ControlMonkey today added a risk index dashboard to its automation platform for managing code created using infrastructure as code (IaC) tools based on open-source Terraform software.
Company CEO Aharon Twizer said the IaC Risk Index dashboard, in addition to surfacing vulnerabilities, provides insights into how infrastructure was delivered and whether it has been provisioned using code.
That latter issue is especially critical because, despite any tendency developers have to misconfigure infrastructure using Terraform tools, ControlMonkey research finds that unmanaged infrastructure is twice as likely to have security risks that have not been addressed, said Twizer.
In total, the amount of infrastructure that has been provisioned using IaC tools is on average 30 to 40% less than most IT teams estimate, he added.
The overall goal is to make it simpler for cloud infrastructure and security teams to collaborate and plan remediation strategies by providing a common view of risks, said Twizer.
For every vulnerable resource, the IaC Risk Index identifies how it was delivered and its current state. With a single click, the ControlMonkey platform can then be used to invoke Terraform and remediate vulnerabilities using a secure-by-default fix, a capability that enforces policies and resolves any configuration drift issues by applying a patch.
At the core of the ControlMonkey platform are multiple types of deterministic and generative artificial intelligence (AI) technologies that generate Terraform code that is tailored for specific cloud computing environments, said Twizer. That approach not only reduces the amount of time application developers spend on configuring cloud infrastructure, but it also improves the quality of the code being used. Many of the cybersecurity issues that organizations encounter can be traced back to misconfigurations of cloud infrastructure that, for example, left a port open through which data could be exfiltrated.
Automating the generation of that code enables, for example, a platform engineering team to more easily provide self-service capabilities to application developers.
It’s not clear how aggressively DevOps teams are looking to centralize the management of provisioning on cloud infrastructure. However, many application developers, in the name of expediency, have assumed responsibility for it as part of an effort to accelerate the pace at which applications are built and deployed. Unfortunately, application developers have limited cybersecurity expertise, so misconfiguration of cloud infrastructure services is now rampant. Rather than requiring application developers to manually write better Terraform code, ControlMonkey is making a case for an AI platform that has been trained using best practices to consistently generate more reliable code. That capability also provides the foundation upon which disaster recovery processes can become more automated.
Each IT team will need to determine what level of automation to apply to cloud infrastructure. However, as the number of incidents mounts, the time required to address them only increases, and the more code there is, the more challenging it becomes to manage manually in an era where mean time to resolution is one of the most important key performance indicators used to measure the efficiency of any IT team.