Introduction
Zero trust security is a security approach that assumes no user or device can be trusted by default. Instead, every user and device is verified before it is granted access to any resource. Zero trust is an effective way to safeguard your infrastructure against a wide range of threats.
Here we will implement a zero trust policy in an infrastructure pipeline by integrating the following tools:
Checkov (a static analysis tool for IaC that detects security risks, misconfigurations and compliance violations).
OPA (Open Policy Agent, a general-purpose policy engine that can enforce custom policies on cloud-native resources, including Terraform plans).
OIDC (OpenID Connect, an identity layer on top of OAuth 2.0; in a pipeline it lets the build job obtain short-lived cloud credentials by presenting a signed identity token instead of a stored secret).
We integrate them in a GitHub pipeline and apply security at every step, so that if a credential is compromised the blast radius is small: the credentials are temporary, issued per job and expire on their own, so there is no long-lived secret to steal. These tools can be combined with any IaC tool and cloud provider. In this post we use Terraform, Terrateam and AWS, but the same approach works with other stacks such as Pulumi, Ansible, Azure and GCP.
What is zero trust security fundamentally?
Zero trust is a cybersecurity strategy built on the principle that no user, device or network location is trusted by default. Before access to an important resource is granted, every user and device must first authenticate and then be authorized.
Authentication and authorization are the central concerns of zero trust security.
Authentication verifies the identity of a user or device, whereas authorization determines which resources that user or device is allowed to access.
In zero trust, authorization is performed on every access request rather than once at a network perimeter, and there are many ways to implement it.
In this post we use OIDC to authenticate Terrateam to AWS so that it can create resources, Checkov to scan the configuration files so that misconfigurations and security risks are detected before the infrastructure is created, and OPA to enforce standard policies that prevent unexpected results.
Statistics about zero trust security
The percentage of organizations with zero trust already in place more than doubled in just one year, jumping from 24% in 2021 to 55% in the 2022 survey issued by identity and access management technology provider Okta.
72% of organizations are either in the process of adopting Zero Trust or have already adopted it.
92% of organizations state that advancing Zero Trust represents one of their top three IT and security priorities.
Zero Trust can reduce the cost of a data breach by roughly $1.76 million.
Zero Trust segmentation efficiencies translate into freeing up nearly 40 person-hours per week.
Organizations that leverage Zero Trust segmentation are 2X more likely to have avoided critical outages due to attacks over the last 24 months.
Zero trust security pillars
To increase security, we can adopt the four fundamental pillars of zero trust security. These principles matter not only for general infrastructure deployment but also for keeping the pipeline itself safe and secure.
Machine authentication & authorization
Machine-to-machine access
Human access and authorization
Human-to-machine access
Components of zero trust security in infrastructure pipeline
There are several components of zero trust security in an infrastructure pipeline; we discuss each of them below.
Identity and Access Management (IAM):
IAM is the process of managing identities, their privileges and their access to resources. In a zero trust pipeline, IAM verifies every user and device before it is granted access to any resource.
Least Privilege:
Every identity, whether a user or a machine, should receive only the minimum permissions it needs. For example, the role the pipeline assumes should be able to do exactly what the deployment requires, nothing more and nothing less.
Security in place: OPA & Checkov
This is a crucial part of zero trust security, and in an IaC pipeline we achieve it with OPA and Checkov. We write policies that encode our expectations so that vulnerabilities (for example, public access to a bucket or a security group rule open to 0.0.0.0/0) and misconfigurations are caught before apply, while the change is still only a plan.
Manual Gated Pipeline for faster feedback:
In a manual gated pipeline each job requires explicit approval before it runs. This is especially useful for IaC because the operator sees the plan before anything changes: is the outcome what was expected? If so, the pipeline is approved and the infrastructure is built. If not, the developer can fix the misconfiguration or security issue immediately, before it ever reaches the cloud.
Continuous Monitoring and Audit:
This is the process by which a developer or team actively monitors the state of the pipeline: how long each task takes, where a run failed and why, how many stages succeeded and how many failed, and so on. Keeping these run records also provides an audit trail of what was changed, by whom, and when.
How can Zero Trust Security be implemented using Terrateam?
OIDC - Authentication
To create infrastructure on any cloud, the build agent (the runner that executes the pipeline code) must first authenticate so that it can be granted permission to create resources. For this we use OIDC: the runner presents a short-lived, signed identity token issued by the CI provider, and the cloud exchanges it for temporary credentials scoped to one role. This is more secure than static credentials because there is no long-lived secret to store, leak or rotate; each token is valid only for a short time and only for the job that requested it.
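The following is an added example, not Terrateam's or AWS's own code. It builds the IAM role trust policy that lets a CI job assume a role through OIDC and then models which tokens that policy admits. It assumes the job executes on GitHub Actions and therefore uses GitHub's OIDC provider; the account ID, repository name and branch are hypothetical, and token_admitted is a simplified local stand-in for the evaluation AWS STS performs, kept here only so the effect of each condition can be exercised offline.

```python
"""OIDC trust for a CI job: build the IAM trust policy and see which tokens it admits.
Added example, not Terrateam's or AWS's code. Account, repo and branch are hypothetical;
the issuer, condition keys and `sub` formats are those GitHub's OIDC provider actually uses."""
import fnmatch
import json
import time
from typing import Optional

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"      # hypothetical AWS account
REPO = "example-org/infra"       # hypothetical GitHub repository
DEPLOY_BRANCH = "main"


def trust_policy(account_id: str, repo: str, branch: str) -> dict:
    """IAM role trust policy allowing only `repo` on `branch` to assume the role.

    Pinning `sub` to one branch is the security-relevant choice: a token minted for a
    feature branch, or for a pull request, carries a different `sub` and is refused even
    though it was issued for the same repository.
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud must be the value the credentials step requests, not GitHub's default
                "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com"},
                # sub is "repo:ORG/REPO:ref:refs/heads/BRANCH" for branch builds
                "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": f"repo:{repo}:ref:refs/heads/{branch}"},
            },
        }],
    }


def sample_claims(sub: str, aud: str = "sts.amazonaws.com", ttl: int = 300) -> dict:
    """Constructed claims in the shape GitHub issues (only the fields checked below)."""
    return {"iss": f"https://{GITHUB_OIDC_ISSUER}", "aud": aud, "sub": sub,
            "exp": int(time.time()) + ttl}


def token_admitted(policy: dict, claims: dict, now: Optional[float] = None) -> bool:
    """Simplified local model of STS evaluating the trust policy against token claims.

    Checks issuer, expiry and the StringEquals/StringLike conditions used above. This is an
    assumption, not the real AWS evaluation engine; it reproduces only what the policy above uses.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://{GITHUB_OIDC_ISSUER}":
        return False
    if claims.get("exp", 0) <= now:          # short-lived token: nothing to replay later
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        # condition keys look like "token.actions.githubusercontent.com:sub"; the claim is the suffix
        equals_ok = all(claims.get(key.split(":", 1)[1]) == want
                        for key, want in cond.get("StringEquals", {}).items())
        like_ok = all(fnmatch.fnmatchcase(str(claims.get(key.split(":", 1)[1], "")), want)
                      for key, want in cond.get("StringLike", {}).items())
        if equals_ok and like_ok:
            return True
    return False


if __name__ == "__main__":
    policy = trust_policy(ACCOUNT_ID, REPO, DEPLOY_BRANCH)
    print(json.dumps(policy, indent=2))
    for sub in (f"repo:{REPO}:ref:refs/heads/main",
                f"repo:{REPO}:ref:refs/heads/feature-x",
                f"repo:{REPO}:pull_request",
                "repo:attacker/infra:ref:refs/heads/main"):
        print(f"{sub:55} admitted={token_admitted(policy, sample_claims(sub))}")
```

The thing to notice is the difference between a `sub` pattern of `repo:example-org/infra:ref:refs/heads/main` and `repo:example-org/infra:ref:refs/heads/*`: the second admits a token from any branch, so anyone who can push a branch can assume the deployment role. Pair the trust policy with a permissions policy that grants only what the apply needs, and the compromised-credential scenario from the introduction collapses to a token that expires within minutes and can only be redeemed from the pinned branch.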
Terraform init
On every pull request Terrateam automatically runs terraform init to initialize the working directory. This fetches the providers, modules and backend declared in the configuration files.
Plan
As soon as you open a pull request in your Git repository, Terrateam runs its checks, and you then comment terrateam plan on the open pull request. Terrateam produces a plan from the configuration files and reports how many resources will be created, changed or destroyed.
Checkov
In this step Terrateam automatically passes the Terraform plan output to Checkov, which scans the resources about to be created for known misconfigurations, for example S3 cross-region replication not being enabled or S3 public access not being blocked. Checkov thereby raises the baseline security of the resources before they exist.
OPA
OPA is an essential component of zero trust security, and Terrateam integrates it directly: it takes the Terraform plan output and passes it to OPA, which evaluates it against the policies you specify. Here we write custom policies (rules the infrastructure must satisfy), and OPA ensures that the planned infrastructure conforms to them before anything is applied.
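To make concrete what the Checkov and OPA steps above are checking, here is an added example, not Checkov's, OPA's or Terrateam's own code. It reads a Terraform plan in the JSON form that terraform show -json produces (the resource_changes array, each with a change.after object) and raises the two findings this post uses as examples: a security group that opens an admin port to 0.0.0.0/0, and an S3 bucket whose public access block is missing or incomplete. The same logic is what a Rego policy or a Checkov check would express; writing it in plain Python shows the plan structure those policies are written against. The sample plan and every resource name in it are constructed, and the check assumes the public access block's bucket attribute is a known string in the plan.

```python
"""Policy checks over a Terraform plan JSON, the kind Checkov and OPA run before apply.
Added example (not Checkov, OPA or Terrateam code); sample plan and resource names are constructed."""
import copy
import json
import sys
from typing import List

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}
PAB_SETTINGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")


def planned_resources(plan: dict) -> List[dict]:
    """Resources the plan creates or updates; deletions have no `after` and nothing to check."""
    return [rc for rc in plan.get("resource_changes", [])
            if rc["change"].get("after") is not None and set(rc["change"]["actions"]) & {"create", "update"}]


def rule_exposes_admin_port(rule: dict) -> bool:
    """True when an ingress rule opens SSH/RDP (or every port) to the whole internet."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & PUBLIC_CIDRS:
        return False
    if str(rule.get("protocol")) == "-1":      # "-1" means all protocols and ports
        return True
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 65535))
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def check_world_open_admin_ports(plan: dict) -> List[str]:
    """One finding per security-group ingress rule that exposes an admin port publicly."""
    findings = []
    for rc in planned_resources(plan):
        if rc["type"] != "aws_security_group":
            continue
        for rule in rc["change"]["after"].get("ingress") or []:
            if rule_exposes_admin_port(rule):
                findings.append(f"{rc['address']}: ingress {rule.get('from_port')}-{rule.get('to_port')}"
                                f"/{rule.get('protocol')} open to the internet")
    return findings


def check_s3_public_access_blocked(plan: dict) -> List[str]:
    """Every planned bucket needs a public access block with all four settings on.
    Assumption: the block's `bucket` attribute is a known string in the plan; when it references
    the bucket resource it can sit under `after_unknown` instead, which a real policy must handle."""
    resources = planned_resources(plan)
    blocks = {rc["change"]["after"].get("bucket"): rc for rc in resources
              if rc["type"] == "aws_s3_bucket_public_access_block"}
    findings = []
    for rc in resources:
        if rc["type"] != "aws_s3_bucket":
            continue
        name = rc["change"]["after"].get("bucket")
        block = blocks.get(name)
        if block is None:
            findings.append(f"{rc['address']}: no aws_s3_bucket_public_access_block for bucket {name!r}")
            continue
        off = [k for k in PAB_SETTINGS if not block["change"]["after"].get(k)]
        if off:
            findings.append(f"{block['address']}: {', '.join(off)} not enabled")
    return findings


def evaluate(plan: dict) -> List[str]:
    """All findings; an empty list means the plan may proceed to apply."""
    return check_world_open_admin_ports(plan) + check_s3_public_access_blocked(plan)


# Constructed sample in `terraform show -json tfplan` shape (only the fields read above).
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "before": None, "after": {"bucket": "example-logs"}}},
    {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"], "before": None, "after": {
         "bucket": "example-logs", "block_public_acls": True, "block_public_policy": False,
         "ignore_public_acls": True, "restrict_public_buckets": True}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "before": None, "after": {"name": "web", "ingress": [
         {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    # Being deleted: its world-open SSH rule is not a finding because the group is going away.
    {"address": "aws_security_group.old", "type": "aws_security_group",
     "change": {"actions": ["delete"], "after": None, "before": {"name": "old", "ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
]}

# The same plan after the developer fixes both findings.
SAMPLE_PLAN_HARDENED = copy.deepcopy(SAMPLE_PLAN)
SAMPLE_PLAN_HARDENED["resource_changes"][1]["change"]["after"]["block_public_policy"] = True
SAMPLE_PLAN_HARDENED["resource_changes"][2]["change"]["after"]["ingress"][1]["cidr_blocks"] = ["10.0.0.0/8"]

if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python check_plan.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = evaluate(plan)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)     # a non-zero exit is what blocks the apply step
```

Two details matter for a plan-time policy. First, evaluate what the plan will do (change.after of resources being created or updated), not the current state: the deleted security group in the sample still has a world-open SSH rule, but flagging it would block the very change that removes it. Second, the HTTPS rule open to 0.0.0.0/0 is deliberately not a finding; a policy that rejects every public CIDR is disabled within a week, whereas one that names the ports that must never be public stays enforced.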
Deploy Infrastructure
Once all the previous steps have passed, comment terrateam apply on the pull request to start creating the infrastructure. The apply begins as soon as the comment is posted.
Benefits of implementing Zero Trust Security
Here we will discuss the key benefits of implementing Zero Trust Security in your IaC pipeline.
Reduce the risk of data breaches:
Zero Trust Security makes it far harder for an attacker to gain unauthorized access and steal, exploit or manipulate data.
Reducing human error: A Terrateam pipeline reduces human error by automating the deployment and management of infrastructure, which in turn reduces the risk of security breaches caused by mistakes.
Improved compliance: A Terrateam pipeline helps you comply with security regulations and standards by enforcing OPA policies on every infrastructure deployment.
Conclusion
In this blog post we looked at Zero Trust Security and how it can be implemented effectively in your infrastructure pipeline using Terrateam. We explored the fundamental concepts of zero trust, including authentication, authorization, and the pillars that underpin this security paradigm.
We provided statistics that highlight the growing adoption and positive impact of Zero Trust Security in the corporate landscape.
We also detailed the various components of zero trust security in the infrastructure pipeline, emphasizing the role of Identity and Access Management, Least Privilege, security tools like OPA and Checkov, Manual Gated Pipelines, and Continuous Monitoring and Audit in ensuring a robust security posture.
We then illustrated how Zero Trust Security can be implemented using Terrateam, showcasing the OIDC authentication, Terraform initialization, planning, Checkov, OPA integration, and infrastructure deployment.
Lastly, we discussed the key benefits of implementing Zero Trust Security, including reduced data breach risks, minimized human errors, and improved compliance with security regulations.