1
00:00:00,310 --> 00:00:04,340
Infrastructure as Code, or IaC.

2
00:00:04,340 --> 00:00:06,700
Now, when we talk about infrastructure as code,

3
00:00:06,700 --> 00:00:08,640
this is a provisioning architecture

4
00:00:08,640 --> 00:00:10,700
in which the deployment of resources is performed

5
00:00:10,700 --> 00:00:13,150
by scripted automation and orchestration.

6
00:00:13,150 --> 00:00:15,280
Now, we mentioned the fact that we use scripted automation

7
00:00:15,280 --> 00:00:18,290
and orchestration in cloud computing all the time.

8
00:00:18,290 --> 00:00:19,160
And when we do that,

9
00:00:19,160 --> 00:00:21,520
we're really doing infrastructure as code.

10
00:00:21,520 --> 00:00:23,900
Now, this is key to the DevSecOps culture

11
00:00:23,900 --> 00:00:25,780
because it gives our teams the ability

12
00:00:25,780 --> 00:00:27,610
to rapidly deploy things

13
00:00:27,610 --> 00:00:30,300
within the timeframe of what they're working on,

14
00:00:30,300 --> 00:00:32,720
and because they have operations personnel already there

15
00:00:32,720 --> 00:00:35,570
and security personnel already there as part of that team,

16
00:00:35,570 --> 00:00:38,850
it's not any less secure by doing infrastructure as code.

17
00:00:38,850 --> 00:00:41,650
In fact, you'll find it's actually more secure.

18
00:00:41,650 --> 00:00:43,300
Now, why is it more secure?

19
00:00:43,300 --> 00:00:45,930
Well, because it allows for the use of scripted approaches

20
00:00:45,930 --> 00:00:47,920
to provisioning infrastructure in the cloud.

21
00:00:47,920 --> 00:00:49,640
And the great thing about scripts is

22
00:00:49,640 --> 00:00:50,630
they don't make mistakes.

23
00:00:50,630 --> 00:00:53,640
Once you have a script and you know it's working and secure,

24
00:00:53,640 --> 00:00:56,100
it's going to run that way every single time.
25
00:00:56,100 --> 00:00:57,020
So, this is going to allow you

26
00:00:57,020 --> 00:00:58,840
to get a lot of those configurations done

27
00:00:58,840 --> 00:01:01,990
and the provisioning done in a much more secure manner.

28
00:01:01,990 --> 00:01:04,230
Now, when we talk about infrastructure as code,

29
00:01:04,230 --> 00:01:06,850
it really comes down to three key areas.

30
00:01:06,850 --> 00:01:09,520
Part of this is going to be those scripts I just talked about.

31
00:01:09,520 --> 00:01:11,180
Part of it is going to be security templates,

32
00:01:11,180 --> 00:01:13,010
and part of it is going to be policies.

33
00:01:13,010 --> 00:01:15,670
And by applying these three against your infrastructure

34
00:01:15,670 --> 00:01:16,960
using this approach,

35
00:01:16,960 --> 00:01:19,680
you're going to have much more secure infrastructure.

36
00:01:19,680 --> 00:01:21,060
Now, when we talk about this,

37
00:01:21,060 --> 00:01:23,430
we are going to have to think about our orchestration.

38
00:01:23,430 --> 00:01:25,510
And if you have robust orchestration

39
00:01:25,510 --> 00:01:27,640
where you've tested it and you know it works well,

40
00:01:27,640 --> 00:01:29,800
then you can lower your overall IT costs,

41
00:01:29,800 --> 00:01:32,480
speed up your deployments, and you can increase security.

42
00:01:32,480 --> 00:01:34,450
So, this is really a win-win-win.

43
00:01:34,450 --> 00:01:36,280
It's all goodness here.

44
00:01:36,280 --> 00:01:37,960
Now, one of the things you have to be careful of, though,

45
00:01:37,960 --> 00:01:39,790
when you're doing this infrastructure as code,

46
00:01:39,790 --> 00:01:41,000
because we're using templates

47
00:01:41,000 --> 00:01:43,410
and standardization for everything,

48
00:01:43,410 --> 00:01:46,380
is people who want to have their special snowflakes.
49
00:01:46,380 --> 00:01:48,130
Now, when I talk about special snowflakes,

50
00:01:48,130 --> 00:01:51,420
you have people who think they just have the best idea

51
00:01:51,420 --> 00:01:53,100
and therefore, they have to be able to go

52
00:01:53,100 --> 00:01:54,500
and create their own infrastructure

53
00:01:54,500 --> 00:01:55,720
the way they want to do it.

54
00:01:55,720 --> 00:01:57,750
And they don't care about your standardization

55
00:01:57,750 --> 00:02:00,410
and your scripting and all the efficiencies you've gained.

56
00:02:00,410 --> 00:02:03,140
And so, they create something that is a one-off system.

57
00:02:03,140 --> 00:02:06,020
Now, when you're a big advocate for using orchestration

58
00:02:06,020 --> 00:02:08,580
and using scripts and using standardization,

59
00:02:08,580 --> 00:02:10,900
sometimes, you're going to face some friction at work

60
00:02:10,900 --> 00:02:12,660
because somebody thinks they have a better idea

61
00:02:12,660 --> 00:02:14,820
and they have this special snowflake system

62
00:02:14,820 --> 00:02:16,210
that they just have to have,

63
00:02:16,210 --> 00:02:18,390
and they can't use your standard templates.

64
00:02:18,390 --> 00:02:19,320
Now, when that happens,

65
00:02:19,320 --> 00:02:21,350
you end up with a special snowflake system,

66
00:02:21,350 --> 00:02:23,360
and these snowflake systems are any system

67
00:02:23,360 --> 00:02:25,240
whose configuration is different from

68
00:02:25,240 --> 00:02:26,860
the standard template

69
00:02:26,860 --> 00:02:29,190
within the infrastructure as code architecture.

70
00:02:29,190 --> 00:02:32,210
Now, the problem with this is it adds to security problems.

71
00:02:32,210 --> 00:02:33,640
It adds to configuration problems

72
00:02:33,640 --> 00:02:35,380
and supportability problems.
73
00:02:35,380 --> 00:02:37,460
This lack of consistency is going to lead

74
00:02:37,460 --> 00:02:38,930
to a lot of issues for you,

75
00:02:38,930 --> 00:02:40,630
especially in terms of security

76
00:02:40,630 --> 00:02:42,920
and inefficiencies in supporting it.

77
00:02:42,920 --> 00:02:45,740
This is because once you have a one-off system,

78
00:02:45,740 --> 00:02:48,500
it's unique and it doesn't apply to everything else.

79
00:02:48,500 --> 00:02:50,150
Think about it if you're in a large environment

80
00:02:50,150 --> 00:02:51,150
that's operating in the cloud

81
00:02:51,150 --> 00:02:53,150
and you have thousands of virtual machines.

82
00:02:53,150 --> 00:02:55,270
And out of those thousands of virtual machines,

83
00:02:55,270 --> 00:02:56,630
one is different.

84
00:02:56,630 --> 00:02:58,880
When somebody calls up and says something isn't working,

85
00:02:58,880 --> 00:03:00,820
you have to figure out: is it that one exception,

86
00:03:00,820 --> 00:03:03,420
or is it the thousands of others that are all working?

87
00:03:03,420 --> 00:03:05,480
And that becomes more of a support issue for you

88
00:03:05,480 --> 00:03:07,770
and it leads to a lot of security headaches.

89
00:03:07,770 --> 00:03:09,250
Now, the last thing we need to talk about

90
00:03:09,250 --> 00:03:12,520
in terms of infrastructure as code is idempotence.

91
00:03:12,520 --> 00:03:14,870
Now, this is a property of infrastructure as code

92
00:03:14,870 --> 00:03:16,740
that an automation or orchestration action

93
00:03:16,740 --> 00:03:19,070
is always going to produce the same result

94
00:03:19,070 --> 00:03:21,620
regardless of the component's previous state.

95
00:03:21,620 --> 00:03:24,200
Essentially, every time you give this input,

96
00:03:24,200 --> 00:03:26,350
you should expect this output.
97
00:03:26,350 --> 00:03:28,330
Anytime you call up this script,

98
00:03:28,330 --> 00:03:30,470
it should be doing these functions

99
00:03:30,470 --> 00:03:32,410
and it should do it every single time.

100
00:03:32,410 --> 00:03:34,770
That's why we want to eliminate those special snowflakes,

101
00:03:34,770 --> 00:03:36,830
because we want everything to be consistent.

102
00:03:36,830 --> 00:03:39,050
Now, by doing this and using carefully developed

103
00:03:39,050 --> 00:03:40,250
and tested scripts,

104
00:03:40,250 --> 00:03:43,600
we can end up doing orchestration really consistently.

105
00:03:43,600 --> 00:03:44,780
We create these runbooks

106
00:03:44,780 --> 00:03:46,240
that are going to do all the steps for us.

107
00:03:46,240 --> 00:03:48,550
That's what we call a script inside of orchestration.

108
00:03:48,550 --> 00:03:51,070
And it's going to generate these very consistent builds

109
00:03:51,070 --> 00:03:52,630
that have a good security posture,

110
00:03:52,630 --> 00:03:54,420
and they're within compliance for us.

111
00:03:54,420 --> 00:03:56,280
So, really, what I'm trying to say here is

112
00:03:56,280 --> 00:03:58,120
eliminate the special snowflakes.

113
00:03:58,120 --> 00:03:59,680
Don't allow them to happen.

114
00:03:59,680 --> 00:04:01,960
If somebody wants to have a special snowflake system,

115
00:04:01,960 --> 00:04:04,610
there should be a really, really good reason for it.

116
00:04:04,610 --> 00:04:05,660
And it should go really high up

117
00:04:05,660 --> 00:04:07,530
in your organization for approval.

118
00:04:07,530 --> 00:04:10,250
The default answer should be no special snowflakes.

119
00:04:10,250 --> 00:04:12,120
We're all going to use the same templates,

120
00:04:12,120 --> 00:04:14,670
the same security, and the same orchestration,

121
00:04:14,670 --> 00:04:17,340
because we know it works and it's easier for us to support

122
00:04:17,340 --> 00:04:19,190
and it gives us much better security.
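Added editorial example (not part of the lecture above, and not the instructor's own code): the transcript defines idempotence as an action that yields the same result regardless of prior state, and defines a snowflake as a system whose configuration differs from the standard template. The constructed Python below shows both, using plain dicts in place of a real orchestration tool's view of a host. The hosts, the template, its settings, and the "siem.example.internal" forwarding target are all assumptions made up for the example. A non-idempotent step (`append_rule`) is compared with its idempotent counterpart (`ensure_rule`) by running each twice; `apply_template` converges a host to the template while reporting how many settings it had to change, so a second run reports zero; and `find_snowflakes` is the drift check that flags any host that has wandered from the template.

```python
"""Idempotent provisioning steps and template-drift (snowflake) detection.

Constructed example: hosts are plain dicts standing in for the live
configuration an orchestration tool would read back from a VM.
"""
from copy import deepcopy

# Constructed standard template every host in the fleet should match.
# The log-forwarding hostname is hypothetical.
TEMPLATE = {
    "ssh_password_auth": False,
    "firewall_rules": ["allow 443/tcp", "deny all"],
    "log_forwarding": "siem.example.internal",
}


def append_rule(host, rule):
    """Non-idempotent step: always appends, so every rerun adds a duplicate."""
    host["firewall_rules"].append(rule)
    return host


def ensure_rule(host, rule):
    """Idempotent step: converge to 'rule present' whatever the prior state."""
    if rule not in host["firewall_rules"]:
        host["firewall_rules"].append(rule)
    return host


def is_idempotent(step, host, *args):
    """Apply a step once, then again to its own output; equal results mean idempotent."""
    once = step(deepcopy(host), *args)
    twice = step(deepcopy(once), *args)
    return once == twice


def apply_template(host, template=TEMPLATE):
    """Converge a host to the template. A key is written only if it differs,
    so a second run changes nothing and reports zero changes."""
    changes = 0
    for key, expected in template.items():
        if host.get(key) != expected:
            host[key] = deepcopy(expected)
            changes += 1
    return host, changes


def find_snowflakes(fleet, template=TEMPLATE):
    """Return {hostname: {setting: (actual, expected)}} for every host whose
    configuration differs from the template; an empty dict means no drift."""
    drift = {}
    for name, host in fleet.items():
        diffs = {key: (host.get(key), expected)
                 for key, expected in template.items()
                 if host.get(key) != expected}
        if diffs:
            drift[name] = diffs
    return drift


def demo():
    """Constructed fleet: two template-built hosts and one hand-tuned exception."""
    fleet = {
        "web-01": deepcopy(TEMPLATE),
        "web-02": deepcopy(TEMPLATE),
        # The snowflake: password SSH re-enabled and an extra inbound rule.
        "web-03": {
            "ssh_password_auth": True,
            "firewall_rules": ["allow 22/tcp", "allow 443/tcp", "deny all"],
            "log_forwarding": "siem.example.internal",
        },
    }
    report = {
        "append_is_idempotent": is_idempotent(append_rule, fleet["web-01"], "deny all"),
        "ensure_is_idempotent": is_idempotent(ensure_rule, fleet["web-01"], "deny all"),
        "snowflakes_before": sorted(find_snowflakes(fleet)),
    }
    # Converge the snowflake, then rerun to show the second pass is a no-op.
    _, first = apply_template(fleet["web-03"])
    _, second = apply_template(fleet["web-03"])
    report["changes_first_run"] = first
    report["changes_second_run"] = second
    report["snowflakes_after"] = sorted(find_snowflakes(fleet))
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "run it twice and compare" test in `is_idempotent` is the practical check to apply to any runbook step before trusting it in orchestration: a step that passes can be rerun safely after a partial failure, while one that fails (like `append_rule`) will silently pile up duplicates or drift on every retry. The drift report from `find_snowflakes` is the evidence you want in hand when the exception request described in the lecture goes up for approval.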