Enterprise organizations used to buy computers. Actual physical machines that came in shiny boxes in various sizes. Some of those machines were called servers and they were either put in the corner, or (in the more technically advanced operations) they were given their own special room with air conditioning and special blinking lights. Other machines made it to employees’ desks and were known as ‘desktops’, with the field operations team also getting laptops and other remote working devices.

It was a happy time; employees mostly saved their work when they needed to on their machines and then performed backups on the IT infrastructure their organization depended upon. That infrastructure was located in the server room, or occasionally it was to be found on the box in the corner, the one with the coffee cup and the half-eaten Snickers bar on top.

Enterprise organizations obviously still do buy computers, but something has changed in the basic client [machine]-server construct at a base level. The birth of the web and the cloud computing model of service-based IT means that infrastructure is now often located in a datacenter and provided remotely.

Infrastructure responsibility still exists

But even in the automated world of cloud and web, IT infrastructures don’t just happen. There is no off-the-shelf small, medium and large infrastructure selection pack per se; it is still usually down to an organization’s own IT department to architect, establish, provision, create, deploy and manage the chosen infrastructure, at least initially, even if a lot of the ongoing maintenance is carried out by Infrastructure-as-a-Service (IaaS) providers.

This enduring responsibility means that IT infrastructure development can be done well and delivered in a slick and performant fashion. Conversely, it can also be executed with what the tech purists would call a ‘misconfiguration of resources’, which is almost a techie euphemism for a goof-up, or insert the profanity of your choice.

President and CEO of cloud-based IT, security and compliance solutions company Qualys is Sumedh Thakar. Explaining that we have now moved into an era where tech foundations need to be thought of as dynamically orchestrated entities that need fine-grained engineering controls to bring them into life, Thakar has driven his firm to now provide Infrastructure-as-Code (IaC) security as a core capability in the Qualys CloudView application.

What is Infrastructure-as-Code?

Arguably up there among the hotter technology terms for 2022 and beyond (you could add serverless, headless, API-centricity and as much Kubernetes as you can handle) is Infrastructure-as-Code. But what is it and what does it mean?

Infrastructure-as-Code is obviously not wholly dissimilar from software application code used to build apps i.e. it is a ‘descriptive model’ for defining and provisioning the structure of an IT network plus all its data storage capacities and capabilities, server structures and other associated base elements such as load balancers and more. Rather than our old notion of a physical piece of server hardware existing in the office, an IT infrastructure is now established through the use of IaC files, which are typically text files written in various languages such as Terraform, CloudFormation etc.

In the Infrastructure-as-Code model of IT, there are no cables and wires. Instead, there are descriptive model source code files that define connection topologies. It’s just like a computer, but it’s all virtualized software, running on a cloud service.

So to Qualys then. As a company known for its system-wide security and compliance skills, it makes a lot of sense for the firm to bring this function forward in its core product. The new capability is designed to shift security left (i.e. look for problems before they happen) by detecting security risks in cloud resource configurations before they are actually deployed.

Shift left: remediation of misconfigurations

Putting Infrastructure as Code (IaC) scanning into the Qualys CloudView application is designed to enable detection and remediation of misconfigurations early in the development cycle, removing risk in the production environment. As noted in the (ISC)2 2021 Cloud Security Report, security professionals’ biggest threat with public clouds is the misconfiguration of resources.

“With the addition of IaC assessment to CloudView, Qualys is extending its cloud security posture management (CSPM) solution to handle shift-left use cases,” said Thakar. “Leveraging the Qualys Cloud Platform and its integrated apps, customers can now insert security automation into all stages of their application lifecycle ensuring complete visibility into both runtime and build-time posture via a unified dashboard.”

A software engineer by trade himself, CEO Thakar explains that misconfigurations are often detected post-deployment, leaving companies with a much larger attack surface and more vulnerable to exploits.

“Increasingly, organizations are using IaC to deploy cloud-native applications and provision their cloud infrastructure. Thus, it’s important to shift security left to identify and remediate misconfigurations at the IaC template stage. Detecting security issues earlier in the development cycle accelerates secure application delivery and fosters greater collaboration between DevOps and security teams. More importantly, it enforces better security policies in the production environment,” said Thakar.

The rise of safe-to-fail technology

Industry analysts like to call this type of IT construct the development of safe-to-fail environments. Using this approach, an organization’s software application development engineers are supposed to be able to get on with creating useful stuff (IT vendors like to call them ‘innovations’) in the form of apps and data services with functionalities that actually help businesspeople. If you hear people talk about ‘intelligent security tooling for continuous delivery pipelines’, then they’re probably going to mention Infrastructure-as-Code as a key component.

This is all about identifying unsafe IT workloads before they are executed – and by unsafe IT workloads we mean ones that use data services, connected applications, Content Management Systems (CMSs), Application Programming Interfaces (APIs) or any other part of the planet’s IT ecosystem that has cybersecurity or operational effectiveness vulnerabilities in it. In short, there is more complexity out there in all environments; the world no longer runs on uniform technologies like it used to.

“Qualys CloudView allows complete visibility and security control of public cloud workloads and now assesses IaC templates for misconfigurations. IaC assessments are integrated into the software development cycle to ensure that only code conforming to the organization’s security standards is deployed,” explained Thakar and team.

What’s your security posture?

Alongside back posture, organizations should now also be thinking about software runtime and build-time posture. The Qualys Cloud Platform approach here is aligned to provide visibility of both runtime and build-time posture, and the drift between the two, in a single view.

The firm says CloudView IaC Security provides a Command Line Interface (that’s developer code, basically) to perform a security assessment locally. It will ‘gate’ deployment (form barriers or stops so unsecured or unsafe code scripts are kept out of the software code pipeline) if misconfigurations are detected, and plug-ins for source code repositories at check-in and for Continuous Integration & Continuous Deployment (CI/CD) platforms are also available.
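To make the IaC template and pipeline gate idea concrete, here is an added illustration that is not Qualys code and not part of the original article: a constructed CloudFormation-style template in JSON form with two misconfigurations, the same template after remediation, and a small scanner whose exit code could block a deployment. The resource names, the corporate range 203.0.113.0/24 and the two checks performed are assumptions for the example.

```python
import json

# Constructed CloudFormation-style template (JSON form) with two misconfigurations:
# SSH ingress open to the whole internet and a bucket ACL that grants public read.
WEAK_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}}}})

# Same template after remediation: SSH limited to an assumed corporate range, bucket private.
FIXED_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}}}})

ADMIN_PORTS = {22, 3389}          # management ports that should never face 0.0.0.0/0
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite"}

def scan_template(text):
    """Return (resource_name, finding) tuples for the misconfigurations checked here."""
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
                # A rule with no port range (e.g. IpProtocol "-1") covers every port.
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                hit = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
                if world and hit:
                    findings.append((name, f"ports {hit} open to the internet"))
        elif res.get("Type") == "AWS::S3::Bucket":
            if props.get("AccessControl") in PUBLIC_ACLS:
                findings.append((name, f"bucket ACL {props['AccessControl']} is public"))
    return findings

def gate(text):
    """Pipeline gate in the style of a CLI check: 0 lets the deploy proceed, 1 blocks it."""
    return 1 if scan_template(text) else 0

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        for name, finding in scan_template(tpl):
            print(f"[{label}] {name}: {finding}")
        print(f"[{label}] gate exit code {gate(tpl)}")
```

Run before a deployment step, the non-zero exit code is what a CI/CD job would use to stop the pipeline; the HTTPS rule stays open to the world and is deliberately not flagged.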

Enterprise organizations still buy computers, but the way they buy their IT backbone has changed. It’s good news, but we all still need to sit up straight and stop slouching… and that means virtually and In Real Life (IRL).
