Cloud Governance using Infrastructure as Code

Episode Description

What We Discuss with Ohad Maislish:

  • Three Stages Cloud Evolution.
  • Governance in Cloud using IaC
  • Challenges with IaC in companies of different scale – Startup vs Enterprise?
  • How to get started in IaC for Governance in Cloud?
  • Would IaC become a standard for anyone doing cloud deployment?
  • Challenges for organisations looking to implement IaC
  • How to get started on the governance pieces of IaC
  • And much more…

[00:00:00] Ashish Rajan : Hello, and welcome to another episode of Cloud Security Podcast. Today’s topic is governance in cloud using IaC, or infrastructure as code.

And I have Ohad here. Who’s waking up really late for me at his hour. And I’ll let him explain why and how but as always, if you are not watching this on YouTube, feel free to subscribe. And like we make videos like this every week when we interview people on cloud security topics. And if you are watching this or listening to this on another platform, Feel free to subscribe and leave a review.

A five star review will be awesome. As you guys have been commenting already on different DMs, it really helps us take the podcast to the next level as well. All right. So without further ado, let me bring the man of the hour. Hey, Ohad. Welcome to the show.

Ohad Maislish: Hey Ashish. Pleasure for being here. Thank you for inviting me.

Ashish Rajan : Thank you for coming on. And it’s pretty awesome to have people stay up awake. Well, stay awake late for us. So what time is it for you at the moment?

[00:01:00] Ohad Maislish: That’s actually 1:00 AM. I hope my kids would not wake up during the day.

Ashish Rajan : Oh my God, dude. Thank you so much for staying awake for me. I just appreciate the fact that you’ve been awake for us, man.

That’s pretty much what I was I guess that’s. That’s value for me right there. So I’m going to ask the obvious question that a lot of people may be asking. So I guess a little bit about yourself, where and how, who is Ohad and how did you, I guess, reach where you are today in terms of professional life.

Ohad Maislish: Okay. So I’m co-founder and CEO of env0, that’s the startup name, and I’m 39, father of two kids. And my background is technical. From a young age I started programming, went to university and worked for Microsoft and then working for several other places. And env0 is my second startup and third company. In between those two startups, I had a company focused on DevOps cloud [00:02:00] infrastructure. Then I saw the huge shift to infrastructure as code and decided it’s a good idea, probably, to do a startup. It feels like there is a gap, like between Git and GitHub. So same goes here. Infrastructure as code, it’s a technical framework, and we’re focusing on the next level.

Ashish Rajan : I always ask this question and I always get different response. I’m curious to know from your side, what does cloud security mean for you?

Ohad Maislish: Oh, wow. It’s such a, such a big question. And you know, for me, it’s everything about, I, I focus on infrastructure as code and infrastructure as code totally changes cloud security in my honest opinion, because you no longer just have the cloud resources, we now have this hybrid creature of both cloud resources and Git repos with code.

Let’s say Terraform. So it needs always to be in sync, no drifts. So let’s say the basic question about cloud security is who has access to the cloud account. So five years ago, before infrastructure as code, you gave direct access to people to do certain operations on the cloud. But now with infrastructure as code, you don’t want drift.

So you give everybody [00:03:00] just read access, but you give this one special user, this robot, full access to execute the code. So how you manage permissions, how you manage policies, how you define guardrails, everything changes because you need to define those entities on this hybrid or two-headed creature, which is both cloud resources and code.

So again, infrastructure as code totally changes operations and security.

Ashish Rajan : So I’ve seen a few of your interviews and there’s this whole concept of third data center evolution as you’ve called it. What is the third revolution, I guess for people who don’t know?

Ohad Maislish: Okay. Yeah. So we often talk about the third data center evolution or the third cloud revolution. If we go back 20 years ago. And for the older people that are joining, I’m going to hide away. And you say all the people like, so, eh, not sure if you know, but like up until 20 years ago it was the cloud.

And then it was just physical servers, like. Yeah, Amanda, that you [00:04:00] install it, operating systems directly on the bare metal, usually Linux, but you had a room full of servers with Dell, HP, IBM, like boxes that you have in a room. Then came VMware and created the first revolution, which is virtualization, and totally changed how you operate those servers with another layer of.

And virtualization and consolidation much better service for your customers and upgrading memory, the CPU of a virtual machine without any downtime, zero downtime, and just move it to another physical server. And nobody knows. So that was the major first evolution. The second, obviously, is about 10 years ago, with AWS and the other cloud vendors, that you have stopped having those servers in your room with air conditioners. And instead you pay with credit card to this vendor called AWS, later Azure and GCP and others. And you pay as you go for different services. And by clicking buttons, you click [00:05:00] a button to create an EC2 instance, later GKE in Google, and AKS and EKS came later, for your own managed Kubernetes cost of several, a soundbite, whatever you need, just click a button and we’re going to be in it.

You get to give a source. Now, nobody’s clicking those buttons anymore, but instead engineers are writing, maintaining, and something executes that code, like Terraform, Pulumi, CloudFormation. So that’s the third level of the cloud, called infrastructure as code. Evolution that changes everything in operations and security.

Ashish Rajan : Interesting. So the use of IaC is considered revolutionary in cloud world, according to you, and any particular reason why?

Ohad Maislish: It’s again, that the new thing to manage combines, both code and cloud resources. Okay. So you need to make sure. That you need to make sure that your code is secure, that your code operates as it should. And you know, with costs, maybe you don’t just change some code and then it’s huge [00:06:00] cost implication.

It wasn’t like that before that, because usually your code was all about your application. Now it’s about your infrastructure. So it’s very dangerous to change that code. So you need a lot of governance. We say that customers always talk about, they want better visibility, predictability and governance when it comes to infrastructure scale deployments.

Ashish Rajan : Interesting. So would you say I guess the whole, what’s the word I’m looking for? It’s more template driven, like IaC kind of helps you to do that. You define what you want to want as an infrastructure. If you define what you want as policy and like you basically have, you know, exactly what you’re getting instead of to your point credit card.

I have no idea how many servers that were hard created. Instead of at least I have some visibility of it. Evolutionary

Ohad Maislish: It’s repeatable, it’s predictable, it’s auditable. And basically it’s un-scalable without it, because there are [00:07:00] two other shifts that happened in the last few years. You obviously know the shift from monolith to microservices, the shift to cloud native applications became much more complicated and it’s just impossible anymore to continue clicking those buttons and understand what you’re doing is you cannot manage that in scale.

So that’s why engineers started writing, maintaining that code, and Terraform is the de facto standard to do it. But there are those.

Ashish Rajan : There are, right. And for people who may not know what governance in cloud, because I feel like there are a couple of other aspects of governance, not just to this finance and security, but keen to know what does governance in cloud using IaC mean for you?

Ohad Maislish: So first of all, it’s all about developers. Okay. So you want to empower the developers as much as you can, but if you just give them full access, they can damage themselves. Okay. And they can just maybe test the wrong things. They can damage their colleagues and interfere with the environments of their colleagues and the most important they [00:08:00] can damage the service that their customers get if they deployed the wrong thing to do production.

Okay. So that’s governance to protect me from myself. To protect me from my colleagues. So to protect my colleagues from myself and to protect my customers and basically my organization from my mistakes. So how can I empower them with maximum freedom, but with low risk?

Ashish Rajan : So how does this scale? I’m curious to hear your side of the story as well. So you’re allowing to have freedom minimizing risk. So is infrastructure as code the only I guess, over here achieve this or are there like, I’m sure the other ways as well, but it, but to your point governance, is that like basically having the ability for developers to go that extra mile without feeling restricted?

Ohad Maislish: I think infrastructure as code is more technical. Well, okay. Like, let’s say Git for source control. It’s technical, and the governance, it’s another layer [00:09:00] on top of that. Okay. So let’s, I think Git is a great, great example because in Git you don’t have the concept of pull request. That’s a concept in GitHub, the concept of pull request in public.

You’ll have both freedom. Developers can develop, change their code in a branch, in a pull request. But before they merge the pull request, a colleague needs to approve it. Okay. So you have the workflow how to approve a change. And so you have this governance for changing code. So same goes here for changing cloud resources. What is the pull request of changing cloud resources? Because if you just have a GitHub pull request, you just see the change in code, but you don’t see that fact what’s going to happen if I merge it. So you want to perform a dry run, let’s call it the plan, and to make sure this plan is legit.

Okay. So then you have automatic validations on that plan. Worth mentioning OPA, Open Policy Agent. That is a very powerful mechanism that goes [00:10:00] over your code and your state plan to make sure that what you’re about to deploy complies with the rules that you defined in Open Policy Agent. So that’s how policy as code affects infrastructure as code to get the governance that you need.

Ashish Rajan : Interesting. One, because I’ve already explored the thing, why a lot of solutions have become developer first and keen to know I guess Env0. You mentioned this earlier as well. That it’s developers being able to go at speed without restrictions, while minimizing the risk.

So why a developer first solution? So I would think like a governance body in the company, security, finance, legal, those guys, right? Like why developer first?

Ohad Maislish: It’s always about developers. They are the one that needs to decide which architecture to use. Which service sales. I remember for the first time seeing GKE in Google, [00:11:00] before, eh, EKS and AKS.

Okay. So GKE was the first managed Kubernetes among those three big vendors. And then a lot of developers told their organizations, okay. It’s time to use GCP. Okay. Moved from AWS to GCP, moved from Azure to Can make huge decisions. So you need to put the right tools in the hands of developers.

I think it started, and I don’t know, 12 years ago. And with APM, like, eh, AppDynamics, New Relic, Datadog, that you want to make sure developers know about the performance and latency of their application, then it moved to security like with Snyk and, you know, shifting, shifting left security. And I think env0 is doing the same to cloud deployments based on infrastructure as code and how we shift left to developers to give them the right tools to make sure they can, you know, work as fast as they can while being secure. [00:12:00]

Ashish Rajan : I developers are the ones who are making money for the business. When you look at a business and people who are generating money, apart from the sales guys and girls bringing in more skills, it’s usually the developers who are building the features that gets sold, that the sales person can go out and sell.

So without that, I guess technically there is nothing to sell.

Ohad Maislish: Absolutely. You know, each company eventually has its competition. Okay. And how you beat your competition with a better product. Okay. So who builds the product? It’s not being built by magic, you need great developers. And I think by the way, Tesla is a great example of how they beat other car manufacturers that have been in existence for many years.

But the Tesla product is much better than so many other products. And I hope I will not make a lot of people angry at me, but I think what Steve Jobs and iPhone did 15 years ago is [00:13:00] that they introduced a much better smartphone on the phone than all others. And then Apple became, became huge again because they had the best product. It’s, you know, it’s about marketing as well and brand, and then the ecosystem and the API for developers. But the basic thing is the device that the product that people want to use.

Ashish Rajan : Well said, and I a hundred percent agree with you on I’m an Apple fan boy as well, which is why I’m totally on the Steve Jobs bandwagon.

I’m sure Android is the same as well, but we all know who came first. So I’m going to drop that ball there and move on before we will get angry conference in the VR Android users. Stop disrespecting Android. I do not mean disrespect to Android, but I have Android.

I’m going to hold off on that now. So, you know I’m glad you mentioned this to developer First definitely makes sense, but. How has governance and because I don’t normally see people relate governance and developers together. And [00:14:00] so why do you, so why in this layer? Cause why not say security?

And I think that’s kind of where I was coming through. I love the aspect that you’ve learned about developer first, because they’re the ones who are generating value and money for the company. So a hundred percent. For them to go. And risk-free so, because, and this is kind of where it goes, is it? Because IaC is primarily in their land.

Is that why that’s what’s driving governance?

Ohad Maislish: IaC is code code. The people who change code those are the developers. And this code is about the infrastructure. Okay. And in organization. Okay. An organization, although developers are super important in an organization, it’s not just, you know, it’s not just the developers.

You need to make sure that no damage is being done. And if it’s so easy to change the infrastructure, now again, you do Git Push, that’s it? Yup. What an organization cannot allow that every Git Push will be automatically deployed. [00:15:00] Okay. So, it’s not just to execute that code it’s to build a mechanism that makes sense for an organization to define which developer can execute, which code, and which cloud account associated with which cloud and.

You know, it’s what kind of policies I said. Okay. Is it okay to create new 20 EC2 instances, ec2 like huge instances or maybe it’s it’s too expensive. Is it okay to define this resource outside of the VPC? Or maybe it’s not supposed to be like that? Is it okay to execute it automatically?

Or I want a colleague to take a look and approve those changes. Is it okay to cross that budget? So, you know, it’s now more than just code. It’s how I operate in organization in a way that makes sense to, to move forward.

Ashish Rajan : So. Does IaC take away the responsibility of having some kind of an asset management.

Then I’m just trying to think, because you know how you mentioned [00:16:00] everything is code. We are in GitHub. I feel like there’ll be a lot of different kinds of code in organization. There’ll be Terraform code too.

There’ll be cloud formation. There’ll be something else. So is governance around that, more bringing that all up one layer so you could see what technology is being used and where it’s been deployed? Cause I feel like the governance is almost like, yes, IaC is great.

Helps me automate. I’ve automated how a developer can deploy I guess an infrastructure as code into my organization, but as a security person listening to this, I’m like, Hmm, that’s very interesting. So I may have Terraform, cloud formation. I see. Is there like a layer on top? That’s it for this

Ohad Maislish: Env0 that’s exactly that

Ashish Rajan : I did not intend to do there, but that was the best. I, I love what you did. You basically made me go down the parts where somebody is like, Hmm, I wonder what’s the problem here? And they’re like, it actually reminded me of someone else as [00:17:00] well. And Who happens to be the sponsor of the season

Hey, Ashish and Cloud Security Podcast listeners. Thanks for giving Axonius the opportunity to sponsor the show. Axonius does exactly three things: by connecting to existing data sources, Axonius gives customers a comprehensive asset inventory, both cloud and on-prem, it then uncovers security gaps, and finally it automatically validates and enforces policies.

Thanks again, and check us out. Awesome. Nathan does that really well? So I was like, Oh, I wonder this is a good segue to that as well, but so I’m glad I brought I was able to kind of spring up the problem as to, Hey, I’m a security person, or I’m a person who considered, because I feel like the reason I bought the Axonius Piece and they are sponsor, I love those people.

But that I love about the space we are in is that I have a security as a CISO. I have an asset management challenge. I have a challenge where I’ve got IaC now being developed to your point about the third data center evolution. And I’m looking at this across the board and going, okay. I have IaC with Terraform, IaC with [00:18:00] cloud formation.

Everyone seems to be coming to me and telling me I’m doing IaC. But I don’t know that it’s like that layer. So I’m glad we could come up with that thing, but in saying that actually there’s a question here from one of our regular listeners and a previous guest as well. Darpan can even take a step further by governing what services can even be used within the CSPM and by whom.

What are your thoughts on governance using cloud native services?

Ohad Maislish: Like cloud formation, for example, like for example, yeah. Okay. Again, at the end, a you need to, to build workflows. The cloud formation language, by the way, like ARM templates in Azure, is a single-vendor infrastructure as code framework that if you execute that code, the resources are being provisioned.

Sometimes you don’t want different types of services being provisioned, and you want to control, maybe it’s about cost. Maybe it’s about security. Maybe it’s about standards. Maybe it’s about [00:19:00] compliance licenses. I don’t know. It really depends what you want to enforce. Okay. Each organization has its own regulation on requirements. So if you want, you do sometimes cannot just tell developers, okay, develop whatever, whatever you want and provision it. So instead of limiting the clicks they can do in the cloud vendor, we now need to take it and associate it with code.

Okay. Like what kind of code can be executed and on which cloud account, maybe on the same code can be executed on one cloud account, but cannot be executed on a different cloud account. Okay. So it’s not just, I can execute that code. Maybe I need to associate what I can run. On which cloud account and the, which Valerie there’s values policies.

It’s all a matter of settings that you need to define and to make sure you’re not doing any harm.

Ashish Rajan : Interesting. And great answer again. Thanks for sharing that as well. I find it fascinating that [00:20:00] now we have landed on, we have different types of IaC challenges that come across in an organization.

I wonder in your opinion, as you are listening to this, you may be a startup. You may be a big enterprise or medium, small, medium size business. How does it play a role as you go from a startup to an enterprise? So I’ll be keen to know from you. The IaC started saying, can they start IaC as a startup? And that’s the good foundation, or it doesn’t make sense.

I’m just curious to know in terms of if I’m listening to this and on different company profiles, how would this kind of step by step, go from a startup to an enterprise and maybe some challenges that they will face as they go through this that you might’ve seen.

Ohad Maislish: So let’s talk about the journey. Okay. So the journey of the customers of implementing infrastructure as code always start with the first, they solves the first thing that you move from manual clicks to code, and maybe the new start-ups, you know, start fresh, start clean and [00:21:00] never have the cloud resources that was deployed manually.

Maybe the only thing they did is to provision or to create a new cloud account. And from there just executed code. Okay. So, and, you know, as I mentioned, the third evolution, so maybe 15 years ago, there was another question of, okay. I already have those physical servers in my server room. how do I migrate to the cloud?

Okay. And then, okay. What do you do with those old boxes? I do not need them anymore after two years of just provisioning to the cloud. So I think the same goes here. Probably most of the listeners today already have cloud resources that have been deployed manually by somebody you think about it and you still didn’t read it, scratch everything from code.

So it’s a migration and I believe we already have one or more infrastructure as code framework in the organization, probably Terraform, but again, other options as well. And as we all evolve and [00:22:00] progress. They see more and more provisioning of the new type of code execution and less manual clicks by a human. So I guess in two, three, five years, 99, or 100% of the cloud resources in that organizations would have been deployed, will be deployed from code. Okay. So that’s the journey and it depends not just about the type of the company, but you know, architecture, how old school kind of things they have the legacy and how their migration looks like, but the direction is clear.

No more clicking buttons, moving to code. I think we, Sylvia mentioned the word Pulumi, which is also interesting to talk about, and the new way to operate in cloud.

Ashish Rajan : Interesting. So do you see the IaC for lack of a better word revolution become a standard across the board for anyone doing cloud deployment.

Ohad Maislish: Absolutely. I see no way to avoid [00:23:00] it again with the shift to microservices and cloud native applications became too complicated to continue clicking those buttons anymore. Just too many types of services, too many small entities. And so you have many small entities of different types that you need to manage and you want to run fast.

And again, it’s like talking with somebody 15 years ago. Will everybody move to the cloud though? I use with the physical servers and maybe it stole the, they always say directly on the bare metal. So no, everybody moved to virtualization and to the cloud, even fewer customers are now often hybrid cloud.

So they have both their on-prem, VMware and their external AWS, a theirs. And so they use hybrid hybrid mode. So the same clearly. It’s not just me talk with any analysts or , any infrastructure dev ops cloud platform, cloud operation, engineer, same title, different title, but same, same day [00:24:00] job.

Eventually those people do is that they understand how to deploy to the cloud in the best way. That makes sense for the developer and for the organization and moving to the cloud. The question is not if infrastructure as code is happening. I think that the question is which infrastructure as code framework should they choose if I’m in AWS, they go cloud formation.

As you mentioned earlier or Terraform or Pulumi and then the question is okay. Have infrastructure as code in my Git repo. Yeah. So this is my Git. What is my GitHub? Is it Terraform Cloud or is it then env0? I think I know the answer.

Ashish Rajan : Yeah, I’m sure you do. I was going to ask because that comes across to me as well.

Last week when we had Kelsey, we were talking about this again over there and how. A lot of organizations, and this is something that I’ve seen. I hear a lot of, it’s becoming a spaghetti of different kinds of framework. And so I would have thought the solution would be kind of like what Darpan mentioned [00:25:00] earlier, where you basically know what you’re putting in.

And infrastructure is probably one way of doing it, where you have some code written in, which allows you. Okay. You can only use cloud formation. I’m just making up an example there, but it could be anything else.

I would have thought that things like this are more complicated when you are looking at multiple technologies across the board.

So one of the challenges, if I’m looking at IaC in my organization, no matter how big or small would the, would that be the different frameworks most that would be used. So is that a challenge that you see to the developers that you’re talking to with the companies that you’re talking to and. What other challenges do you see in this space as people are trying to make the decision for?

Oh, okay. So now you want to do IaC, great, but we already have Terraform that’s been used for so long.

Ohad Maislish: So usually companies know or make official decisions on what framework to use, but again, eventually developers have the [00:26:00] freedom to have initiatives and that’s why they start introducing new technologies. So maybe organization already has a lot of Terraform, but some developers in some groups decide that this new project they’re going to do in Pulumi. Okay. And nobody basically can tell them, no, you have to do it in Terraform. It’s not a black and white kind of thing. So sometimes you will have this enforcement and they will tell the developers: No, you cannot use Pulumi. We already use Terraform. You must keep using Terraform. But the truth is that eventually developers are the decision makers for the technology and the architecture.

And that’s why things naturally evolve and you’ll see different. And you know, like you have multicloud organizations now have multi cloud. You don’t have just AWS. For example, you have both AWS and Azure being used in a customer. When did it start like someday it happened when somebody decide, okay, I’m not going to [00:27:00] use a second cloud provider for their thing.

And I have a good enough reason and nobody can stop me. So same goes here with their multiple frameworks there. It’s going, there’s going to be a variety of frameworks. We already. Say that, I think it’s still early to tell who’s gonna, was going away the current winner is Terraform, but what’s going to happen in three years in five years.

Let’s see.

Ashish Rajan : Right? Well, so in terms of IaC it’s Terraform seems like Kubernetes is taking the other side of the battle where it’s the platform piece where for, as I’m going to court call the cloud Kelsey and other people as well, becoming more cloud native as well. So too, Add onto this. If we know, okay, we have defined it, we understand that there will be multiple frameworks that will be used as well.

How it’s more a cultural challenge as well then. So it’s not just the way we started before. It’s not a technology challenge. It’s also a cultural challenge as well, where people just accept the fact that yep. This [00:28:00] is happening. So we need to find creative ways that allow for developers to be able to continue developing without being blocked. And how do you do that?

Do you see cultural shift for the challenge as well as the company kind of grows?

Ohad Maislish: I think the first challenge, and maybe before I answer that you said about Kubernetes, Kubernetes is for sure the de facto standard for compute resources. Yes. Nobody’s using virtual machines anymore.

Obviously people still use virtual machines, but it’s, eh, reducing dramatically and it moved to containers and the standard to manage containers at scale in the cluster is, is obviously Kubernetes. So if you want a compute based resource and Kubernetes is for, for a few years now, the big winner.

Ashish Rajan : So people who may be listening to this and I’m going, Oh, that’s the IaC thing. Sounds good. And we were talking about challenges as well, and I feel like IaC probably to your [00:29:00] point, you can use terraform or any other open source tool out there to kind of learn it.

Where do you see it as a good point for people to kind of start learning about IaC and also maybe. How would they start with, like, it’s an easy step to start the governance pieces , of IaC for an individual who may be tied into this for the company.

Ohad Maislish: Ah, the governance. Yeah. So before that, you need to understand infrastructure as code and you need to write your first maybe Terraform code, provision a few instances. And if you want to talk about governance, so I think there’s two or three types of governance. Like how, how you do governance. So one is to use a solution that manages the role-based access and put things in the right context, like Terraform Cloud or env0. Another thing is to automate the policies.

So you have a policy as code. Okay. It’s important to understand that the scalable way to [00:30:00] do policies for infrastructure as code is with a policy as code engine mechanism. So I strongly recommend of what seems to be the standard, the de facto standard today to do so with Open Policy Agent. So go into open policy, and.

Right. You’ll fail. So the foods try to deploy something and is okay and see that you manage and you have success and you managed to deploy, but then try to deploy something that is not according to the Open Policy Agent rules that you’ve defined and see that it failed. And then take it from, from there because once you have great Open Policy Agent rules. And like a vibe variety of force.

And you can trust that. Then you can allow a lot of freedom because you know that those deployments make sense and will not harm you or your organization.

Ashish Rajan : And is there a developer friendly way of introducing this in the company if you’re not using this at the moment, or it’s a developer [00:31:00] friendly way that you recommend, like talk to them, give them a hug. And they, hopefully this works.

Ohad Maislish: I think communication, you know, the talking piece is always important. Transparency. Communication, but I don’t think this thing is too complicated. I think the culture thing that is complicated is early on the journey before the governance is when you maybe revoke direct cloud access from developers.

Again, when you move to infrastructure as code, you must make sure there is no drift. And the number one reason for drift is for people to directly provision cloud resources without changing code. So the first thing you’re doing in an organization that moved to infrastructure as code, so the cultural change, is to revoke the cloud access for developers and just give them read-only access.

It’s so big and painful and long-lasting process. Sometimes some companies just one, one day say, okay, forget about direct cloud access. But once you move to that direction and automate deployments, [00:32:00] and deployments are only being done by execution of code in your source control management system. Nakida then introducing Open Policy Agent as a process should be simple because it’s the same process for the developer.

It’s the same experience. They change code in GitHub. They change Terraform code in GitHub. But then sometimes this code is being rejected. Okay. And they cannot deploy it, but it doesn’t, they still do the same things pretty much. Okay. They just write code and try to deploy it. So adding governance with policy as code, I don’t think it’s the biggest cultural change.

The biggest cultural change comes before that when you move to infrastructure as code in general and you need to do the revoke with that. And what I recommend people that are doing this journey is to do it gradually. Okay. So at the beginning, let’s say you just revoke from them the RDS, the database, write access, and you force that RDS [00:33:00] deployments will be done using code execution, like Terraform execution of the RDS module. And then. You take to the next page VPC. Okay. You can no longer provision VPC by direct access to the cloud, you can just execute it, like take the rare cases and then move to the common case of probably changing your Kubernetes definitions.

Something that is being done quite often. So that might be the last thing that you do after each person already. So, okay. How I do things without clicking buttons, without opening ticket. How I do it myself by changing code, if I need a slice, like a small infrastructural change, so you can do it all at once, but I think there’s going to be backfire from the developers that would not like it.

So. That’s a lot of communication, a lot of transparency, a lot of great tooling to help the developers during this transition and gradually [00:34:00] revoke the cloud.

Ashish Rajan : It’s funny. When you mentioned this, it reminded me of a couple of big companies doing this already, well, obviously mature and have gone down the path quite deep, where it may come across as, what do you mean revoke access and read only permissions, but it goes a long way in going into that third revolution of cloud, where everything is.

In GitHub or GitLab or some form of Git and you have I guess a one source of truth instead of click ops where you have no control. That was a great answer. Keen to know from your side, where do you see this go as in, is there a fourth revolution for, or what, where did, where is IaC driven governance going?

Ohad Maislish: So I think infrastructure as code is still evolution is a fact. And I think the next phase is how, how I manage the workflows in our organization. And I think what we see a lot of companies do at the moment [00:35:00] is that they try to abuse their Jenkins, their CI, their CircleCI, either GitHub Actions in all the.

To manage that. Okay. And Jenkins and CircleCI are not built for infrastructure as code workflows. Okay.

They’re built for technical execution of, of jobs, not proprietary to understand. Okay. I have now a change in cloud resources that they do not have the concept of cloud resources and policies of cloud resources. They have a general approach on how to do things and their focus is to take the code and build from that great.

Binaries, like great Docker images, run unit tests, integration tests, test coverage, put it in Docker Hub and make sure that the CI makes sense, but then when you need to do CD, you can do it with Jenkins and execute Terraform apply in your Jenkins. But [00:36:00] again, it’s not scalable.

And once you have, 5,100, 200 different workspaces, you need to manage that at scale, you need to have day two operations on those existing cloud environments, you need to associate resources to a workspace, understand who did what on each entity, manage that in, in scale, and Jenkins, CircleCI and Actions do not suit that, that next level.

And that’s why you have Terraform Cloud. And that is now the most common solution for managing infrastructure as code deployments in a collaborative kind of way. And that’s exactly where also where Env0 fits as an alternative. So that’s, I, I’m a strong believer in infrastructure as code, and then to the next level of infrastructure as code management layer.

And I think that’s there. That’s the next step. How I, as a cloud operation team, can manage infrastructure as code deployments.

Ashish Rajan : And maybe [00:37:00] even multiple cloud environments as well, to your point earlier, maybe you’re talking about multiple languages, multiple frameworks, but then there’s also multiple environments that they have to work with as well.

So yeah. I love the answer, man. This was awesome, man. I thank you so much for sharing your story as well. I know it would not have been easy, but I appreciate that. And I’m really glad that I could have you here. We could explain to the problem as well, but for people who may be waiting to ask another question and maybe have a followup to this, where can they find you?

Ohad Maislish: My Twitter handle is dev ops and on our website, ENV zero and zero. Awesome. A

Ashish Rajan : And this podcast episode is obviously on the podcast platforms as well for anyone who’s still tuning in all the 50 or people that are there. Appreciate you guys hanging out and guys and girls hanging on with us and we will see you in the next one.

But if you’re here, if you liked the video, feel free to like the video. If you’d like to talk to you, you spoke about, but feel free to leave a review on podcast platforms or feel [00:38:00] free to subscribe to the channel as well. But until next time, thanks so much. Thanks for coming in, Ohad, it was really awesome.

Thanks man. Bye bye.
