8 Security and compliance


This chapter covers

  • Choosing protections for credentials and secrets in infrastructure as code
  • Implementing policies to enforce compliant and secure infrastructure
  • Preparing end-to-end tests for security and compliance

In previous chapters, I alluded to the importance of securing infrastructure as code and checking its compliance with your organization’s policy. Your company’s policy ensures that systems comply with security, audit, and organizational requirements. In addition, your security or compliance teams often define policies based on industry, country, and more.

Imagine you work for a retail company called uDress. Your team has six months to build a new frontend application on Google Cloud Platform (GCP). The company needs it available by the holiday season. Your team works very hard and develops enough functionality to go live. However, a month before you deploy and test the new application, the compliance and security team performs an audit, and you fail.

Now, you have new items in your backlog to fix the security and compliance issues. Unfortunately, these fixes delay your delivery timeline or, at worst, break functionality. You might wish that you knew about these from the very beginning, at least so you could plan for them!

8.1      Managing access and secrets


8.1.1   Principle of least privilege


8.1.2   Protecting secrets in configuration


8.2      Tagging infrastructure


8.3      Policy as code


8.3.1   Policy engines and standards


8.3.2   Security tests


8.3.3   Policy tests


8.3.4   Practices and patterns


8.4      Summary
