Interesting things are afoot in the security world. Established vendors from segments such as application security, cloud security posture management (CSPM), and software composition analysis are starting to focus on infrastructure as code (IaC). There are some obvious explanations, but I’m more interested in the broader implications of IaC on security. We may be witnessing the opening stages of nothing less than a revolution in cloud security that enables organizations to finally, effectively manage security risk!
Business as Usual?
A large part of the interest is probably driven by the rise of the cloud. Where companies have traditionally secured physical infrastructure, the cloud requires them to manage infrastructure via the services and controls exposed by the cloud providers. Instead of provisioning servers and storage by purchasing and connecting hardware, we now subscribe virtually to new services and resources.
Cloud development teams increasingly leverage automation to manage these services, and to take advantage of the elasticity of the cloud. When an application needs to automatically scale up or down based on load, a tool such as IaC becomes critical – relying on human operators to change configurations is simply too slow. IaC and orchestration tools such as Kubernetes enable teams to automate configuration changes for immediate responsiveness.
As teams adopt these technologies, it only makes sense that security vendors want to help them address security concerns. IaC is a type of source code, and application security vendors can scan it for vulnerabilities like other source code. IaC builds cloud infrastructure, and scanning it allows the customers of CSPM vendors to identify security problems before the infrastructure is provisioned.
The obvious explanation is that vendors are following their customers and adding capabilities to enable their users to better manage the risks they face. Will they simply scan IaC and be satisfied with finding more potential vulnerabilities? Or will they embrace the opportunity to address more significant problems?
Or a Not-so-silent Security Revolution?
There have been some incredible funding stories in the cloud security startup world over the past year or so, and while those new vendors have not focused exclusively on IaC, there is a common theme of integrated or holistic security. These companies seem to recognize that existing security approaches have some significant limitations. Specifically, even as they leverage tools to find risks, organizations struggle to effectively identify and address the risks that represent the biggest threats to their business. Organizations simply lack the resources to address all of the findings, and they need a way to triage and prioritize them according to the risk each represents.
Market analysts have also recognized this need and have started to consolidate some of the previously distinct categories into integrated platforms that better address security needs. While this is currently just an organizational change, it hints at new ways of thinking about security solutions.
The primary reason this prioritization problem is so difficult is lack of context. Application vulnerabilities may or may not be important depending, for example, on whether the application is exposed to users or is protected by controls in the infrastructure. The importance of vulnerabilities in third-party dependencies and container images is similarly dependent on their reachability and location in the application topology.
And this is where things get interesting: IaC provides that context. It exposes the infrastructure topology, the resources, the relationships. As organizations struggle to gain a holistic view of security risk, IaC may be the missing link. We have an opportunity to not only scan IaC for risks, but to leverage the information it contains to better understand the context of findings identified by other tools.
Security of the Future?
There’s a lot of buzz about DevSecOps and “shift left” as approaches that can help organizations better address security. They are both an important part of the conversation, but they often leave unaddressed the question of how to accomplish the goal.
DevSecOps focuses on the cultural changes necessary to manage risk in modern development workflows, and lack of communication/visibility is a large part of the cultural challenge. Tools which help teams connect the dots and make informed, automated decisions will certainly help.
“Shift left” captures the notion that teams need to address security earlier, so security becomes baked into the architecture and problems are rooted out earlier. I appreciate the sentiment, even if I feel that “extend left” might better capture it since we still need to secure on the right. In order to accomplish this, teams need tools and approaches that identify and resolve security problems early in the life cycle – even before products are complete and testable.
Imagine a security tool that can leverage IaC to understand the topology of your application even before it is provisioned. It recognizes how traffic will arrive from the outside world, how load balancers and firewalls are configured, and how API endpoints connect to applications, services, and serverless resources. Moreover, it can ingest findings from IaC scanners, from application scanners such as SAST, DAST, and IAST, and from SCA and container security tools, to understand where potential vulnerabilities exist.
Such a tool could help organizations understand which findings are exposed and exploitable; whether attackers have a path to sensitive data, and if so, where such a chain could be broken. While much of this work has required manual effort in the past, IaC enables automated approaches that start as soon as coding begins and that fit exceptionally well into automated workflows such as CI/CD and GitOps.
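To make the "IaC provides the context" argument and the tool sketched above concrete, here is an added example (not code from the post or from any vendor) that walks a small constructed Terraform-like resource graph, derives which resources are reachable from the internet, and uses that to re-rank otherwise identical scanner findings. The resource names, finding IDs, and the `internet_facing` flag are all assumptions standing in for what a real tool would extract from the IaC.

```python
# Added example (not from the post): rank scanner findings by exposure derived from an IaC graph.
# Everything here is constructed: resource names, finding IDs, and the "internet_facing" flag,
# which stands in for what a real tool would derive from a public subnet plus a 0.0.0.0/0 ingress rule.
from collections import deque

IAC = {  # constructed Terraform-like resource graph: name -> attributes and downstream targets
    "alb_public":   {"internet_facing": True,  "targets": ["web_asg"]},
    "web_asg":      {"internet_facing": False, "targets": ["api_lambda", "orders_db"]},
    "api_lambda":   {"internet_facing": False, "targets": ["orders_db"]},
    "orders_db":    {"internet_facing": False, "targets": [], "sensitive": True},
    "batch_worker": {"internet_facing": False, "targets": ["orders_db"]},
}
FINDINGS = [  # constructed SCA/SAST findings, keyed to the IaC resource that runs the affected code
    {"id": "SCA-1",  "resource": "web_asg",      "severity": 9.8},  # vulnerable library, internet-reachable
    {"id": "SCA-2",  "resource": "batch_worker", "severity": 9.8},  # same library, internal-only worker
    {"id": "SAST-1", "resource": "api_lambda",   "severity": 6.5},  # code flaw behind the web tier
]

def internet_paths(iac):
    """BFS from every internet-facing resource; returns {resource: hop path from the edge}."""
    paths, queue = {}, deque((n, [n]) for n, r in iac.items() if r["internet_facing"])
    while queue:
        name, path = queue.popleft()
        if name not in paths:
            paths[name] = path
            queue.extend((t, path + [t]) for t in iac[name]["targets"])
    return paths

def downstream(iac, start):
    """Resources that traffic entering `start` can flow onward to (transitive targets)."""
    seen, stack = set(), list(iac[start]["targets"])
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(iac[n]["targets"])
    return seen

def prioritize(iac, findings):
    """Boost severity when the resource is exposed (+3), and again if it can reach sensitive data (+2)."""
    paths, ranked = internet_paths(iac), []
    for f in findings:
        exposed = f["resource"] in paths
        to_data = exposed and any(iac[n].get("sensitive") for n in downstream(iac, f["resource"]))
        priority = round(f["severity"] + (3 if exposed else 0) + (2 if to_data else 0), 1)
        ranked.append({**f, "exposed": exposed, "path": paths.get(f["resource"]), "priority": priority})
    return sorted(ranked, key=lambda r: -r["priority"])

if __name__ == "__main__":
    for r in prioritize(IAC, FINDINGS):
        print(f'{r["id"]:7} priority={r["priority"]:4} exposed={r["exposed"]!s:5} via={r["path"]}')
```

The two SCA findings share the same severity score; only the topology from the IaC separates the internet-reachable one (with a path onward to the database) from the one on an internal-only worker, and the recorded hop path shows where that chain could be broken.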
With effective risk-based prioritization of security findings and the ability to work within fully-automated workflows, IaC may be ushering in a new generation of security tools that promise continuous, consistent enforcement based on real-world risk across the entire lifecycle and supply chain. I can’t wait to see how that impacts productivity and innovation!