* By Fernando Cardoso

Infrastructure as Code (or IaC) is the new norm for creating and building cloud environments from computer-readable data or code templates. Physical hardware may need to be racked and configured before you can use it, so bringing up a new server usually takes weeks or months. With IaC, you can create the complete infrastructure for a cloud application in less than an hour. So why is it important to integrate security into Infrastructure as Code projects? According to the consultancy Gartner, by 2022, 95% of cloud security breaches will be the user's responsibility.

Before the Infrastructure as Code model, IT teams had to add each server to the datacenter manually, installing the operating system and applying the appropriate settings before putting it into service. In some cases, teams used automated scripts to help with some tasks, although this did not make the process fully automated. Five years ago I remember working on some projects in the banking sector, in which it was necessary to wait a month or two to have the necessary infrastructure to start some projects. Today, it is possible to create this in a few hours or minutes, following all the compliance parameters that are needed.

With IaC, the infrastructure takes the form of code templates. Because a template is a text file, it is easy to edit, copy and share with your team. It is even recommended to place the file under source control, just as we do with any source code file, using repositories such as GitHub, GitLab or Bitbucket. I list here the three main benefits of using IaC:

Speed - Lets you provision new infrastructure quickly using only code or scripts.

Control - Because the IaC template is treated like any other source code file, the code repository gives you full traceability of every change each template has had.

Consistency - Anyone is susceptible to making mistakes. IaC prevents these errors by using configuration files with a single source of truth, thus guaranteeing the same configuration across the entire environment.

Nowadays, there are a large number of tools that allow you to create Infrastructure as Code. Here are the most popular:

• Terraform
• AWS CloudFormation
• Azure Resource Manager or ARM Templates
• Pulumi
• Google Cloud Deployment Manager
• Ansible
• KOPS

According to Sam Guckenheimer, who works on the Microsoft Azure DevOps team: "Teams that implement IaC can deliver more stable environments in a fast and scalable way. Teams avoid manual configurations of these environments and reinforce consistency, presenting the desirable state of their environments through code. The deployment of the infrastructure with the IaC is repeatable and prevents runtime problems caused by configuration slips or lack of dependencies."

Because configuration errors in cloud infrastructure are so common, it is essential to give IaC developers real-time visibility and feedback before they build cloud environments that contain security or compliance flaws that can cause headaches for the company. It is important to ensure that the creation of a new cloud infrastructure follows best architectural practices such as the AWS Well-Architected Framework and the Azure Architecture Framework.

Most errors in Infrastructure as Code are generated by:

• Human errors
• Insufficient time to review the IaC due to the business's urgent demand to get the app or solution up and running as soon as possible
• Configuration error due to lack of knowledge in cloud services
• Multi-cloud challenges with the lack of standardization in different environments

A Cloud Security Posture Management (CSPM) security tool helps detect these issues quickly, remediate them and bring visibility into the multiple cloud environments your company may have.

Three ways to ensure security and compliance in Infrastructure as Code projects

Integrated Development Environment (IDE) - Security plug-in

The IDE security plug-in is designed to give developers real-time feedback on Infrastructure as Code and application code as they write it. A developer can scan and correct errors inside the Integrated Development Environment without needing other security tools. This is the fastest way to bring security into your projects: it reduces friction and increases developer adoption of security validation and compliance rules.

Template scanners

Template scanners call the Cloud Security Posture Management (CSPM) APIs directly, which lets you integrate custom tools or specific use cases into continuous integration and continuous delivery (CI/CD) pipelines. This provides real-time checks every time new code is committed, and the results can be shared with developers and cloud architects, who can review potential risks before production. If a scanner finds a "high risk" or "extreme" problem, it can be configured to stop the pipeline and notify the development team through communication channels such as Slack.
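As an added example (not code from the article, nor from any CSPM product), here is a minimal template scanner and pipeline gate in Python: it runs two defensive checks over a constructed CloudFormation-style JSON template and refuses the deploy when any finding is rated high or extreme, the gate the paragraph above describes. The resource names, rules and severity labels are assumptions made for illustration.

```python
import json

# Constructed sample CloudFormation-style template (not from the article): a bucket
# with no public-access block, a security group open to the world on SSH, and one
# correctly restricted security group.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
}})

# Severities that stop the pipeline, mirroring the "high"/"extreme" gate in the text.
BLOCKING = {"high", "extreme"}

def check_s3_public_access(name, props):
    """Flag buckets that do not block public ACLs and bucket policies."""
    cfg = props.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(cfg.get(k) is True for k in keys):
        return [(name, "high", "S3 bucket does not block public access")]
    return []

def check_sg_open_admin_ports(name, props):
    """Flag ingress rules that expose SSH (22) or RDP (3389) to the whole internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        ports = range(int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535)) + 1)
        if world and (22 in ports or 3389 in ports):
            findings.append((name, "extreme", "admin port open to the world"))
    return findings

CHECKS = {"AWS::S3::Bucket": check_s3_public_access,
          "AWS::EC2::SecurityGroup": check_sg_open_admin_ports}

def scan_template(template_text):
    """Return (resource, severity, message) findings for a JSON template."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings

def pipeline_gate(findings):
    """True if the deploy may proceed, False if any blocking finding exists."""
    return not any(sev in BLOCKING for _, sev, _ in findings)
```

In a real pipeline the gate result would set the job's exit status, and the findings list would be what gets posted to the team's chat channel.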

Cloud security posture management (CSPM)

CSPM is a security tool that detects configuration errors across multiple cloud service providers. This technology can help with the main challenges of implementing security in the DevOps pipeline. CSPM solutions can also assist in the automatic remediation of problems in cloud infrastructure, which gives companies a coherent picture of security and compliance risks across multiple cloud environments. CSPM includes security tooling for use cases such as:

• Compliance monitoring
• Visibility into cloud configuration errors
• DevOps integration
• Incident response
• Risk assessment
• Risk visualization

Conclusion

Infrastructure as Code has numerous benefits in our daily routines, especially when creating a new environment or shutting environments down, in the cloud and in data centers with technologies such as NSX and Kubernetes. However, it is important to consider the security of the infrastructure being created, so that it follows best practices as well as your company's compliance rules.

When choosing security solutions for IaC, make sure the technology is the most appropriate for your objectives and that it fits your projects well, so that you do not lose automation and agility in your daily work. Remember that detecting security flaws or configuration errors in the early stages of building new infrastructure can guarantee huge savings in financial resources, as well as a great reduction in security risk.

* Fernando Cardoso is a solution architect for Trend Micro, a leading global cybersecurity company.

Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
