Preventative beats reactive: Modern risk management for infrastructure vulnerabilities

We know that identifying and patching vulnerabilities is crucial to the overall infrastructure security strategy. However, organizations often overlook the various places where vulnerabilities reside. One of which is the building blocks of modern infrastructure: system images. Images (such as AMIs for Amazon EC2, virtual machines, Docker containers, and more) lay the foundation for infrastructure, and most would be surprised to hear that upwards of 87% of container images in production have been found to possess critical vulnerabilities, with the average age of a vulnerability being 277 days.

This post will explain why organizations must modernize their image practices to meet the security demands of cloud environments. A key part of this process is vulnerability and patch management, i.e. the mitigation, identification, and prioritization of vulnerabilities and the operational process of removing them. Without proper tooling and processes, vulnerability and patch processes can become increasingly complex and tedious. Legacy workflows are insufficient for keeping up with the quantity of changes organizations face when scaling their cloud footprints.

»Modern infrastructure, modern security risks

The cloud provides an environment where developers can create and deploy applications rapidly by outsourcing the task of running a datacenter to the experts at Amazon, Microsoft, Google, etc. Over the last decade, most organizations have adopted the cloud to run some or all of their applications and have made strides in improving speed and agility when provisioning supporting infrastructure. However, when convenience and moving fast are the only two concerns in cloud migration, organizations often encounter a set of new security challenges.

The distributed and dynamic nature of cloud environments makes risk management substantially different compared to traditional on-premises datacenters. Organizations adopting cloud typically face infrastructure security challenges in areas such as:

1. Visibility: To know your potential risk, you first need to know what infrastructure resources you possess. However, this is not as straightforward for organizations that lack widely used standards for deployment and have assets that are ephemeral/constantly changing. In those organizations, a comprehensive list simply does not exist.
2. Updating: To maintain security, compliance, and use new features, organizations also need to keep their infrastructure resources up to date. If these updates require manual processes, scaling becomes very expensive. Manual updates are often error-prone and slow down time-to-remediation when security incidents arise.
3. Scaling: Without points of leverage and control, such as central automation platforms for infrastructure lifecycle management, scaling results in a high number of changes that outstrip the manual capacity to act across security and IT operations teams. It becomes too hard to keep up.

When these areas and their underlying processes aren’t modernized for hybrid-cloud and multi-cloud environments, there are inconsistencies in how security and compliance are enforced across an organization’s infrastructure. The end result of this is more vulnerabilities. In particular, we see organizations face issues with vulnerable infrastructure such as:

• An increased risk of vulnerabilities during initial deployment
• The inability to identify vulnerabilities in existing infrastructure
• Time-consuming and manual remediation processes to patch vulnerabilities

These issues call for a re-evaluation of the tools, processes, and workflows that underpin infrastructure creation and management to meet the needs of the new landscape.

»Protect your organization from vulnerable images with HCP Terraform and HCP Packer

At HashiCorp, we have the opportunity to work with some of the world’s largest organizations to tackle challenges like these and help others do cloud right. We have found that one way to address vulnerabilities in infrastructure is to implement an industrialized, immutable approach to patching your system images. According to a recent study, 32 days is the mean time to exploit a vulnerability. Considering this, our suggested workflow is a continuous 30-day repave cycle for all system images.

So how exactly do we achieve this efficiently? You may have heard of Terraform, HashiCorp’s infrastructure as code solution that helps organizations provision and manage infrastructure. HCP Terraform is a managed offering hosted on the HashiCorp Cloud Platform that helps organizations run Terraform consistently in a stable, remote environment and add integrations directly into infrastructure workflows. In the same way HCP Terraform helps codify and manage infrastructure, HCP Packer helps codify and manage system images. When integrated, they can form a comprehensive workflow to reduce vulnerabilities in infrastructure through* preventative risk management.*

In this workflow, initial images are built with security and compliance baked into their configurations, and metadata is published to a centralized artifact registry in HCP Packer. From here, images can then be discovered and validated in HCP Terraform. If any changes to these underlying images take place over time, they are flagged by HCP Terraform’s drift detection. The two products then work together to provide an easy way to revoke outdated images and update all downstream dependencies. To see this workflow in action, watch the demo video below:

While implementing reactive security methods such as vulnerability scanning tools that check existing infrastructure is an important last line of defense in cloud security, you can think of our approach as proactive, like locking your door before you leave your house. By working to better secure infrastructure before deployment you also alleviate the burden on reactive methods, as there will be fewer vulnerabilities overall for security teams to deal with.

By continuously repaving with our vulnerability and patch management workflow, organizations can:

1. Prevent vulnerabilities from getting out into their infrastructure in the first place
2. Reduce the window for exploitation, continuously updating images before they reach the mean time to exploit

»Resources and next steps

Looking to learn more about preventative risk management with HCP Terraform and HCP Packer? Check out our HashiCorp Validated Pattern for vulnerability and patch management or recorded webinar Address vulnerabilities with preventative risk management.

Sign up for free on the HashiCorp Cloud Platform to start using HCP Packer and HCP Terraform to address vulnerabilities in your infrastructure today.

To learn more about how vulnerability and patch management with HCP Terraform and HCP Packer fit into a larger unified platform approach for reducing risk, read our solution brief: Securing and governing hybrid and multi-cloud at scale with The Infrastructure Cloud.