On-demand cloud computing platforms, like AWS, Microsoft Azure and Google Cloud Platform, enable their clients to review the security and compliance reports, certifications, accreditations and other third-party attestations that validate the implementation and operating effectiveness of the security controls used to secure their products and services. For example, AWS Artifact is a self-service portal for on-demand access to AWS' compliance reports, and Microsoft offers similar access to reports via its Trust Center and Service Trust Portal.
Not only do these reports and resources help clients track and manage their own regulatory compliance activities within the cloud, they also provide valuable insights into the physical, infrastructural and operational controls that are necessary to meet various security standards and regulations. While these providers' IaaS and PaaS resources may conform to industry best practices, that does not guarantee that a client's own use and implementation of them will meet the same standards. In fact, there is a danger that some network engineers responsible for designing and building their organization's cloud-based services are committing the same mistake that so many software developers make: copying and pasting code examples straight from the web into templates that are intended for use in production.
Security benefits of infrastructure as code
Infrastructure as code is the management of an IT infrastructure through machine-readable scripts or definition files, rather than through manual configuration processes, with those files kept under the same versioning techniques that software development teams use for source code. An infrastructure-as-code model generates the same environment every time by representing the desired state of the environments via code, enabling teams to deliver stable, consistent environments, rapidly and at scale. This automation can remove the security risks associated with human error and prevent runtime issues caused by configuration drift -- as long as the code results in a secure IT infrastructure.
Many of the user and developer guides, API references and tutorials provided by cloud platform providers include example configurations and code snippets, but they are often not written with security in mind and tend to be simplified in order to explain how a function or feature works. Third-party and independent code examples and how-tos also tend to use insecure infrastructure configurations, such as enabling SSH access to resources from any IP address, to avoid overcomplicating step-by-step instructions. Although many documents and articles include warnings that the settings used are insecure and are unsafe for production environments, without proper training and code reviews, there is a real danger that weak or insecure security configurations can make it through to production environments.
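One way to catch the copied "SSH from any IP address" setting before it reaches production is an automated check over the template in code review or CI. The following is an added example, not code from the article or from any cloud provider; it assumes templates are AWS CloudFormation documents already parsed into a dictionary, and the sample template and its resource names are constructed for illustration.

```python
ANYWHERE = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

def covers_ssh(rule):
    """True if the rule's protocol and port range include TCP/22."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    try:
        return int(rule["FromPort"]) <= SSH_PORT <= int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return True                        # unresolved port (e.g. a Ref): fail closed

def open_to_world(rule):
    """True if the source is a literal any-address CIDR (IPv4 or IPv6)."""
    return any(isinstance(rule.get(k), str) and rule[k] in ANYWHERE
               for k in ("CidrIp", "CidrIpv6"))

def find_open_ssh(template):
    """Return sorted logical IDs of resources with world-open SSH ingress."""
    hits = set()
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]                # standalone rule resource
        else:
            continue
        rules = [r for r in rules if isinstance(r, dict)]
        if any(covers_ssh(r) and open_to_world(r) for r in rules):
            hits.add(name)
    return sorted(hits)

def _sg(*rules):  # helper to build the constructed sample below
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "sample", "SecurityGroupIngress": list(rules)}}

# Constructed sample template, shaped like a snippet copied from a tutorial.
SAMPLE = {"Resources": {
    "TutorialSG": _sg({"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}),
    "WebSG": _sg({"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}),
    "AdminSG": _sg({"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}),
    "AllTrafficRule": {"Type": "AWS::EC2::SecurityGroupIngress",
                       "Properties": {"GroupId": "sg-placeholder", "IpProtocol": "-1", "CidrIpv6": "::/0"}},
}}

if __name__ == "__main__":
    for name in find_open_ssh(SAMPLE):
        print(f"FAIL {name}: SSH reachable from any address")
```

A rule whose source CIDR is supplied through a template parameter is not flagged here, so parameter values still need review at deployment time.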
Include security in the code
Those responsible for a project's security need to ensure there is a strong framework for incorporating security practices in the entire application development process, including the development of the code to create, configure and deploy the infrastructure that the application or service will run on. Security misconfiguration has long been in the Open Web Application Security Project Top 10 Most Critical Web Application Security Risks, and if development teams cut and paste examples without reading the security implications of a particular setting or configuration in the relevant documentation, the problem will only get worse.
AWS introduced over 1,000 new features to its fleet of services in 2018, so providing ongoing training for software developers and IT infrastructure administrators involved in a cloud project is essential. Code walk-throughs, where developers detail the structure and purpose of their code and the rationale behind it to the rest of the team, are a great way to ensure everyone understands how the IT infrastructure is being built and secured, as well as providing opportunities for errors or oversights to be spotted and corrected. Using a code repository for a project's infrastructure code is also essential, as it provides version control and tracking for changes to code and ensures better code management pre- and post-deployment, with rollback options if there is a problem.
Software projects and applications are getting more complex, as are the infrastructures they run on, so it's vital that secure coding standards are enforced throughout, on all aspects of the project's code base. Infrastructure-as-code models could benefit standardization efforts.