by Erin Risk —
Webinar Recap: Security and Access Control with Infrastructure as Code
Thanks to cloud computing and the virtualization of network devices, more organizations are applying DevOps best practices to network infrastructure management. Administrators can design, test, deploy, and manage infrastructure programmatically to improve efficiency and performance. But when modern Infrastructure as Code (IAC) practices rely on old networking paradigms, you get the same old security issues. Modern approaches based on Zero Trust principles integrate with IAC to improve both access and security.
DevOps.com is a media site that focuses on the unique interests of the DevOps industry with articles focused on IAC, automated deployment, and similar topics. Recently, it asked Twingate to help the DevOps.com community understand Zero Trust’s role in IAC.
Alex Marshall, Twingate Co-founder and Chief Product Officer, and Lior Rozner, Twingate Co-founder and Chief Technology Officer, presented “Best Practices for Secure Infrastructure as Code Initiatives” and answered viewer questions. Here are a few insights from the webinar. To get all the details, check out the full video at the bottom of this post.
Implementing old architectures in IAC is not secure
The traditional approach to network architecture was built upon static machines and resources in a single location where all users work. Administrators built a secure perimeter around that network with a limited number of ingress points to support remote users. Even as network technology went virtual and resources migrated to the cloud, this secure perimeter paradigm continues to guide network architecture design.
However, the secure perimeter carries implicit assumptions of safety and trust. If a device or resource is on the internal network, it must be safe. If a user’s identity has been verified, then they and their device can be trusted.
In today’s cyber threat environment, the idea that resources, users, and devices are always safe and trustworthy makes security breaches inevitable. Using IAC practices to deploy architectures based solely on secure perimeters does little to make your organization more secure.
Stop coupling access to infrastructure architecture
Traditional network architectures tightly couple access to the network infrastructure. A limited number of ingress points, usually VPN gateways, open paths through the perimeter to the protected network. This approach has consequences for network security, manageability, and performance.
Coupling undermines security
VPN and other ingress technologies only provide entry to the protected network. Other systems handle the subsequent routing. The implicit assumption of trust means a compromised user device can give cybercriminals free access to the network. Even with segmentation, the hackers can use lateral movement tools to escalate their privileges and do considerable damage.
Another weakness of VPN, RDP, and other access technologies is their visibility on the internet. Within hours, hackers can scan the entire internet for VPN gateways with unpatched vulnerabilities. Any delay by network administrators in patching these vulnerabilities could let hackers penetrate the network defenses.
Coupling makes networks less manageable
Tightly coupling your access control systems with your infrastructure makes networks less manageable. Changing VPN gateways is always difficult and can rarely be done declaratively. Any change to the network infrastructure requires changes to your access control system. All routing rules need to be updated and deployed. And that must happen quickly to minimize impacts on users.
Moreover, the traditional approach to access control interferes with best network security practices. Segmentation can prevent bad actors from moving laterally through a network, but each segment then requires its own ingress point and its associated costs. Segments may need to be linked to support every remote access scenario, which reopens the possibility of lateral movement. As a result, network architects end up sacrificing ideal network security to meet the needs for access and manageability.
Coupling reduces performance
With only a few ingress points supporting a growing number of remote workers, traditional network architectures are less performant. VPN gateways become bottlenecks through which all user traffic must pass. Often, this includes all traffic from the company’s cloud-based services, Zoom meetings, and users’ non-business activities.
Although the trend towards remote working was well underway before 2020, the pandemic sent it into overdrive. Even as work-from-home requirements eased, many organizations are realizing that most work does not need to be done in the office. However, existing network architectures assume that few employees are remote. Now, most traffic is remote. Maintaining acceptable bandwidth and latency in this new work environment will be expensive.
Zero Trust decouples access from infrastructure
Zero Trust security and access control systems create direct connections between user devices and resources on network segments. There is no dependence on the underlying network infrastructure. Decoupling access from the way infrastructure is architected overcomes many of the issues discussed earlier:
- Direct connections use the most performant routes without bottlenecks.
- Micro-segmentation without the need to restructure networks can protect each resource while allowing access.
- Changes to infrastructure do not impact access control.
- No ingress points are visible on the public internet.
Network architectures based on Zero Trust principles are more secure, more performant, and easier to manage.
Zero Trust integrates with infrastructure-as-code
Administrators can use the same IAC tools they use to manage their networks to manage their software-based Zero Trust solutions. Both the deployment of access control elements and the rules that govern access can be declared programmatically.
As a result, the question of access is natively integrated into the way you manage your networks.
- Network architectures are defined by production and security needs, using IAC best practices.
- Segmentation is supported by an unlimited number of ingress points.
- Infrastructure and access updates can be co-deployed programmatically with IAC.
- End-user authorization determines access through granular, software-defined rules.
Many tools help you deal with the complexity of infrastructure-as-code, but few of those tools properly address security and access control. Combining IAC with a Zero Trust solution such as Twingate integrates security and access control with your automated infrastructure management processes.
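To show what declaring access rules alongside infrastructure looks like in practice, here is an added example that is not from the webinar or from Twingate's own documentation. It uses the Twingate Terraform provider to declare a remote network, a connector, a group and a single port-restricted resource in the same plan that would create the VPC. The tenant name, token variable, address and group name are constructed placeholders, and the attribute names follow the provider's older block-style schema as best I recall it; the `protocols` and `access` shapes changed across major provider versions, so check the provider docs for the version you pin.

```hcl
terraform {
  required_providers {
    twingate = {
      source = "Twingate/twingate"
    }
  }
}

# Placeholder tenant name; the API token comes from a sensitive variable,
# never from the repository.
provider "twingate" {
  api_token = var.twingate_api_token
  network   = "example-tenant"
}

variable "twingate_api_token" {
  type      = string
  sensitive = true
}

# The remote network maps onto a VPC that the same IaC repo already creates.
resource "twingate_remote_network" "aws_prod" {
  name = "aws-us-east-1-prod"
}

# The connector is an outbound-only relay deployed inside that VPC;
# nothing here opens an inbound listener on the public internet.
resource "twingate_connector" "aws_prod" {
  remote_network_id = twingate_remote_network.aws_prod.id
}

resource "twingate_connector_tokens" "aws_prod" {
  connector_id = twingate_connector.aws_prod.id
}

# Access is granted to an identity group, not to a network location.
resource "twingate_group" "devops" {
  name = "DevOps"
}

# One resource, one private address, only the ports the job needs.
resource "twingate_resource" "ci_server" {
  name              = "ci-server"
  address           = "10.20.1.15" # constructed example address
  remote_network_id = twingate_remote_network.aws_prod.id

  protocols {
    allow_icmp = false
    tcp {
      policy = "RESTRICTED"
      ports  = ["22", "443"]
    }
    udp {
      policy = "DENY_ALL"
    }
  }

  access {
    group_ids = [twingate_group.devops.id]
  }
}

# Handed to whatever launches the connector container in the VPC
# (for example an ECS task definition in the same plan).
output "connector_access_token" {
  value     = twingate_connector_tokens.aws_prod.access_token
  sensitive = true
}
```

The security-relevant choices are all visible in the plan: the resource address is private, the connector needs no inbound rule in the security group, access is scoped to a group rather than "anyone on the VPN", and only TCP 22 and 443 are reachable. When the VPC changes, the only edit is the `address` (or a reference to the instance's private IP), and it lands in the same pull request as the infrastructure change, so reviewers see access and infrastructure together.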
Watch the full video for more details and to see an illustration of Zero Trust supporting access to cloud-based DevOps network segments.
Watch the event
Watch the entire event, or jump directly to a section of interest:
- 0:19: Panelist introductions & overview of webinar topic
- 2:20: Why securing IaC initiatives is important in today’s environment
- 5:19: Why Twingate is focused on this problem
- 6:22: How network infrastructure has been evolving
- 13:32: How network infrastructure trends to-date hinder access control and security
- 16:50: What is the ideal access control solution
- 20:32: Examples of how people are securing IaC initiatives today
- 31:18: Q&A Session
Interested in deploying a ZTNA solution? Give Twingate a try for free today.