Cloud Security Moving at the Speed of Code

Tenable

Heather Peyton, Director, Product Marketing, Cloud and OT Security, Tenable


As the cloud becomes integral to modern business, security is top of mind for executives, developers, and security leaders. With a cloud-native architecture and provisioned infrastructure, application teams can change and update running apps at an unprecedented rate, which increases the risk, scale and velocity of cloud breaches. Between 2018 and 2020, over 30 billion records were exposed in 200 breaches due to cloud infrastructure misconfigurations alone.

The key to securing infrastructure that changes this quickly is to define security policies as code. In practice, that means adopting a Cloud-Native Application Protection Platform (CNAPP) that lets your security team extend vulnerability management to cloud workloads: policies written as code continuously assess the underlying infrastructure for security weaknesses.

While you can remediate problems after deployment, it's not ideal, as this leaves gaps in security and configurations that attackers can exploit. To avoid cloud misconfigurations, security must be applied during the build process; otherwise, cloud applications will continue to be configured incorrectly throughout deployment and production. Defining security policies as code enables DevOps teams to automate the process of protecting your infrastructure as the cloud changes rapidly.

Transforming your cloud security to a policy-based Infrastructure as Code (IaC) model takes time and planning. Follow these best practices continuously to establish your cloud security as code with Tenable.

  1. Define Policy as Code
    Assess and detect violations across IaC at build time and through CI/CD by applying security and compliance policies, such as the CIS Benchmarks, as code.
  2. Governance as Code
    Automate security governance decisions within IaC and leverage code repositories for workflows and audits.
  3. Drift as Code
    Continuously detect infrastructure changes, flaws, policy violations, and potential breaches as IaC.
  4. Security as Code
    Identify and understand potential breach paths and vulnerabilities to prioritize risk resolution by assessing the blast radius.
  5. Remediation as Code
    Automatically push security fixes to developers through pull requests that include the IaC change needed to fix the identified vulnerability.
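As an added illustration of steps 1 and 3 (example code, not Tenable's product logic), the following Python evaluates a few CIS-style policies against constructed IaC resources at build time, then compares the declared resources with a constructed running state to surface drift. The flattened resource schema, the sample values and the policy names are assumptions made for the example.

```python
import ipaddress

# Constructed sample data (not from any real environment): resources as the IaC
# declares them at build time, flattened from a Terraform-style plan ...
DECLARED = [
    {"type": "aws_security_group_rule", "name": "ssh_in", "port": 22, "cidr": "0.0.0.0/0"},
    {"type": "aws_s3_bucket", "name": "logs", "encrypted": False, "public": False},
]
# ... and the same resources as they are actually running, used for drift detection.
LIVE = [
    {"type": "aws_security_group_rule", "name": "ssh_in", "port": 22, "cidr": "10.0.0.0/8"},
    {"type": "aws_s3_bucket", "name": "logs", "encrypted": False, "public": True},
]

def no_admin_ports_from_internet(r):
    """CIS-style rule: SSH/RDP must not be reachable from any source address (/0)."""
    return not (r["type"] == "aws_security_group_rule"
                and r["port"] in (22, 3389)
                and ipaddress.ip_network(r["cidr"]).prefixlen == 0)

def bucket_encrypted(r):
    """Object storage must have encryption at rest enabled."""
    return r["type"] != "aws_s3_bucket" or r["encrypted"]

def bucket_not_public(r):
    """Object storage must not be publicly accessible."""
    return r["type"] != "aws_s3_bucket" or not r["public"]

# Policy names are illustrative; a real catalogue would map each one to a benchmark ID.
POLICIES = {
    "no_admin_ports_from_internet": no_admin_ports_from_internet,
    "bucket_encrypted": bucket_encrypted,
    "bucket_not_public": bucket_not_public,
}

def evaluate(resources):
    """Return sorted (resource, policy) pairs for every violation; empty means the gate passes."""
    return sorted((r["name"], name) for r in resources
                  for name, check in POLICIES.items() if not check(r))

def drift(declared, live):
    """Return (resource, attribute, declared, live) wherever the running state differs
    from the IaC; a resource missing from `live` reports all of its attributes."""
    running = {(r["type"], r["name"]): r for r in live}
    findings = []
    for d in declared:
        l = running.get((d["type"], d["name"]), {})
        findings += [(d["name"], k, v, l.get(k)) for k, v in d.items() if l.get(k) != v]
    return findings
```

Note that the drift on `ssh_in` narrows the rule rather than weakening it: drift is still worth reconciling, because the IaC no longer describes what is running and the next apply would reopen the port.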

Infrastructure as Code offers numerous benefits for securing cloud environments, such as faster deployment and remediation, quality improvement, and overall risk reduction. As developers embrace IaC, it becomes the foundational bedrock of your cloud security, shifting your vulnerability management (VM), CSPM, and CIEM left. This "everything as code" approach makes IaC ubiquitous across the entire cloud development lifecycle.
