Infrastructure as Code (IaC) is the practice of describing servers and everything around them, such as networks, databases, identities and access policies, in code that a tool like Terraform applies, so the infrastructure can be deployed, provisioned and configured programmatically and repeatably instead of by hand.
Once upon a time, when you needed more servers to support the growing workload of your website or application, you went to a server room or data center, racked the machines and configured them, all manually. Cloud computing removed the need to install hardware yourself, but the servers still had to be configured by hand.
With cloud platforms came a new way to provision, install and configure those servers, and everything around them, programmatically rather than manually. Even the scaling behaviour becomes part of the code: you can define a rule based on, for example, a capacity threshold, so that when the application consumes 80% of a server's capacity a new server is launched automatically and takes a share of the load. When the workload drops, during off-hours for example, the same rule terminates the extra server to save cost.
Simply put, DevOps engineers are the people writing Infrastructure as Code, and they are a relatively new kind of developer.
Initially, the people writing IaC were not doing much true development work, nor did the job require it; but as projects grew and configurations became more complex, so did the languages and logic involved. As a result, more traditional, though specialized, developers took over IaC, and they are what we know today as DevOps engineers.
The benefits of Infrastructure as Code fall largely into two buckets: flexibility and cost.
Even in a large enterprise where the application does not need to scale with demand, IaC is extremely useful for automating repetitive work. Suppose a fast-growing company knows it will need to deploy and configure new servers every two weeks. Instead of doing that by hand every other week, the team writes the configuration once and has it applied on a schedule. Beyond the lower manual effort, there is less risk, because every deployment is systematic and consistent: each server comes out identical to the last.
The very nature of Infrastructure as Code, the ability to scale up and down quickly, introduces a new risk of its own: it multiplies your attack surface.
If the Terraform configuration contains a mistake, such as a disk left unencrypted, an overly permissive network rule, or an identity granted more access than it needs, that mistake is a security vulnerability. And because the same template is applied every time the infrastructure scales up, the mistake is not confined to one server: every instance the scaling rule launches carries an identical copy of it. One misconfiguration becomes many entry points for attackers at once, and it returns with every new instance until the template itself is fixed. That is why Infrastructure as Code security is of paramount importance, and why the cheapest place to catch a mistake is in the code, before it is applied.
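The multiplication described above, and the capacity-based scaling rule from earlier in the article, can be made concrete with a small policy check run over a Terraform plan before it is applied. The following Python is an added example written for this article, not code from the article's author or from any vendor named here. It embeds two hand-constructed plan documents in the shape of the `planned_values.root_module.resources` section of `terraform show -json` output: one whose security group opens SSH to the whole internet, and one that restricts it to a hypothetical bastion range. The check reports each world-open admin port together with how many instances the autoscaling group could launch with that rule attached. Resource names, the `10.0.0.0/8` range and the group size of 10 are assumptions, and cross-resource references are simplified to resource addresses (in a real plan the IDs are usually "known after apply" and the links live in the `configuration` section).

```python
"""Minimal IaC policy check: flag admin ports open to /0 and size the blast radius.

Added example, not from the original article. The plans below are constructed
by hand; resource names, ranges and sizes are hypothetical.
"""
import ipaddress

# Ports an attacker would look for first; protocol "-1" in an AWS security
# group means "all traffic" and is treated as covering every port.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def _resources(plan):
    return plan["planned_values"]["root_module"]["resources"]


def _world_open(cidr):
    # 0.0.0.0/0 and ::/0 are the entire address space; a /0 is never a
    # legitimate source for an administrative port.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_admin_rules(sg):
    """Return (port, service) for each ingress rule exposing an admin port to /0."""
    hits = []
    for rule in sg["values"].get("ingress", []):
        if rule.get("protocol") not in ("tcp", "-1"):
            continue
        if not any(_world_open(c) for c in rule.get("cidr_blocks", [])):
            continue
        all_ports = rule["protocol"] == "-1"
        lo, hi = rule["from_port"], rule["to_port"]
        for port, service in ADMIN_PORTS.items():
            if all_ports or lo <= port <= hi:
                hits.append((port, service))
    return hits


def max_instances(resources, sg_address):
    """Upper bound on instances inheriting the group: the max_size of every
    autoscaling group whose launch template attaches it (simplified linking)."""
    templates = {
        r["address"] for r in resources
        if r["type"] == "aws_launch_template"
        and sg_address in r["values"].get("vpc_security_group_ids", [])
    }
    return sum(
        r["values"]["max_size"] for r in resources
        if r["type"] == "aws_autoscaling_group"
        and r["values"]["launch_template"][0]["id"] in templates
    )


def check_plan(plan):
    """One finding per world-open admin rule, with the multiplied exposure."""
    resources = _resources(plan)
    findings = []
    for r in resources:
        if r["type"] != "aws_security_group":
            continue
        for port, service in open_admin_rules(r):
            findings.append({
                "resource": r["address"],
                "port": port,
                "service": service,
                "max_instances": max_instances(resources, r["address"]),
            })
    return findings


def _plan(ssh_sources):
    """Constructed plan; only the SSH source range differs between versions."""
    return {"planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"name": "web", "ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ssh_sources},
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_launch_template.web", "type": "aws_launch_template",
         "values": {"name": "web",
                    "vpc_security_group_ids": ["aws_security_group.web"]}},
        {"address": "aws_autoscaling_group.web", "type": "aws_autoscaling_group",
         "values": {"min_size": 2, "max_size": 10,  # hypothetical scaling limits
                    "launch_template": [{"id": "aws_launch_template.web"}]}},
    ]}}}


WEAK_PLAN = _plan(["0.0.0.0/0"])        # SSH reachable from anywhere
HARDENED_PLAN = _plan(["10.0.0.0/8"])   # SSH only from the assumed bastion range

if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        print(name, check_plan(plan) or "no findings")
```

The weak plan yields a single finding for port 22 with `max_instances` of 10: the one bad line in the security group is inherited by every instance the group can launch, which is the multiplication the text warns about. The hardened plan yields nothing, even though 443 stays open to the world, because a public web port is expected and only administrative ports are checked. In a real pipeline the same function would run against the actual `terraform show -json plan.out` output in CI and fail the build on any finding.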
When it comes to tooling, enterprise companies fall largely into two groups: teams that write IaC directly, and teams that want a low code/no code layer on top of it.
HashiCorp, the company behind Terraform, understandably offers a family of IaC tools, and Visual Studio Code is the editor most DevOps engineers use to write and debug their configurations, with version control through its Git integration. Brainboard is another option, offering low code/no code Infrastructure as Code so that people with little IaC experience can still produce a working IaC configuration.
Symbiotic Security offers a plugin that checks developers' IaC for vulnerabilities in real time, much as a spellchecker checks text, and proposes immediate, prescriptive remediation for insecure code; it also provides education and capture-the-flag style challenges as training, so that developers make the knowledge their own.