How to Use Infrastructure as Code Securely and Avoid Cloud Misconfigurations

Moving applications to the cloud delivers clear competitive advantages, but organizations must have the right strategies, access rights and policies in place to do this successfully. Cloud adoption was already expanding before it was super-charged by the pandemic and there are no signs of this trend abating. The consumption of cloud continues to expand across all industry verticals and disrupt the way in which IT teams provision, manage and orchestrate resources.

But cloud adoption requires organizations to shift from provisioning and managing static infrastructure to deploying dynamic infrastructure across their environment. Dynamic infrastructure means IT operations and security teams must now provision and manage a far larger and constantly changing set of services, embrace ephemerality, and deploy onto multiple target environments.

A challenging environment

This leads to many challenges, including appropriately managing access permissions, being able to identify and prioritize risks, and then proactively mitigating cloud misconfigurations and vulnerabilities. At the same time organizations must facilitate greater collaboration between security, DevOps, and engineering teams, because in a cloud environment, lines of responsibility are not so clearly drawn.

In today’s heightened cyber-attack landscape, organizations must also work out how to reduce their cloud attack surface, while simplifying compliance requirements, and find new ways to innovate and scale their business in a secure manner.

This is easier said than done

One of the great benefits of cloud is how easy it is to spin up resources. Lines of business don't have to ask IT to allocate resources; they click a button to run an Infrastructure as Code (IaC) template and have an application running in minutes. However, every cloud account has thousands of entitlements that need to be managed and maintained, and many of them carry excessive permissions that put cloud assets, the data stored in them, or the whole cloud account at risk. The analyst firm Gartner predicted: "By 2023, 75% of security failures will result from inadequate management of identities, access and privileges, up from 50% in 2020."

An increase in IAM solutions

This has prompted an increase in IAM (identity and access management) solutions purporting to solve the problem of managing identities in cloud environments. However, modern tools such as CIEM (cloud infrastructure entitlement management) and CSPM (cloud security posture management) are based on heuristic rules, which means they often detect and advise only after the misconfiguration is already live, and they don't offer a solution tailored to the genuine risk to the application.

As a result, CISOs, AppSec, and DevOps teams are overwhelmed with notifications; they need help in identifying which alerts to prioritize. For example, they might be alerted to a misconfigured AWS Lambda function which doesn’t pose a serious threat to their application. They need accurate context to determine which risks to ignore and which to action. The reality is that they can’t fix every misconfiguration, therefore they must focus on the most important business critical risks. 

Alongside the problem of alert fatigue, there is often tension with Dev/Ops teams who want to move fast and use the full admin and access privileges they hold. Additionally, organizations are not always aware of all their data and sensitive resources in the cloud, and many of the permissions they grant are not actually needed; unneeded permissions are what turn a single compromised component into account-wide exposure and data leakage.

A one-size-fits-all approach doesn't work

One option is to manually analyze the infrastructure layer and the applications running on it. This might work for smaller organizations, but for larger organizations with a dynamic environment, where developers create new cloud accounts for every dev team, a manual approach is nigh on impossible to scale. Additionally, when it comes to audits, it is hard for the organization to keep track and prove compliance. 

In a bid to get around these issues, organizations are creating repositories of standard policies to reuse. But these are generic; they don't name the specific resources that each component actually needs to access. Some organizations attach the same policy to every cloud function. This is like using the same key to open every individual apartment door in an apartment block: how secure would that be?
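To make the "same key for every door" problem concrete, here is an added example (not code from Checkmarx or Solvo, and not the page's own material) that takes a generic IAM policy of the kind often reused across every Lambda function, places a least-privilege rewrite beside it, flags the wildcard actions and resources, and then shows the practical difference: which policy lets an order-processing function delete an unrelated production bucket. The policy documents, bucket and table names, region and account ID are all constructed for illustration.

```python
"""Added example, not code from Checkmarx or Solvo: flag the "same key for every
door" pattern (wildcard actions and resources) in an IAM policy of the kind
embedded in IaC templates, beside a least-privilege rewrite of the same policy.
Policy documents, bucket and table names, region and account ID are constructed."""
import fnmatch
import json

# Constructed: a generic policy reused for every Lambda function. The action
# lists and the resource are wildcards, so any function holding this policy can
# touch every S3 bucket and DynamoDB table in the account.
GENERIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}
  ]
}
""")

# Constructed: the same order-processing function only reads one S3 prefix and
# writes one table, so the policy names exactly those actions and resources.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::orders-bucket/incoming/*"},
    {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}
  ]
}
""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (statement index, kind, value) for every Allow statement whose
    Action is '*' or 'service:*', or whose Resource is a bare '*'.
    Limitation: NotAction, NotResource and Condition blocks are not evaluated."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard-action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "wildcard-resource", resource))
    return findings


def policy_allows(policy, action, resource):
    """Rough IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants access. IAM's '*' and '?' wildcards map onto fnmatch, and '*'
    crossing '/' in ARNs matches IAM semantics. Conditions are ignored."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_match = any(fnmatch.fnmatchcase(action, pat)
                           for pat in _as_list(stmt.get("Action", [])))
        resource_match = any(fnmatch.fnmatchcase(resource, pat)
                             for pat in _as_list(stmt.get("Resource", [])))
        if action_match and resource_match:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("generic", GENERIC_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "findings:", find_overbroad_statements(policy))
    # The order function never needs this, yet the generic policy grants it.
    prod_bucket = "arn:aws:s3:::prod-customer-data"
    print("generic can delete prod bucket:",
          policy_allows(GENERIC_POLICY, "s3:DeleteBucket", prod_bucket))
    print("scoped can delete prod bucket:",
          policy_allows(SCOPED_POLICY, "s3:DeleteBucket", prod_bucket))
```

The check deliberately treats `service:*` as over-broad even when the resource is narrowed, because a wildcard verb on a single bucket still includes delete and policy-changing actions the component was never meant to have. The evaluator is a simplification of IAM's real decision logic (no Conditions, NotAction, resource policies or permission boundaries), enough to show why a resource-specific policy is the only shape that limits blast radius when one function is compromised.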

How Checkmarx One can help

Reducing software risk and boosting developer and AppSec team productivity is central to Checkmarx’s mission. Our Checkmarx One™ Application Security Platform identifies code vulnerabilities and integrates seamlessly into the tools developers already use. Our aim is to help organizations improve software security without compromising their ability to innovate—making life easier for developers and application security teams at the same time.

Our partner Solvo shares our vision of a world running on secure code and we are pleased to announce a new Solvo integration into the Checkmarx One platform that will help our customers overcome many of the IaC security challenges outlined above. 

Hitting the IaC security sweet spot

Solvo is easy to onboard and its outputs are actionable: this application-aware cloud security platform helps R&D, DevOps and security teams discover, monitor, and remediate misconfigurations.

Solvo is an adaptive cloud infrastructure security platform that enables organizations to innovate at cloud speed and scale. Leveraging real-time monitoring and analysis across cloud infrastructure, applications, data and users, Solvo automatically creates customized, constantly updated least privileged access policies based on the level of risk associated with entities and data in the cloud. 

The prioritized findings deliver the remediation organizations need, uniquely created for every component, which is highly complementary to Checkmarx AppSec capability. Checkmarx One finds the IaC misconfiguration, and Solvo informs organizations not only how to remediate, but also how to do this in the best possible way, by automating IAM on a least-privileged basis.

Helping developers deliver secure code

Today we see a lot of responsibility shifting to developers, who are becoming the single stakeholder for all things cloud, but they often don't have the time or the knowledge to understand the complexities of all these environments. As a result, developers often adopt a trial-and-error approach that can cause issues in production. One simple change in a code file can have the ripple effect of blocking user access to resources and causing production downtime. Or, worse still, they are bombarded with so many misconfiguration findings that they simply ignore them, which widens the attack surface available to attackers. And while security should be everyone's responsibility, developers are unfortunately measured on delivering the next feature, not on how secure the application is.

This is why our partnership with Solvo is so important: Solvo delivers its recommendations as Infrastructure-as-Code templates, so developers can apply them directly through the Checkmarx One platform.

Learn more

To find out more, view the recording of our recent webinar with Solvo, Teaming Up to Tackle Cloud Security Misconfigurations.