Infrastructure as code and your security team: 5 critical investment areas

Couldn’t attend Transform 2022? Discover all the summit sessions now in our on-demand library! Look here.

The promises of infrastructure as code (IaC) are higher speed and more consistent deployments, two key benefits that drive productivity throughout the software development lifecycle.

Velocity is great, but only if security teams are positioned to keep pace with modern development. Historically, outdated practices and processes have held back security, while innovation in software development has grown rapidly, creating an imbalance that needs to be leveled.

IaC isn’t just a boon for developers; IaC is a fundamental technology that allows security teams to progress in maturity. Yet many security teams are still looking to take advantage of this modern approach to cloud application development. As IaC adoption continues to grow, security teams must keep up with rapid and frequent changes in cloud architectures; otherwise, IaC can be risky business.

If your organization is adopting IaC, here are five critical areas to invest in.


MetaBeat 2022

MetaBeat will bring together thought leaders to advise on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, California.

register here

Build design models

Constant fire suppression from project to project has created a challenge for security teams to find the time and resources to prioritize building foundational security design patterns for cloud architectures and hybrids.

Security design patterns are a necessary foundation for security teams to keep pace with modern development. They help architects and solution developers accelerate independently while having clear guidelines that define the best practices that security wants them to follow. Security teams also gain autonomy and can focus on strategic needs.

IaC offers new opportunities to build and codify these models. Template building is a common approach that many organizations invest in. For common technology use cases, security teams set standards by creating IaC models that meet the organization’s security requirements. By engaging early with project teams to identify security requirements upfront, security teams help integrate security and compliance needs to give developers a better starting point to build their IaC.

However, creating templates is not a silver bullet. It can add value for some commonly used cloud resources, but requires investment in security automation to scale.

Security as code and automation

As your organization matures in its use of IaC, your cloud architectures become more complex and grow in scale. Your developers are able to quickly adopt new cloud architectures and features, and you’ll find that static IaC models don’t scale to the dynamic needs of modern cloud-native applications.

Each application has different needs, and each application development team will inevitably modify the IaC model to meet the unique needs of that application. The capabilities of cloud service providers change daily and make your IaC security model a depreciating and rapidly obsolete asset. A significant investment in governance at scale is required for security teams, and this creates significant work for your SMBs to manage exceptions.

Automation that relies on security as code provides a solution and allows your resource-constrained security teams to scale. In fact, it may be the only viable approach to addressing cloud native security. It allows you to codify your design patterns and dynamically apply security to suit your application’s use case.

Managing your security design model using security as code has several advantages:

  • Security teams don’t need to become IaC experts.
  • You get all the benefits of a modular, extensible, and version-controlled method for creating these design patterns.
  • Security design patterns can evolve independently, allowing security teams to work autonomously.
  • Security teams can use automation to engage early in the development process.

The ratio of developers, operations, and security resources is sometimes on the order of 100:10:1. I recently spoke to an organization that has 10,000 developers and 3 AppSec engineers. The only viable way for a team like this to scale and effectively prioritize their time is to rely on automation to force their security expertise to multiply.

Visibility and governance

Once you’ve reached sufficient maturity in your IaC adoption, you’ll want all changes to be made through code. This allows you to lock down other change channels (i.e. cloud console, CLIs) and rely on good software development governance processes to ensure every code change is reviewed.

Security automation seamlessly integrated into your development pipeline can now assess every change to your cloud-native applications and provide visibility into potential inherent risks, avoiding time-consuming manual reviews. This allows you to create mature governance processes that ensure security issues are addressed and compliance requirements are met.

Drift detection

Throughout your journey to IaC maturity, changes will be made to your cloud environment through IaC, as well as traditional channels such as the CSP console or command-line tools. When developers make direct changes to deployed environments, you lose visibility, which can lead to significant risks. Also, your IaC will no longer represent your source of truth, so evaluating your IaC may give you an incomplete picture.

Investing in drift detection capabilities that validate your deployed environments against your IaC can ensure that any drift is immediately detected and corrected by pushing a code change to your IaC.

Developer and Security Champions

Security teams should focus on developer workflow and experience and seek to continuously reduce friction to implement security. Having developer champions within security who understand the challenges developers face can help ensure security automation meets developer needs. Similarly, security champions within development teams can help raise security awareness and create a positive feedback loop to help improve design patterns.

The bottom line

IaC can be risky business, but it doesn’t have to be. Higher speed and more consistent deployments are in sight, as long as you are able to invest in the right places. By being strategic and intentional and investing in the necessary areas, your organization’s security team will be better positioned to keep up with the rapid and frequent changes when adopting IaC.

Are you ready to take advantage of what IaC has to offer? There is no better time than now.

Aakash Shah is CTO and co-founder of Oak9


Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including data technicians, can share data insights and innovations.

If you want to learn more about cutting-edge insights and up-to-date information, best practices, and the future of data and data technology, join us at DataDecisionMakers.

You might even consider writing your own article!

Learn more about DataDecisionMakers

Comments are closed.