Lacework announced the acquisition of infrastructure-as-code security company Soluble. Pictured: A general view in the CERN Computer / Data Center and server farm on April 19, 2017, in Meyrin, Switzerland. (Photo by Dean Mouhtaropoulos/Getty Images)

Lacework on Thursday took an important step to improve the software delivery workflows in the cloud of its customers by acquiring infrastructure-as-code (IaC) security company Soluble.

The Lacework platform promises to deliver visibility across multi-cloud environments, detecting unknown and known threats, vulnerabilities, misconfigurations, and unusual activities. Now with Soluble, developers will have the option to provision IaC, which allows for more consistent configurations and version control.

 “With Soluble and the new developer-focused features of our platform, we’re helping our customers remove the friction between security and development teams, said Jay Parikh, co-CEO at Lacework. “Fixing security issues earlier, coupled with making cloud security insights more accessible across the organization allows developers to ship faster and safer.”

IaC security has become the hottest topic in cloud security, said Frank Dickson, program vice president for security and trust at IDC. Dickson said the industry continually has heard that infrastructure-as-a-service (IaaS) misconfigurations have become one of the leading sources of breaches, and as it implemented a “whack-a-mole” strategy of addressing the issue, the industry has now had a “collective epiphany.” 

“The problem is structural, finding its roots in our Terraform, Cloud Formation, and other such templates,” Dickson said. “It’s just much better to fix the problem at the source with IoC security. However, simply adding another tool, even one as important as IoC security, on top of other solutions in a non-integrated fashion, creates complexity and problems. The last thing any of us needs is another source of conflict between security professionals and app developers. IoC security needs to work as an integrated feature of developer tools. Lacework’s acquisition of Soluble enables exactly that: The integration of security practices into software delivery workflows by leveraging existing tooling.”

In commenting on the IaC trend, Douglas Murray, CEO at Valtix, said cloud environments have the tendency to proliferate across accounts and regions and even clouds, given the simplicity with which they can be spun up. Murray said that managing all of this manually has become a sure-fire recipe for trouble.

“This makes IaC, which is getting standardized around Terraform of late, mandatory for organizations with a decent size cloud footprint,” Murray said. “Standing up entire workloads to run applications using IaC entails that security must seamlessly integrate into IaC as well.”

John Morgan, CEO at Confluera, said the cloud requires a different mindset and strategy for security. Morgan explained that the pace of application and network deployment has become much higher with ephemeral workloads and IaC in the cloud. It means that the security tools and processes to keep with this high pace need to change. 

“The strategies involved require security to be inserted into a shift-left and run-time security model, with more emphasis on build and deployment time security than seen in the past,” Morgan said. “Run-time security and visibility of what’s actually happening in the environment is also required and paramount with the advanced nature of targeted attacks today. The visibility of run-time security to detect breaches will protect against insider threats, supply chain attacks, vulnerabilities, and errors from not locking things down properly. Run-time and shift-left security should work together, but these require a different set of tools, scale, and training to keep up with the pace of the business in the cloud.”