Infrastructure-as-Code series - Tenable: The joy of enforced immutability

The Computer Weekly Developer Network (CWDN) continues its Infrastructure-as-Code (IaC) series of technical analysis discussions to uncover what this layer of the global IT fabric really means, how it integrates with the current push to orchestrate increasingly cloud-native systems more efficiently and what it means for software application development professionals now looking to take advantage of its core technology proposition.

This piece is written by Piyush Sharma in his capacity as VP of cloud security engineering at Tenable; the company is a specialist in cloud-based vulnerability management technology.

Sharma writes as follows…

Infrastructure as Code (IaC) enables faster, more consistent and automated provisioning of infrastructure to DevOps teams, but the greatest impact of IaC may be in its ability to transform the processes used to develop, deploy and operate immutable infrastructure. 

Whether or not development and DevOps teams realise it, the tools and approaches they adopt to solve engineering challenges have impacts across the business. 

IaC in particular holds the key to modernising manual processes in security and operations, breaking down organisational silos and delivering more value. Some say that software is eating the world… and it’s increasingly true that developers are driving the business.

IaC is popular for both virtualised and cloud infrastructure. 

It provides a way to describe infrastructure in the form of source code, which can be used to automate the provisioning of that infrastructure in the datacentre, private or public cloud. There are many different tools to fit different needs. For example, CloudFormation specialises in one specific environment (Amazon Web Services), while tools such as Terraform support many different public cloud, and even hybrid, environments.

Enforced immutability

IaC enforces immutability in runtime infrastructure, which means each component of the architecture is built from an exact, version-controlled configuration. This reduces the possibility of infrastructure drift, where the running environment gradually moves away from the desired configuration(s).


Where IT provisioning processes have traditionally required long waits and manual effort, IaC enables teams to provision the infrastructure they need in a matter of minutes, at the press of a key. Even better, modifying, scaling, or duplicating the environment is as simple as modifying the source code and reprovisioning. 

It’s a key technology in the cloud, where applications need to scale automatically and ecosystems have developed around approaches such as Atlantis, Kubernetes and GitOps. Operational tasks are reduced to code commits that trigger automated processes that reconcile the runtime configuration with the committed changes.

IaC helps manage cost & risk

Considering the complete application lifecycle, there are a few other places where unpredictable, manual processes can create delays. For example, many organisations limit cloud resource configurations to control costs and/or security risks. The IT teams that provision infrastructure manually are trained to adhere to cost policies and security teams need time to triage findings from assessments and penetration tests. 

It turns out that IaC can enable similar benefits for these processes as well.

IaC codifies infrastructure, including instance types, configurations, security groups, relationships between resources, network accessibility and more. Before IaC, the only authoritative source for this information was the configuration of the runtime environment itself. If problems weren’t found or fixed before the provisioning stage, then the company would need to bear that cost or risk.

IaC creates an opportunity to analyse these complex systems before they are actually provisioned.

Processes such as architecture review, cost analysis, threat modeling and security assessment can be performed earlier, enabling teams to proactively find and fix problems before deployment… and before unexpected costs or security problems arise.

IaC enables automation

Ultimately, IaC is automating the cloud infrastructure. 

From a developer’s perspective, that means eliminating the manual steps that impede effective CI and, especially, CD processes. Codifying infrastructure and configurations in the source code repository creates a single source of truth for the application and enables further codification. Policy-as-code tools can then analyse the IaC against cost policies, configuration policies, security policies and more, moving late, manual controls to early, automated ones.
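As an added example (not Tenable’s code or that of any tool named in this piece), here is the pre-provisioning analysis described under “IaC helps manage cost & risk” and the policy-as-code gate described above, reduced to a small Python check over a constructed, simplified Terraform plan document; the plan contents, the list of sensitive ports and the allowed instance types are all assumptions for illustration.

```python
import json
from ipaddress import ip_network

# Constructed sample in the shape of a simplified `terraform show -json` plan:
# one security group and one instance, reduced to the fields checked below.
SAMPLE_PLAN = json.dumps({"resources": [
    {"type": "aws_security_group", "name": "web", "values": {"ingress": [
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_instance", "name": "batch",
     "values": {"instance_type": "p3.16xlarge"}},
]})

# Assumed policies: admin/database ports that must never be reachable from
# the whole internet, and the instance types the cost policy permits.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
ALLOWED_INSTANCE_TYPES = {"t3.micro", "t3.small", "m5.large"}

def check_security_groups(resources):
    """Security policy: flag sensitive ports exposed to 0.0.0.0/0 or ::/0."""
    findings = []
    for r in (x for x in resources if x["type"] == "aws_security_group"):
        for rule in r["values"].get("ingress", []):
            world = any(ip_network(c).prefixlen == 0 for c in rule["cidr_blocks"])
            exposed = SENSITIVE_PORTS & set(range(rule["from_port"], rule["to_port"] + 1))
            if world and exposed:
                findings.append(("security", r["name"],
                                 f"ports {sorted(exposed)} open to the internet"))
    return findings

def check_instance_types(resources):
    """Cost policy: every instance must use an allow-listed type."""
    return [("cost", r["name"], f"instance type {r['values']['instance_type']} not allowed")
            for r in resources if r["type"] == "aws_instance"
            and r["values"].get("instance_type") not in ALLOWED_INSTANCE_TYPES]

def evaluate_plan(plan_json):
    """Run every policy over the plan; an empty list means it may be applied."""
    resources = json.loads(plan_json)["resources"]
    return check_security_groups(resources) + check_instance_types(resources)

if __name__ == "__main__":
    # In a pipeline this gate runs before `terraform apply` and fails the build
    # on any finding, so the problem is fixed in code rather than at runtime.
    for category, name, msg in evaluate_plan(SAMPLE_PLAN):
        print(f"[{category}] {name}: {msg}")
```

The same shape of check extends to any codified property the article lists (relationships between resources, network accessibility), because the plan is plain data that can be evaluated long before anything is provisioned.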

Modern software development already leverages automation extensively and that trend is only accelerating. 

Manual operational and security steps interrupt the innovation pipeline. IaC enables automation of these processes during development, effectively shifting them left and eliminating bottlenecks while improving the team’s ability to respond to findings. In other words, while improving efficiency for the DevOps team, IaC also delivers benefits to the entire organisation in the form of faster innovation, better control over costs and improved security.