PROTECTING CRITICAL RESOURCES IN CLOUD ENVIRONMENTS THROUGH SECURITY AS CODE APPROACHES: SOLVING THE PROBLEM OF MISCONFIGURATIONS

DOI:

https://doi.org/10.18372/2225-5036.30.18579

Keywords:

Security as code, Infrastructure as code, DevSecOps, DevOps, Cloud environments, secure software development cycle, CI/CD

Abstract

Cloud technologies are becoming increasingly popular among organizations as a means of ensuring the scalability, flexibility, and efficiency of IT infrastructure. However, the widespread adoption of cloud solutions also opens up new challenges for information security, particularly those related to improper configurations of critical resources, which can lead to unexpected data leaks, breaches of service availability, and other security incidents. This article addresses the protection of critical resources in cloud environments, with a special focus on challenges related to improper configurations. The authors propose an effective solution to this problem based on Security as Code (SaC) approaches, which allow security requirements to be integrated directly into the development and deployment processes of cloud resources, thus implementing preventive control and ensuring a "Shift left" approach in cybersecurity. The article thoroughly analyzes typical cases of improper configuration of cloud resources and their potential impact on the security of information systems. Furthermore, based on current research and practical experience, the authors show how the application of SaC can help automate the detection and remediation of such vulnerabilities at early stages of the development lifecycle. Particular attention is given to the tools and technologies that can be used to implement SaC. The article calls for further research into the use of SaC for securing cloud environments and proposes directions for future work in this area, including the automation of configuration error detection, the development of universal security policies, and the creation of standards for integrating security into the software development process.
To support the research, a broad analysis was conducted of the literature and articles describing methodologies such as DevOps, DevSecOps, and Shift-left, which serve as the foundation for the Security as Code approach.


Published

2024-05-15

Section

Software & Hardware Architecture Security