5 Steps to Securing Infrastructure as Code with Policy as Code Frameworks
April 25, 2024

Dotan Nahum
Check Point Software Technologies

Remember that troublesome Terraform misconfiguration that leaked sensitive keys?

Security incidents like that are the stuff of developer nightmares.

Safeguarding our Infrastructure as Code (IaC) is therefore a non-negotiable part of DevSecOps. Policy as Code (PaC) helps teams keep pace with the sheer volume of IaC templates, scripts, and modules by turning security requirements into checks that run alongside the infrastructure definitions themselves. To help you understand how to marry the two, here are five steps to securing IaC with PaC.

Step 1: Understand the Changing IaC Threat Landscape

IaC has undeniably streamlined provisioning and deployment, but it's a double-edged sword. Configuration errors that were once isolated manual mistakes can now replicate at a terrifying pace through automation. Hardcoded secrets within IaC templates can quickly end up in public repositories or get accidentally shared during collaboration. Overly permissive IAM roles defined in IaC grant undue access if the associated credentials are compromised, opening lateral movement paths for attackers.

Malicious actors can target your IaC tooling itself. Think zero-day vulnerabilities in popular IaC frameworks or supply chain attacks where compromised third-party modules slip into your trusted codebase. To combat this, developers and DevOps teams need to go beyond understanding individual misconfigurations, shifting their focus to the broader patterns and systemic risks that IaC introduces.

Step 2: Embrace the Shift-Left Mentality with PaC

Shift-left security is vital because the earlier we address vulnerabilities, the less costly and disruptive they become. PaC fully embodies this philosophy by seamlessly integrating security into the very act of defining your infrastructure. Compliance requirements and best practices become a codified extension of your IaC.

Traditionally, IaC undergoes scans and audits after being written. PaC flips this model. By embedding policy checks directly into CI/CD pipelines, developers get near-instant feedback on whether new infrastructure changes adhere to your security standards. Predefined policies analyze IaC for risky configurations like overly permissive networking or unencrypted data stores. This lets developers fix potential security problems at the design stage, not when frantic alerts go off in production.

Step 3: Choose Your PaC Strategy with Technical Considerations

A PaC strategy requires a careful analysis of your organization's specific needs, resources, and desired level of customization. For example, general-purpose languages like Python, coupled with libraries like PyTerraform, Terraform-compliance, or various cloud provider SDKs (like AWS), provide exceptional flexibility. You can tailor checks to even the most nuanced risk scenarios and complex infrastructure designs. However, be aware that this path demands more development expertise.

Alternatively, domain-specific languages like Open Policy Agent's Rego offer a solution designed explicitly for authoring and managing policies. Rego's declarative syntax lets you define rules in a way that closely resembles plain-language security requirements. The active OPA community often provides a rich repository of pre-written policies, streamlining your initial setup. Tools like Styra with visual interfaces extend PaC accessibility to less code-savvy team members.

Embedded frameworks like Checkov, Terrascan, or tfsec prioritize developer experience and rapid integration into existing IaC workflows. These tools boast vast libraries of pre-built checks aligned with industry benchmarks and cloud security best practices. The trade-off is that while they reduce initial time investment, extensive customization might be more limited compared to a full-fledged, general-purpose programming language approach.

Step 4: Define Your Policies with Precision

Industry-standard benchmarks like those provided by the Center for Internet Security (CIS) or OWASP offer a solid foundation for your PaC policies – but you should tailor them to mirror your organization's risk profile. Begin by pinpointing your most important assets, such as the infrastructure components containing your most sensitive data or critical business logic. Simultaneously, consider the regulatory landscape relevant to your industry. PCI DSS for payment processing, HIPAA for healthcare, or SOC 2 for SaaS providers will shape your policy requirements.

For example, enforcing comprehensive resource tagging might seem mundane, but it's a cornerstone of cost control and security incident response. Another valuable policy could restrict the range of EC2 instance types developers can launch. Policies like this prevent accidental resource over-provisioning and reduce the potential attack surface. PaC policies can also forbid hardcoding credentials and secrets in IaC templates, instead mandating dedicated secrets management solutions like AWS Secrets Manager or HashiCorp Vault.

Step 5: Automate, Automate, Automate

The heart of PaC lies in relentlessly automating away manual security checks. Embed policy evaluations seamlessly into your existing CI/CD pipelines for maximum value. Every pull request proposing an IaC change should automatically trigger validation against your meticulously defined rules. Tools like Jenkins X coupled with OPA Gatekeeper offer excellent integration capabilities. Configuring Gatekeeper as an admission controller enforces your policies at the Kubernetes level, preventing misconfigured deployments from reaching your clusters. Similarly, Terraform Cloud with Sentinel allows you to define pre-run policy checks, ensuring compliance even before infrastructure changes are applied.
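The three policies from Step 4 (mandatory tags, an EC2 instance-type allow-list, no hardcoded secrets) wired into the pull-request gate described above, as an added example in the general-purpose Python style of Step 3; this is not code from the article. It reads the JSON that `terraform show -json` emits for a plan (the `planned_values.root_module.resources` layout follows Terraform's documented schema), and the sample plan, tag names, allow-list and secret patterns are constructed here for illustration.

```python
import json
import re
import sys
# Constructed sample of `terraform show -json plan.out` output (not from the article):
# a web instance that passes, and a database with a hardcoded password and no tags.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_instance.web", "type": "aws_instance", "values": {
        "instance_type": "t3.small", "tags": {"Owner": "platform", "Environment": "prod"}}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance", "values": {
        "instance_class": "db.t3.micro", "password": "hunter2", "tags": {}}},
]}}})

REQUIRED_TAGS = {"Owner", "Environment"}                           # policy 1
ALLOWED_INSTANCE_TYPES = {"t3.micro", "t3.small", "t3.medium"}     # policy 2
SECRET_ATTRS = re.compile(r"password|secret|token|api_key", re.I)  # policy 3
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")               # policy 3

def walk_strings(value, path=""):
    """Yield (attribute path, string) for every string nested in a resource's values."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def evaluate_plan(plan_json):
    """Return 'address: message' strings for every policy violation; an empty list means pass."""
    violations = []
    for res in json.loads(plan_json)["planned_values"]["root_module"].get("resources", []):
        addr, rtype, values = res["address"], res["type"], res.get("values") or {}
        # Policy 1: any resource that exposes a tags attribute must carry the required tags.
        if "tags" in values:
            missing = REQUIRED_TAGS - set(values["tags"] or {})
            if missing:
                violations.append(f"{addr}: missing required tags {sorted(missing)}")
        # Policy 2: EC2 instance types are restricted to an allow-list.
        if rtype == "aws_instance" and values.get("instance_type") not in ALLOWED_INSTANCE_TYPES:
            violations.append(f"{addr}: instance_type {values.get('instance_type')!r} is not allowed")
        # Policy 3: secret-named attributes must not hold literals, and no string may embed an AWS key ID.
        for path, text in walk_strings(values):
            if (SECRET_ATTRS.search(path.rsplit(".", 1)[-1]) and text) or AWS_ACCESS_KEY.search(text):
                violations.append(f"{addr}: hardcoded secret in {path}; use a secrets manager")
    return violations

if __name__ == "__main__":  # usage: python iac_policy_gate.py [plan.json]; exit 1 blocks the merge
    found = evaluate_plan(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN)
    sys.exit("\n".join(found) if found else 0)
```

Run it as a pipeline step after `terraform plan -out=plan.out && terraform show -json plan.out > plan.json`; a non-zero exit fails the pull-request check before anything is applied.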

A genuinely robust implementation goes beyond just pipeline enforcement. Consider complementing your CI/CD safeguards with IaC testing frameworks like Terratest or Kitchen-Terraform. Paired with a tool like Checkov, you can write tests that verify the syntactical correctness of your IaC and its adherence to your security policies.

The Future of IaC is Secure

IaC and PaC are a powerful combo. Treating security as code allows you to gain agility without sacrificing peace of mind. Of course, tools are only part of the equation. Fostering a DevSecOps culture where security is everyone's responsibility is the real key to long-term success.

Dotan Nahum is Head of Developer-First Security at Check Point Software Technologies