This is a conversation with Accurics CTO, Om Moolchandani, about Infrastructure as Code security.

Here are some of the topics we covered:
Q: How much role does Zero Trust play in the immutable security landscape?
Q: Security is no longer an afterthought, it’s becoming a number priority for companies.
Q: State of DevSecOps report findings?
Q: Are people really taking security seriously?
Q: Complexity due to hybrid cloud
Q: Accurics solutions

Summary: Cloud infrastructure is much more than just traditional network storage or compute. The current cloud infrastructure also includes technologies such as serverless, containers, Kubernetes, Servicemesh, and so on. These technologies are being provisioned more and more through code. Time has gone when folks were deploying these technologies manually on the cloud; all these technologies are getting deployed through code. That code is what is called infrastructure as code. So in order to install your operating systems, or configure applications, you need to be able to do this infrastructure as code.

A lot of organizations are adopting this new paradigm. This paradigm has also enabled organizations to adopt a strategy of infrastructure deployment, which is known as an immutable infrastructure strategy, where the infrastructure actually is never modified after it has been deployed. If something needs to be changed, the change has to first happen in the code. And then you can go ahead and provision these new changes in the cloud.

The question arises how do we secure this infrastructure is code when the entire infrastructure code is actually presenting a transient situation. So despite organizations adopting a lot of cloud security tools, only 4% of issues are actually being reported for these tools. The resolution of tracing the issues back to the infrastructure record is not available in the market today. So if you want to fix an issue that you have found in the cloud, you actually have to be able to fix it in infrastructures code. There is no solution out there that solves this problem.

“At Accurics we believe that the only way to secure immutable infrastructure is to adopt the paradigm of immutable security,” said Moolchandani, “Organizations need to embed security earlier in the development lifecycle by continuously scanning the infrastructure code for risks, and fixing them, even before the cloud infrastructure is provisioned. That’s what we do at Accurics – manage your infrastructure code from a security point of view. We assess your infrastructure code, present you with risks that are present in that, and tell you if your cloud would have been born secure or not, even before the cloud was built.”

You may also like