Author: ICS Compute

HashiCorp Adds Terraform Workflow Tools for IT Ops

HashiCorp this week moved to templatize the automation of IT operations by making it easier to share Terraform configuration files, which let teams programmatically provision infrastructure that exposes application programming interfaces (APIs) without having to write code.

Available in an on-premises edition or as a software-as-a-service (SaaS) application, HashiCorp Terraform Enterprise is intended for use by IT operations teams. A HashiCorp Terraform Enterprise Module Registry function has been added to enable IT operations teams to implement a publish-and-subscribe mechanism for Terraform configuration files.

Company CTO Armon Dadgar said HashiCorp Terraform Enterprise is designed to enable IT operations teams to respond faster to requests from developers for infrastructure resources without requiring them to develop programming skills. It’s unlikely developers working for traditional enterprise IT organizations will be taking over control of IT infrastructure anytime soon, he said, and HashiCorp Terraform Enterprise allows IT organizations to inject a level of agility into their workflow processes without requiring IT operations teams to completely re-engineer existing processes.

The HashiCorp Terraform Enterprise Module Registry extends that capability further by making it easier for IT operations professionals who have developed expertise employing declarative Terraform configuration files to share those files with other members of the team, Dadgar said.

At the same time, IT operations teams that want to build workflow applications on HashiCorp Terraform Enterprise can use a set of application programming interfaces (APIs) that HashiCorp has exposed. In addition, the company has revamped the user interface for Terraform—workspaces can now be created by combining Terraform files into modular components that can be assigned to specific IT teams. Access permissions are handled through support for the Security Assertion Markup Language (SAML) as well as the Sentinel policy management software developed by HashiCorp.

The HashiCorp approach to automating IT operations strikes at the core of the DevOps debate in the enterprise. While web-scale companies typically can afford to hire IT professionals with programming skills to manage IT infrastructure, the average enterprise IT organization still relies on administrators to manage servers, storage and networking. Not only are IT administrators in short supply, most of them would not be in IT operations if they knew how to program—they’d be writing and testing applications instead.

Rival approaches to automating the management of IT infrastructure, despite being around for years, have yet to gain mainstream acceptance, mainly because they require programming skills. Declarative approaches still allow IT infrastructure to be managed as code, but with less resistance from IT operations teams, which tend to be more comfortable employing declarative tools. In fact, there’s long been a chicken-and-egg debate over the degree to which the transition to modern DevOps practices requires organizations to acquire new tools first, or vice versa. The HashiCorp approach strikes a middle ground by providing tools that enable IT operations teams to become more efficient first, which ultimately should enable them to implement new processes in a way that is much less disruptive to the existing IT culture.

15 DevSecOps Best Practices


To help you stay ahead of the curve, we’ve compiled a list of 15 DevOps security best practices and challenges.

1. Secure your application development process

The first step to securing your DevOps pipeline is to ensure that your application development process is secure. This means ensuring that only authorized developers have access to your code repositories and that all code changes are reviewed and approved by a qualified reviewer before being merged into the main branch. It also helps to have developers that you trust to do the job properly and to observe cybersecurity best practices throughout.

2. Protect your production environment

Your production environment is where your application will ultimately be deployed and used by your customers. As such, it’s important to ensure that this environment is as secure as possible.

One way to do this is to segment your production environment into separate tiers, each with its own level of access and security controls. This way, even if one tier is compromised, the others will remain protected.

3. Implement least-privilege principles

In general, it’s best to follow the principle of least privilege when it comes to granting access to your DevOps resources. This means giving users only the permissions they need to perform their job and no more. The reason this is so important to follow is that your employees constitute your biggest cybersecurity threat. This is not always for nefarious reasons, but often simply because they do not have the knowledge or understanding to keep your business digitally secure at all times.

4. Use role-based access control (RBAC)

Role-based access control (RBAC) is a type of access control that can be used to restrict access to DevOps resources based on the roles of users. For example, you could create a ‘developer’ role that has access to your code repositories and a ‘tester’ role that has access to your staging environment. By using RBAC, you can help limit the damage that can be caused by an insider threat.

5. Encrypt sensitive data

Any data that could potentially be used to identify or harm an individual should be encrypted, both at rest and in transit. This includes data such as social security numbers, credit card numbers and health information.

One way to encrypt data is to use Pretty Good Privacy (PGP) encryption. PGP uses a combination of public key and symmetric key cryptography to protect your data: a random symmetric key encrypts the bulk of the data, and the recipient's public key protects that symmetric key.
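As an added illustration of the hybrid model PGP is built on (this is example code written for this article, not PGP itself, not the OpenPGP message format, and not any vendor's product code): a fresh AES-256-GCM data key protects the record, and RSA-OAEP wraps that key so only the holder of the matching private key can unwrap it. The key pair, the sample record and all names are constructed for the demo; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope holds what a hybrid scheme stores or transmits: the one-time
// symmetric key wrapped under the recipient's public key, plus nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewKeyPair makes a 2048-bit RSA key pair for the recipient. Constructed for
// the demo; in practice the private key lives in an HSM or a secrets store.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt draws a fresh 256-bit AES key, seals the plaintext with AES-GCM
// (confidentiality plus integrity), then wraps the key with RSA-OAEP so only
// the private-key holder can recover it. The bulk data never touches RSA.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // unique per message; never reuse with a key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt reverses the process. GCM's authentication tag means any bit flipped
// in the envelope is detected and rejected rather than silently decrypted.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or corrupted envelope")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or nonce was altered")
	}
	return plaintext, nil
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the values are not real.
	record := []byte(`{"name":"sample","ssn":"000-00-0000"}`)
	env, err := Encrypt(&priv.PublicKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d-byte wrapped key, %d-byte ciphertext\n", len(env.WrappedKey), len(env.Ciphertext))
	plain, err := Decrypt(priv, env)
	fmt.Printf("recovered: %s (err=%v)\n", plain, err)
	env.Ciphertext[0] ^= 0x01 // simulate corruption or tampering at rest
	_, err = Decrypt(priv, env)
	fmt.Println("after tampering:", err)
}
```

The design point for data at rest is the split: the same wrapped-key pattern lets you rotate or revoke the RSA key without re-encrypting every record, and the GCM tag turns silent corruption into a hard failure you can alert on. Interoperating with real PGP tooling requires an OpenPGP library; this block shows the pattern, not the wire format.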

6. Use two-factor authentication

Two-factor authentication (2FA) is an additional layer of security that can be used to protect access to DevOps resources. With 2FA, a user is required to provide two pieces of evidence to verify their identity. The first piece is something they know, such as a password, and the second piece is something they have, such as a mobile phone.

Implementing 2FA can help to prevent unauthorized access to resources and systems, even if a user’s password is compromised.
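To make the "something they have" factor concrete, here is an added example (written for this article, not code from any vendor) of the time-based one-time password scheme that authenticator apps use, RFC 6238 TOTP over RFC 4226 HOTP, in standard-library Go. The shared secret is the published RFC test secret so the output can be checked against the RFC's vectors; a real secret is random and provisioned once, never hard-coded.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Step is the RFC 6238 time step: a code is valid for one 30-second window.
const Step = 30

// HOTP computes an RFC 4226 code: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to 31 bits, then reduction to the requested digit count.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP maps Unix time onto the HOTP counter (RFC 6238).
func TOTP(secret []byte, unix int64, digits int) string {
	return HOTP(secret, uint64(unix/Step), digits)
}

// Verify is what the server side runs: it accepts the code for the current
// step and one step either side (clock drift) and compares in constant time.
// Pair it with rate limiting and single-use enforcement per step.
func Verify(secret []byte, code string, unix int64, digits int) bool {
	for _, skew := range []int64{-1, 0, 1} {
		expected := HOTP(secret, uint64(unix/Step+skew), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

// rfcSecret is the RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
var rfcSecret = []byte("12345678901234567890")

func main() {
	now := time.Now().Unix()
	code := TOTP(rfcSecret, now, 6)
	fmt.Println("current code:", code, "valid:", Verify(rfcSecret, code, now, 6))
	fmt.Println("RFC 6238 vector, t=59:", TOTP(rfcSecret, 59, 8)) // 94287082
}
```

The drift window is the caveat worth noticing: a wider window is friendlier to users with skewed clocks, but every extra step you accept is another code an attacker who intercepts one may replay, which is why the verifier should also refuse a code that has already been used in its step.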

7. Use secrets management tools

A secret is any piece of sensitive information that should be kept confidential, such as a password or an API key. Secrets management is the process of securely storing and managing secrets.

There are a number of secrets management tools available, such as HashiCorp’s Vault and AWS Secrets Manager. These tools can help you to centrally manage secrets and provide access control and auditing capabilities.

8. Train your employees in security awareness

One of the best ways to improve DevOps security is to train your employees in security awareness. This can help them to understand the importance of security and to identify and mitigate risks.

There are a number of different security awareness training programs available, such as the SANS Security Awareness Program. Alternatively, you could create your own program tailored to the specific needs of your organization.

9. Use a web application firewall (WAF)

A web application firewall (WAF) is a type of firewall that can be used to protect web applications from attack. WAFs work by inspecting incoming traffic and blocking requests that contain malicious payloads.

There are a number of different WAFs available, both open source and commercial. Some examples of WAFs include mod_security for Apache, NGINX Plus and F5’s BIG-IP ASM.

10. Perform regular security audits

Regular security audits are an important part of DevOps security. They can help you to identify weaknesses in your system and ensure that your security controls are effective.

There are a number of different types of security audits, such as penetration testing and code reviews. It’s important to choose the right type of audit for your needs. If you are unsure, you can consult with a security expert.

11. Use intrusion detection and prevention systems (IDPS)

Intrusion detection and prevention systems (IDPS) are designed to detect and block malicious activity. IDPS can be used to protect both physical and virtual resources.

There are a number of different IDPS available, both open source and commercial. Some examples of IDPSes include Snort, Suricata and Bro. They are often deployed as part of a security information and event management (SIEM) system.

12. Implement a disaster recovery plan

A disaster recovery plan (DRP) is a document that outlines the steps that should be taken in the event of a disaster, a breach or other security incident. The DRP should contain information such as contact details for key personnel and procedures for restoring systems.

A DRP can help to minimize the impact of a disaster and ensure that your organization is able to recover in a timely manner.

13. Use logging and monitoring tools

Logging and monitoring tools can be used to collect data about the activity on your system. This data can be used to detect and investigate security incidents.

There are a number of different logging and monitoring tools available, both open source and commercial. Some examples of logging and monitoring tools include Splunk, ELK Stack and Nagios.
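The tools above collect the data; the value comes from the detection logic you run over it. As an added example (written for this article, not a rule shipped with Splunk, the ELK Stack or Nagios), this standard-library Go program parses constructed SSH authentication log lines, flags any source address that racks up five failed logins within a minute, and raises the severity if that source then logged in successfully. The log lines, addresses (documentation ranges) and threshold are all invented for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Constructed sample auth log in a syslog-like format; events are invented.
var sampleLog = []string{
	"2024-05-01T10:00:01Z sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
	"2024-05-01T10:00:05Z sshd[2202]: Failed password for root from 203.0.113.7 port 51236 ssh2",
	"2024-05-01T10:00:09Z sshd[2203]: Failed password for invalid user deploy from 203.0.113.7 port 51240 ssh2",
	"2024-05-01T10:00:12Z sshd[2204]: Failed password for jenkins from 198.51.100.20 port 40211 ssh2",
	"2024-05-01T10:00:15Z sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2",
	"2024-05-01T10:00:21Z sshd[2206]: Failed password for root from 203.0.113.7 port 51250 ssh2",
	"2024-05-01T10:00:38Z sshd[2208]: Failed password for root from 203.0.113.7 port 51261 ssh2",
	"2024-05-01T10:00:44Z sshd[2209]: Accepted password for root from 203.0.113.7 port 51270 ssh2",
}

var (
	failedRe   = regexp.MustCompile(`^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)
	acceptedRe = regexp.MustCompile(`^(\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+`)
)

// Event is one parsed authentication attempt.
type Event struct {
	When    time.Time
	User    string
	Source  string
	Success bool
}

// Parse turns raw lines into events, skipping lines it does not recognise
// (a production pipeline should count those too: unparsed lines hide gaps).
func Parse(lines []string) []Event {
	var events []Event
	for _, line := range lines {
		m, success := failedRe.FindStringSubmatch(line), false
		if m == nil {
			m, success = acceptedRe.FindStringSubmatch(line), true
		}
		if m == nil {
			continue
		}
		when, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		events = append(events, Event{When: when, User: m[2], Source: m[3], Success: success})
	}
	return events
}

// Alert describes a source that exceeded the failure threshold inside the window.
type Alert struct {
	Source            string
	Failures          int  // total failed attempts seen from this source
	FollowedBySuccess bool // a later successful login: possible compromise, escalate
}

// DetectBruteForce flags any source with >= threshold failures inside a sliding
// window, then checks whether that source later authenticated successfully.
func DetectBruteForce(events []Event, threshold int, window time.Duration) []Alert {
	bySource := map[string][]Event{}
	for _, e := range events {
		bySource[e.Source] = append(bySource[e.Source], e)
	}
	var alerts []Alert
	for source, evs := range bySource {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		var failures []time.Time
		for _, e := range evs {
			if !e.Success {
				failures = append(failures, e.When)
			}
		}
		flagged := -1 // index of the first failure in the window that tripped the rule
		for i, j := 0, 0; i < len(failures) && flagged < 0; i++ {
			for failures[i].Sub(failures[j]) > window {
				j++
			}
			if i-j+1 >= threshold {
				flagged = j
			}
		}
		if flagged < 0 {
			continue
		}
		alert := Alert{Source: source, Failures: len(failures)}
		for _, e := range evs {
			if e.Success && e.When.After(failures[flagged]) {
				alert.FollowedBySuccess = true
			}
		}
		alerts = append(alerts, alert)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

// RunSample applies the detector to the constructed log with a 5-per-minute rule.
func RunSample() []Alert {
	return DetectBruteForce(Parse(sampleLog), 5, time.Minute)
}

func main() {
	for _, a := range RunSample() {
		fmt.Printf("ALERT source=%s failures=%d followed_by_success=%v\n", a.Source, a.Failures, a.FollowedBySuccess)
	}
}
```

On the sample data only 203.0.113.7 trips the rule; the single jenkins failure from 198.51.100.20 stays below threshold. The "failures then success" pattern is the one to page on, because it is the difference between noise and an account that may now be in someone else's hands.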

14. Conduct regular penetration tests

Penetration testing (or pentesting) is a type of security test that simulates an attack on your system. The goal of pentesting is to identify vulnerabilities that could be exploited by an attacker.

Penetration tests can be conducted internally or externally. External penetration tests are often performed by third-party security firms. Internal penetration tests can be conducted by your own staff or by using a tool such as Metasploit.

15. Use access control lists

Access control lists (ACLs) are a type of security measure that can be used to restrict access to DevOps resources. ACLs work by defining a set of rules that determine who is allowed to access what.

ACLs can be used to implement a least-privilege policy and can help to prevent unauthorized access to sensitive data.
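Sections 3, 4 and 15 describe the same mechanism from three angles: roles collect permissions, ACLs attach rules to resources, and least privilege means nothing is granted unless a rule says so. As an added example (written for this article, not any product's authorization engine), this Go program evaluates a request against user roles and per-resource ordered rules with default deny, and reports each account's effective access so over-provisioning can be reviewed. The users, roles, resources and actions are all constructed for the demo.

```go
package main

import (
	"fmt"
	"sort"
)

type Effect int

const (
	Deny Effect = iota
	Allow
)

// Rule is one ACL entry: which role it applies to, which action it covers
// ("*" matches any action) and whether it allows or denies.
type Rule struct {
	Role   string
	Action string
	Effect Effect
}

// Policy binds users to roles (the RBAC half) and resources to ordered rule
// lists (the ACL half).
type Policy struct {
	UserRoles map[string][]string
	ACLs      map[string][]Rule
}

// AllActions is the constructed action vocabulary for this demo.
var AllActions = []string{"deploy", "push", "read"}

// Authorize decides a request. The first rule whose role the user holds and
// whose action matches wins, so explicit denies are listed before broad
// allows. With no matching rule the answer is deny: least privilege means
// nothing is granted by default, including to unknown users.
func (p Policy) Authorize(user, action, resource string) bool {
	held := map[string]bool{}
	for _, r := range p.UserRoles[user] {
		held[r] = true
	}
	for _, rule := range p.ACLs[resource] {
		if !held[rule.Role] || (rule.Action != "*" && rule.Action != action) {
			continue
		}
		return rule.Effect == Allow
	}
	return false
}

// EffectiveAccess lists, per resource, which actions a user can actually
// perform. Reviewing this per account is how over-provisioning gets found.
func (p Policy) EffectiveAccess(user string, actions []string) map[string][]string {
	out := map[string][]string{}
	for resource := range p.ACLs {
		for _, a := range actions {
			if p.Authorize(user, a, resource) {
				out[resource] = append(out[resource], a)
			}
		}
		sort.Strings(out[resource])
	}
	return out
}

// ExamplePolicy is a constructed policy; users, roles and resources are invented.
func ExamplePolicy() Policy {
	return Policy{
		UserRoles: map[string][]string{
			"alice": {"developer"},
			"bob":   {"tester"},
			"carol": {"developer", "release-manager"},
			"dave":  {"contractor"},
		},
		ACLs: map[string][]Rule{
			"repo/payments": {
				{"developer", "read", Allow},
				{"developer", "push", Allow},
				{"tester", "read", Allow},
				{"contractor", "push", Deny}, // explicit deny before the broad allow: order matters
				{"contractor", "*", Allow},
			},
			"env/staging": {
				{"tester", "*", Allow},
				{"developer", "deploy", Allow},
			},
			"env/production": {
				{"release-manager", "deploy", Allow},
				{"release-manager", "read", Allow},
			},
		},
	}
}

func main() {
	p := ExamplePolicy()
	for _, user := range []string{"alice", "bob", "carol", "dave", "mallory"} {
		fmt.Printf("%-8s %v\n", user, p.EffectiveAccess(user, AllActions))
	}
}
```

Two things the output makes visible that the prose cannot: alice, a developer, cannot touch production at all because no rule mentions her role there, and dave's push is refused even though a later rule grants him everything, because rule order decides. Swapping those two contractor rules would silently widen his access, which is exactly the kind of change a code review of policy files should catch.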

Conclusion

There are plenty of threats when it comes to DevOps and DevSecOps and, equally, a wide range of best practices that can be used to improve DevSecOps. By implementing these best practices, you can help to protect your system from attack.
