At the Gartner Data Center, Infrastructure & Operations Management Conference this week in Las Vegas, I presented a new session called, “Infrastructure as (Secure) Code.” This talk tackled the benefits and challenges of having most of your infrastructure represented as code of varying forms.
This is a scenario that’s playing out in even the most conservative enterprises. It can creep up on your operations and security teams, but it’s a trend that’s worth taking advantage of.
An infrastructure that can be represented as code enables some truly exciting possibilities. We’re seeing a lot of these play out in the public cloud space, but they are just as applicable (with a little more elbow grease) in a traditional data center.
You can get started by raising your awareness of the three major areas of this transition:
- the code itself
- how to secure the codebase
- how your security controls must change to work in code
Here are the keys for each area.
If you’ve undertaken efforts to automate the majority of your infrastructure, then you probably have actual code or scripts to take care of. For others just starting along the path, the first steps are usually a collection of configuration files.
In either case, there is a three-step process to a mature infrastructure automation practice:
- the folder
- version control
Each of these steps expands the ways you can leverage your infrastructure code while increasing the rigour and process of maintaining the codebase (without adding overhead).
None of this should be a surprise to anyone with a development background, but for an operations or security team, it can be a revelation.
Given the lower overhead of implementing a version control system (step 2), there’s really no excuse not to roll one out today.
Security OF Code
The key moves here are:
- strict access control
- behavioural analysis & monitoring of the traffic to/from the repository
- educating your team on the risks of the code
You have to treat this code as a critical asset for your organization. It’s the equivalent of a treasure map in the hands of an attacker.
With a little due diligence focusing around these three steps, you can mitigate the risk and reap the significant rewards that come with automating your infrastructure.
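The second key above, behavioural analysis and monitoring of traffic to and from the repository, is easy to state and rarely shown. The following is an added example, not code from the original post: it runs two simple behavioural checks over constructed Git-server access log lines, flagging a user who appears from a source address they have never used before and a user whose clone rate in a short window crosses a threshold. The log format, the field layout and the window and threshold values are assumptions for this example.

```python
"""Added example (not from the original post): two behavioural checks
over constructed Git-server access log lines.

Checks:
  new-source  - a user connects from a source IP not seen for them before
  bulk-clone  - a user clones more than MAX_CLONES_PER_WINDOW repos in WINDOW

The log format below and the thresholds are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <user> <source_ip> <action> <repo>"
SAMPLE_LOG = """\
2023-05-01T09:00:00 alice 10.0.1.15 clone infra/network
2023-05-01T09:05:00 alice 10.0.1.15 fetch infra/network
2023-05-01T09:10:00 bob 10.0.1.20 clone infra/dns
2023-05-01T13:00:00 alice 203.0.113.9 clone infra/network
2023-05-01T13:00:05 alice 203.0.113.9 clone infra/dns
2023-05-01T13:00:10 alice 203.0.113.9 clone infra/firewall
2023-05-01T13:00:15 alice 203.0.113.9 clone infra/secrets
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_CLONES_PER_WINDOW = 3        # assumed threshold


def parse(line):
    """Split one constructed log line into its five fields."""
    ts, user, ip, action, repo = line.split()
    return datetime.fromisoformat(ts), user, ip, action, repo


def analyse(log_text):
    """Return a list of (alert_type, user, source_ip, timestamp) tuples."""
    alerts = []
    seen_ips = defaultdict(set)   # user -> source IPs seen so far
    recent = defaultdict(deque)   # user -> clone timestamps inside WINDOW

    for line in log_text.splitlines():
        ts, user, ip, action, repo = parse(line)

        # A user's first-ever source is a baseline, not an alert; any
        # later source that differs from the baseline set is flagged.
        if seen_ips[user] and ip not in seen_ips[user]:
            alerts.append(("new-source", user, ip, ts))
        seen_ips[user].add(ip)

        if action == "clone":
            q = recent[user]
            q.append(ts)
            # Drop clone timestamps that have aged out of the window.
            while q and ts - q[0] > WINDOW:
                q.popleft()
            # Alert exactly once, on the event that crosses the threshold.
            if len(q) == MAX_CLONES_PER_WINDOW + 1:
                alerts.append(("bulk-clone", user, ip, ts))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample data this raises two alerts for alice: a new-source alert at 13:00:00 when she first appears from 203.0.113.9, and a bulk-clone alert at 13:00:15 when her fourth clone in ten minutes lands. In practice the baseline of known sources would be persisted rather than rebuilt from the start of the file on each run, and both checks would feed a ticket or SIEM rather than stdout.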
Security IN Code
Now that you’ve got the foundation in place, you’re going to have to ensure that your security controls can function properly in the dynamic environment that is now possible with an automated infrastructure.
The keys for your security practice are:
- controls that are scriptable or programmable
- adaptive monitoring
- moving identity to immutable attributes
While the first two points are somewhat self-explanatory, the third can be quite a challenge.
We usually use IP or hostname assignment as an identity token within our organizations. In dynamic environments, this no longer works. Early adopters of public cloud infrastructure have been feeling this pain for a while.
The short version is that IPs/hostnames can be re-assigned on a rapid basis (e.g. minutes or hours, not days or weeks) which leads to some operational challenges.
Unfortunately, most monitoring tools were designed for more traditional environments and are just now catching up and dealing with the issue. For more details on the challenges of identity in dynamic environments, you can check out my talk from last year, “Frayed Edges; Monitoring a perimeter that no longer exists”.
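To make the identity problem concrete, here is an added example that is not part of the original post. It plays a constructed timeline in which one IP address belongs first to a web node and then, after that instance is terminated, to a batch worker. A control that keys its policy state on the IP attributes the batch worker's traffic to the web role and raises a false finding; the same control keyed on an immutable attribute (an assumed instance id carrying a role tag set at launch) gets it right. Instance ids, roles, ports and the allow-list are assumptions.

```python
"""Added example (not from the original post): attributing events by a
mutable IP address versus by an immutable instance id.

Instance ids, role tags, the sample events and the outbound allow-list
are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str           # mutable: reassigned as instances churn
    instance_id: str  # immutable for the lifetime of the workload (assumed)
    role: str         # immutable tag applied at launch (assumed)
    msg: str


# Constructed timeline: 10.0.0.5 is a web node until 09:30, then the
# address is reused by a freshly launched batch worker.
EVENTS = [
    Event(datetime(2023, 5, 1, 9, 0), "10.0.0.5", "i-web-0a1", "web", "ssh login ok"),
    Event(datetime(2023, 5, 1, 9, 30), "10.0.0.5", "i-web-0a1", "web", "instance terminated"),
    Event(datetime(2023, 5, 1, 9, 45), "10.0.0.5", "i-batch-7f3", "batch",
          "outbound to 198.51.100.7:25"),
]

# Assumed per-role egress policy: web may only talk HTTPS, batch may also send mail.
ALLOWED_OUTBOUND = {"web": {443}, "batch": {443, 25}}


def attribute_by_ip(events):
    """Traditional approach: the first role seen for an IP sticks to that IP."""
    ip_owner = {}
    findings = []
    for e in events:
        ip_owner.setdefault(e.ip, e.role)
        findings.append((e.msg, ip_owner[e.ip]))
    return findings


def attribute_by_instance(events):
    """Immutable-attribute approach: role is bound to the instance id."""
    owner = {}
    findings = []
    for e in events:
        owner.setdefault(e.instance_id, e.role)
        findings.append((e.msg, owner[e.instance_id]))
    return findings


def outbound_violation(msg, role):
    """True if an outbound event targets a port the attributed role may not use."""
    if not msg.startswith("outbound to "):
        return False
    port = int(msg.rsplit(":", 1)[1])
    return port not in ALLOWED_OUTBOUND[role]


def verdicts(events):
    """Evaluate the final event under both attribution models."""
    by_ip = attribute_by_ip(events)[-1]
    by_instance = attribute_by_instance(events)[-1]
    return {
        "by_ip": outbound_violation(*by_ip),
        "by_instance": outbound_violation(*by_instance),
    }


if __name__ == "__main__":
    print(verdicts(EVENTS))
```

Keyed on the IP, the batch worker's SMTP connection is judged against the web role and flagged; keyed on the instance id it is correctly judged against the batch role and allowed. The same mismatch in the other direction is the more dangerous case: a new workload inheriting a permissive role from whatever used its address last.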
There are significant advantages to automating your infrastructure. The operational efficiencies alone justify the initial and continued investment in adding this aspect to your security practice.
For more details, read through the slides from my talk below.
Interested in talking more about this? Hit me up on Twitter where I’m @marknca.