or components with known vulnerabilities in the template/script that could pose a threat to the entire environment. Other sources of vulnerabilities may include operating systems or container images from unknown sources.
Secrets Management is one of the leading security risks involved with it. This issue's root cause is not the secret but how the developers store and manage these secrets. In most the cases, it has been observed that secrets are hard-coded, left in plain-text, or base63 encoded. These secrets involve authentication keys, passwords, access keys, SSH secrets, and access tokens. In a few cases, it has been witnessed that these secrets are even pushed to git public repos.
The Communication Channels
Most of the Infrastructure as Code configuration management tools use master-node architecture where the master is the controller and contains all specifications and configuration files. Security risks are significantly involved if the master is not secured. The communication between master and other nodes is not encrypted and layered security mechanisms have not been implemented from scratch.
User Access Management
When implementing it, you don't require root privileges. Security issues arise when Role-Based Access Controls (RBAC) and principles of least rights are not appropriately implemented. Credential sharing is also one of the significant issues that impacts user access management.
Drifts in Configuration
Sometimes, there arises certain situations where configurations need to be changed directly in the production environment. In such cases, there is a reasonably positive chance that security risks are introduced into the environment as a result of resulting drifts in configuration from the defined security posture.
Untagged assets and assets that are not correctly tagged can result in the creation of ghost resources which make it challenging to monitor and track resources. If compromised, these resources may take very long to be detected and can be potentially dangerous in some cases.
Risks related to Data Transmissions
Securing data in transmit is equally important as securing data in rest. SSL certificates when not configured properly can significantly raise the security risks. Another major security risk associated with it is insecure VPN connections and configurations.
Using Infrastructure as Code for deployment poses a major security threat if logging and monitoring components are not deployed to keep an eye on the security risks.
How to implement infrastructure as code security in it?
When considering Infrastructure as Code Security, IaC templates are given the highest priority and organizations mainly focus on the misconfigurations and policy violations in the template. Still, several other factors are involved in its security. One of the most important factors that organizations must consider is the least privilege principle. It plays a significant role in limiting damages from poorly configured resources or maliciously modified templates/scripts. The least privileges can be applied to IaC at three different levels.
- Define who is authorized to run the scripts/templates.
- Limit the permission to authorized users based on need to know and perform their task basis.
- Implement checks and policies to ensure that created resources have the least required privileges to properly carry out the workload and compliant configurations.
Security Policies and Configuration Checks must be developed and implemented
- Check for network exposures in IaC templates. Insecure IaC templates can expand the attack surface and pave ways for critical attack vectors. Security Groups, open ports, publicly accessible services and internet wide accessible storage databases are some of the critical things that must be checked.
- Check for vulnerabilities in container images referred to in the IaC template and disallow images from untrusted registries.
- Check for the use of privileged accounts and other snippets that could lead to privilege escalation.
- Check for immutability of infrastructure. Every change must be provisioned through the security pipeline and no configuration changes should be directly made.
- Check for tags and labels. Untagged or unlabelled resources must not be deployed.
- Check for compliance violations. The policy checks and configuration checks should be in accordance with various compliance standards such as ISO 27001, GDPR, SOC2, PCI DSS, HIPAA, etc.
- Check for data security and data storage configurations. Data encryption is only one aspect of data security. Other misconfigurations in storage services and storage clusters can lead to data exposure.
- Check for hard-coded secrets and plain-text passwords in IaC templates.
- Check that logging and monitoring components are enabled across the environment.
- Check that components from untrusted and unverified sources are not being used. Follow whitelisting approach instead of blacklisting.
How to ensure Security in IaC?
Below are the steps to ensure security in Infrastructure as Code:
Automated IaC Governance
The policies and configuration checks should be automated to save time and to avoid manual evaluation and human error. For a single IaC template/script there may be more than 100 policies to be checked. Finding misconfigurations and policy violations manually will leave security gaps and weaken the security posture.
Governed in Code, secured in Code
The most important key to implement infrastructure security as Code is to implement the right tool to identify the issues with IaC templates/scripts and use the same approach to fix them .i.e. fixes and updates must also be applied through Code. The aim of infrastructure security as Code should be to automate the governing process of the entire infrastructure with the help of Code by setting policies and configuration checks to govern the infrastructure workflow.
Its security should be embedded into the tools and day-to-day processes. The most common method to maintain continuous workflow with infrastructure as Code will be to setup CI/CD pipelines with policies and configuration checks to validate each pull request and commit. It will help you to easily identify new violations and new misconfigurations can be prevented which will eventually help you to avoid cloud drift.
IaC Security Benefits
These are the three major benefits of its security-
- Continuous Compliance
- Continuous Risk Assessment and Threat Modeling
- Data Encryption as a Requirement
- Automated Monitoring and Alerts
Achieving continuous compliance while using it is a fundamental requirement. When security policies and configuration checks are written in Code, putting security compliance controls in place becomes much easier and security processes become more streamlined. Automating these configuration checks and policy requirements by using CI/CD pipelines makes the security flow even more streamlined. By using this approach, continuous compliance can be achieved with very minimal manual intervention.
Continuous Risk Assessment and Threat Modeling
Continuous Risk Assessment and Threat Modeling help to continuously assess security loopholes with different levels of risk and any required preventive action can be taken immediately. It eventually helps to minimize the attack surface and discover the possible attack vectors. Continuous Risk Assessment and Threat Modeling should cover all the environmental components and this entire process must be automated for optimal risk assessment and threat modeling. Infrastructure Security as Code helps to closely evaluate the public-facing features or services and limit the exposure to malicious and unauthorized access and cyberattacks.
Data Encryption as a Requirement
Data encryption is one of the key requirements that can be achieved with Infrastructure Security as Code. Business critical data and Personal Identifiable Information (PII) must be encrypted by default. Data in transmit must also be encrypted as it is vulnerable to attacks and sniffing. Infrastructure Security as Code helps to ensure that data encryption is enabled by default on data in rest and data in transit uses encryption with secure protocols and robust cryptographic algorithms.
Automated Monitoring and Alerts
In any environment, monitoring and alerts play a vital role. One of the major requirements that must be fulfilled in complex environments is automated monitoring and alerting. Automated monitoring and alerting not only helps to identify attacks and weaknesses but also helps to identify threats in their early stages. Deploying Infrastructure Security as Code in an environment helps to monitor critical infrastructure and generate near real-time alerts based on evaluation frequency which can be hourly, daily, or weekly, and makes the entire workflow more efficient and secure.
Infrastructure Security as Code is a new concept, and the biggest challenge that organizations face while adopting and implementing Infrastructure Security as Code is the proper integration and workflow development. The main reason behind this issue is that the security policies and configuration checks have to be written as Code which isn't straightforward in complex and interconnected environments. There are security gaps and adopting Infrastructure Security as Code takes planning, time, and collaboration between different teams and is not as simple as it seems. These gaps lead to confusion, which affects the organization's security posture. The only thing that organizations need to focus is correctly determining how and where the resources need to be provisioned, governed and secured.
If deployed efficiently and effectively, Infrastructure Security as Code will eventually help you determine and find issues before they're deployed, help you implement continuous compliance, and automate your monitoring and alerting process for all existing and new resources.