There is one thing I don’t think that I have ever written about before in
a blog: That is, “Infrastructure as a Code”,
also known as “IaC” for short. It is a
term that is commonly thrown around the world of Cloud lingo, but many people
do not really know what it is about. In
fact, as much as I have written about Cloud, I never really paid too much
attention to it.
So, before we go any further, here is a technical
definition of it:
“Infrastructure as Code (IaC)
is the managing and provisioning of infrastructure through code instead of
through manual processes.”
(SOURCE : https://www.redhat.com/en/topics/automation/what-is-infrastructure-as-code-iac)
Although the intricacies behind it can be
quite complex, long story short, it just gives you another way to manage your
Cloud based deployment (whether it is in the AWS or Microsoft Azure), on an
automated basis, using various programming languages, such as that of Python.
But despite the tools that the Cloud
providers give to manage your IaC environment, many businesses in Corporate America
still fail in configuring it properly.
Consider some of these statistics:
*According
to the “2024 Security Report” from Check Point Software, 82% of
businesses failed to properly configure their IaC environment.
*Back in 2022, because of a misconfiguration,
the ICICI Bank leaked out well over 3.6 million files.
To see the detailed report that was
published by Check Point Software, click on the link below:
http://cyberresources.solutions/blogs/2024-Cloud-Security-Report-CheckPoint.pdf
So, if you decide to make use of an IaC environment to
help run your Cloud deployment, here are a few key tips to keep in mind:
1) Plan:
The first thing that you
need to do is map out exactly what you want
the IaC environment to do, but even more importantly, you need to take
into sincere consideration the security issues that are involved, such as:
Ø Defining
the functional and controls requirements.
Ø The kind
of Cloud environment that you want to have, for example, Private Cloud, Public
Cloud, Hybrid Cloud, etc. and the security
that goes along with all of that.
Ø Use
tools like Terraform or Cloud Formation to build out your IaC environment.
Ø Create
a backup strategy for your images that you create for your Cloud apps (such as
Virtual Machines, Virtual Desktops, etc.).
2) Software
Development:
The primary
goal of the IaC environment is to use code libraries to build it out. Since source code
creation is often forgotten about when it comes to security, keep the following
in mind:
Ø Create
the appropriate rights, permissions, and privileges for everybody that is on the
DevSecOps team.
Ø Keep
a version control of all software builds that go into the IaC environment.
Ø Always
test any Open-Source APIs that you may use in a sandboxed environment first.
Ø Monitor
your Privileged Access Management (PAM) environment very closely.
3) Testing:
Before you put your IaC framework
into the production environment, you should first evaluate it:
Ø Assess
each component of it in a sandboxed environment (as just discussed).
Ø Make
sure that the source code has been completely vetted of any gaps or vulnerabilities. This can very often be done through
Vulnerability Scanning or Penetration Testing.
In fact, according to the “2024 State of
Cloud Security Report” by Orca, over 74%
of businesses failed to detect any issues with the Cloud deployments (as
it relates to the IaC environment that was created). To get more details on this, click on the
link below:
http://cyberresources.solutions/blogs/2024-State-of-Cloud-Security-Report%20(1).pdf
4) Deploy
and Monitor:
After you have implemented your
IaC framework into your Cloud based deployment, you now have made sure that it
is running smoothly. Here are some points
in this regard:
Ø Make
use of SIEM to notify you on a real time basis of any abnormal network activity
or behavior.
Ø Try
to make use of Generative AI to filter out for the False Positives. This will help alleviate “Alert Fatigue” on
your IT Security team.
Ø Have
a Change Management process in place for any updates or reconfigurations that
you need to do for your IaC environment, and make sure that everything is well
documented.
My Thoughts on This:
As Cloud technologies evolve over time, there is no way
that you can keep track of everything on a manual basis. You will need automation, and even lots of
it. This is where IaC will come in very
useful. But remember, it is also prone
to Cyber Threat Variants, as the given how powerful the IaC is, it will soon
become a prized target for the Cyberattacker.
Therefore, keep checking the controls that you have in place
for them, and change/upgrade them as necessary.
Also, we will see IaC being used heavily in Edge Computing. This is where all the data processing occurs
in a location that is close to your device.
This helps to avoid any downtime or network latency when you need your
datasets the most.
No comments:
Post a Comment