Infrastructure as code – less complexity, better security and compliance

By David Sandiland, Puppet by Perforce.

Infrastructure as Code (IaC) has compelling potential benefits for data centers. For instance, IT can be deployed faster and complexity controlled better while also improving security and compliance. While these are powerful arguments for IaC, as is so often the case with technology, theoretical advantages do not necessarily translate into real-world success. The good news is that some proven techniques can make a significant and positive contribution, such as automation, a focus on platform engineering, and getting the right people culture in place.  

Before diving into those, here is a reminder of what IaC is: using software to define configuration, instead of people performing it manually, to manage IT infrastructure across software, hardware, network components, data storage, and operating systems.

Consequently, users can access what they need faster, more efficiently and more accurately (great news for the IT operations team, who receive fewer support requests). Costs are reduced because people no longer need to create and configure infrastructure manually and then follow up with corrections. Plus, updating and patching IT infrastructure (even when there are thousands of servers across different locations) can happen rapidly and at huge scale, thus supporting compliance and security.

So, the argument for IaC is strong, but — as someone who has been an in-house DevOps engineer and is now a vendor working with large customers — I have seen what does (and what does not) constitute best practice. The good news is that while many organizations are still grappling with IaC, others have been able to use it to address big challenges such as better control over IT complexity, managing infrastructure even at a vast scale, and always up-to-date security and compliance.

People and Culture

Above all, it is vital to remember that successful IaC deployment depends as much on people and culture as on technology. For instance, all stakeholders should collaborate and be included right from the start: existing IT teams, other in-house teams such as process teams (change management, for example), external consultants, and vendors. This is often not the case, yet it is the only way to get a comprehensive scope of what is required while also achieving buy-in.

Also, start small, set expectations and avoid scope creep. While it can be tempting to pursue big goals that will deliver massive ROI, it is far better to start with smaller wins that are easier to achieve. Set minimal acceptance criteria so that the tests that must be passed can be more easily determined.

This approach will still contribute to ROI, giving early cumulative savings and demonstrating IaC’s benefits. In addition, make it clear to stakeholders that IaC implementation has to happen step-by-step towards a more ambitious future vision. Also, be aware of the risk of scope creep, particularly team members adding in extra use cases as they start to see IaC’s benefits. Of course, being open-minded is important, but so is staying focused on the ultimate vision.

Automate at the edge

One of the most successful techniques for IaC deployment is to install software agents on all nodes within the IT infrastructure. This allows vast volumes of servers to be simultaneously and automatically patched, or have configuration updated and enforced, without manual intervention or site visits.

Furthermore, it becomes easier to implement continuous compliance, with policies that can be tested repeatedly, rather than depending on audits, which might only happen on, say, a quarterly basis and so quickly become out of date and are something the team has to prepare for. In addition, IT operations spend less time addressing security vulnerabilities, and the risk of manual error is eliminated.

Also, it is important to consider IaC’s deployment in cloud environments. Organizations often mistakenly assume that what they have done for IaC in-house, for private cloud or data centers, is not relevant to public cloud or, worse, they simply apply in-house IaC to public cloud with no thought for the differences. With careful work, IaC code can be written to draw on site-specific data and variables so that the code itself is site- and cloud-agnostic. As a result, organizations can remove the potential for duplicated effort, standardize configuration where appropriate and reduce maintenance.

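The site-specific data approach just described, together with the repeatable policy tests from the previous paragraphs, can be sketched in code. The block below is an added example written for this article, not Puppet code or data: it uses a constructed Hiera-style hierarchy (node, site, cloud and common layers) so that a single profile function stays site- and cloud-agnostic, and a drift check that compares a node's actual settings with the desired state the way a repeated compliance test would. All hostnames, site names and values are made up.

```python
# Added example (not Puppet code): Hiera-style layered data so that one
# profile stays site- and cloud-agnostic, plus a repeatable compliance check.
# All hostnames, sites and values below are constructed.

# Lookup order, most specific first; each layer is selected by a node fact.
LAYERS = [("node", "fqdn"), ("site", "site"), ("cloud", "cloud"), ("common", None)]

DATA = {
    "node": {"db01.lon.example": {"sshd::max_auth_tries": 2}},
    "site": {
        "lon": {"ntp::servers": ["ntp1.lon.example", "ntp2.lon.example"]},
        "fra": {"ntp::servers": ["ntp1.fra.example"]},
    },
    "cloud": {
        "aws": {"ntp::servers": ["ntp.aws.example"]},  # cloud-provided time source
        "onprem": {},
    },
    "common": {
        "sshd::permit_root_login": "no",  # security baseline applies everywhere
        "sshd::max_auth_tries": 4,
        "ntp::servers": ["pool.ntp.example"],
    },
}


def lookup(key, facts):
    """Return the first value for key found walking the hierarchy top-down."""
    for layer, fact in LAYERS:
        bucket = DATA[layer] if fact is None else DATA[layer].get(facts.get(fact), {})
        if key in bucket:
            return bucket[key]
    raise KeyError(f"no data for {key}")


def desired_state(facts):
    """The same profile code runs on every node; only the data differs."""
    return {
        "PermitRootLogin": lookup("sshd::permit_root_login", facts),
        "MaxAuthTries": lookup("sshd::max_auth_tries", facts),
        "ntp_servers": lookup("ntp::servers", facts),
    }


def compliance_drift(facts, actual):
    """Continuous compliance: report (actual, desired) for every setting that
    has drifted; an agent run would then enforce the desired value."""
    desired = desired_state(facts)
    return {k: (actual.get(k), v) for k, v in desired.items() if actual.get(k) != v}
```

Running `compliance_drift` on every agent run, rather than at audit time, is what turns the quarterly audit into a continuously tested policy.
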
Platform engineering

IaC also benefits from one of the biggest trends in IT infrastructure management: platform engineering. According to Gartner, approximately 80% of organizations plan to have a team dedicated to Platform Engineering by 2026, and as the 2024 Puppet State of DevOps Report found, 43% of its survey’s global respondents have had a platform team for at least three years.

Platform engineering refers to having a team responsible for managing tooling, workflows, and self-service platforms for end users within an organization. An integral part of DevOps, platform engineering helps users access what they need more quickly, contributing to the fundamental attributes of good DevOps: efficiency, speed, and security.

For example, when asked about platform engineering’s leading benefits, 31% of respondents to the State of DevOps Report quoted reduced risk of security breaches, and 24% cited less time spent on security. The overwhelming majority — 83% — believe platform engineering has helped improve compliance. The survey found that 51% of platform engineering teams enforce software and tool versions, 46% implement organizational security benchmarks, and 42% continuously scan for vulnerabilities.

Platform engineering, together with adopting the right processes and tools, helps turn IaC’s potential benefits into reality. However, first and foremost, successful IaC deployment depends on people and the right cultural approach: this has to be a team effort, not just a technology investment. Address all these requirements and any data center is on the road to successful IaC implementation, better management of IT complexity, improved compliance and more robust security.
