What is the operational system risk imposed by the infrastructure deployment pipeline workflow?

Real-time data monitoring of systems and system forensics is an essential aspect to keeping your data security platform safe when relying on the use of Infrastructure as Code (IaC) and the potential vulnerabilities associated with its continuous deployment (CD). Many organizations are facing an information overload and are inadequately prepared for understanding and designing a cyber incident response plan with near-real-time monitoring, including detection, analysis of system event logs, user activities, and system access tracking.

A generalized infrastructure deployment pipeline (IDP) reference architecture is presented to assist with risk assessment and mitigation. An experiment was conducted to determine if application of the National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) can mitigate the risks inherent to the IDP workflow process. The author concludes that while the NIST CSF does largely mitigate IDP cybersecurity risks, additional controls are still required to fully assure cybersecurity for the CD process.

This document also describes the benefits of IaC and how to leverage the capabilities in support of DevOps (combined Development and Operations) initiatives. IaC is an emerging and evolving concept for automating the provisioning of infrastructure services and managing infrastructure platforms such as virtual machines, networks, load balancers, and connection topology. The practice of IaC could be used as a catalyst/tool to increase organizations’ abilities to deliver applications and services at a high velocity.

Additional guidance is provided for development teams to accelerate processes to enable rapid code production and deployment and assist in developing a vigorous agile strategy geared to deliver secure capabilities faster when relying on the IDP process. Moreover, this report describes several research studies that have addressed cybersecurity topics relating to IaC and IDP, and it details risk statements with architectural relationships of typical code signing solutions. Finally, it provides references on cloud computing services and scalable infrastructure resources.