#HowTo: Bolster Infrastructure as Code Security

Written by

A single bad line of code can have a ripple effect throughout an entire project. Security processes face the same dilemma, especially when using Infrastructure as Code (IaC) processes and tools. Any vulnerabilities or misconfigurations in IaC artifacts are amplified in cloud architecture. Collectively, source code, IaC artifacts and container images are foundational to digital services. Any problems quickly propagate within digital supply chains.

Mitigating code-level issues requires that organizations factor security into engineering processes. This ‘shift-left’ approach helps engineers identify and eliminate vulnerable code before deployment and reduce the window of exposure to threats. The approach requires scanning continuously during code creation, code commit and within CI/CD pipelines. To make this approach work, start with these six focus areas:

1. Address Kubernetes Security

Kubernetes has become the de facto standard for running containers at scale. It can be challenging to manage, so teams often put off addressing security until they think they’re ready for production.

Instead, practitioners must check their installations earlier in the development cycle and look out for issues during runtime, such as misconfigurations. This ensures there are fewer security gaps that lead to incidents or breaches.

2. Create Security Feedback Loops

Ensure that security tooling is well-integrated into security workflow and, more importantly, engineer workflow. Developers can prevent risky configurations from entering production by scanning IaC artifacts. Scanning early during build and delivery prevents vulnerable images and configurations from being deployed. Tools like cloud security posture management (CSPM) and Kubernetes security posture management (KSPM) help maintain security, enable engineers to auto-remediate IaC configurations, close the loop from production to source and prevent runtime security issues.

3. Support Policy as Code Efforts

Practitioners enforce compliance and governance in their Kubernetes environments based on open policy agent (OPA), a policy as code and enforcement engine that works alongside Kubernetes admission control. DevOps teams can automate compliance and governance using OPA policies to scan IaC artifacts and container images pre-deployment and detect drift in runtime. Issues can be remediated at the source with a simple pull request, prioritized based on application context.

This approach enables engineers to enforce security baselines across all key aspects of their Kubernetes clusters. It also greatly reduces the likelihood of operator errors that can result in exploitable misconfigurations.

4. Include Risk-Based Prioritization

Being able to filter and prioritize risks based on what’s actually running is critical to operationalizing a security strategy. The goal is to focus remediation efforts on the most critical risks first. This concept is foundational with all security program work and certainly Kubernetes security strategy. Security control implementations are either passed or failed. There’s no magic to it, but the reasons behind a control failure can vary. 

As a common example, consider a container permitting root control. This is a risk because it allows privileged access to the host. If this type of container is compromised, an attacker can access other workloads and environments beyond the container confines. This setting can be easily audited for and blocked.

Knowing the reasons why a control failed may seem unimportant. However, by evaluating the nuances of these control failures, you can uncover knowledge gaps, process gaps, or other organizational structure problems. Common root causes are not designating enough time in design or development, not planning ahead for a deployment, insufficient knowledge of security risks and lack of resource optimization. When organizations examine their failures, they’re more equipped to address them strategically.

5. Promote Automation Wherever Possible

When remediating failed controls, teams prefer to integrate with their engineering tools and workflow to streamline efforts. Teams can map Kubernetes security violations to the IaC manifest that defines the impacted Kubernetes resource and originating code repository. Using this approach narrows the attack surface at runtime and ensures those changes are reflected in your IaC manifest so they don’t re-appear.

Engineering teams should see what the issue is and be presented with suggested or contextualized code fixes. Then they are better equipped to choose how to best apply the correction. This can be done manually, where engineers copy the corrected code into the production manifest. Ideally, the process is automated, where you remediate at the source by creating a pull request that integrates the fix into the manifest for deployment. 

6. Apply Industry Best Practices

It’s important to apply industry best practices around Kubernetes security, such as those from CIS, NIST and service providers, and they should be automated as much as possible. Verify implementation of the best practices in code early in the design and development stages (or shift-left). Enforce best practices in production with runtime security controls (or shield-right). Security tooling must be designed for cloud and container environments that are abstracted and ephemeral. When the strategy is implemented effectively, organizations are better equipped to quickly detect and respond to security incidents in cloud and cloud-native environments.

What’s hot on Infosecurity Magazine?