Accurics Secures Cloud Infrastructure Through Policy-as-Code
The CEO and co-founder Accurics, Sachin Aggarwal talks about “immutable security,” which might seem at odds with the ever-changing nature of cloud native technology
It’s based on the idea of immutable infrastructure, where rather than making changes to a deployment, you fire up a new instance.
As Mike Liedike, manager, Deloitte Consulting’s Innovations and Platforms team, described immutable infrastrcuture in a recent edition of The New Stack Makers podcast:
“Immutable infrastructure gives you the ability to have a consistent environment, across your entire fleet of systems, which gives you a simpler and more predictable deployment. It allows you to do the testing more consistently and promote your environments from development to test to prod.”
Accurics’ platform harnesses infrastructure as code to standardize policy, security and remediation across the full cloud native stack including serverless, containers, service mesh and more.
From Code to Production
Founded in 2019, Pleasanton, Calif.-based Accurics came out of stealth in April, announcing $5 million in funding from ClearSky, WestWave Capital, Firebolt Ventures and Secure Octane.
It’s part of a rash of startups taking on the security and governance challenges of the new infrastructure, including Guard Rails; Octarine, acquired by VMware; and EnvO. San Francisco-based Atomist, for one, is taking on the problem of cloud drift.
Accurics’ customers include peer-to-peer lending site Lending Club, IT services provider Unisys, field service technology vendor ServiceMax, and shipping tracking firm Roambee.
“What I mean by immutable security is two things: You need to address the full stack. It should not be thought of as a patch solution or a point solution. But it should be thought about as … your infrastructure layer, your network storage and compute, your orchestration platform, your server layer and service mesh layers,” Aggarwal said.
“Then, second thing is that you should think about security from the code to cloud because as we know, people are using infrastructure automation tools, such as Terraform, Ansible, and [others.] So you must do the assessment of the code and governance on your code and the cloud.
“And once you’ve established trust in code in the cloud, then you should not drift from that posture, which means that when people make changes, the trust from code to cloud is maintained.”
Alcide co-founder and CTO Gadi Noar recently pointed to the different security needs of continuous integration (CI) and continuous delivery (CD), making the case for using Kubernetes’ security features in CD.
Aggarwal maintains that security must start with the code and continue in production with continuous monitoring to ensure applications do not drift from the baseline code and policy guardrails.
Setting a Baseline
Accurics initially creates real-time topology across the full stack defined as code, which identifies issues to be addressed. Once they are, that becomes the baseline used to enforce security and governance policy.
Accurics calls it policy-as-code.
“Policy as code is where you define all your security requirements and you codify them in a way that you can assess [security and governance issues] right when your development teams are writing the code. You’re giving them feedback right when they’re writing their infrastructure as code so they’re able to remediate the code as part of the development life cycle,” explained Caesar Rodriguez, Accurics’ head of developer advocacy.
With its configuration management database, Accurics continuously scans code files such as Terraform, Kubernetes YAML, Dockerfile, and OpenFaaS YAML for misconfigurations and violations of common compliance and cybersecurity practices, including SOC 2, GDPR, PCI, HIPAA, ISO, CIS Benchmark, AWS Best Practices.
It also identifies identity access and management roles and flags instances that are too permissive.
The company’s recent State of DevSecOps report noted that companies are addressing only 4% of cloud misconfigurations, a problem that Verizon, in its latest data breach report, found to be growing and among the leading issues leading to exploits.
Aggarwal attributes that low rate to the time and expense of making fixes, but also fear that changing one thing will break something else.
It most recently has been touting its remediation as code capability as well. In addition to alerting developers to issues early on, it continuously monitors the application running on AWS, Azure or Google Cloud Platform for configuration changes. The system maps the change against the IaC baseline, assesses its risk, and alerts the appropriate person.
The alerts — sent using Slack, JIRA, Splunk, webhooks or email — identify not only the issue, but the code that will fix the problem. It’s designed to help alleviate the fear of breaking something while making the fix, Aggarwal said.
The human still must determine whether it was a good or bad change, then can either update the baseline code to reflect legitimate production change or roll back to the last known secure version.
Rodriguez has some experience with the need for rapid reversals:
“On a project a few years ago, our focus was on making sure that security controls were applied automatically in the cloud environment,” he recalled. “And since we did not care what the development teams were trying to do, we were just changing the cloud directly.
“One of the controls that we were trying to implement was encryption at rest and we deployed it automatically. We accidentally deleted a production database, which was a huge deal, though we were able to recover quickly.”
Providing feedback to the development team is a much better approach, he says, one that can integrate directly into the tools developers are using as well as security orchestration and automation tools.
Remediation with Context
“If you automate remediation, but you don’t do that within the context of what you’re trying to build, it can be dangerous,” he said. “If you’re generating the code on how this can be applied to your infrastructure, it provides a better picture for the development team. It’s a learning [experience]. In the long run, it’s going to help your company be better because you’re not going to be doing changes that could possibly injure your environment.”
The platform also features breach path prediction, using threat models developed by analyzing vulnerability feeds, access privileges, and other data to detect and close potential exposure paths in infrastructure code.
Going forward, Aggrawal said the company plans to focus in three areas: going deeper into every layer of the stack, providing more risk management based on the customer’s architecture and improving breach prediction by giving users a better understanding of the relationships and dependencies between different resources.
Piyush Sharrma, Accurics’ co-founder and chief product officer, recently contributed posts on the top security risks with infrastructure-as-code.
“Securing cloud infrastructure is highly complex because an increasing number of dependencies are involved, and different actors using different tools play a role in protecting it,” said Paula Musich, research director at Enterprise Management Associates. “While a number of startups and established security vendors are attempting to solve specific issues, such as scanning reusable code for vulnerabilities or managing access to applications and data, piecemeal approaches that require different consoles only increase the chaos.”
“What’s needed is a single tool to manage risks and policy violations early in the DevOps lifecycle and ensure that the original configuration intended by the developer remains true (and secure) once it leaves their hand and goes into production. This is the broader problem Accurics is solving, and it should give IT executives greater confidence in their ability to properly secure cloud infrastructure.”
Accurics is a sponsor of The New Stack.
Feature Image: “Fireworks” by Brad Parrett. Licensed under CC BY-SA 2.0.
At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: firstname.lastname@example.org.