Pancakes are Hot and so Is Immutable Security
Accurics sponsored this podcast.
Who doesn’t love hotcakes? And to make them right, you need to wait until the batter starts to bubble up before you flip them. Immutable infrastructure is also “bubbling up” these days, as many organizations make the shift to cloud native environments.
In this episode of The New Stack Analysts podcast, TNS founder and publisher Alex Williams served up pancakes with KubeCon + CloudNativeCon attendees who joined him for a “short stack” at the “Virtual Pancake Breakfast and Podcast.” Panelists offered their deep perspectives on what is at stake as immutable security and other related concerns take hold.
The guests joining the virtual breakfast were Om Moolchandani, co-founder and chief technology officer for Accurics, Rosemary Wang, developer advocate for HashiCorp, Krishna Bhagavathula, chief technology officer for the NBA (who also brought his own L.A. Lakers-branded spatula), Chenxi Wang, Ph.D., managing general partner of Rain Capital, and Priyanka Sharma, general manager, for the Cloud Native Computing Foundation (CNCF).
Immutable infrastructure is layer-centric. A traditional cloud native architecture in a public cloud environment, for example, might consist of a cloud layer, another Kubernetes layer on top of that and a service mesh layer, such as Linkerd. In some cases, an additional serverless layer may be added, Moolchandani said.
“All these layers are coming with immutability built into them as design. So, what does immutability in this context really mean?” said Moolchandani. “Fundamentally, what it means is that there is going to be a single source of truth when it comes to change management… And instead of people making changes directly into your runtime environment, they will be making changes using the single source of truth.”
Security concerns — and practices — have been forced to evolve. “People talk about the shift left mindset, and we have adopted that but, I’m not saying that we have solved all the problems,” said Bhagavathula. “I’m just saying that yes, security is definitely a first-class citizen or at least attempting to be.”
The underlying technology for security tools and platforms has seen much progress, yet the human factor, and policy challenges, remain a challenge.
“When I wasn’t necessarily using HashiCorp tools, as someone who was a systems engineer, I didn’t really know what was the consequence of let’s say, exposing an S3 bucket with metadata,” said HashiCorp’s Wang. “Policy is one of the ways that you communicate and you teach proper Infrastructure-as-Code, and by extension, immutability. I think that it’s a really great way to communicate what your organization is looking for [among those who are] doing Infrastructure-as-Code, especially when more and more developers are using and learning Terraform.”
The CNCF’s Open Policy Agent (OPA) is also increasingly playing an important role in addressing security concerns, including those relating to immutable infrastructure.
“I think OPA is one step towards the right direction… You cannot deliver assurance if you cannot measure something, and you cannot measure something that you cannot specify,” said Rain Capital’s Wang. “So, I think OPA and others — giving a static way of describing and stipulating the production environment — is exactly what we need for immutable security to happen.”