The most straightforward way for enterprises to get started using secure infrastructure baselines may seem counterintuitive: give developers complete freedom in their development process in order to innovate. As they are working, they may create environments that may not adhere strictly to all security policies but are helpful for them to accomplish business goals. For example, they may set overly permissive IAM or network policies to quickly create functioning environments.
As soon as developers have created something tangible in their development environment, they should use automated tools provided by the Security or Compliance team to determine whether the infrastructure meets policy. Security and compliance are necessities that are not going away. It is better to empower developers to automate policy checks early on in the software development life cycle instead of at the very end to avoid potentially rearchitecting or rewriting certain components that violate policy.
Start with a Few Security Requirements
The simplest starting point is to begin with one or a few security requirements and gradually enforce more as application functionality evolves. For example, the security team could start immediately in ensuring that databases are encrypting data-at-rest with customer-managed keys.
As developers add logging functionality to various components, the security team can enforce that logging is always enabled on each one. And as multiple components or services communicate with one another, the security team can enforce that HTTPS is used instead of HTTP.
Developers should use automated tools to scan infrastructure for policy violations as a step in the development process, ideally in a CI/CD pipeline. Any violations are logged as errors that can potentially abort the infrastructure deployment process.
A simple introduction to baselining is to first scan your development environment for policy violations, then scan your production environment soon afterward. Scans of your cloud environment can be completed in as little as 10 minutes. These scans can reveal policy violations in the development sandboxes and if they are deemed alarming, a scan of the production environments should be completed. Inevitably some of these same violations will exist in production and can expose your organization to unforeseen risks.
Fugue can help you get started with baselining. Sign up for a complimentary compliance check as the first step.