Page 88 - Cyber Defense eMagazine December 2022 Edition
Infrastructure is not just about production workloads. It is something required to support the entire
development process. The great thing about IaC is that everyone can specify what resources are needed
at every stage of the SDLC: spawn a few isolated environments at the development stage, replicate the
production conditions for testing, etc. IaC is the standard language for describing these resources and
how they should be configured.
This yields incredible benefits for go-to-market strategies: infrastructure becomes as flexible as the
software it supports, faster to execute thanks to reusable modules, and more consistent at the same
time. When done right, maintenance costs are lowered, as is the risk of human error.
Of course, as requirements become more complex, so do IaC declarations. But this is where this
technology shines: having a textual "single source of truth" (meaning what's written in the files
corresponds at all times to what is deployed and how it is configured) that is version-controlled (allowing
people to inspect changes and collaborate easily) saves engineers a lot of time and headaches.
This paradigm has a name: GitOps. It allows faster and more reliable cloud-native deployments by using
the same approach for managing infrastructure configuration files as for software source code. Teams
collaborate more effectively on infrastructure changes and vet configuration files with the same rigor as
software code. Infrastructure definitions are stored in git repositories, incrementally modified and
reviewed through pull or merge requests, and finally tested and applied via CI/CD pipelines.
Since engineers are working directly with code, IaC has made infrastructure workflows shift left.
But as with everything, this comes at a cost. In this case, it is the need to shift cloud security left as well.
Securing the infrastructure with code
Regarding security, IaC has some interesting features: first, it can be used to automate the provisioning
of security controls. This means that you can enforce security policies more consistently and efficiently.
Second, IaC can help you to manage your security posture more effectively. By automating the
provisioning of security controls, you can more easily track and monitor your infrastructure for security
issues. This can help you to identify and resolve any potential security problems quickly.
Finally, IaC can also help you to improve your incident response capabilities. You can more quickly and
easily deploy countermeasures during a security incident. This can help minimize the impact of the
incident and get infrastructure back up and running as soon as possible.
But protecting the infrastructure is a considerable challenge. By blurring the line between application and
infrastructure security, IaC adoption raises a big question: who should be responsible for it?
Infrastructure-as-Code is a new responsibility
It goes without saying that infrastructure security is paramount. Traditionally, specialized operations
teams supervised this attack surface with many tried and tested tools. But when code manages
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.