The cloud is a software-defined infrastructure. To manage and automate its deployment, we use the concept of Infrastructure-as-Code (IaC).
Consider, for example, Terraform™, which translates human-readable templates into live cloud deployments. When generating infrastructure this way, all the inputs are still required — subnet size, host OS type, memory size, disks to allocate and firewalling between subnets — but it’s easy to move from zero to a small test environment. Consider generating all the resources to create a private network using the Terraform configurations documented at http://linuxinuse.com/devopsblog/use-terraform-modules/.
To help you in your journey, this blog explores the steps for a turnkey deployment.
- Set your variables that define the build: vars.tf
- Create a new Virtual Private Cloud (VPC): vpc.tf
- Define the network firewall rules: securitygroup.tf
- Build a virtual machine (VM): instance.tf
- Execute post-installation scripts on a VM: cloudinit.tf
- Run Terraform plan
- Run Terraform apply
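One way to act on the plan step before running apply, as an added example that is not part of the original post: a Python check over the JSON that terraform show -json writes for a saved plan, flagging aws_security_group ingress rules (the securitygroup.tf step) that open management ports to any address. The plan excerpt, the resource addresses and the port list are constructed for the example.

```python
"""Pre-apply firewall check on a Terraform plan (added example, not from the post).

Assumes the plan was saved with `terraform plan -out tfplan` and exported with
`terraform show -json tfplan`; walks aws_security_group ingress rules (the
securitygroup.tf step) for management ports reachable from any address.
"""
import ipaddress
import json

# Constructed policy: ports that should never be reachable from 0.0.0.0/0 or ::/0.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}


def ingress_findings(plan: dict) -> list:
    """Return one finding string per ingress rule that exposes a management port."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_security_group":
            continue
        after = rc.get("change", {}).get("after") or {}  # None when destroying
        for rule in after.get("ingress") or []:
            cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
            world = [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]
            if not world:
                continue
            if rule.get("protocol") == "-1":  # all traffic: every port is exposed
                exposed = sorted(MANAGEMENT_PORTS)
            else:
                lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
                exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
            if exposed:
                findings.append(f"{rc['address']}: port(s) {exposed} open to {world}")
    return findings


# Constructed plan excerpt in the shape `terraform show -json` produces.
CONSTRUCTED_PLAN = json.loads("""
{"format_version": "1.2", "resource_changes": [
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_security_group.admin", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.20.0.0/16"]}]}}}]}
""")

if __name__ == "__main__":
    for finding in ingress_findings(CONSTRUCTED_PLAN) or ["no findings"]:
        print(finding)
```

Run it in a pipeline between plan and apply and fail the job when the list is non-empty; the HTTPS rule passes while the world-open SSH rule on aws_security_group.web is reported.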
Infrastructure-as-Code (IaC): Beyond Terraform
While the Terraform configuration is readable and creates cloud resources, its ability to apply further logic via the Terraform ecosystem is limited. If your goal is to hard-code values and generate the same environment, you’re limiting your extensibility and won’t be able to answer many of your initial questions. Many resources simply cannot be built without using a cloud API™. Here is an opportunity to expand on IaC.
By itself, IaC doesn’t restrict use of a particular programming language, but the API tools provided by cloud vendors restrict the choices to Python®, PowerShell™, bash or .NET. My advice: Pick a development platform based on your support team’s skillset, understand the core competency of the API and build logic around it. Terraform is a great start. Just keep in mind that your core build can be somewhat static, but it can be expanded over time. Because development time for an IaC may be limited, go for an initial base solution with incremental changes over time.
Building logic one block at a time
The building blocks of all code are logic functions. To automate a setup, minimize hardcoded static values and make scripts as self-supporting as possible. It’s fine to use static values if you’re taking an incremental approach, but going back and turning those values into inputs will make the code usable – and reusable – by less-technical staff. Some good base functions that you can create within Azure® alongside Terraform, using API calls, include:
- Using GNU™ Privacy Guard (GPG) to avoid storing cleartext passwords on disk. GPG encrypts your username and password. Your IaC takes your GPG username and password as input; the automation retrieves your cloud credentials from the GPG store and logs in to a particular subscription. This keeps cloud credentials out of cleartext files and removes the easy win of an attacker gaining credential access simply by searching for default credential stores such as files named “.aws/credentials.”
- Generating storage object access tokens. Object storage containers (an Amazon S3™ bucket or a blob container) and the files within them can be accessed using time-expiring tokens that tightly restrict access. Fortunately, generating these keys doesn’t have to be manual. The function’s inputs are a resource group (called a VPC at AWS™), a storage account name, a container name, a filename and an expiration length. Automation handles the storage key retrieval needed to produce the access token. You can feed the resulting token into another routine, send it securely to a third party or print it to screen for manual use.
- Determining the IP space of a new engagement. The function’s inputs are the cloud data center location and the subnet size. If your subnets are static, this input is predetermined. Automation statically maps a unique class B subnet to each of your cloud provider’s data centers, then returns the next unused subnet within it as your new IP range. This gives each region a non-overlapping, predictable IP space. Keep in mind that if you ever need to connect two such subnets, you will need new routes, network peering and firewall allowances.
- Performing targeted remote execution using cloud-native methods. Initiate non-default cloud agent installations; enable host, API or metric logging; full-disk-encrypt endpoints; or run arbitrary code from the host’s native shell. The options continue, but the goal is to avoid human interactivity in order to maintain repeatability. The web console can still be useful, but what’s done by hand must be documented and repeated by hand. One notable exception to automation is that you cannot retrieve the Azure Workspaces key with the API; that key is used to assign a VM to a workspace for monitoring and patch management.
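The IP-space function described in the list above, as an added example that is not part of the original post: each data center gets a fixed /16 (class B) by its position in a region list, and the next unused subnet of the requested size is carved from that block. The region names, the 10.0.0.0/8 supernet and the in-use subnets are constructed assumptions; in practice the in-use list would be read back from the provider’s API.

```python
"""Predictable per-region IP space (added example, not from the post).

REGIONS and the 10.0.0.0/8 supernet are constructed assumptions. Each data
center gets its own /16 (class B) by fixed position in REGIONS, and the next
unused subnet of the requested size is carved from that block, so regions
never overlap and a later peering needs only routes and firewall rules.
"""
import ipaddress

# Positional mapping: append new regions at the end and never reorder, or an
# existing region would silently move to a different /16.
REGIONS = ["eastus", "westus", "northeurope", "westeurope"]
SUPERNET = ipaddress.ip_network("10.0.0.0/8")


def region_block(region: str) -> ipaddress.IPv4Network:
    """Map a region name to its static /16 inside SUPERNET."""
    index = REGIONS.index(region)  # ValueError for an unmapped region
    base = int(SUPERNET.network_address) + index * (1 << 16)
    return ipaddress.ip_network((base, 16))


def next_subnet(region: str, prefix: int, in_use: list) -> ipaddress.IPv4Network:
    """Return the first /prefix in the region's block that overlaps nothing in in_use.

    in_use holds CIDR strings already allocated in that region (for example
    read back from the provider's API); prefix must be longer than 16.
    """
    block = region_block(region)
    used = [ipaddress.ip_network(s) for s in in_use]
    for candidate in block.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    raise RuntimeError(f"{region}: no free /{prefix} left in {block}")


def regions_overlap() -> bool:
    """Sanity check for the static map: True if any two region blocks collide."""
    blocks = [region_block(r) for r in REGIONS]
    return any(a.overlaps(b) for i, a in enumerate(blocks) for b in blocks[i + 1:])


if __name__ == "__main__":
    # Constructed state: two /24s already exist in eastus, none in westus.
    print(next_subnet("eastus", 24, ["10.0.0.0/24", "10.0.1.0/24"]))  # 10.0.2.0/24
    print(next_subnet("westus", 24, []))                             # 10.1.0.0/24
```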
Need additional information? Contact a member of our CIFR team 24/7/365 by phone 888-RISK-411 or email CIFR.firstname.lastname@example.org.
Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions – underpinned by the world’s largest delivery network – Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 425,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.
This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.
Copyright © 2020 Accenture. All rights reserved. Accenture and its logo are trademarks of Accenture.