Piyush Sharma, VP of Engineering at Tenable, is a seasoned technologist and entrepreneur behind multiple technology startups over the past two decades. Previously, he led global teams across engineering, product, and research at Symantec Corp to bring numerous enterprise security innovations to market. Piyush has filed multiple patents, contributed to other patents and invention committees, and serves on the technical oversight committee of the Cloud Native Computing Foundation (CNCF) including the security special interest group (SIG).
Cloud breaches have become commonplace ever since organizations across the world began rapidly switching to cloud-native technologies. Globally, 80% of organizations experienced a cloud data breach in the last 18 months alone. Cloud breaches are hard to detect and take a long time to fix. It took organizations an average of 231 days to identify and 98 days to contain a cloud-based breach.
Public clouds ushered in an era of unprecedented agility, but they also produced a steady stream of misconfigurations, which are costly to fix at runtime. In most cases these weaknesses stay in the cloud environment, making them easy targets. Cloud adoption did bring one silver lining: Infrastructure as Code (IaC). Yet while IaC and the declarative configuration used by tools such as Kubernetes went mainstream, security didn't keep up with the speed of the cloud. IaC templates can contain dangerous errors, so organizations must secure them before deployment, when a fix is still a code change rather than an emergency.
Here are the steps to securing cloud infrastructure:
Policy as Code: Securing the software development process
Even before the first line of code is written, organizations need to think about security. The first step is understanding the type of application being built. For instance, apps that do not collect any input from the user are very different from banking or healthcare apps. Understanding the type of information the app handles, how users will interact with it, and the types of threats it might face can help organizations build a comprehensive threat model.
Policy as Code turns the rules derived from that threat model (for example, no container runs as root, no storage bucket is publicly readable) into machine-readable checks. With the right technology, organizations can scan for policy violations before code is committed, embed the same policy in the software development pipeline for automated compliance checks, and reuse it to target runtime monitoring. Scanning before commit is the proactive step: violations are identified and removed before anything is deployed, and the developer sees the failure in the same place they see a failing unit test.
Structural integrity: Securing container images
Securing the process used to build apps is not adequate. Organizations also need to secure the structure, the containers within which the apps will run. A container image bundles the application itself (the organization's own code and the open-source third-party libraries it pulls in), the base operating system layers, and runtime configuration such as the user the process runs as and the ports it exposes. Each of these carries its own security concerns: vulnerable dependencies, an oversized base image, or a configuration that runs as root.
Container image scanning tools identify known-vulnerable packages and misconfigurations before an image is pushed. Pairing the scan results with controls and metadata embedded in the image itself, such as a non-root user, pinned dependency versions and labels recording provenance, gives runtime controls something concrete to enforce, for instance refusing to start an image that was never scanned or that references a mutable tag instead of a digest.
Security as Code: Securing connections
The connections and relationships that define how the different components of an application interact are often overlooked. It is important to ensure that these services operate in the proper security context: which identity each runs under, which network paths exist between them, and which permissions each holds. This is also an area where the information codified in the IaC lets security teams start securing environments earlier in the development process, because the manifests already describe who talks to whom. Security as Code takes Policy as Code a step further, having security teams evaluate the resilience of the infrastructure as a whole rather than one resource at a time. With the right tools, this process can be automated. Security as Code is a proactive way to assess and remediate misconfigurations before runtime.
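The following is an added example, not code from the article or from Tenable, showing what the Policy as Code, container image and Security as Code checks above look like when written as a single pre-commit scanner over Kubernetes manifests. It assumes the manifests are handled in JSON form (which Kubernetes accepts alongside YAML) so that no third-party parser is needed, and the sample Deployment and NetworkPolicy, including the registry name and the all-zero digest, are constructed for the example. The rules are illustrative choices, not a standard: images must be pinned by digest, containers may not run privileged or as root, pods may not share the host network, and every namespace that runs workloads must carry a default-deny ingress NetworkPolicy.

```python
"""Pre-commit policy scanner for Kubernetes manifests (added example, not the article's code)."""
import json

# Constructed sample input: one Deployment in namespace "shop" and one
# default-deny NetworkPolicy that lives in a different namespace. The registry,
# names and the all-zero digest are made up for the example.
SAMPLE_MANIFESTS = json.loads("""
[
  {"apiVersion": "apps/v1", "kind": "Deployment",
   "metadata": {"name": "web", "namespace": "shop"},
   "spec": {"template": {"spec": {
     "hostNetwork": true,
     "containers": [
       {"name": "api", "image": "registry.example.com/shop/api:latest",
        "securityContext": {"privileged": true}},
       {"name": "proxy",
        "image": "registry.example.com/shop/proxy@sha256:0000000000000000000000000000000000000000000000000000000000000000",
        "securityContext": {"runAsNonRoot": true}}
     ]}}}},
  {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
   "metadata": {"name": "default-deny", "namespace": "other"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
]
""")

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def iter_pod_specs(manifests):
    """Yield (namespace, workload name, pod spec) for every workload manifest."""
    for m in manifests:
        if m.get("kind") not in WORKLOAD_KINDS:
            continue
        meta = m.get("metadata", {})
        spec = m.get("spec", {}).get("template", {}).get("spec", {})
        yield meta.get("namespace", "default"), meta.get("name", "?"), spec


def image_is_pinned(image):
    """Image rule: only a digest reference is immutable; tags (including :latest) can be repointed."""
    return "@sha256:" in image


def check_pod_spec(namespace, name, spec):
    """Pod security context rules; returns a list of human-readable findings."""
    findings = []
    where = f"{namespace}/{name}"
    if spec.get("hostNetwork"):
        findings.append(f"{where}: pod shares the host network namespace")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cwhere = f"{where} container {c.get('name', '?')}"
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if not image_is_pinned(image):
            findings.append(f"{cwhere}: image not pinned by digest ({image})")
        if sc.get("privileged"):
            findings.append(f"{cwhere}: runs privileged")
        # The container-level setting overrides the pod-level one; if neither
        # is set, the runtime will happily start the process as root.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{cwhere}: runAsNonRoot is not enforced")
    return findings


def default_deny_namespaces(manifests):
    """Namespaces carrying a NetworkPolicy that selects every pod and restricts ingress."""
    covered = set()
    for m in manifests:
        if m.get("kind") != "NetworkPolicy":
            continue
        spec = m.get("spec", {})
        if spec.get("podSelector") == {} and "Ingress" in spec.get("policyTypes", []):
            covered.add(m.get("metadata", {}).get("namespace", "default"))
    return covered


def scan(manifests):
    """Run every rule; an empty list means the commit passes the policy."""
    findings = []
    covered = default_deny_namespaces(manifests)
    workload_namespaces = set()
    for ns, name, spec in iter_pod_specs(manifests):
        findings.extend(check_pod_spec(ns, name, spec))
        workload_namespaces.add(ns)
    # Security as Code: the connection rule looks across manifests, not at one resource.
    for ns in sorted(workload_namespaces - covered):
        findings.append(f"{ns}: no default-deny ingress NetworkPolicy; workloads are reachable from any pod")
    return findings


if __name__ == "__main__":
    results = scan(SAMPLE_MANIFESTS)
    for line in results:
        print("FAIL", line)
    raise SystemExit(1 if results else 0)
```

Run against the constructed sample this reports five findings (host networking, the unpinned and privileged "api" container that may run as root, and the missing default-deny policy for the "shop" namespace) and exits non-zero, which is the behaviour a pre-commit hook or pipeline stage needs; the digest-pinned "proxy" container produces nothing. The same `scan` function can be wired into the pipeline and, because the rules are plain code, reviewed and versioned alongside the manifests they govern.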
Runtime: Securing the environment
Unlike application code, which rarely changes once it ships, cloud infrastructure is routinely changed after deployment: a console click, an emergency edit on the cluster or a scaling script can leave the live environment different from what the IaC declares. Security teams cannot chase every misconfiguration that arises from such post-deployment changes by hand. IaC security tools help in two ways. They identify vulnerabilities and misconfigurations before runtime, and, because the IaC is the declared source of truth, they give teams a baseline against which unapproved runtime drift can be detected and rolled back.
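As an added example (not the article's or Tenable's code) of using the IaC as that baseline, the block below compares a Deployment as declared in source control with the object as it exists on a live cluster and reports drift. It assumes both sides are available as JSON (for example from the repository and from an API read of the live object); the declared and live documents, including the uid and resourceVersion, are constructed for the example. The design choice worth noting is how defaults are handled: fields the control plane fills in or manages on its own are ignored so that every deployment does not look like drift, but a security-relevant field that appears only on the live side is still reported even though the IaC never mentioned it.

```python
"""Drift detection between IaC-declared and live state (added example, not the article's code)."""
import json

# Paths the control plane owns; a difference here is not an unapproved change.
SERVER_MANAGED_PREFIXES = ("status", "metadata.uid", "metadata.resourceVersion",
                           "metadata.generation", "metadata.creationTimestamp",
                           "metadata.managedFields")
# Fields nobody should add at runtime without going back through the pipeline,
# even when the IaC is silent about them.
SENSITIVE_KEYS = {"privileged", "hostNetwork", "hostPID", "hostIPC",
                  "allowPrivilegeEscalation", "runAsUser"}

# Constructed sample: what the repository declares ...
DECLARED = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "web", "namespace": "shop"},
 "spec": {"replicas": 3,
          "template": {"spec": {"containers": [
            {"name": "api",
             "image": "registry.example.com/shop/api@sha256:0000000000000000000000000000000000000000000000000000000000000000",
             "securityContext": {"runAsNonRoot": true, "privileged": false}}]}}}}
""")
# ... and what the cluster reports after someone scaled it, repointed the image
# to a tag, flipped privileged on and enabled hostPID by hand. imagePullPolicy
# and the metadata/status fields were added by the control plane.
LIVE = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "web", "namespace": "shop", "uid": "c0ffee00-0000-4000-8000-000000000001",
              "resourceVersion": "8821"},
 "status": {"readyReplicas": 5},
 "spec": {"replicas": 5,
          "template": {"spec": {"hostPID": true,
                                "containers": [
            {"name": "api",
             "image": "registry.example.com/shop/api:latest",
             "imagePullPolicy": "Always",
             "securityContext": {"runAsNonRoot": true, "privileged": true}}]}}}}
""")


def flatten(obj, prefix=""):
    """Turn nested dicts and lists into {dotted.path[index]: leaf value}.
    List elements are matched by position, which is adequate for the
    containers array of a single workload."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out


def server_managed(path):
    return path.startswith(SERVER_MANAGED_PREFIXES)


def sensitive(path):
    """True for paths whose last key is security-relevant, or for added capabilities."""
    return path.rsplit(".", 1)[-1] in SENSITIVE_KEYS or ".capabilities.add" in path


def detect_drift(declared, live):
    """Return sorted (path, declared_value, live_value) triples.
    Declared fields that changed or vanished are drift; undeclared live fields
    are drift only when they are security-relevant."""
    want, have = flatten(declared), flatten(live)
    drift = []
    for path, value in want.items():
        if server_managed(path):
            continue
        if path not in have:
            drift.append((path, value, None))
        elif have[path] != value:
            drift.append((path, value, have[path]))
    for path, value in have.items():
        if path not in want and not server_managed(path) and sensitive(path):
            drift.append((path, None, value))
    return sorted(drift)


if __name__ == "__main__":
    for path, declared_value, live_value in detect_drift(DECLARED, LIVE):
        print(f"DRIFT {path}: declared={declared_value!r} live={live_value!r}")
```

On the constructed sample this reports four drifted paths (the replica count, the image reference, the privileged flag and the added hostPID) while staying quiet about imagePullPolicy, uid, resourceVersion and status. A team can run this on a schedule and either alert on the result or feed it back to the pipeline so that the live environment is reconciled to the IaC rather than patched around.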
Organizations also need to plan how they will react when new vulnerabilities are disclosed. In most cases, implementing a fix by applying a configuration change, then updating, rebuilding and redeploying, is slow and expensive. Organizations need to be able to patch the runtime environment quickly while still making sure the same fix lands in the IaC and flows through the software development pipeline; otherwise the next deployment will silently reintroduce the vulnerability that was just patched.
IaC security solutions are still coming into maturity in India, so organizations should be automating the process of identifying vulnerabilities and misconfigurations in cloud environments. Most importantly, it isn’t going to be enough to simply locate misconfiguration errors. They will need to be remediated quickly in order to prevent a breach. This requires tools explicitly designed to support both developer and security teams to avoid creating a bottleneck in the software development process.