This is a continuation of previous posts on Infrastructure-as-code, aka IaC for short. There's no denying that IaC helps to create and manage infrastructure and that it can be versioned, reused, and shared, all of which helps to provision resources quickly and consistently and to manage them throughout their lifecycle. Unlike software product code, which must be general purpose, provide a strong foundation for the system architecture and aspire to be a platform for many use cases, IaC varies a lot: it must be manifested in different combinations depending on environment, purpose and scale, and it encompasses the complete development process. It can even include the CI/CD platform, DevOps tooling, and testing tools. The DevOps-based approach is critical to rapid software development cycles, and as a result IaC takes a variety of forms. The more articulated the IaC, the more predictable and cleaner the deployments.
IaC is not an immutable asset once it is properly authored. It must be maintained just like any other source code asset. Some of the changes are the usual fixes to defects and design changes, but in the case of IaC specifically, other changes come from drift detection and cloud security posture management, aka CSPM. This article talks about that.
CSPM provides us with hardening guidance that helps to improve the security of the cloud deployment. It is surfaced through the user interface of Microsoft Defender for Cloud, a cloud-native application protection platform with a set of security measures and practices designed to protect cloud-based applications from various cyber threats and vulnerabilities efficiently and effectively. In addition to CSPM, Defender provides DevSecOps solutions for security management at the code level across cloud subscriptions and multiple pipeline environments. Defender also provides a cloud workload protection platform, aka CWPP, with specific protections for servers, containers, storage, databases, and other workloads.
The CSPM capabilities are free. They include asset discovery, continuous assessment and security recommendations for posture hardening, compliance with the Microsoft Cloud Security Benchmark (MCSB), and a Secure score that measures the status of the organization's posture. Optional CSPM plan features include attack path analysis, cloud security explorer, advanced threat hunting, security governance capabilities, and tools to assess security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required by the organization, industry, or region.
Azure Policies are routinely deployed by organizations as a catch-all when IaC does not enforce consistency or when changes made outside IaC introduce security risks. CSPM allows us to define security conditions that customize a security policy. The policy translates into recommendations that identify resource configurations violating the security policy. Summarizing all the security postures based on the security recommendations yields the Secure score, and a dashboard shows the weaknesses in the security posture.
Fixes for the recommendations that come from CSPM can work their way into the IaC at the pace that suits the organization. Care must be taken to rank the recommendations and their fixes by priority and severity. A recommendation is not a hard-and-fast rule, and organizations may take steps to achieve the same result as what the recommendation prescribes by other means. For example, many resources may be asked to turn on dedicated private networking, but organizations may find it simpler and easier to retain public networking and instead restrict callers to a set of IP ranges expressed as CIDRs. Another approach that works for organizations is to find the set of fixes that boost the Secure score the most, so that those fixes can be made earlier than others.
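As an added example (not code from this post or from Defender for Cloud), the Python check below reads a constructed ARM-style template and evaluates storage-account network exposure the way a posture recommendation would, but before the IaC is deployed: a resource passes either with private networking or by keeping the public endpoint and restricting callers to CIDR ranges, and the findings are ranked by severity so the high ones can be fixed first. The property names follow the Microsoft.Storage/storageAccounts resource schema; the sample template and the MAX_RANGE threshold for how wide an allow-list may be are assumptions.

```python
import ipaddress
import json

# Constructed ARM-style template (sample data, not from the post): four storage accounts with different network stances.
TEMPLATE = json.loads("""{"resources": [
 {"type": "Microsoft.Storage/storageAccounts", "name": "stopen", "properties": {"publicNetworkAccess": "Enabled",
  "networkAcls": {"defaultAction": "Allow", "ipRules": []}}},
 {"type": "Microsoft.Storage/storageAccounts", "name": "stwide", "properties": {"publicNetworkAccess": "Enabled",
  "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "0.0.0.0/0", "action": "Allow"}]}}},
 {"type": "Microsoft.Storage/storageAccounts", "name": "stscoped", "properties": {"publicNetworkAccess": "Enabled",
  "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}]}}},
 {"type": "Microsoft.Storage/storageAccounts", "name": "stprivate", "properties": {"publicNetworkAccess": "Disabled"}}
]}""")

MAX_RANGE = 2 ** 16  # hypothetical threshold: an allow-list range wider than a /16 is treated as effectively public

def allow_list_is_scoped(ip_rules):
    """True when every rule is a valid CIDR and none covers more than MAX_RANGE addresses."""
    if not ip_rules:
        return False
    for rule in ip_rules:
        try:
            net = ipaddress.ip_network(rule["value"], strict=False)
        except ValueError:  # malformed entry: do not treat the allow-list as a restriction
            return False
        if net.num_addresses > MAX_RANGE:
            return False
    return True

def assess(template):
    """Return one finding per non-compliant storage account, highest severity first."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        props = res.get("properties", {})
        if props.get("publicNetworkAccess") == "Disabled":
            continue  # private networking only: what the recommendation prescribes
        acls = props.get("networkAcls", {})
        if acls.get("defaultAction") == "Deny" and allow_list_is_scoped(acls.get("ipRules", [])):
            continue  # public endpoint kept, callers limited to CIDRs: the alternative described in the post
        severity = "Medium" if acls.get("defaultAction") == "Deny" else "High"
        findings.append({"resource": res["name"], "severity": severity,
                         "reason": "public endpoint without a usable IP allow-list"})
    return sorted(findings, key=lambda f: {"High": 0, "Medium": 1}[f["severity"]])

if __name__ == "__main__":
    for f in assess(TEMPLATE):
        print(f"{f['severity']:6} {f['resource']}: {f['reason']}")
```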
While going through all the recommendations may be exhausting and time-consuming, it is preferable to address those of high priority or severity first. Many aspects can determine these, and buy-in from all the stakeholders is helpful in this regard.