CyberTrend Analysis: Infrastructure as Code (IaC) Security

Originally Posted on Medium on Apr 14, 2021

💣 The Problem

Changes are Slow.

Traditionally, the IT change management process was long and tiresome. It required a manual submission of tickets, review by multiple teams, planning, and approval.

Changes are manual.

As they say, it’s only human to make mistakes. From environment access that causes data exposure to a single misplaced hyphen, manual changes are among the most significant drivers of environment malfunctions and breaches.

Changes are not consistent.

While environments might serve the same purpose, they may differ due to inconsistent change management. Inconsistencies drive various security challenges, including increased attack surface, recovery challenges, and transparency across the risk management program.

Security authors change requests, not changes.

Security authoring processes focus on the change request and its potential impact but do not observe the actual change, creating a gap between the approved change and the change that is actually made.

Security design documents are stale.

Security designs are mostly an archaeological reference that lets future teams see the original system design, but they have very little to do with the environment’s actual posture or structure. With every change the gap grows wider, and most organizations do not keep the original document up to date with those changes.

💡 The Opportunity

Variance is dead; long live uniformity.

IaC provides the framework for organizations to enforce consistency across the technology stack. Uniformity ensures security configuration and controls are coherent across different environments and deployments.

Make “secure by design” a reality.

“Secure by design” has been a big challenge for every security team. IaC brings security closer to the business at design time, enabling better alignment, finer granularity, and more in-depth security configuration.

Write enforceable policies.

Enabling security engineers to write security rules declaratively helps the IT teams understand the security constraints, create consistency across components, and flag changes that require further inspection.

Enhance runtime protection.

With IaC, runtime protection is driven by an understanding of the intended infrastructure rather than by anomaly detection alone. The security team can verify the structure, identify differences from the defined state, and immediately react to unsanctioned changes.

Infrastructure as code fundamentally changes how security engages with the product and IT teams, enabling further control and more significant security impact throughout the technology (e.g., products, environments) lifecycle.

🔮 The Predictions

The next big thing in security and for security.

Consistency: check. Getting security closer to the business: check. Enabling preemptive security: check. IaC checks all the boxes for the CISO and will play an active role in the next significant security transformation.

IaC adoption by security marks a change in the personas.

IaC requires more development capability than traditional infrastructure or policy knowledge. Consequently, IaC will drive CISOs to recruit engineers with development skills and train them in security, rather than the other way around.

The change management will change.

Instead of change management committees, tickets, and cumbersome approvals, infrastructure changes will occur on the code level, funneled through the CI/CD pipeline, and automatically released to production.

IaC will drive security giants out of their comfort zone.

Security vendors have generally promoted detection (with follow-up remediation) over preemptive whitelisting and blocking everything but the business necessity, because traditional security could not enforce whitelisting. Infrastructure-as-code will enable security teams to tighten their security and reach whitelisting, making most of the vendors’ features and advantages obsolete.

IaC opens the door to Security-as-Code.

Security-as-Code will be at the forefront of the security transition from a generic document provider to a technology-savvy, engineering-driven unit. Through the declaration of security, CISOs will gain the ability to track their posture from policy to asset, and from compliance demands to dynamic enforcement based on risk.

🕵️ The CISO View

Define a strategy for the adoption of Infrastructure-as-code.

The adoption of infrastructure as code has a cross-organizational impact on the security unit, including:

Product Security

  • Secure software development lifecycle: for technology organizations or organizations with internal development, SSDLC is a vital part of software development. IaC may impact the threat modeling, data flow diagrams, security controls, and boundary protection aspects.

  • Security design documents and controls will need to accommodate for a dynamic environment specification that evolves as the environment changes.

Compliance & Change Management

  • As change management may move from the ticketing systems to code repositories, the security team may need to adapt to the new change approval process and change deployment mechanisms.

  • Evidence collection for compliance purposes may change and require special attention to ensuring compliance (e.g., defining the difference between major and minor changes consistently and technically).

Detection & Response

  • Add logging and auditing capabilities to all components in the CI/CD pipeline.

  • Create a practice for converting manifests to detection rules within the SIEM & SOAR systems.

  • Create operational playbooks to react to discrepancies between the manifests and the runtime environments.

Security engineering/operations

  • Networking and infrastructure security teams will need to learn how to read and potentially write infrastructure manifests.

  • The vulnerability management lifecycle will need to account for updating components and deploying them automatically through manifests or reducing the risk rating due to compensating controls / the vulnerability’s applicability.

Identify the initiative champion on the business and the IT side.

The big concern for CISOs is being left behind while the business adopts infrastructure-as-code. Keeping a handle on the organizational process helps ensure that security takes an active part in the discussions and transitions with the business to the new form of operations.

Train employees to learn how to state a control declaratively.

Security will need to adapt to defining rules and controls systematically rather than in Word files or wiki pages. Train employees in the language agreed within the organization (e.g., Terraform, CloudFormation) and drive the team to start using it to define controls.

Create a database of controls written declaratively.

A database of controls helps create consistency and lets teams reuse patterns already built. Its structure also allows nesting of policies and rules, so that vital controls are enforced across the board while additional requirements are layered on per solution or environment.

Leverage an authoring tool for manifests.

Reading through potentially hundreds of lines of code to find security misconfigurations is a challenging task. Identify the right authoring tool for the organization and validate that it is connected to the manifests and actually scanning them.

Integrate the IaC manifests with the CSPM (Cloud Security Posture Management) tool.

Use a CSPM tool to protect the runtime environments: validate that they are consistent with the manifests as written and that no manual or unauthorized changes have taken place.
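As an added example (not code from the original post), the following Python sketch shows the three practices above as working code: a declarative control database, the manifest scan an authoring tool would run before deployment, and the drift check a CSPM integration performs by comparing the manifest with observed runtime state. The manifest schema, resource names and attribute names are constructed for illustration and match no real tool's format.

```python
"""Policy-as-code sketch: declarative controls, manifest scan, drift check.
Constructed example; the manifest schema and resource names are invented and
follow no real IaC tool's format."""
import ipaddress


def open_to_world(rules):
    """True if any ingress rule exposes SSH (port 22) to a /0 prefix."""
    return any(r["port"] == 22 and ipaddress.ip_network(r["cidr"]).prefixlen == 0
               for r in rules or [])


# Declarative control database: control id -> (resource type, attribute,
# predicate that must hold for the attribute value). Adding a control is one line.
CONTROLS = {
    "no-public-buckets": ("storage_bucket", "acl", lambda v: v != "public-read"),
    "encryption-at-rest": ("storage_bucket", "encrypted", lambda v: v is True),
    "no-open-ssh": ("firewall_rule", "ingress", lambda v: not open_to_world(v)),
}

# Constructed declared state (manifest) and constructed runtime observation.
MANIFEST = {
    "logs-bucket": {"type": "storage_bucket", "acl": "private", "encrypted": True},
    "web-assets": {"type": "storage_bucket", "acl": "public-read", "encrypted": True},
    "bastion-fw": {"type": "firewall_rule", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
}
RUNTIME = {
    "logs-bucket": {"type": "storage_bucket", "acl": "private", "encrypted": False},
    "web-assets": {"type": "storage_bucket", "acl": "public-read", "encrypted": True},
    "bastion-fw": {"type": "firewall_rule", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    "debug-vm": {"type": "instance"},  # created by hand, never declared
}


def scan(state, controls=CONTROLS):
    """Return (resource, control id) for every violated control. Runs on the
    manifest as a pre-deployment gate and on runtime state as a detection rule."""
    return [(name, cid) for name, res in state.items()
            for cid, (rtype, attr, ok) in controls.items()
            if res["type"] == rtype and not ok(res.get(attr))]


def detect_drift(manifest, runtime):
    """Compare declared and observed state: resources present only at runtime
    (unmanaged), declared but absent (missing), or with differing attributes."""
    common = sorted(set(manifest) & set(runtime))
    return {
        "unmanaged": sorted(set(runtime) - set(manifest)),
        "missing": sorted(set(manifest) - set(runtime)),
        "changed": [(n, a, v, runtime[n].get(a)) for n in common
                    for a, v in manifest[n].items() if runtime[n].get(a) != v],
    }
```

Scanning the manifest flags only the public bucket before deployment; scanning the runtime state with the same controls, together with the drift report, surfaces the disabled encryption, the firewall rule opened by hand and the undeclared VM that a playbook would then act on.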

🏁 The Bottom Line

The next big thing for security

CI/CD in general and IaC specifically are as big for cybersecurity as the changes from physical to virtual and from on-premises to the cloud. IaC provides the technical foundation to reach the holy grail of security: enforceable whitelisting driven by the business needs.

We’re not there yet, but get ready.

IaC is not a commodity yet, but the usage pattern of IaC is increasing substantially. Security organizations must stay ahead of the curve and realize what changes will need to occur as they will be substantial and cannot happen overnight.

Start hiring DevSecOps Engineers.

Talent is scarce, but finding DevOps engineers who know security is even more challenging. Early hiring of specialized talent can help lay the foundations for CI/CD security and start migrating tribal security knowledge into actionable, declarative controls.

Don’t wait for the security giants.

The market is currently dominated by startups, driving many organizations to wait until the big players step into the ring. Nonetheless, the accelerating pace of the technology adoption might cause security to be too late.
