Cloud provisioning is a key element in continuous delivery processes, which lies at the heart of DevOps. Engineers are expected to build underlying application environments on demand. It’s part of what makes DevOps fast-paced and exciting, but it can also be stressful and demanding.
DevOps teams need to provision cloud infrastructure quickly, because every project is urgent and every deadline passed yesterday. But they also need to build environments that are robust and secure, facing a constant challenge to balance speed with security.
The good news is that it is possible to meet this challenge, with the help of the right tools and tips. We’ve gathered some useful best practices for improved security when provisioning cloud environments using the infrastructure-as-code (IaC) approach.
Keep It Simple
Sometimes, we can fall in love with complexity. Tech stacks tend to expand and sprawl to include more and more platforms, and each engineer brings in their favorite tool. Checklists can grow long as teams try to add an action for every possible eventuality.
All of this comes from good intentions, but we know where those lead. Complex workflows get skipped, even if you’d like to believe otherwise, and that can allow vulnerabilities to creep into the code. Security-focused DevOps tools need to be easy enough for a beginner to use at the end of a long day of coding, debugging and deploying.
Jit.io, for example, makes secrets management simple, helping teams ensure that no tokens or passwords ever need to appear in source code. Elsewhere, GitLab CI/CD provides code lifecycle management tools that integrate directly with GitLab so there’s minimal context switching. With Ansible, meanwhile, you can automate configuration management using the YAML language. You can learn more about safely using YAML for IaC in this Ansible tutorial.
Manage Your Infrastructure with Care
It’s vital to apply effective cloud inventory management throughout the infrastructure lifecycle. It’s not just about labeling and logging every resource when commissioning new environments. You need to approach decommissioning with the same efficiency, erasing every configuration, deleting all your data, and removing all resources from runtime and inventory.
Effective inventory management contributes to immutability of infrastructure, which is a core element for secure cloud provisioning. It means building components to exact specifications, without any changes or deviations. If it needs updating, you’ll provision an entirely new set of infrastructure and decommission the old items.
It might seem like more work, but it’s the best way to ensure consistency and reduce configuration drift. Using fresh components every time also helps minimize security vulnerabilities.
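The inventory reconciliation described above, as an added example that is not part of the original article: it compares what the IaC source declares with what an inventory scan observed, and turns the differences into the immutable-infrastructure actions (replace, decommission, provision) the text recommends. The resource names, attributes and the `id`-keyed inventory shape are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample: what the IaC repository declares should exist (keyed by resource id).
DECLARED = {
    "web-01": {"instance_type": "t3.small", "image": "ami-2024-09", "public": False},
    "db-01": {"instance_type": "r6g.large", "image": "ami-2024-09", "public": False},
}
# Constructed sample: what an inventory scan of the account actually reported.
OBSERVED = {
    "web-01": {"instance_type": "t3.small", "image": "ami-2024-09", "public": True},
    "db-01": {"instance_type": "r6g.large", "image": "ami-2024-09", "public": False},
    "test-box": {"instance_type": "t3.micro", "image": "ami-2023-01", "public": True},
}


@dataclass
class Report:
    drifted: dict = field(default_factory=dict)    # id -> {attr: (declared, observed)}
    unmanaged: list = field(default_factory=list)  # present but never declared: decommission candidates
    missing: list = field(default_factory=list)    # declared but absent from the account


def reconcile(declared, observed):
    """Compare declared (IaC) state with observed (scanned) state, attribute by attribute."""
    report = Report()
    for rid, spec in declared.items():
        actual = observed.get(rid)
        if actual is None:
            report.missing.append(rid)
            continue
        diffs = {k: (v, actual.get(k)) for k, v in spec.items() if actual.get(k) != v}
        if diffs:
            report.drifted[rid] = diffs
    report.unmanaged = sorted(set(observed) - set(declared))
    return report


def remediation_plan(report):
    """Immutable-infrastructure response: rebuild drifted items from IaC, remove unmanaged ones."""
    plan = [f"replace {rid} from IaC (drift in {', '.join(sorted(d))})" for rid, d in report.drifted.items()]
    plan += [f"decommission unmanaged {rid}" for rid in report.unmanaged]
    plan += [f"provision missing {rid}" for rid in report.missing]
    return plan


if __name__ == "__main__":
    for step in remediation_plan(reconcile(DECLARED, OBSERVED)):
        print(step)
```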
Automate Security Checks
Automation is fundamental for good DevOps. The more you automate, the more you reduce the risk of human errors weakening your code and infrastructure.
Automated code analysis can spot and address vulnerabilities throughout the development lifecycle, regardless of whether your resources are hosted in production environments or in sandboxes. Integrated development environment (IDE) plugins like TFLint, Checkov, and Docker Linter can automate security assessments from the very beginning.
Embedding security checks into your CI/CD pipeline allows you to analyze each code change, ensure compliance with relevant regulations, and remove the need for manual interventions. Open-source tools like Jenkins, DefectDojo, and OWASP Glue can work together to build an automated security-aware pipeline with easy-to-read dashboards to track the results of your checks.
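A minimal policy check of the kind Checkov or TFLint would run in a CI job, written here as an added example rather than taken from the article or from either tool: it scans a Terraform JSON-syntax (`.tf.json`) document for two common misconfigurations and exits non-zero so the pipeline fails. The resource bodies and the two check rules are constructed for illustration.

```python
import json
import sys

# Constructed sample in Terraform's JSON syntax (.tf.json); not from the article.
SAMPLE_TF_JSON = """{"resource": {
  "aws_security_group": {"bastion": {"ingress": [
    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
  "aws_db_instance": {
    "app": {"engine": "postgres", "storage_encrypted": false, "publicly_accessible": true},
    "audit": {"engine": "postgres", "storage_encrypted": true, "publicly_accessible": false}}}}"""

ADMIN_PORTS = {22, 3389}           # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}   # "from the whole internet"


def check_security_group(name, body):
    """Flag ingress rules that expose an admin port to the whole internet."""
    for rule in body.get("ingress", []):
        ports = range(int(rule.get("from_port", 0)), int(rule.get("to_port", 0)) + 1)
        if ADMIN_PORTS & set(ports) and ANYWHERE & set(rule.get("cidr_blocks", [])):
            yield f"aws_security_group.{name}: admin port {rule['from_port']} open to {rule['cidr_blocks']}"


def check_db_instance(name, body):
    """Flag databases that are unencrypted at rest or reachable from the internet."""
    if not body.get("storage_encrypted", False):
        yield f"aws_db_instance.{name}: storage_encrypted is not true"
    if body.get("publicly_accessible", False):
        yield f"aws_db_instance.{name}: publicly_accessible is true"


CHECKS = {"aws_security_group": check_security_group, "aws_db_instance": check_db_instance}


def scan(tf_json_text):
    """Return a sorted list of findings for one .tf.json document."""
    doc = json.loads(tf_json_text)
    findings = []
    for rtype, instances in doc.get("resource", {}).items():
        for name, body in instances.items():
            findings.extend(CHECKS.get(rtype, lambda n, b: [])(name, body))
    return sorted(findings)


if __name__ == "__main__":
    problems = scan(SAMPLE_TF_JSON)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)  # a non-zero exit fails the CI job and blocks the merge
```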
Get Strict About Least Privilege
The principle of least privilege is central to access management, which protects your code and cloud environments from attacks. It’s important to apply least privilege to all users – machine identities and apps as well as humans – to minimize the risk of unauthorized infrastructure changes or access to sensitive information.
Define which team members and services are authorized to create, update, run, or delete scripts and inventory, and then enforce that definition.
Users who are authorized to access your code should only be able to reach the resources they need for their specific tasks. User access review (UAR) should be automated to run on a regular basis, to prevent privilege creep and ensure that users aren’t retaining credentials to which they’re no longer entitled.
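An automated user access review of the kind described above, as an added example that is not from the article: it walks a list of IaC-pipeline grants and returns the ones to revoke, whether because the identity was deactivated, because the permission is outside what the holder's role allows (privilege creep), or because the grant has gone unused for too long. The role model, permission names and entitlement records are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): which permissions each role may hold,
# and every grant currently in place with the date it was last exercised.
ROLE_ALLOWS = {
    "iac-engineer": {"plan", "apply", "read-state"},
    "reviewer": {"plan", "read-state"},
    "ci-runner": {"plan", "apply", "read-state", "write-state"},
}
ENTITLEMENTS = [
    {"user": "alice", "role": "iac-engineer", "perm": "apply", "last_used": "2024-09-20", "active": True},
    {"user": "alice", "role": "iac-engineer", "perm": "delete-workspace", "last_used": "2024-03-01", "active": True},
    {"user": "bob", "role": "reviewer", "perm": "apply", "last_used": "2024-09-28", "active": True},
    {"user": "carol", "role": "iac-engineer", "perm": "read-state", "last_used": "2024-01-15", "active": True},
    {"user": "dave", "role": "reviewer", "perm": "plan", "last_used": "2024-09-01", "active": False},
    {"user": "pipeline", "role": "ci-runner", "perm": "write-state", "last_used": "2024-09-30", "active": True},
]


def review(entitlements, today_iso, stale_days=90):
    """Return {(user, perm): reason} for every grant the review says should be revoked."""
    stale_before = date.fromisoformat(today_iso) - timedelta(days=stale_days)
    findings = {}
    for e in entitlements:
        key = (e["user"], e["perm"])
        if not e["active"]:
            findings[key] = "identity deactivated"                    # leaver still holds a grant
        elif e["perm"] not in ROLE_ALLOWS.get(e["role"], set()):
            findings[key] = f"not permitted for role {e['role']}"      # privilege creep
        elif date.fromisoformat(e["last_used"]) < stale_before:
            findings[key] = f"unused for more than {stale_days} days"  # stale entitlement
    return findings


if __name__ == "__main__":
    # Run on a schedule (e.g. a weekly CI job) and feed the output to the revocation process.
    for (user, perm), reason in sorted(review(ENTITLEMENTS, "2024-10-01").items()):
        print(f"revoke {perm} from {user}: {reason}")
```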
Monitor Everything, All the Time
Version control is a given, but monitoring needs to keep going throughout provisioning, beyond the initial development stages. Security and audit logs help you assess risks to sensitive assets and carry out faster root cause analysis. Continuous monitoring solutions can detect security and compliance violations and deliver instant alerts when they spot a genuine anomaly, so you can respond more quickly.
Dynamic analysis, using tools like Burp and GVM, helps evaluate existing environments and services for vulnerabilities that can arise when different systems interact. This way, you can introduce new deployments without worrying about incompatibilities leading to security issues.
It’s also important to implement runtime threat detection solutions, which can identify unexpected application behavior and alert you to runtime threats. Some tools can automatically block detected threats during runtime, which enhances application security.
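The kind of detection the monitoring section calls for, run over a few constructed audit log lines as an added example (not from the article and not any vendor's log format): it alerts on infrastructure changes made by anything other than the pipeline identity, which the immutability practice above treats as out-of-band, and on repeated denied write attempts by one principal. The event fields, the `ci-runner` identity and the threshold are assumptions.

```python
import json
from collections import Counter

# Constructed sample audit log in JSON-lines form; field names are assumed, not a real provider's.
AUDIT_LOG = """\
{"ts": "2024-10-01T09:00:01Z", "principal": "ci-runner", "action": "create", "resource": "sg/bastion", "result": "allow"}
{"ts": "2024-10-01T09:05:13Z", "principal": "alice", "action": "read", "resource": "state/prod", "result": "allow"}
{"ts": "2024-10-01T09:06:40Z", "principal": "alice", "action": "update", "resource": "sg/bastion", "result": "allow"}
{"ts": "2024-10-01T09:07:02Z", "principal": "bob", "action": "delete", "resource": "db/app", "result": "deny"}
{"ts": "2024-10-01T09:07:09Z", "principal": "bob", "action": "delete", "resource": "db/app", "result": "deny"}
{"ts": "2024-10-01T09:07:15Z", "principal": "bob", "action": "delete", "resource": "db/app", "result": "deny"}
{"ts": "2024-10-01T09:10:00Z", "principal": "ci-runner", "action": "update", "resource": "db/app", "result": "allow"}
"""

# Assumption: every legitimate infrastructure change is applied by the pipeline identity.
PIPELINE_IDENTITIES = {"ci-runner"}
WRITE_ACTIONS = {"create", "update", "delete"}
DENY_THRESHOLD = 3  # denied writes from one principal before we raise an alert


def detect(log_text):
    """Return alert strings for out-of-band changes and repeated denied write attempts."""
    alerts = []
    denied = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        is_write = ev["action"] in WRITE_ACTIONS
        # Successful write by a non-pipeline principal: the environment no longer matches the IaC source.
        if is_write and ev["result"] == "allow" and ev["principal"] not in PIPELINE_IDENTITIES:
            alerts.append(f"{ev['ts']} out-of-band {ev['action']} on {ev['resource']} by {ev['principal']}")
        # Repeated denied writes: least privilege held, but someone keeps trying.
        if is_write and ev["result"] == "deny":
            denied[ev["principal"]] += 1
            if denied[ev["principal"]] == DENY_THRESHOLD:
                alerts.append(f"{ev['ts']} {DENY_THRESHOLD} denied write attempts by {ev['principal']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print("ALERT", alert)
```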
Swift Provisioning Can Include Strong Security
There’s no need to feel that you have to make a trade-off between speed and security when it comes to cloud provisioning. With a security-first mindset, you can find the right tools and best practices that build security into the lifecycle, remove complications that can give rise to vulnerabilities, and automate IaC security just like you automate other parts of the pipeline.
Thomas Hyde