Policy as Code, how to automate cloud compliance verification with open-source tools

Container infrastructures, along with the use of the cloud, represent a new paradigm of application development and release that has become widespread in recent years. Although, on the one hand, such infrastructures bring benefits in scalability, management, and application compatibility, on the other hand, they are not to be considered "secure-by-default." Security enforcement in these environments is a complex task if approached with the "old" methodologies. Technologies are therefore evolving, and a new approach was born: "Policy as Code." This approach allows to abstract security policies into code that can then be executed to automate compliance verification of cloud applications and infrastructure. Furthermore, it permits the management of policies as normal source code, enabling the implementation of all proven software development best practices such as version control, automated testing, and automated deployment. This thesis work analyzes the state of the art of Policy as Code and investigates the different open-source solutions proposed in the market, their effectiveness, and how they can be integrated into a continuous integration continuous delivery pipeline. The work starts with an overview of cloud compliance, why it is important, and what issues arise with its manual implementation. Subsequently, it investigates how the subject can be integrated into the DevSecOps methodology by analyzing how and in which steps of the development process it can be implemented in order to automate cloud compliance. Thereafter, there is an analysis of the implementation of a proof-of-concept that has been developed specifically for this purpose. It is used to perform a security assessment and test the effectiveness of the tools against proof-of-concept behavior and default configuration. Specifically, tfsec and Regula are the tools analyzed with regard to infrastructure as code security, Cloud Custodian for cloud security posture management, and Gatekeeper for cloud workload protection. The thesis shows a description of their output and the results obtained by testing compliance with policies against the proof-of-concept, as well as the mitigation strategies that should be applied. The results show that tfsec and Regula can be used inside a continuous integration continuous delivery pipeline to prevent the deployment of resources that are not compliant with the defined policies and also demonstrate that the default configuration of the proof-of-concept infrastructure is quite insecure; for example, public cloud storage containers are not encrypted by default. Also, it is shown how Cloud Custodian and Gatekeeper are useful for security audits, as they allow for the verification the actual behavior of both the infrastructure and the workload, notifying the presence of non-compliant resources. Finally, the work analyzes the performance impact that infrastructure as code tools have on pipeline execution and the resource consumption of cloud security posture management and cloud workload protection tools.