The past decade has seen great change in the application development space - the move to Agile was huge, and the introduction of DevOps. DevSecOps, is of course, the next evolution of that process.
But there's another concept that's been steadily growing in popularity for the past 10 years which is much simpler to implement than other major digital transformations (like moving to Agile), and could have great benefits to a burgeoning DevSecOps team.
It's called infrastructure as code, but what is it, and what can it do?
Not sure what DevSecOps is? Here's an introduction.
Infrastructure as code (IaC) is a bit of a magic wand for digital professionals looking to establish new virtual machines. It reduces servers to simple configuration files - that is, config files with human-readable text - which can be uploaded to software such as TerraForm to rapidly produce new virtual machines in your chosen cloud service. In fact, you could theoretically have a new server up and running in as little as 15 minutes using a config file.
Infrastructure as Code (IaC)
Reduces servers to simple config files which can be used to rapidly produce new, secure virtual machines in as little as 15 minutes.
IaC config files as a single source of truth
These files act as a single source of truth for all things related to the configuration of the server. There's no logging into a console to manually build, configure, change, or check information. It's all presented there in a readable text format, and this text can be configured right down to the service by service level.
As we explore below, this is going to create a lot of simplicity and consistency for when the DevSecOps teams need to review or debug their apps, especially teams working in highly regulated environments with a lot more complexity.
In DevSecOps, the goal is to be faster and more efficient without sacrificing quality (perhaps even improving it). These teams must be able to set up multiple environments very rapidly - like development environments, testing, etc. - as well as places to host their apps. Such environments have to be consistent and secure.
This is, essentially, what IaC does for DevSecOps teams - it improves both speed and consistency.
Another key consideration is that it's very easy to access IaC. Learning how to use it is not difficult, and then implementing it is generally even easier. So, it's arguably essential in any modern business that is trying to digitally transform; because it's so useful and so easy to implement relative to other transformations, there's almost no excuse for not moving to IaC.
Read more: "How to implement digital transformation"
Note: In order to successfully utilize IaC from a security point of view, your security team members will need to be familiar with reading config files to be able to quickly identify potential problem areas. This may require additional training, or the hiring of personnel with the right expertise.
This all sounds too good to be true, which must mean there's a catch. Well, as with all things in technology there are security challenges to consider with IaC.
When we reduce the configuration of important virtual machines to a config file, we create a single point of failure. If any outside actors should gain access to this file, they gain access to your servers and every detail of their setup. For anyone, this is a massive red flag - for developers working on extremely sensitive or regulated apps, it's even more so.
1. Access management
Good access management is the first bulwark against any outside entity gaining access to your sensitive config files.
Access and identity management (IAM) policies that include all the core best practices can maintain a base level of security that works hard to prevent people who shouldn't be able to touch these files from ever getting near them. Such best practices include:
Download our PDF to learn more: Identity and access management: A guide to best practices
2. Version histories
We mentioned earlier that there is great benefit to storing your config files in a secure git repository. This was so Ops teams could easily review the version histories of everything they are running.
Of course, this has security benefits, too.
When you can easily see who has changed what, when, you can keep an active eye out for tampering, misuse and accidents. This might help you spot criminal activity in your system earlier, understand when criminal activity took place in hindsight (in the event of investigating after a breach), or identify accidental misuse that shows you who in the company requires more training.
In the development of apps, often this repository will be the same as where the project's code itself is stored.
3. Manage rights to the provisioning application
What's left, then, from a security challenge point of view, is managing access rights to the provisioning application, i.e. TerraForm.
Again, you don't want just anyone to be able to access this software and read or implement your config files. Here we would relate you back to our point on access management above - but applying it specifically to TerraForm (or whatever other software you use).
Infrastructure as code is a relatively simple digital transformation that can greatly improve the day-to-day lives of busy DevSecOps teams. It enables server configuration to be consistent, error-free and easier to check when debugging or hunting security vulnerabilities.
Of course, config files also create a single point of failure, and so they must be protected - kept secure in a safe repository, accessible only by privileged few.
For anyone developing, monitoring or securing apps, IaC is vital. This is especially true for those working with highly sensitive information in regulated environments, where even small errors can be far more critical. Knowing you can produce consistency and quality is one more element of peace of mind when it comes to protecting your data.
At dig8ital, we're experts in determining how individual businesses - and all the unique requirements therein - can make the change to a DevSecOps environment and begin utilizing modern practices such as infrastructure as code.
For a free maturity consultation, contact us today.