How to Secure Environments with Infrastructure Automation
I had an interesting conversation with a senior FSI cloud architect, and towards the end of the conversation he made a funny observation. “Do you know what could help Dev and Ops collaborate? A common enemy. They both hate security”.
He was kidding, but there’s some truth to it. Attempting to automate can create major security risks. Engineers with automation skills aren’t always security experts, and it’s easy to forget security best practices when automating. And what’s worse, by automating we make things faster, which means security violations are harder to control. Trying to adopt speedy automation we can easily end up with a heap of security issues—from hard coded keys in GitHub to exposed customer data in unintentionally-public development/testing S3 buckets and misconfigured cloud services.
But there’s another side to it—automation can actually help with security. In a world where we want to empower engineers and enable a you-built-it-you-run-it approach, infrastructure automation has an important role in securing operations throughout the Value Stream.
5 Ways to Secure Environments Using Infrastructure Automation
Assure security best practices with automation
Leveraging infrastructure automation in cloud environments used for dev, test and staging can help make sure that security best practices are met throughout the lifecycle of pre-production environments.
Organizations often overlook the pre-production aspect of cloud security, which becomes a serious risk as we adopt cloud (check out this nice write up by Neil Chilson, which covers this topic—it’s from 2018, but I find that it’s still very relevant).
When we use automation to setup environments, it’s possible to guarantee network and security configuration. For example—ensure that environments are isolated, and private, and make sure that all environments follow security best practices. Provisioning environments automatically, if the setup sequence actually follows best practices, can prevent human errors and eliminate the need to transfer security knowledge to all team members.
Get rid of sitting ducks
With automation, we can enforce the use of dynamic secrets for all environment components: virtual machines, containers, applications, databases, services—anything that we provision. No more hard-coded credentials (did anyone say Admin/Admin?!). This is a great way to harden environments.
Automatic tear-down of environments and encouraging the use of dynamic environments means that cloud resources don’t just sit around—they are frequently spun up and torn down, which makes them moving targets and less exposed to attacks.
Don’t forget RBAC
An interesting find from the “Threat Report 2020: Addressing Security Configurations Amidst a State of Constant Change” from Oracle and KPMG:
an astounding 59% of research respondents shared that members of their organization with privileged cloud accounts have had those credentials compromised by a spear-phishing attack
A scalable infrastructure automation product includes built-in capabilities that can make automated environments more secure. A critical capability to look for is Role Based Access Control (RBAC), which makes it easy to control who can provision what infrastructure, and who can access which environments. It can also help keep cloud credentials secure.
Secure production environments
The same principals can be carried also to production, when you start using automation for deployment to production. Reusing automation best practices makes a lot of sense. In production, elements like RBAC are critical. Breaking silos and automating shouldn’t mean all team members need to get access to production.
Automation is not Magic
There are many ways that infrastructure automation can help assure security guardrails without slowing teams down. But automation is not magic, and just because someone can code, doesn’t necessarily mean they can build automation that adheres to the required security standards.
If security is a priority, we shouldn’t assume infrastructure automation is secure—our security team should be able to contribute to infrastructure automation and guide it.
Adopting a horizontal Platform Ops approach and using technologies that allow non-coder security experts to be part of infrastructure automation and Infrastructure-as-Code initiatives can help facilitate that.
This post is an update to an original post that appeared on LinkedIn.