Infrastructure as code and your security team: 5 critical investment areas


The promises of Infrastructure as Code (IaC) are higher velocity and more consistent deployments — two key benefits that boost productivity across the software development lifecycle.

Velocity is great, but only if security teams are positioned to keep up with the pace of modern development. Historically, outdated practices and processes have held security back, while innovation in software development has grown quickly, creating an imbalance that needs leveling.

IaC is not just a boon for developers; IaC is a foundational technology that enables security teams to leapfrog forward in maturity. Yet, many security teams are still figuring out how to leverage this modern approach to developing cloud applications. As IaC adoption continues to rise, security teams must keep up with the fast and frequent changes to cloud architectures; otherwise, IaC can be a risky business.

If your organization is adopting IaC, here are five critical areas to invest in.


Building design patterns

Constantly putting out fires from one project to the next leaves security teams little time or resources to build foundational security design patterns for cloud and hybrid architectures.

Security design patterns are a required foundation for security teams to keep pace with modern development. They help solution architects and developers accelerate independently while having clear guardrails that define the best practices security wants them to follow. Security teams also get autonomy and can focus on strategic needs.  

IaC provides new opportunities to build and codify these patterns. Templatizing is a common approach that many organizations invest in. For common technology use cases, security teams establish standards by building out IaC templates that meet the organization’s security requirements. By engaging early with project teams to identify security requirements up front, security teams help incorporate security and compliance needs to give developers a better starting point to build their IaC.

However, templatization is not a silver bullet. It can add value for select commonly used cloud resources, but requires an investment in security automation to scale.

Security as code and automation

As your organization matures in its use of IaC, your cloud architectures become more complex and grow in size. Your developers are able to rapidly adopt new cloud architectures and capabilities, and you’ll find that static IaC templates do not scale to address the dynamic needs of modern cloud-native applications.

Every application has different needs, and each application development team will inevitably alter the IaC template to fit the unique needs of that application. Cloud service provider capabilities change daily and make your IaC security template a depreciating asset that becomes stale quickly. A large investment in governance to scale is required for security teams, and it creates significant work for your SMEs to manage exceptions. 

Automation that relies on security as code offers a solution and enables your resource-constrained security teams to scale. In fact, it may be the only viable approach to address cloud-native security. It allows you to codify your design patterns and apply security dynamically to tailor to your application use-case.

Managing your security design pattern using security as code has several benefits:

  • Security teams do not need to become IaC experts.  
  • You get all the benefits of having a version-controlled, modular, and extensible way to build these design patterns.  
  • Security design patterns can evolve independently, allowing security teams to work autonomously. 
  • Security teams can use automation to engage early in the development process.

The ratio of developers to ops to security staff can be something like 100:10:1. I recently talked to an organization that has 10,000 developers and 3 AppSec engineers. The only viable way for a team like this to scale and prioritize its time efficiently is to rely on automation to force multiply its security expertise.
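As an added illustration of the security-as-code idea (not the article's or oak9's own code), the block below codifies two design patterns as rules keyed by resource type, so they apply to whatever a team declares rather than to a fixed template; the resource format, rule names and sample declaration are constructed for this example.

```python
"""Security as code: codified design-pattern rules evaluated against an IaC
resource declaration. Added illustration, not oak9's product; the resource
format and rule names are constructed for this example."""
from dataclasses import dataclass

ALLOWED_PUBLIC_PORTS = {443}  # design pattern: only TLS may be internet-facing

@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str

def check_storage(name, res):
    """Design pattern: object storage is private and encrypted at rest."""
    if res.get("public_access", False):
        yield Finding(name, "storage-no-public-access", "bucket is publicly readable")
    if not res.get("encryption"):
        yield Finding(name, "storage-encrypt-at-rest", "no encryption configured")

def check_network(name, res):
    """Design pattern: internet ingress only on explicitly allowed ports."""
    for rule in res.get("ingress", []):
        if rule.get("cidr") == "0.0.0.0/0" and rule.get("port") not in ALLOWED_PUBLIC_PORTS:
            yield Finding(name, "network-restrict-ingress",
                          f"port {rule.get('port')} open to the internet")

# Rules are keyed by resource type, so they apply to whatever a team declares
# rather than requiring a fixed template.
RULES = {"storage_bucket": check_storage, "security_group": check_network}

def evaluate(resources):
    """Apply every matching rule; returns a sorted list of Finding objects."""
    findings = []
    for name, res in resources.items():
        checker = RULES.get(res.get("type"))
        if checker:
            findings.extend(checker(name, res))
    return sorted(findings, key=lambda f: (f.resource, f.rule))

# Constructed sample declaration, in the shape a template parser might emit.
SAMPLE_IAC = {
    "logs": {"type": "storage_bucket", "public_access": True, "encryption": None},
    "web_sg": {"type": "security_group",
               "ingress": [{"cidr": "0.0.0.0/0", "port": 443},
                           {"cidr": "0.0.0.0/0", "port": 22}]},
    "db": {"type": "database", "storage_gb": 100},  # no rule for this type yet
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_IAC):
        print(f"{f.resource}: {f.rule}: {f.detail}")
```

Adding a new pattern is a new checker registered in `RULES`, which is the version-controlled, modular evolution the bullets above describe.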

Visibility and governance

Once you reach sufficient maturity in your IaC adoption, you’ll want all changes to be made through code. This allows you to lock down other channels of change (cloud console, CLIs) and build on good software development governance processes to ensure that every code change gets reviewed.

Security automation that is seamlessly integrated into your development pipeline can now assess every change to your cloud-native apps and provide visibility into any potential inherent risks, avoiding time-consuming manual reviews. This lets you build mature governance processes that ensure security issues are remediated and compliance requirements are met. 

Drift detection

Along your journey to IaC maturity, changes will be made to your cloud environment through IaC, as well as traditional channels such as the CSP console or command-line tools. When developers make direct changes to deployed environments, you lose visibility, and this can lead to significant risk. Additionally, your IaC will no longer represent your source of truth, so assessing your IaC can give you an incomplete picture.

Investing in drift detection capabilities that validate your deployed environments against your IaC can ensure that any drift is immediately detected and remediated by pushing a code change to your IaC.
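The comparison the paragraph describes, as an added example that is not part of the article or oak9's product: the declared IaC resources are diffed against a snapshot of the deployed environment, reporting resources created out-of-band, resources declared but not deployed, and attributes that no longer match. The resource shape, the `IGNORED_ATTRS` set and both snapshots are constructed for this example.

```python
"""Drift detection: compare the resources an IaC declaration defines with a
snapshot of what is actually deployed. Added illustration, not oak9's code;
the resource shape and the snapshot are constructed for this example."""
from dataclasses import dataclass, field

IGNORED_ATTRS = {"id", "created_at"}  # provider-assigned, never declared in code

@dataclass
class DriftReport:
    unmanaged: list = field(default_factory=list)   # exists live, absent from IaC
    missing: list = field(default_factory=list)     # declared, not deployed
    changed: dict = field(default_factory=dict)     # name -> {attr: (declared, live)}

    def is_clean(self):
        return not (self.unmanaged or self.missing or self.changed)

def detect_drift(declared, live):
    """Return a DriftReport; declared and live map resource name -> attributes."""
    report = DriftReport()
    report.unmanaged = sorted(set(live) - set(declared))
    report.missing = sorted(set(declared) - set(live))
    for name in sorted(set(declared) & set(live)):
        want, have = declared[name], live[name]
        diffs = {}
        for attr in (set(want) | set(have)) - IGNORED_ATTRS:
            if want.get(attr) != have.get(attr):
                diffs[attr] = (want.get(attr), have.get(attr))
        if diffs:
            report.changed[name] = diffs
    return report

# Constructed sample: what the code says vs. what a console change left behind.
DECLARED = {
    "web_sg": {"type": "security_group", "ingress": [{"cidr": "10.0.0.0/8", "port": 22}]},
    "logs": {"type": "storage_bucket", "public_access": False},
}
LIVE = {
    "web_sg": {"id": "sg-0001", "type": "security_group",
               "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},  # widened by hand
    "logs": {"id": "b-0002", "type": "storage_bucket", "public_access": False},
    "debug_vm": {"id": "i-0003", "type": "instance"},  # never declared in code
}

if __name__ == "__main__":
    r = detect_drift(DECLARED, LIVE)
    print("unmanaged:", r.unmanaged, "missing:", r.missing, "changed:", r.changed)
```

The report only detects; in the workflow the article recommends, the fix is a reviewed code change to the IaC followed by a redeploy, not an edit to the live environment.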

Developer and security champions

Security teams should put emphasis on the developer workflow and experience and seek to continuously reduce friction to implement security. Having developer champions within security that understand the challenges developers face can help ensure that security automation is serving the needs of the developer. Similarly, security champions within development teams can help generate awareness around security and create a positive feedback loop to help improve the design patterns.

The bottom line

IaC can be a risky business, but it doesn’t have to be. Higher velocity and more consistent deployments are in sight, as long as you’re able to invest in the right places. By being strategic and intentional and investing in the necessary areas, the security team at your organization will be best positioned to keep up with the fast and frequent changes during IaC adoption.

Are you ready to take advantage of what IaC has to offer? There’s no better time than now.

Aakash Shah is CTO and cofounder of oak9

Originally appeared on: TheSpuzz