Infrastructure-as-Code series - KPMG UK: IaC's critical role in cybersecurity

The Computer Weekly Developer Network (CWDN) continues its Infrastructure-as-Code (IaC) series of technical analysis discussions to uncover what this layer of the global IT fabric really means, how it integrates with the current push to orchestrate increasingly cloud-native systems more efficiently and what it means for software application development professionals now looking to take advantage of its core technology proposition.

This post is written by Chris Astley in his role as partner and head of engineering at KPMG UK.

Astley writes as follows…

Once hailed as the future of infrastructure management and now the de-facto best practice, Infrastructure-as-Code (IaC) is a process that automates the provisioning and management of compute resources with machine-readable templates. In a cloud context it is the clear choice for automation and is making inroads into private datacentres as well.

Prior to IaC, system engineers had the laborious task of manually provisioning and configuring their compute infrastructure. With cloud providers in particular updating features and capabilities daily, this had become an overwhelming task. With IaC, engineers now have the means to better manage version control, deploy and improve their enterprise’s cloud infrastructure faster, cheaper and more efficiently than ever before.

What is less understood is IaC’s role in security.

But, despite that being so, organisations should be quick to integrate this technology into their cybersecurity strategy, as it has a role in both the prevention and remediation of cyber-attacks. Furthermore, with security teams already stretched – nearly half (43%) of digital leaders saying they have a talent shortage in this area, according to research by Harvey Nash – IaC is something that can help automate some security tasks, therefore lightening their workload and allowing InfoSec teams to focus on more business critical issues.

IaC as a preventative tool

IaC is incredibly important in preventing cyber incidents from happening in the first place, primarily because of the increased control it offers an organisation around change and ongoing maintenance and management of their infrastructure.

Whereas previously engineers had to manually provision and configure their cloud, using input scripts through IaC offers a single source of truth. The positive effect of this is the removal of possible human error when any changes to infrastructure are made, drastically reducing the potential for the opening of a new exploitable vulnerability for threat actors to take advantage of. It is also possible to view all code misconfigurations in one place and therefore faster to manage and remediate them.

Moreover, the automation offered by IaC means that any updates from cloud providers can be made instantly. When new and secure iterations of cloud tools are released, there is minimal delay to updates, reducing their risk exposure.

One of the greatest benefits of IaC is that when done right it is a 100% accurate and up-to-date documentation of the live environment itself. InfoSec teams will find this invaluable in performing threat assessments (indeed, doing them automatically based on the code), understanding common vulnerabilities, and having a documented response and improvement process to action those findings.

IaC can support disaster recovery

IaC is also vital to an organisation’s recovery after a cyber incident – especially with regards to common exploits like ransomware. With IaC, requirements of resources are already codified, which makes it ideal for incident response and disaster recovery.

If an attack should occur, with IaC it is now possible for IT teams to perform disaster recovery by rapidly generating a new, identical environment from the IaC scripts and the previous backups. Being able to restore to a known working state in minutes is critical to fast recovery from that scenario.

How to make IaC a reality

KPMG’s Astley: Codified power in IaC delivers key functions and roles in cyber strategies.

The benefits of IaC are clear, but to make it work in practice, security teams need to have a deeper knowledge of how IaC and software development in general works – often moving away from a more ‘architectural’ role into being much more involved in the day-to-day activities of the teams building information systems. 

In particular, shifting from a point-in-time check to make sure that an environment looks secure, to governing the full Software Development Lifecycle (SDLC) to include IaC. Teams need to ensure that the process is a good one, rather than just one execution of the process looking right.

As with a lot of new technology, the first step is one of collaboration and communication between development and security teams, such that they can take advantage of the benefits IaC brings from a security perspective – and knowing that there are huge operational benefits as well. It will be the role of IT leaders to drive this communication so that the full benefits of IaC can be realised.

IaC is by no means the panacea for cybersecurity. In reality, it presents some potential security risks of its own, such as an unpatched vulnerability in an IaC tool, misconfigurations in IaC tools and the risk of exposing sensitive data. However, with the number of cyber attacks rising exponentially, combined with the enduring cybersecurity skills gap, it’s inevitable that IaC will play a vital role in organisations’ cyber security arsenal in the future.  

About the author

Chris Astley has over 16 years experience in building and managing enterprise workloads in multiple scenarios. For the past 10 years he has focused on deploying applications and services in public cloud environments whilst retaining a strong security posture. Chris is responsible for the connected engineering practice for KPMG UK. The team has numerous capabilities around DevOps, cloud, application development and automation.

Data Center
Data Management