Infrastructure as Code (IaC) Security in 2024

Learn about balancing Security and Scalability for your infrastructure as code


Thank you for reading Cloud Security Newsletter

Thank you for the very warm support for the new-look newsletter; it has been very encouraging to see the feedback and so many new subscribers. We are going to continue to try and make this better.

In case this is your first Cloud Security Newsletter: welcome! We are a weekly newsletter from the team behind Cloud Security Podcast & AI CyberSecurity Podcast, deep diving into top-of-mind topics in emerging technology to make sure that, collectively, we feel confident securing things in this ever-changing world of Cloud, AI and whatever comes next.

Who else is here reading with you? Ashish & Shilpi from the weekly show Cloud Security Podcast, and friends and colleagues from companies like Netflix, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, Capital One, Robinhood, HSBC, British Airways, Airbnb & more who subscribe to this newsletter. If you are reading this, thank you for supporting us.


Cloud Security Topic of the Week: Infrastructure as Code Security

In this issue, we are deep diving into Infrastructure as Code (IaC) security, with insights from Armon Dadgar, Co-Founder and CTO of HashiCorp, whilst revisiting our past episodes with Mike Ruth, Senior Staff Security Engineer at Rippling, and Barak Schoster Goihman, previously CTO & Co-Founder at Bridgecrew and currently a Partner at Battery Ventures.

Definitions and Key Concepts

Infrastructure as Code (IaC) has revolutionized cloud deployments, enabling organizations to manage infrastructure through code rather than manual processes. This has saved hours for many Platform and DevOps teams across many organizations.

As IaC adoption grows, so do the potential security risks. This week's newsletter explores key concepts, challenges, and best practices for securing infrastructure as code, with a focus on Terraform and insights from industry experts Armon Dadgar, Barak Schoster, and Mike Ruth.

Key Definitions

  • Infrastructure as Code (IaC): The practice of managing and provisioning infrastructure through machine-readable definition files, rather than manual processes.
  • Terraform: An open-source IaC tool created by HashiCorp that allows users to define and provision infrastructure resources across multiple cloud providers.
  • State File: A JSON file used by Terraform to map real-world resources to your configuration, keep track of metadata, and improve performance.
  • Software Supply Chain: The series of steps and processes involved in creating, distributing, and maintaining software, including third-party components and tools.
  • Zero Trust: A security model that assumes no trust by default, requiring continuous verification of identity and access rights.

Practitioner's View

The Evolution of IaC and Terraform

In his chat with us, Armon, co-founder and CTO of HashiCorp, shared the story of Terraform's evolution:

  1. Open Source Beginnings: Terraform started as an open-source CLI tool, used directly from developer workstations.
  2. Enterprise Adoption: As organizations scaled, HashiCorp introduced Terraform Enterprise (self-hosted) and Terraform Cloud (SaaS) to address scalability and security challenges.
  3. Standardization: Platform teams began using Terraform to create standardized, secure deployment patterns for infrastructure across their organizations.

Barak Schoster, former co-founder of Bridgecrew, spoke during his interview with us about the importance of IaC in cloud security:

"Cloud security for the first time means that you can enforce security using APIs all across the way." - Barak Schoster

The Importance of Platform Teams

"For almost every large enterprise, I think the answer is you should have a platform team from the beginning, because it's one of these things where it's like an ounce of prevention is worth a pound of cure." - Armon Dadgar

Platform teams can:

  • Standardize deployment patterns
  • Manage shared services
  • Enforce security controls consistently
  • Shield application teams from infrastructure complexities

Identity-Centric Security and Zero Trust

Both Armon and Barak stress the shift towards identity-centric security in cloud environments:

  1. Beyond Network Perimeters: Traditional network-based security models are becoming less relevant in cloud environments.
  2. Machine Identity: While human identity is well-understood, machine or application identity presents new challenges.
  3. Automation is Key: As Armon puts it, "Unless you're using something like infrastructure as code that you can automate the delivery of the secrets, if a human has to manually log in, by definition, it's not going to be very secure."


Supply Chain Risks in Terraform Deployments

Mike Ruth, senior staff security engineer at Rippling, shared his findings from his research on Terraform supply chain risks:

  1. Secret Exfiltration: Malicious pull requests could potentially exfiltrate secrets and environment variables during the plan phase.
  2. State File Access: Vulnerabilities allowed unauthorized access to state files across different workspaces, potentially exposing sensitive information.
  3. Apply on Plan Bypass: Researchers found a way to perform a Terraform apply within the context of a plan, bypassing code review processes.

Mike spoke about the difficulty in detecting these issues (Full Episode link at the bottom of the email):

"The logs don't actually have the run results because obviously sensitive things are potentially ending up in there, or it's a little too verbose." - Mike Ruth


Mitigation Strategies and Best Practices

Drawing from all three experts, here are key strategies to improve IaC security:

  1. Access Control: Carefully manage permissions for Terraform workspaces and associated repositories.
  2. Policy Enforcement: Implement policy-as-code solutions like HashiCorp Sentinel or OPA to enforce security standards.
  3. Static Code Analysis: While challenging to implement effectively, static analysis can help catch some vulnerabilities in your IaC.
  4. Secure Modules: Develop and use secure, standardized modules for common infrastructure patterns that anyone in the organization can easily use.
  5. Continuous Education: Stay informed about potential vulnerabilities and best practices in the rapidly evolving IaC landscape.
  6. Consider Trade-offs: Be aware of the balance between security and developer experience. For example, disabling speculative plans can increase security but may hinder productivity.
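Mitigation 2 applied to risk 1 above, as an added example that is not from the newsletter or any of the guests' work: a policy-as-code gate written in Python rather than Sentinel or OPA, run over the `configuration` section of `terraform show -json` output before a pull request's plan is trusted. It blocks configurations that introduce constructs executing programs on the CI runner (the `external` data source at plan time, `local-exec`/`remote-exec` provisioners at apply time), including inside child modules; the plan JSON is constructed for the example and follows Terraform's documented JSON output format.

```python
import json

# Constructed sample of `terraform show -json plan.out`, trimmed to the `configuration`
# section this check reads; shape per Terraform's documented JSON format, values made up.
SAMPLE_PLAN_JSON = json.dumps({"configuration": {"root_module": {
    "resources": [
        {"address": "aws_s3_bucket.logs", "mode": "managed",
         "type": "aws_s3_bucket", "name": "logs"},
        # An `external` data source runs its program during `terraform plan`,
        # i.e. before any reviewer has approved the pull request.
        {"address": "data.external.build_info", "mode": "data",
         "type": "external", "name": "build_info",
         "expressions": {"program": {"constant_value": ["./version.sh"]}}},
    ],
    # Modules are configuration too: a root-module-only check misses this one.
    "module_calls": {"bootstrap": {"source": "./modules/bootstrap", "module": {
        "resources": [{"address": "null_resource.init", "mode": "managed",
                       "type": "null_resource", "name": "init",
                       "provisioners": [{"type": "local-exec", "expressions": {
                           "command": {"constant_value": "./init.sh"}}}]}]}}},
}}})

# Constructs that execute programs on the CI runner (where provider credentials and
# environment variables live): data sources at plan time, provisioners at apply time.
PLAN_TIME_EXEC_DATA_SOURCES = {"external"}
EXEC_PROVISIONERS = {"local-exec", "remote-exec"}

def iter_resources(module: dict, prefix: str = ""):
    """Yield (address prefix, resource) for a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield prefix, res
    for name, call in module.get("module_calls", {}).items():
        yield from iter_resources(call.get("module", {}), f"{prefix}module.{name}.")

def find_code_execution(plan_json: str) -> list[str]:
    """Return one violation per resource that would run a program on the runner."""
    root = json.loads(plan_json)["configuration"]["root_module"]
    violations = []
    for prefix, res in iter_resources(root):
        addr = prefix + res["address"]
        if res["mode"] == "data" and res["type"] in PLAN_TIME_EXEC_DATA_SOURCES:
            violations.append(f"{addr}: {res['type']} data source runs a program at plan time")
        for prov in res.get("provisioners", []):
            if prov["type"] in EXEC_PROVISIONERS:
                violations.append(f"{addr}: {prov['type']} provisioner runs a command at apply time")
    return violations

def plan_may_proceed(plan_json: str) -> bool:
    """Gate result: True only when the configuration introduces no program execution."""
    return not find_code_execution(plan_json)
```

Wiring this into CI as a required check before the plan's output is trusted is the point: a plan that fails the gate never gets its logs, outputs or apply step, regardless of who opened the pull request.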


The Future of IaC Security

"If it gets 10x easier to write infrastructure as code, it needs to get 10x easier to govern that security, because otherwise you're gonna create a bunch of vulnerabilities." - Armon Dadgar


Key Insights

  • IaC security requires a holistic approach, considering the entire workflow around infrastructure definitions.
  • As organizations scale, having standardized patterns and dedicated platform teams becomes crucial.
  • Zero trust principles are highly relevant to IaC security, with a focus on identity and least privilege access.
  • Supply chain attacks targeting the IaC workflow are a growing concern that organizations need to actively mitigate.
  • The balance between security and developer experience is an ongoing challenge in IaC implementations.


Related Resources


Related Podcast Episodes

The Evolution of Infrastructure as Code so far - 2024 Edition

Software Supply Chain Controls for Terraform

Infrastructure as Code Security


Are you interested in AI Cybersecurity?

Then you should definitely check out our sister podcast, AI Cybersecurity Podcast, hosted by Ashish Rajan and Caleb Sima.


Cloud Security Training from Practitioners!

Want to learn more about Cloud Security, or know someone who does? We've got you!

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet? There are also paid online and corporate trainings available for those looking to hit their Cloud Security goals this year!


We would love to hear from you for a feature or topic request, or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community.

Hope you are enjoying this new look Cloud Security Newsletter, there’s plenty more to come.

Peace!

Shilpi Bhattacharjee

Was this forwarded to you? You can sign up here if this was helpful for you.

Want to sponsor the next newsletter edition? Let's make it happen.
