If you are an organization building cloud-native applications, odds are you are already using or considering using Terraform. For the uninitiated, Terraform is HashiCorp’s infrastructure as code offering. It is an open source framework that allows you to express cloud infrastructure designs using the HashiCorp Configuration Language (HCL).
Terraform offers a number of key advantages to organizations that enable them to achieve higher business velocity and agility. Cloud architectures are complex and Terraform helps cloud developers address critical pain-points by automating & simplifying their infrastructure provisioning. They can achieve repeatable, scalable, version-controlled deployments across different cloud service providers with the push of a button. Most importantly, Terraform enables cloud developers to easily update the cloud infrastructure.
Many organizations initially adopted Terraform to manage infrastructure configurations and the related industry buzzword was “configurations-as-code.” Today, that Terraform code represents something much more than just infrastructure configurations. For our customers, a typical cloud-native application has 10-30K lines of Terraform code and it represents the entire application architecture. By using Terraform, our customers are iteratively delivering their cloud-native infrastructure capabilities and they can quickly react to changing customer and business needs by evolving their application architecture. However, this also creates challenges for security teams.
Security architecture and engineering teams that need to review application architectures are now faced with the challenge of reviewing anywhere from 10-30k lines of Terraform code that is changing from release to release. This is an infeasible proposition for any security team. When security teams cannot engage and provide timely guidance, often applications get deployed with security gaps that can lead to significant impact for businesses. Cloud security incidents continue to rise with over 70% of companies reporting public cloud incident.
Most developers are not security experts, and security for cloud-native architectures is incredibly complex. One prevalent practice is for developers to copy-and-paste Terraform code from examples or public code repos as they build their own. Our analysis across hundreds of such public repos shows that these examples do not adequately consider security.
Issues range from table-stakes security hygiene such as:
But they also include security design gaps such as:
This is partly because these templatized examples focus on the functional capabilities, not security. And even if they did, outside of basic security hygiene, such static examples cannot possibly address the evolving needs of different businesses.
There are clearly new challenges that security teams face when developers adopt IaC like Terraform. However, this also introduces an opportunity for security organizations to adapt and keep up with the speed of modern development. Here are a few key steps to improving cloud security with Terraform.
For common technology use-cases, you can establish standards by building out templates that meet your security requirements as a starting point. By engaging early with project teams to identify security requirements upfront, you can help them select the right template. This gives developers a better starting point to build their Terraform from.
However, be careful of treating such approaches as a silver bullet. Templatized approaches can add value for select commonly used cloud resources. However, they are inherently static and cannot scale to address the dynamic needs of modern cloud-native applications. Every application has different needs, and each application development team will inevitably alter the Terraform template to fit the unique needs of that application. Cloud service provider capabilities change daily and very soon after a template is published, it becomes stale. Templatized approaches require a very large investment in governance to scale beyond simple use-cases that use common cloud resources.
The proposition of reviewing 30K lines of evolving Terraform for an application or building & maintaining templates across all the organization’s application use-cases is not feasible for any security team. Just as development teams have been empowered to achieve incredible velocity with automation, the only practical approach to enable security to scale with automation that analyzes the infrastructure-as-code.
This automation should enable developers and security teams to work autonomously, make it easy to incorporate security and collaborate effectively. Developers want automation that seamlessly fits into their existing workflows & CI/CD pipeline, doesn’t slow them down while enabling them to build applications that are secure. Security teams want intelligent automation that can assess every update to the Terraform code – not just for misconfigurations but for security design gaps in the architecture that the IaC represents.
This will help you shift security left in the development lifecycle and design security and compliance into your application. You’ll avoid the risks of releasing applications with inherent security issues and the costs of identifying and addressing issue post-deployment.
Once you deliver applications that are secure and compliant by design, it is important to ensure that they remain in that state. If you are adopting Terraform, you want to ensure that the IaC remains the source of truth for your applications. However, cloud developers will often make changes via the cloud console or the command line interface. You want to ensure that you have the ability to detect any security-relevant drift and immediately remediate any security related drift right back through the pipeline through automation.
This ensures that the Terraform code is always the source-of-truth and that all changes flow through the pipeline. It ensures that applications in production remain in a secure by design state.
Terraform brings the promise of delivering applications faster and maintaining them more effectively. However, when security cannot keep up, it negatively impacts the velocity and organizations must accept significant security risks. Our goal at oak9 is to give you the ability to shift security left, check IaC as you build it, to produce secure cloud-native architectures without disrupting your workflow.
Contact us to learn more about strengthening cloud security with continuous monitoring.
(Photo by: https://icons8.com/)