Marino is well placed to talk about these challenges, as he focuses on application networking for microservices and the security concerns regarding communication streams between microservices.
In the video, we discuss the importance of the following factors in security and IaC:
Role-based access control
No matter the scale of your company or the type of product you build, role-based access control (RBAC) is critical.
You want to know who has access to what, what they’re able to do, what they’ve done, and then be able to trace actions so if you were to troubleshoot or debug something, you can go back in time. Where RBAC comes into play here is that you are defining a set of groups, a set of individuals, a set of actions, and who can take those actions.—Marino
Marino notes that we’ve come a long way in our codification of RBAC and how granular we can get based on the use case in question, but that has added complexity to organizations’ security postures.
In the video, Developer Advocate Tim Davis shares how env0 helps to simplify RBAC while maintaining full control.
For customers who want to go a step further in controlling access not just by users, but by their IaC management itself, the ability to self-host enables you to run your backend so that your code and secrets are kept inside of your cloud. This can help to address some common concerns from enterprises where the sentiment may be “We can’t trust full SaaS with our IaC.” These concerns usually fall into one of two categories, says Marino:
When you have something that’s SaaS-based, you tend to not see a lot of what’s going on underneath. You have a lack of ability to be able to troubleshoot and go deeper, and that creates a bit of a security concern because if you’re trying to trace an attack you’re very limited in what you can trace through.—Marino
"The compliance side of it really falls back to needing things to stay in your own environment so that you have complete visibility as to how it operates and you have complete control over the lifecycle management behind it. Alongside that you actually have control over what that system might be doing in terms of who it’s communicating with and who it’s able to talk to outside of your own network." —Marino Wijay
For many customers, the flexibility to use a trusted and easy-to-implement secrets manager in tandem with their IaC management platform is paramount. HashiCorp’s Vault and AWS Secrets Manager are two of the most commonly used solutions. If you’re looking for an IaC management solution, it’s worth finding out if it supports integration with your chosen secrets manager or if, like some SaaS solutions, you are locked into using their solution. Env0’s approach is not to be prescriptive, so our self-hosted agent supports multiple popular secrets managers, giving you better control.
Watch the full video below, and stay tuned for the next in the IaC Challenges series, in which we’ll be exploring extensibility challenges in IaC.