5 Steps to Securing Infrastructure as Code with Policy as Code Frameworks
April 25, 2024

Dotan Nahum
Check Point Software Technologies

Remember that troublesome Terraform misconfiguration that leaked sensitive keys?

Security incidents like that are the stuff of developer nightmares.

Safeguarding our Infrastructure as Code (IaC) becomes a non-negotiable part of the DevSecOps game. Policy as Code (PaC) steps in to assist us in staying ahead of the curve with the sheer volume of IaC templates, scripts, and modules. To help you understand how to marry the two, here are five steps to securing IaC with PaC.

Step 1: Understand the Changing IaC Threat Landscape

IaC has undeniably streamlined provisioning and deployment, but it's a double-edged sword. Configuration errors were once tedious manual mistakes and now have the potential to scale at a terrifying pace through automation. Hardcoded secrets within IaC templates can quickly end up in public repositories or get accidentally shared during collaboration. Overly permissive IAM roles defined in IaC grant attackers undue access if compromised, opening lateral movement paths for attackers.

Malicious actors can target your IaC tooling itself. Think zero-day vulnerabilities in popular IaC frameworks or supply chain attacks where compromised third-party modules slip into your trusted codebase. To combat this, developers and DevOps teams need to go beyond understanding individual misconfigurations, shifting their focus to the broader patterns and systemic risks that IaC introduces.

Step 2: Embrace the Shift-Left Mentality with PaC

Shift-left security is vital because the earlier we address vulnerabilities, the less costly and disruptive they become. PaC fully embodies this philosophy by seamlessly integrating security into the very act of defining your infrastructure. Compliance requirements and best practices become a codified extension of your IaC.

Traditionally, IaC undergoes scans and audits after being written. PaC flips this model. By embedding policy checks directly into CI/CD pipelines, developers get near-instant feedback on whether new infrastructure changes adhere to your security standards. Predefined policies analyze IaC for risky configurations like overly permissive networking or unencrypted data stores. This feature empowers developers to fix potential security problems at the design stage, not when frantic alerts go off in production.

Step 3: Choose Your PaC Strategy with Technical Considerations

A PaC strategy requires a careful analysis of your organization's specific needs, resources, and level of customization. For example, general-purpose languages like Python, coupled with libraries like PyTerraform, Terraform-compliance, or various cloud provider SDKs (like AWS), provide exceptional flexibility. You can tailor checks to even the most nuanced risk scenarios and complex infrastructure designs. However, be aware that this path burdens development expertise more.

Alternatively, Domain-Specific Languages like Open Policy Agent's Rego offer a solution designed explicitly for authoring and managing policies. Rego's declarative syntax lets you define rules in a way that closely resembles plain-language security requirements. The active OPA community often provides a rich repository of pre-written policies, streamlining your initial setup. Tools like Styrakos with visual interfaces extend PaC accessibility to less code-savvy team members.

Embedded frameworks like Checkov, Terrascan, or tfsec prioritize developer experience and rapid integration into existing IaC workflows. These tools boast vast libraries of pre-built checks aligned with industry benchmarks and cloud security best practices. The trade-off is that while they reduce initial time investment, extensive customization might be more limited compared to a full-fledged, general-purpose programming language approach.

Step 4: Define Your Policies with Precision

Industry-standard benchmarks like those provided by the Center for Internet Security (CIS) or OWASP offer a solid foundation for your PaC policies – but you should tailor them to mirror your organization's risk profile. Begin by pinpointing your most important assets, such as the infrastructure components containing your most sensitive data or critical business logic. Simultaneously, consider the regulatory landscape relevant to your industry. PCI DSS for payment processing, HIPAA for healthcare, or SOC 2 for SaaS providers will shape your policy requirements.

For example, enforcing comprehensive resource tagging might seem mundane, but it's a cornerstone of cost control and security incident response. Another valuable policy could restrict the range of EC2 instance types developers can launch. Policies like this prevent accidental resource over-provisioning and reduce the potential attack surface. PaC policies can also forbid hardcoding credentials and secrets in IaC templates, instead mandating dedicated secrets management solutions like AWS Secrets Manager or HashiCorp Vault.

Step 5: Automate, Automate, Automate

The heart of PaC lies in relentlessly automating away manual security checks. Embed policy evaluations seamlessly into your existing CI/CD pipelines for maximum value. Every pull request proposing an IaC change should automatically trigger validation against your meticulously defined rules. Tools like Jenkins X coupled with OPA Gatekeeper offer excellent integration capabilities. Configuring Gatekeeper as an admission controller enforces your policies at the Kubernetes level, preventing misconfigured deployments from reaching your clusters. Similarly, Terraform Cloud with Sentinel allows you to define pre-run policy checks, ensuring compliance even before infrastructure changes are applied.

A genuinely robust implementation goes beyond just pipeline enforcement. Consider complementing your CI/CD safeguards with IaC testing frameworks like Terratest or Kitchen-Terraform. Paired with a tool like Checkov, you can write tests that verify the syntactical correctness of your IaC and its adherence to your security policies.

The Future of IaC is Secure

IaC and PaC are a powerful combo. Treating security as code allows you to gain agility without sacrificing peace of mind. Of course, tools are only part of the equation. Fostering a DevSecOps culture where security is everyone's responsibility is the real key to long-term success.

Dotan Nahum is Head of Developer-First Security at Check Point Software Technologies
Share this

Industry News

May 16, 2024

Pegasystems announced the general availability of Pega Infinity ’24.1™.

May 16, 2024

Mend.io and Sysdig unveiled a joint solution to help developers, DevOps, and security teams accelerate secure software delivery from development to deployment.

May 16, 2024

GitLab announced new innovations in GitLab 17 to streamline how organizations build, test, secure, and deploy software.

May 16, 2024

Kobiton announced the beta release of mobile test management, a new feature within its test automation platform.

May 15, 2024

Gearset announced its new CI/CD solution, Long Term Projects in Pipelines.

May 15, 2024

Rafay Systems has extended the capabilities of its enterprise PaaS for modern infrastructure to support graphics processing unit- (GPU-) based workloads.

May 15, 2024

NodeScript, a free, low-code developer environment for workflow automation and API integration, is released by UBIO.

May 14, 2024

IBM announced IBM Test Accelerator for Z, a solution designed to revolutionize testing on IBM Z, a tool that expedites the shift-left approach, fostering smooth collaboration between z/OS developers and testers.

May 14, 2024

StreamNative launched Ursa, a Kafka-compatible data streaming engine built on top of lakehouse storage.

May 14, 2024

GitKraken acquired code health innovator, CodeSee.

May 13, 2024

ServiceNow introduced a new no‑code development studio and new automation capabilities to accelerate and scale digital transformation across the enterprise.

May 13, 2024

Security Innovation has added new skills assessments to its Base Camp training platform for software security training.

May 13, 2024

CAST introduced CAST Highlight Extensions Marketplace — an integrated marketplace for the software intelligence product where users can effortlessly browse and download a diverse range of extensions and plugins.

May 09, 2024

Red Hat and Elastic announced an expanded collaboration to deliver next-generation search experiences supporting retrieval augmented generation (RAG) patterns using Elasticsearch as a preferred vector database solution integrated on Red Hat OpenShift AI.

May 09, 2024

Traceable AI announced an Early Access Program for its new Generative AI API Security capabilities.