Shift Security Left with Policy as Code

This article originally appeared elsewhere and has been re-posted with permission from Indellient. You can read the original here.

Original Author: Rafael Battesti, DevOps Solutions Engineer

Across all organizations, IT departments have been delivering infrastructure to support the business, in one way or another. Initially, on-premise infrastructure was the rule and IT departments were stuck with hardware procurement, device and network maintenance, physical security of data centres, and the list goes on.

With the advent of the cloud, many businesses started their “Cloud Transformation” journey, migrating their workloads to data centres no longer owned by the company, but by the public cloud provider, who became responsible for absorbing all the above-mentioned infrastructure costs and responsibilities.

With the Cloud, Infrastructure as Code (IaC) slowly became the best practice for how IT Cloud Architects deploy and manage their infrastructure. As automation makes hyper-scale infrastructure possible, it also brings more challenges in testing and asserting compliance with benchmarks such as the ISO 27000 series, CIS, HIPAA, PCI, GDPR, among others. A misconfigured asset provisioned in bulk using automation propagates across fleets, significantly increasing the attack surface. While the public cloud providers deliver overall cost benefits, the overall security posture of the business can dramatically impact the ROI of moving to the cloud. Gartner states that 95 percent of all security breaches are due to misconfigurations, and those mistakes cost companies nearly $5 trillion between 2018 and 2019 alone.

Chief Information Security Officers (CISOs) responsible for the overall security posture of their organizations implement policies, track non-conformity and trigger actions for architects to apply fixes that address vulnerabilities. In many cases, a lot of custom tooling is created to support this workflow:

  • IT Cloud Architect/Developer answers a series of questions about their infrastructure.
  • Answers are assessed (automatically or not) by the CISO.
  • CISO initiates the remediation for nonconforming controls, based on the answers provided, which may or may not reflect the infrastructure that has actually been provisioned.
  • IT Cloud Architect tackles the remediation work and provides evidence of conformity back to the CISO for approval.

This manual process can be very lengthy and cumbersome, and more often than not it does not meet the business objectives at any level. We must bridge the gap between the CISO and Product teams to ensure an organization's software development and delivery processes are not negatively impacted.

On September 6th, Indellient’s Rafael Battesti discussed the role of Policy as Code (PaC) in the creation of Infrastructure as Code (IaC) with DevOps Toronto. You can watch that discussion here:

Shift Security Left with Policy as Code

In this talk, they discussed the role of Policy as Code (PaC) in the creation of Infrastructure as Code (IaC), which is one way to shift security left and close the gap between the CISO and the Product teams. PaC best practices and tooling can bridge the gap by guaranteeing compliance with established control benchmarks such as CIS, or even custom internal policies, with continuous assessment of the infrastructure assets.
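To make the "continuous assessment" idea concrete, here is an added example (not code from the talk or from Indellient) of a minimal policy-as-code gate that evaluates an IaC plan before anything is provisioned. It assumes a Terraform-style plan JSON (`resource_changes` entries with an `after` state), simplified AWS-provider attribute names, and two constructed controls loosely modelled on common CIS benchmark items; the plan itself is made up here.

```python
import json

# Constructed sample plan, shaped like the JSON a Terraform plan export produces.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "corp-logs"}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                          "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_security_group.old", "type": "aws_security_group",
         "change": {"actions": ["delete"], "after": None}},
    ]
})

def require_bucket_encryption(res):
    """CIS-style control (assumed): every S3 bucket declares server-side encryption."""
    if res["type"] != "aws_s3_bucket":
        return None
    if not res["change"]["after"].get("server_side_encryption_configuration"):
        return "bucket has no server_side_encryption_configuration"
    return None

def deny_world_ssh(res):
    """CIS-style control (assumed): no security group admits SSH (22) from 0.0.0.0/0."""
    if res["type"] != "aws_security_group":
        return None
    for rule in res["change"]["after"].get("ingress", []):
        if (rule["from_port"] <= 22 <= rule["to_port"]
                and "0.0.0.0/0" in rule.get("cidr_blocks", [])):
            return "SSH open to the world"
    return None

POLICIES = [require_bucket_encryption, deny_world_ssh]

def evaluate(plan_json, policies=POLICIES):
    """Return (address, finding) pairs for every resource that will exist after apply."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan.get("resource_changes", []):
        if res["change"]["after"] is None:  # deleted resources leave no asset to assess
            continue
        for policy in policies:
            msg = policy(res)
            if msg:
                findings.append((res["address"], msg))
    return findings
```

Wired into a pipeline, a non-empty result from `evaluate()` fails the build, so the nonconforming asset is caught at plan time rather than discovered later by a questionnaire.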