Infrastructure as code (IAC) technologies enable engineers to version control, deploy and improve cloud infrastructure using DevOps processes, but they can also put organisations at risk.
This is according to experts speaking during a Palo Alto Networks webinar on the Cloud Security Automation Stack.
Gordon Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks, said: “A few years ago, to deploy into a cloud environment you would deploy via the web GUI, then they started adopting cloud CLI tools and things got faster, now people are using proper infrastructure as code languages to deploy the infrastructure out as code. The great advantage of cloud automation is that we’re no longer moving at the speed of people, we’re moving at the speed of machines. It’s an absolute must for businesses to respond to change and keep up with the competition. Unfortunately it’s not all roses from a security perspective.”
Frans de Waal, Prisma Cloud sales specialist at Palo Alto Networks, said Palo Alto’s threat intelligence team, Unit 42, had found a significant number of misconfigurations in the IAC templates available for use as the base for production workloads.
“We found 42% of CloudFormation templates insecure, 51% of exposed Docker containers use insecure defaults, 24% of exposed cloud hosts have known vulnerabilities and 43% of cloud databases are not encrypted, so infrastructure as code can expose organisations to massive risk,” he said.
De Waal and McEwan said shifting security left would help to address these risks and alleviate security teams’ concerns about the lack of visibility and security controls in development pipelines.
Said McEwan: “Too many people focus on security in the deployment phase. With the adoption of infrastructure as code, they won’t need to spend so much time and money attending to security issues if things are secured right at the beginning.
“Shifting security left will reduce the pain the security teams feel, and will also reduce costs in the long term. It’s important to scan at the build phase, but also in the deploy and run phases. When we push the image into a production cluster, the manifest itself might be insecure. When the application is in runtime it’s also super important to look at what that microservice is doing, monitoring its expected behaviour and raising alerts if it does something outside of normal. We need a security solution that spans the breadth of the pipeline.”
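The build-phase scanning described above can be illustrated with a small policy-as-code check that runs over a CloudFormation template before anything is deployed. The following is an added example written for this article; it is not code from the webinar or from Prisma Cloud. The template, the three rules (unencrypted or public RDS instance, security group open to the internet, S3 bucket without default encryption or public access block) and the severity threshold are all constructed for illustration, and the template is in CloudFormation's JSON form so the example needs only the standard library.

```python
"""Minimal build-phase IaC misconfiguration scanner for CloudFormation (JSON).

Added example (not from the webinar or Prisma Cloud). The rule set and the
two sample templates below are constructed for illustration.
"""
import json
from typing import Callable

Finding = tuple[str, str, str]          # (severity, logical id, message)
Rule = Callable[[str, dict], list[Finding]]

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}     # "anyone on the internet"

# Constructed sample: three resources, all misconfigured in some way.
INSECURE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppDb": {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"Engine": "postgres", "StorageEncrypted": False,
                                 "PubliclyAccessible": True}},
        "SshSg": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"GroupDescription": "ssh",
                                 "SecurityGroupIngress": [
                                     {"IpProtocol": "tcp", "FromPort": 22,
                                      "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})

# The same template with each finding remediated.
SECURE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppDb": {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"Engine": "postgres", "StorageEncrypted": True,
                                 "PubliclyAccessible": False}},
        "SshSg": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"GroupDescription": "ssh from corporate range",
                                 "SecurityGroupIngress": [
                                     {"IpProtocol": "tcp", "FromPort": 22,
                                      "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
        "Logs": {"Type": "AWS::S3::Bucket",
                 "Properties": {
                     "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                         {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
                     "PublicAccessBlockConfiguration": {
                         "BlockPublicAcls": True, "BlockPublicPolicy": True,
                         "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
    },
})


def rule_rds(logical_id: str, props: dict) -> list[Finding]:
    """Databases must be encrypted at rest and not reachable from the internet."""
    findings = []
    if props.get("StorageEncrypted") is not True:
        findings.append(("HIGH", logical_id, "RDS instance is not encrypted at rest"))
    if props.get("PubliclyAccessible") is True:
        findings.append(("HIGH", logical_id, "RDS instance is publicly accessible"))
    return findings


def rule_security_group(logical_id: str, props: dict) -> list[Finding]:
    """Flag any ingress rule whose source is the whole IPv4 or IPv6 internet."""
    findings = []
    for ingress in props.get("SecurityGroupIngress", []):
        if ingress.get("CidrIp") in WORLD_CIDRS or ingress.get("CidrIpv6") in WORLD_CIDRS:
            ports = f"{ingress.get('FromPort')}-{ingress.get('ToPort')}"
            findings.append(("HIGH", logical_id, f"ingress from the internet on ports {ports}"))
    return findings


def rule_s3(logical_id: str, props: dict) -> list[Finding]:
    """Buckets need default encryption and all four public-access blocks set."""
    findings = []
    if "BucketEncryption" not in props:
        findings.append(("MEDIUM", logical_id, "S3 bucket has no default encryption"))
    block = props.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(block.get(k) is True for k in keys):
        findings.append(("MEDIUM", logical_id, "S3 bucket does not block public access"))
    return findings


RULES: dict[str, Rule] = {
    "AWS::RDS::DBInstance": rule_rds,
    "AWS::EC2::SecurityGroup": rule_security_group,
    "AWS::S3::Bucket": rule_s3,
}


def scan(template_text: str) -> list[Finding]:
    """Run every rule that applies to each resource type in the template."""
    template = json.loads(template_text)
    findings: list[Finding] = []
    for logical_id, resource in template.get("Resources", {}).items():
        rule = RULES.get(resource.get("Type", ""))
        if rule is not None:
            findings.extend(rule(logical_id, resource.get("Properties", {})))
    return findings


def gate(template_text: str, fail_on: str = "HIGH") -> bool:
    """True if the template may proceed to deploy: no finding at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK[sev] < threshold for sev, _, _ in scan(template_text))


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(f"{name}: deploy allowed = {gate(text)}")
        for severity, rid, message in scan(text):
            print(f"  [{severity}] {rid}: {message}")
```

In a pipeline the `gate` call is what fails the build: a CI step runs it against the rendered template and refuses to hand the template to the deploy stage when any HIGH finding is present, so the misconfiguration is caught at the cost of a failed build rather than a running exposed workload. The same rules can be re-run against the deployed stack's template at the deploy phase, which is the second scanning point the speakers describe.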
De Waal said: “The security components need to be baked in at every step. Organisations need to gain deep visibility across the environment, implement security guardrails to identify misconfigurations, adopt standardised controls to support automation and achieve control over the workloads with single pane of glass capability.”
De Waal and McEwan outlined how Prisma Cloud embeds IAC security into DevOps tools across build, deploy and runtime, to help create secure, compliant cloud infrastructure from code to cloud.
As part of the Prisma Cloud Native Application Protection Platform (CNAPP), the Cloud Code Security module enables teams to find and fix vulnerabilities and misconfigurations in code, decreasing costs and time to remediation. It offers full stack security from code to cloud and automates security in DevOps tooling, adding security feedback natively in the tools developers and DevOps teams use, and so reduces the burden on security teams.