Back to all blog posts

What Is Infrastructure as Code (IaC), and How Does It Make for a More Resilient DevSecOps Team?

Written by Raj Datta
March 10, 2021

Nearly every company on the planet is wading through the proverbial ocean of apps and platforms to deliver faster, smarter, and better solutions to their end-users. According to a recent GitLab survey, 59% of companies are deploying multiple times a day. After years of hype, most devs have embraced agile and settled into their DevSecOps life. In fact, DevSecOps delivered better code quality on shorter timelines for nearly all mature adopters, and they also deploy code more continuously — with many moving into a daily cadence.

But there’s a disconnect. Those same DevSecOps teams are also reviewing code on a daily cadence, and many are still handling manual tasks like infrastructure configurations and provisioning. So, how do you reconcile the agile nature of DevSecOps with the pesky manual nature of traditional infrastructure management? After all, the goal of DevSecOps is to bring more secure apps at-scale. But infrastructure requirements can quickly hinder that process by resurfacing old demons and pushing Dev and Ops back into their silos.

To solve this issue, many organizations are turning towards Infrastructure as Code. But what is IaC? And how does it fit into the DevSecOps ecosystem?

 

Traditional Infrastructure Management: A Need for Change

The traditional methods of configuring environments involve plenty of manual touchpoints by system admins. Whether you’re setting up test servers or deployments, going in and configuring networks, creating routing tables, and installing DBs for each infrastructure need, it’s tedious and time-consuming. Fortunately, system admins of the past didn’t have to provision a ton of infrastructure at-scale. The age-old ticketing system and point-and-click structure worked for years — especially when app launches lasted years and took place on relatively static on-premise servers.

Times have changed. You need to spin up and spin down new infrastructure constantly (usually daily) to meet the demands of agile DevSecOps teams, and the elasticity and scalability provided by the cloud also impacts the longevity of resources, the complexity of interconnected app stacks, and the way we interact with apps in an API-driven development ecosystem. In other words, it’s unfeasible to manually configure infrastructure changes in a world where these changes need to happen across hundreds or thousands of apps daily. 

Worse yet, the containerization of apps — while reducing hardware demands on sysadmins — has increased the overall speed of deployment, which requires sysadmins to now spin up and down infrastructure at will to meet these CI/CD demands. It’s virtually impossible to manage infrastructure consistently in this new rapid-fire ecosystem. The result? Poorly implemented infrastructures, mismatched test and deployment environments, and major security gaps as sysadmins bleed productivity and energy trying to catch up with tickets and SDLC demands.

 

What Is Infrastructure as Code (IaC)?

Unlike traditional infrastructure configuration — which is largely manual — Infrastructure as Code (IaC) allows you to codify and automate your infrastructure deployments. Instead of custom-configuring each infrastructure spin up/spin down, you can create configuration specifications and deliver them the same way you would any source code via programming scripts. So, you define the end state of your infrastructure, and the rest of the configuration is handled for you. 

Typically, this involves orchestration tools like AWS CloudFormation or Terraform, as well as configuration tools like Saltstack and Chef. All the installation of software and versioning is completely automated. Not only does this make it faster and more cost-effective to deploy infrastructure, but it breeds consistency and helps you deploy a pitch-perfect environment, every time.

 

How Infrastructure as Code Builds DevSecOps Resiliency

In the world of hyper-aggressive shift-left DevSecOps, the idea of traditional infrastructure deployment seems a little… silly. You want to breed agility into your SDLC and break down those ever-so-fragile barriers between Sec and Ops. But infrastructure can quickly become the pain point that divides teams and leaks productivity. For CI/CD and shift-left security to work, you need continuous monitoring across environments. 

Worse yet, these environments, which are likely containerized on an elastic cloud server, are constantly shifting and spinning up and down. 

Trying to tackle infrastructure manually leads to disconnects between teams and wasted productivity by sysadmins — who should be heavily involved in the entire SDLC. Instead, sysadmins are stuck trying to wade through a never-ending pile of config docs as they attempt to keep pace with the rest of the team. It just doesn’t make sense.

IaC keeps infrastructure consistent across environments, reduces time burdens, improves end-to-end productivity, and fosters more holistic and agile-driven work ecosystems. But there’s a hidden issue boiling under the surface of IaC. How do you handle container attacks and security vulnerabilities in an IAC-driven CI/CD ecosystem? After all, you still need to test for security issues across containers, Kubernetes, and IaC deployments.

 

IaC & Security

The Sec in DevSecOps is critical. 60% of organizations experience container-based attacks. And over half of organizations delay moving apps into a production environment due to concerns over the security of their containers or Kubernetes. IaC puts your infrastructure deployments in hyper-drive, but it also puts your security concerns into the same gear. Going in and performing manual code reviews defeats the point. 

You need to bake continuous monitoring into your IaC pipeline, and you need constant visualization across your entire IaC infrastructure to automatically spot and remediate IaC security concerns.

In practice, security is the downfall of IaC. The dreams of rapid infrastructure management are quickly dashed by clunky security protocols and manual pour-over. Suddenly, the benefits of shift-left security erodes, and you’re left with the same-old clunky SDLC cycle you had to begin with. We can help.

 

oak9 + IaC: Enabling DevSecOps

At oak9, we bridge the gap between IaC, security, and execution. Our robust IaC security platform automates security design changes, sniffs out security vulnerabilities, and continuously monitors across IaC environments. In addition, we help you visualize your IaC layer to give you a holistic view of your security design while providing you with drag-and-drop design changes. 

We’re integration-friendly, built on easy-to-use security blueprints, and driven by DevSecOps processes. Are you ready to automate infrastructure provisioning while still breeding shift-left security into your SDLC? Contact us.