
Day Two Cloud 148: Understanding Cloud Security Roles And Responsibilities


If you’re a security or network professional wondering if your skills aren’t as applicable or useful when it comes to public cloud, don’t worry: they are very, very useful.

On today’s Day Two Cloud podcast we talk with Brandon Carroll on how to properly map traditional infrastructure and network security to public cloud deployments. Brandon has old-school networking credentials and is now deep in the cloud world as a Developer Advocate at AWS.

We discuss:

  • Carrying over on-prem security constructs to the cloud
  • Common cloud processes and where they need to be secured
  • Understanding shared responsibility between cloud customers and cloud providers and where those responsibilities diverge
  • Why cloud security defaults are better now, but still not enough
  • Best practices for cloud security
  • More

Tech Bytes: HashiCorp Consul

On today’s sponsored Tech Bytes episode we check out how Consul helps with network infrastructure automation, and dig into what’s included in the Enterprise version of Consul. Joining us today is Hari Sankaran from HashiCorp’s Consul product team.


  1. If you have traditional network security knowledge, it can be very useful to organizations moving to cloud.
  2. A great deal of your knowledge is transferable.
  3. The barrier to entry is not like it used to be. Create two accounts: one account to learn in, and one account to implement and test in. It’s not like trying to build a rack of 2500s and 1900s, or even getting GNS3 or IOU up and running, anymore. You can pretty much do it all now.

Show Links:

Brandon’s blog

Brandon Carroll on Medium

@brandoncarroll – Brandon Carroll on Twitter

Brandon Carroll on LinkedIn


This transcript is provided as-is with no error correction by humans.

[00:00:04.810] – Ethan
Welcome to Day Two Cloud. And today we’re going to talk to Brandon Carroll. Brandon is brand new at AWS. He just started recently as a developer advocate, and we are going to pick his brain on the security side of things, which has been Brandon’s bailiwick for a very long time. He’s got old school nerd, traditional networking credentials, and now he’s in the cloud world, deep in the cloud world, AWS. Ned, and what did you note from Brandon’s conversation?

[00:00:32.100] – Ned
I feel like there’s a very real concern from some seasoned security and network professionals that their skills are no longer useful, not applicable in the cloud. And Brandon has some thoughts on that. And the answer won’t surprise you that those skills are actually still very useful, very useful.

[00:00:50.530] – Ethan
The challenge just being mapping your old school thoughts about infrastructure to what that looks like in the cloud and how to do that properly. So enjoy this conversation with Brandon Carroll. And then stay tuned at the end for a HashiCorp Tech Byte. We’re going to be chatting with them about Consul Terraform Sync, which is super neat, I must admit. So stay tuned for that at the very end of this Day Two Cloud episode. Up now is Brandon. Brandon Carroll. Welcome to Day Two Cloud. And man, you’re kind of the new guy over there at AWS. Whatcha doing for the AWS folks?

[00:01:22.010] – Brandon
Oh, yeah, I’m as green as they get. I think it was around December. I’ve been there since early December, so I’m getting my sea legs now. I’m enjoying it a lot. I’m working with Builders, which is an interesting term, especially coming from my networking background. But I’m working with Builders to help with the cloud journey. Right. And just to kind of set what that means, I think a lot of times when I talk about AWS, you think of like developers, we’re developing some kind of app on AWS or a developer, and builder is kind of a more general term. So, I mean, you could think of it as you’re building an app, you’re building an architecture, you’re building a business. So Builder is really just a user. Right. So I look at it that way. But specifically, I’m focused on infrastructure security, that aspect of cloud. And it’s interesting that these days, mostly, I think because of my background, I’ve been just learning a lot, just trying to take it all in. And believe me, there’s a lot to learn. And I’ve really been trying to just draw some parallels between what I had been doing since the late nineties and today.

[00:02:36.060] – Brandon
So trying to figure out what that is, how to take what I’ve always done, just the firewalls router switches, routing protocols, all that jazz. And now look at this cloud world and say, okay, what am I doing here? And how does it all come together?

[00:02:58.290] – Ethan
Well, yeah, you said infrastructure security is the focus of your job. So scope that for us what is infrastructure security and the cloud world and what isn’t it?

[00:03:08.570] – Brandon
Yeah. So I think that there’s going to be a lot of bleed over, especially just because of the nature of using Cloud. Right. But in my mind, when I think about infrastructure security again, I just go back to what I had been doing for my whole career. Right. Start out as a networking guy, get asked to throw a firewall up and protect the perimeter of our network, and all of a sudden now that’s infrastructure security, I’m protecting the infrastructure. That’s not all of it. Right. It’s not just firewalls. I mean, it’s things like VPN and encryption and switches and port security and identity management and controlling all that stuff. I think that for me is what infrastructure security is, which really does kind of carry over to cloud. A lot of those are just concepts that are just very much the same, even the terminology. But I think what it’s not is when you get into the developer side of things and then you start thinking about developing secure code and all of that, that’s not to me, infrastructure security, I don’t do any of that. I’ve never picked that up in my career. It’s never going to be right there with what I’m doing.

[00:04:21.720] – Brandon
So it’s sort of a separate topic in my opinion.

[00:04:24.540] – Ned
Right. We had Tanya Janca on recently to talk about AppSec or application security. And it sounds like to a certain degree, the infosec part that you’re talking about is the complement to what she includes in her AppSec definition. So the things that don’t fall under her umbrella would then fall under yours. Now, in previous discussions that we had, you were working on a project and you were thinking about security roles and responsibilities. And I think we had a pretty well defined idea of that when it came to on-prem and the way we delivered it there. But obviously moving to the cloud and introducing developers to infrastructure and those kinds of things, that changes that role matrix a little bit. Can you lead us through your thinking and sort of set up the discussion around that?

[00:05:14.030] – Brandon
Yeah, absolutely. It’s interesting. Right. Because in my role as a developer advocate, I’m trying to look at the developer, the builder and figure out, okay, what are you trying to do when you’re moving to cloud or when you’re adopting Cloud or when you’re just getting started in cloud. What are you trying to do and how can I fill any gaps that might be there? And I think a lot of that came from me going through and learning and saying, okay, well, this didn’t sort of make sense to me because there’s a gap here. Let me fill that gap. And so as I start looking at this, I thought, you know what the first thing that’s really hard for me as a networking security guy that’s moving to cloud is there’s over 200 services, what are they for? What are they for and how do they apply to what I do, what I need to do? Right. Where does my infrastructure security come into play with any of these services? So that was my thought is, okay, well, first off, let me just start putting something together that explains in my eyes the different areas of network security tied to these services and which ones you would be touching and maybe which ones you won’t or you won’t see as often.

[00:06:40.430] – Brandon
And then once I paint that picture of what’s there, then it’s just a matter of now Where’s the best place to get started with these if it’s day one and it’s, hey, bring up an infrastructure and make sure that it’s secure. And so that’s really what my goal was in this process.

[00:07:00.590] – Ethan
When you say make sure it’s secure, if we’re still thinking in terms of defense in depth, you’re talking about, there’s a layer here that an infrastructure oriented person has some Dominion over, but that doesn’t make it a secure application. It means there’s been a layer put in that is going to help things, but there’s going to need to be more security up the stack, right?

[00:07:24.450] – Brandon
Yeah, absolutely. Right. It’s a layered approach. One of the things that we have, AWS defines a, well, architected framework, and there’s a security pillar of it. And I know we see that a lot. You can go to a lot of vendors and then they have architectures and they show how security fits into it. But security is this piece that really just got I guess it’s got a vertical or you can go kind of up the stack of all these security services, but it’s also got a horizontal because it covers the whole gamut of everything.

[00:08:01.270] – Ned

[00:08:01.480] – Brandon
There’s got to be security everywhere when you go into defense in depth. Yeah, I guess we could look at where you’re coming from in the network, because if you’re the person that’s asked, hey, go implement a cloud solution for me, and you go to AWS and you say, okay, I’m going to create an account, and then I’m going to bring up something. What do you do? Well, I think most of the time, or at least what I’ve seen is, okay, we’re going to bring up an EC2 instance. We’re going to bring up a server in the cloud. Right. Okay. So here’s an EC2 instance. It’s a server. Well, I’m a network guy. I don’t lock down servers. Right. So what am I supposed to do with this if that’s the first step that I’m told to do when I’m experimenting with cloud and learning cloud is bring up this instance, what do I do from an infrastructure perspective?

[00:08:54.650] – Ethan
Whereas back in the day you would have said, I’m going to put an ACL on a router or I’m going to put up a firewall and I’m going to filter packets, going to and from this device, I’m going to build the DMZ maybe and do more filtering, I’m going to do some logging and so on. Now it’s like, okay, if I don’t have those constructs because cloud, what do I do? How do I properly map? There’s not a one to one mapping, is there, Brandon?

[00:09:19.670] – Brandon
I wouldn’t say one to one mapping, but like I said, a lot of those concepts and those ideas, they hold true, right? So if you said, I’m going to build a DMZ and I’m going to put some ACLs and I’m going to do all this if I started from scratch and I said, okay, I’m going to build out my network and I’m going to rack this gear and I’m going to connect all these switch ports and I’m going to end up routing traffic. I mean, there’s still an architecture like that, like that logical architecture of traffic coming from the Internet making its way through my devices and to my server. Same concepts still apply, right? Traffic from the Internet makes its way to my EC2 instance at some point, and there are layers in between there. And that could be a firewall, it could be a web application firewall, it could be a network firewall, load balancers in the middle there. I mean, all that stuff is still there. It’s just abstract. It’s like logical because you’re just clicking a button and spinning it up. So all those concepts still apply, I think, but they just look different because oftentimes just the nature of the cloud, you don’t rack and stack it.

[00:10:33.810] – Brandon
You don’t see the racks, you don’t see the top of rack switch that everything connects up to. You don’t look at any of that stuff. You don’t even hand a network drop to somebody and say, here, connect your server to this. You don’t do that. Right. You’re drawing lines. It’s more like networking by Visio. So it makes things a little bit different. So if you’re an old timer and you’re just set in that infrastructure way of building data centers and stuff, it can be a little bit scary or overwhelming to say, okay, I’ve got to take on all these new concepts, but when you really boil it down, it still looks the same.

[00:11:11.810] – Ned
Right. So there is the shared responsibility model that I know AWS brings up, as well as other cloud providers, and that’s specifically what are you responsible for as the consumer of their service? And then what portions are they responsible for on their side? And the delineation seems to be they’ll handle the physical layer of things, but then anything above that line, roughly, that’s your problem.

[00:11:38.730] – Brandon
Yeah, I look at it like this, there’s security of the cloud and security in the cloud.

[00:11:47.940] – Ned

[00:11:49.230] – Brandon
Right. And you can look at those as being two different things. So securing the cloud, the architecture, the stuff that’s all put together that you’re going to be bringing these services up on, that’s where the AWS responsibility is. But security in the cloud, once you start implementing your services, put your servers, your databases, you still have the same controls that you would have if you were to bring that database up on-prem. So it makes sense that you would still be the one that would secure those things, make sure that you’re using your secrets and you’re protecting them and all that type of stuff.

[00:12:28.110] – Ned
This was always kind of true on-prem, but I think Cloud brought it to the fore is we used to have this mental model of the Internet is untrusted. I don’t trust that. I can’t trust that traffic that’s coming in from the Internet. I need to put that in a DMZ or something. I need to filter it. I need to be careful. But traffic that’s coming from inside my data center, that’s probably fine. I’m not going to put a firewall between all these different segments of my network, or at least most organizations didn’t. In the cloud, you no longer can assume that all Internet traffic is bad and everything that’s coming from within your VPC, let’s say, is good. And it’s harder to cover all the different ways that you could get traffic into one of your applications, especially if someone just stands up a thing with a public IP address. So how has that changed your thinking in terms of where the security controls need to be?

[00:13:18.710] – Brandon
Yeah, I think. I still think the same. I think block everything and start permitting what you want to allow. Don’t just open things up wide. So I think that’s why I’m just going to go back to when I was doing a lot of firewall implementations and you would set up some NAT rules on a firewall and you had machines on the inside and they can make outbound connections. But the default of that device was if it wasn’t an established connection and it was external, you don’t allow it back in. If you did, then if you wanted inbound traffic. Now you’re talking about doing access lists and back when you’re doing statics and conduits and whatever you had to do back then. Right. So I still look at it that way. Right. So if you have a VPC like your network in the cloud and you have subnets within that VPC, they’re either going to be private subnets or public subnets. And if you start thinking that way, okay, public subnets, I’m assuming that public access is there. I’m going to see traffic from the outside and then private subnets, not so much. Now there’s a delineation between the two and you can start thinking about what you can put in the middle of those when traffic needs to go from the outside to the inside.

[00:14:45.490] – Brandon
Could it be a firewall? Could it be a WAF with some load balancers and whatever the case may be. Right.

[00:14:53.340] – Ethan
So you still like a central device that is acting as a traffic cop between zones, which doesn’t mean this would be in addition to a zero trust philosophy, let’s say, because that seems to be all the rage. We’re going to be doing something that’s zero trust. We’re going to have some kind of filtering admission, control, security posture evaluation on an ongoing basis, and then pushing rules on maybe a host by host basis from some central policy. But there’s still in Brandon’s mind a place for that traditional firewall, if you will, that is doing some kind of filtering from a central point, which maybe a sidecar proxy is the closest thing we have. That would be analogous to it in a modern infrastructure.

[00:15:44.790] – Brandon
Yeah, but again, you talk about layers, right? So you can still have access lists, and then you go out from an access list to a security group and expanding further out. If you’re moving from a subnet to get outside, you have NAT gateways, we have NAT gateways. And traditional networking got to have that state. Yeah, right. So like I said, it looks different because I think a lot of us were used to command line interface, and we had our nice Visio diagrams of a network, and we could easily track point A to point B and hop by hop or hot by hot, I mean, that’s routing, right? And so we look at that and it’s easy to see where all these things are and where these controls are. So for me, when I look at that and how I’ve always thought about networking and securing my infrastructure, and then I go to Cloud and I see it looks different. Diagrams are done a little bit differently because it’s almost like things are kind of nested inside one another. So in my mind, as a traditional networker, that doesn’t easily translate a layer.

[00:17:03.910] – Ethan
Of services that have been service chained magically through the cloud without you having to stitch it all together somehow or another.

[00:17:10.540] – Brandon
Yeah. But once you start peeling that back and you just look at a layer and figure out how does this layer work? If you break it down, get all the way down to a subnet level and an instance that’s deployed in a subnet and it has an address in that subnet, and it has a gateway in that subnet, and that gateway has a routing table. I mean, it’s all the same. It’s not as scary as a lot might think.

[00:17:41.190] – Ned
Getting back to the conversation around roles and responsibilities, I want to focus in on that a little bit, because typically when someone has to build something in the cloud, they might not be the networking team, it might be someone who’s more on the ITOps server admin team, or it might just be a developer that’s like, oh, I have a credit card, I can swipe it and build it. Whose responsibility is it to secure? Like starting from maybe the account level down to the VPC down to the individual instance? Whose responsibility is it to make sure that that stuff is being secured properly. And how do you even track that?

[00:18:20.490] – Brandon
That’s the million dollar question. Right. Who owns this? And I think it’s different depending on I think the organization. Right. You look at like gigantic organizations and they have teams that do this, and there may be a little more clear division of who is responsible for certain things. You have a server team, you have a network team, you have a security team, infosec, whatever. That’s a little bit more clear. One of the things I think is really interesting with Cloud is how it’s enabled so many people to take advantage of things that they would never have access to to build their business on. Right, right. And so any developer start up, you know, someone with a great idea can, like you said, swipe a credit card, can create an account and go. Now it gets interesting because their background is probably going to dictate where they start. If they’re a developer, they’re probably going to be more concerned or more inclined to say, how am I going to get my server, my database, my application up quickly and go and all the plugs in between and all of the security in between, that’s probably not their expertise.

[00:19:50.190] – Brandon
And so I think one of the things that’s neat with Cloud is these services that are based on best practices that do a lot of that securing for you to bring up an application quickly. That’s pretty interesting, especially if you’re that small developer, a startup company, one that doesn’t have a lot of resources, makes it really easy to adopt Cloud. But then there’s still that kind of gap of what is there, and how do I know that it’s secure?

[00:20:22.830] – Ethan
Well, if you’re a startup with the developer who swiped a card and security is not your expertise. Okay. There’s a lot of complexity to IAM, for one thing, let alone just fundamental security architecture. So do you bring in a consultant then? Is that the right thing to do?

[00:20:42.670] – Brandon
I think scale is probably going to be a factor in that decision. Right. I mean, you can implement like, I think like Lightsail, you can bring up a WordPress site or your database. You can use Lightsail to do that. And it’s a couple of clicks, and it builds that architecture out for you, and it follows best practices, and that’s great. And you can start your business on that. Do you need to contract somebody in to look at the underlying architecture in that case? No, probably not. Yeah.

[00:21:15.080] – Ethan
But it’s always the thing of how much growth are you going to do? And do you have an infrastructure in place that you can grow into as opposed to when you’re going to grow out of? And then it’s a painful process to re architect it so that it’s actually something good.

[00:21:26.320] – Brandon
Right. And so that kind of leads into the one there’s a marketplace. So you can make use of things in the marketplace that you might be comfortable with using already. There’s a partner ecosystem, so you can make use of partners to help with that. But yeah, it could be at the point, depending on your size and your growth, projected growth, that having somebody help out wouldn’t be a bad idea. Cloud’s made a lot of these concepts easy to implement, but it doesn’t mean that those concepts under the hood are easy to understand. Right. I remember talking a long time ago, Ethan. Maybe it was us at a field day. I think the conversation came up a whole lot when we were starting to talk about automation and all of this stuff. Well, where does the network engineer go? The person that spent all these hours figuring out how these protocols work and all the timers and all of these things, knowing these things inside and out, and how this protocol interacts with this protocol and how they’re on different devices, different vendor devices, how they interact differently with one another and all of that stuff?

[00:22:49.690] – Brandon
What happens to all that knowledge or Where’s the need for that knowledge once things start to become automated and once you can just click a button and boom, the network is deployed. And the way I see it, that knowledge is not wasted. That knowledge can still be put to use. And I think it’s just size.

[00:23:10.840] Right.

[00:23:11.330] – Brandon
Having that knowledge of how all these protocols work probably isn’t going to help. If you’re just buddies with an independent developer that’s bringing up a single site and just using some of the managed services to do it, you’re not going to be much help to him because it doesn’t just fit together. But there is a space where professionals that have that knowledge are still necessary, like you said, especially when there’s growth involved, you think there’s going to be growth. You need to build it right from the start, and you need somebody that’s got an understanding of how these things work together and where to start. Really. Right. Identity management and the policies there, and not just thinking about the infrastructure. Right. But just gaining access to this stuff. Who gets access to it? How do we control that access, that type of stuff.

[00:24:05.740] – Ned
Right. One of the things that Cloud introduced that we didn’t really have on Prem was a common control plane where you were able to interact with all these different services invoke them, delete them, make changes to them, and so that makes security of that control plane incredibly important. And I wonder whose responsibility is it to make sure that that portion of things is secured properly?

[00:24:35.030] – Brandon
Yeah. The control plane portion, specifically. Who’s responsible for that?

[00:24:41.670] – Ned
Yeah. Because if you don’t lock down proper roles and permissions in the IAM side of AWS, then someone with you didn’t want to be able to edit your VPC could go and add a subnet provision, Elastic IP, and you’re like, hey.

[00:25:00.340] – Brandon
No, yeah, I think that the responsibility ultimately falls on the account owner. Right. The person that opens that account. Because when you first create your account, you’re creating a root user. And so I think from the very beginning, it’s really important to look at those getting started documents, look at those best practices and follow them. Really follow them. I think for me, when I go into a lab, it’s real easy to go, oh, yeah, I normally would do that if this was a production network, but because I’m just messing around, I’m going to skip this step like MFA, right. Maybe I’m not going to do MFA just because if this is your organization account and you’re the first person to create it and you’re that root user do those things, even though it may seem like it’s like this extra step that’s going to make it, next time I log in, I got to have an MFA token and I got to put that in. Okay, yeah. But that’s how you start. The right way is you just follow those best practices. I think that’s where it falls ultimately is the account owner.

[00:26:28.410] – Ned
One thing I’ve noticed, especially over the years of working with Cloud, is the defaults on a lot of the services and even just the Wizards, when you’re setting up an account or something like that, they have really tightened up the security around those things. And it used to be the old Microsoft approach. I hope Microsoft doesn’t dig me for this, but it was like, we have everything open because we don’t want anything to get in the way. And now it’s more, no, we’re going to be deliberate and make sure things are locked down so that you can’t come back to us in six months and be like, well, you didn’t secure my stuff, right? Like, no, we made every effort for you to deploy it securely, and if you chose to make something insecure, you had to do something.

[00:27:13.110] – Brandon
One of the things I think is really interesting, at least from the AWS perspective, is that AWS is just obsessed with the customer. That is at the foundation of everything we do, right. And so being customer obsessed means that when it comes to your services, they’re iterative. You’re taking that feedback from customers, what’s working, that type of stuff, and then you’re iterating on those services to make them better. And if you were getting emails on stuff that’s being announced, new services, new features, all these updates, I mean, it’ll flood an inbox because it’s constant iteration, making things better for the customer. And I think that’s where those defaults in the cloud, they are getting better and they continue to get better because the customer is what’s important. I don’t think from just my personal perspective, being a customer myself to anybody, I don’t expect whoever I’m getting a service or something from, I can’t expect them to do all of the work for me. There’s certain things that I know I’m going to have to be responsible for. That’s anything, like buying a car. Right. I go buy a car from a dealership, and I expect that thing to work and have controls that are safe for me.

[00:28:47.050] – Brandon
But I don’t expect them to drive the car for me.

[00:28:49.820] – Ned
Not yet.

[00:28:50.980] – Brandon
Right. Yeah. Again, I’m dating myself. Right. If I’m a little younger, I’d probably say and I expect them to drive the car for me. But that’s how I see this. Right. Is all of these mechanisms are put into place that are going to provide the best environment right now. And then on top of that, the other things you do you’ve got to be responsible for.

[00:29:21.030] – Ned
Right. You get in the car, if you don’t buckle your seatbelt, it’s going to ding at you until you buckle your seat belt. But all the airbags are there. All the other safety crumple zones and whatnot are there to help you in case you do get into an accident. In the same way those same security features are available, some of them you have to avail yourself of, but you’ll have something dinging in your ear going.

[00:29:42.610] – Brandon
Hey, you should turn that. Yeah. Isn’t that like a best practice? Put your seatbelt on the controls there. The seat belt is there. And you even get a reminder that thing dinging at you follow best practices. You don’t have to do it.

[00:29:58.930] – Ned

[00:29:59.440] – Brandon
But usually works out a lot better when you do.

[00:30:02.320] – Ned
Yeah. And some of this knowledge in these defaults has really come from what you were kind of mentioning before, the people who have the deep knowledge, who become subject matter experts in whatever it is. That knowledge is now enshrined in how something is deployed or in a template that you would use. I’m going to throw this idea out here, and I just want to get your reaction, your thought, to it, because we’re now able to ensure and create and collect these templates, the need for as many subject matter experts on a particular subject has decreased. But I think at the same time, you made the point that so many new services exist that we actually need more SMEs than ever, but in a much more disparate field of topics. What do you think about that idea?

[00:30:55.780] – Brandon
It sounds great when you put it that way, Ned. All these experts in whatever field they’re an expert in, the thing that they have in common is that they have proven that they can figure things out. Right. And that’s what it is to me. Right. So you still use that expertise. You spread it out. It doesn’t matter. I do like the way you put it, though, Ned.

[00:31:34.650] – Ned
There’s a place for everybody because we keep making more stuff.

[00:31:38.270] – Brandon

[00:31:42.430] – Ethan
Well, Brandon, if you were to give us three takeaways things to remember from this conversation, what might those be?

[00:31:47.420] – Brandon
All right. I’d say the first takeaway is that if you’re that traditional networker, traditional network security person, if you’re that expert, the skills that you have are still very useful today to organizations that are moving to cloud, even to organizations that are already cloud early adopters that are continuing to adopt new services as they become available. All of those fundamentals that you have, all that expertise that you have, that’s still great to have, don’t ever discount that. That’s one thing I would say. I think another thing is that and it kind of goes with what we’re just talking about, right about being an expert is proving that you can figure things out. A great deal of your knowledge is transferable. So the concepts are very similar. Even though they may look, just glancing at a traditional network architecture versus a cloud network architecture may look a bit different. A lot of that will transfer over. You got to peel back the layers. And for what doesn’t, if you’re an expert, you’ve already proven that you can figure things out. And then the third thing I think is super cool, especially for people that are learning, that barrier to entry is not like it was when some of us got started in networking, trying to figure out how am I going to get a hold of a couple of 2500s and 1900s and rack up a network here.

[00:33:36.790] – Brandon
It’s not even like getting a license for an emulator, whatever. It’s not that anymore. It’s create an account and there’s free tier. Man. Just thinking, if I had all that available to me back then, I know I spent a lot of time in front of a screen back then, but yeah, it would have been amazing. The things you could learn when you have that available to you, it’s there. So there’s just not that barrier of entry anymore. You can pretty much do anything now, Brandon.

[00:34:21.010] – Ethan
You’re a social person. You’re out there on the Internet. How can people follow you, contact you, read your blog, anything you want to pitch?

[00:34:26.460] – Brandon
Oh, yeah. So my blog, I’m pretty much talking about learning there. That’s where I talk about that type of stuff. Started putting some more cloud specific stuff on Medium so you can poke around and find me there. Twitter, obviously. I’m still on Twitter. I joined Twitter in 2008. I think I looked wow at Brandon Carroll. LinkedIn is a good place as well, and those are probably the easiest ways to get a hold of me.

[00:35:01.580] – Ethan
Perfect. Brandon, thank you for spending time with us today. It’s fun to catch you as you’re just entering your AWS journey, not as a user, but from the inside and to get your take on it and what’s going on and watching you map your mind from old school to this is how we do it in 2022. It’s been interesting to listen to your take on all of this. So again, thanks very much for spending time with us today. Virtual high fives to you out there for tuning in because you’re awesome. If you have suggestions for future shows, guests you’d like us to interview, we’d love to hear all of those things. You can hit Ned and me up at day two cloud show on Twitter, or if you’re not a Twitter person, go over to Ned’s website, Ned He’s got a contact form there you can fill out and let us know that way. Now, don’t hit Skip on your podcast player yet. Up next is a Tech Byte with HashiCorp where we’re going to discuss Consul Terraform Sync, some really intriguing infrastructure automation with CTS and a cool conversation. So stay tuned for that.

[00:36:01.710] – Ned
Welcome to this sponsored Tech Byte from our fine friends over at HashiCorp. This is the second Tech Byte from HashiCorp around their Consul product. Last time we learned about the many challenges that Consul is trying to solve for cloud practitioners like you. Today we are going to narrow our focus to check out how Consul helps with network infrastructure automation and dig into what’s included in the enterprise version of Consul. Joining us today is Hari Sankaran from the Consul product team. Hari, welcome to the show. Last time we chatted with Van Fan and got a good grounding in what Consul is and the challenges it’s meant to solve. One challenge that we didn’t get to elaborate on too much was infrastructure management and automation. Can you describe the challenge or multiple challenges behind managing infrastructure in a cloudy world?

[00:36:50.370] – Hari
Absolutely. First off, Ned, Ethan, thanks for having me. Pleasure to be here. Huge fans of this podcast. So I know it’s no news to the audiences that cloud adoption is maturing. It’s about day two, not just day one, which means our customers are moving more, adopting at an industry level for the cloud, and they’re scaling with a huge focus on business value through all this. So what that means is that they need unified interfaces, control points, whether it be for security, app deployment, infrastructure as code, or networking. I know we’ve talked about Consul platform as the control point for the service networking. It’s all about a lot of the zero trust and other important business challenges. What makes Consul unique is that it is the only service networking platform out there that also solves challenges related to day two infrastructure automation. So to answer your question more directly, Ned, I think the biggest challenge is achieving a repeatable deployment lifecycle through automation. Again, this is well solved for day one and is realized through infrastructure as code platforms. But day two is a little bit harder because when it comes to infrastructure automation, networks and security Ops teams rely mostly on ticket based workflows to execute those updates and changes, which means it’s manual and it’s ripe for human driven misconfigurations.

[00:38:16.620] – Hari
It adds overhead and time. And so I think Consul Terraform Sync, which we can dig deeper into, is uniquely able to solve for this business challenge and the workflow.

[00:38:28.710] – Ned
I’m laughing a little bit to myself because I think I deployed this beautiful, pristine infrastructure for you people and then you went and ruined it with all your manual processes.

[00:38:39.810] – Hari
Exactly. You’re absolutely right.

[00:38:41.810] – Ethan
So, Hari, I want to dive into what we mean by infrastructure here because it can mean a lot of different things. Networking, storage, compute, et cetera. How does Consul help out with automating and securing my infrastructure? If you wanted to define that for us and dive into it?

[00:38:54.940] – Hari
Yeah, 100%, absolutely. And it’s specific to infrastructure automation. Consul, together with Terraform, is able to act on any type of infrastructure, whether it be compute, networking, or security infrastructure that needs to adopt the same pace at which applications are changing.

[00:39:12.010] Right.

[00:39:12.200] – Hari
That’s the cloud world that we all know of. So dynamic infrastructure needs dynamic provisioning, security, networking, Consul and Consul Terraform Sync is able to solve for this. So, for example, Gartner has stated that through 2023, firewall misconfigurations are projected to cause about 99% of the firewall breaches. So on the flip side, transitioning the operators from having to manage each request to change manually, but moving that to overseeing CTS automated workflows actually bolsters firewall security.

[00:39:49.230] – Ethan
Okay, so you said dynamic infrastructure. That’s part of the tagline here. Does that mean it’s got to be cloudy infrastructure with an API and so on? Or if I’m still partly in a data center and maybe I’ve got some of that icky metal that’s doing the firewalling or the routing. Could those play in a scheme like this as well?

[00:40:12.280] – Hari
Yes, absolutely. I think Consul is unique in the sense that it is multiplatform. Our binary software can go into bare metal, VMs or any form of infrastructure. As part of me that’s out there. And Consul is able to find services that exist in any of these platforms. And the reality is that enterprises are a lot of them are brownfield. Right. Like they have on-prem hybrid cloud. I know you’re laughing because you know this.

[00:40:46.950] – Ethan
Some of them are brownfield. No, dude, they’re all brownfield.

[00:40:50.610] – Hari
Yeah. Bachelor’s words there for sure. All of them are brownfield and hybrid. Right. So there is a lot of the layer three four equipment out there that is network security. Very important, fundamental piece to how enterprises operate. Right. But Consul is absolutely able to, especially with Terraform, provide infrastructure automation workflows for that as well.

[00:41:15.040] – Ned
That sort of gets to the heart of a question I had in the back of my mind, which was, as far as I know, Consul is able to do service discovery and it can help establish your trust and all those kind of good things. I don’t remember it actually being able to go out and manipulate endpoint devices and stuff. So it sounds like that’s where Terraform comes into the equation.

[00:41:34.770] – Hari
Yes. And I listened to the episode of The Band and you mentioned you heard about key value storage as well. And those are definitely what Consul has been used for. But I think the first thing to your point, Consul, does really well and is very well known also in the market is for the dynamic service discovery, right. Which is including a real time catalog of all your services, regardless of where they exist, your point, their health, and all the important metrics. So you take this fundamental function, it lends itself to two very valuable use cases. One is a service networking service mesh, that touches on zero trust requirements, et cetera. And secondly, you use the same service discovery function to provide network infrastructure automation that I can dig deeper into. At the heart of it, CTS is simply combining Terraform and Consul functionality to eliminate those manual ticket based systems that we talked about. Whether it’s on-prem or cloud, it’s broken down into two parts. For day zero one, teams use Terraform, they can quickly deploy network devices infrastructure consistently, and they can reproduce it. Once that’s established, teams should manage day two automation tasks by integrating the Consul dynamic catalog into a Terraform workspace with the help of CTS.

[00:42:56.080] – Hari
So if you think about it, when a change is recorded from the application level in Consul service catalog, CTS triggers a Terraform run automatically to automate the infrastructure, whether it is load balancers or firewalls or any other service defined networking components.

[00:43:14.910] – Ned
I can draw a parallel to some of the ways that Kubernetes works. When you spin up a new service and a pod dies in the background, it automatically knows about that and it’s able to stop sending traffic to the dead pod. And when the new pod comes up to take its place, all right, I’m going to start sending traffic to that new pod. But that level of automation doesn’t exist, generally speaking, out in the larger networking world, that’s confined to the Kubernetes cluster. So CTS kind of gives you that same ability to a certain degree outside of the cluster. But what do customers need to adopt Consul Terraform Sync?

[00:43:50.490] – Hari
That’s a great question, actually. Also, it’s very simple. As the name indicates, you will need Consul to do that real time service discovery, and then you will need Terraform for the infrastructure as code, you install one extra binary called CTS, which brings them both together. So in a sense, Consul becomes a source of truth, if you will, right. It understands the health of all your services, and Terraform becomes the executor of all the changes to the infrastructure based on changes at the application layer. And for that to work Terraform to beat the infrastructure, obviously you will need a Terraform provider office. We know that thousands already. And so the only other piece that you may need to build is what’s called a CTS module, which defines exactly what the CTS binary will monitor and execute. Right. Even that, we have plenty of those modules out there. In fact, if you go to Terraform registry and just search for NIA. It will automatically pull up a lot of the ecosystem CTS modules that exist already from Cisco, AWS, Palo Alto, F5, and many others. And practitioners can also build their own CTS module. I’ve built one already few, and it’s very easy to do.

[00:45:02.760] – Hari
And I’ll provide some links on how practitioners can do that.

[00:45:08.000] – Ethan
Hari, is this sort of a self contained pipeline for infrastructure as code? It feels like it’s all been baked in.

[00:45:13.760] – Hari
Here. It is. I think HashiCorp has that advantage because we can do the service discovery, service registry with Consul and we can do infrastructure as code with Terraform, it was really bringing those two together. So it basically is all baked in.

[00:45:32.860] – Ethan
All right, I can get Consul and Terraform. There are free open source versions that are available to me. What about this CTS component we’ve been talking about? Is that also free and open source, or is there a cost for that?

[00:45:44.730] – Hari
No, it is also open source. It’s another open source binary that you will download and install, and you just provide access to your Consul and Terraform deployments and you can get up and running. So really, no cost other than the infrastructure needed to run that binary.

[00:45:59.670] – Ned
How about okay, you guys got to stop giving all the stuff away from Frank. Don’t get me wrong. I’m not complaining. I like using it. But I imagine you want to get paid for something. And I know that Consul does have an enterprise version, so maybe we can switch tracks a little bit and talk about Consul Enterprise because I’m curious, what is included in Consul Enterprise that fills out with some additional bells and whistles? What’s already included in the open source version?

[00:46:28.570] – Hari
Yeah, absolutely. This is how we survive, obviously. And it’s true for all HashiCorp products, right? Basically, Consul Enterprise specifically addresses a lot of the organizational complexities, typically that’s around collaboration. How do you operate on that scale and how do you govern all this? And so that’s really where Enterprise adds a lot of value. If you think about scaling, you want to make sure it’s resilient and you want to have multi tenancy capabilities. Pretty much every enterprise out there has a dev, test, prod, and then they have multiple different organizations. And so multitenancy is very important and then simplifying your operations. And even if there are some customers that I don’t have very complex architectures that requires enterprise. And I’ve already mentioned governance and adding policy on top of all of this. Those are some really good places where Consul Enterprise can help.

[00:47:28.930] – Ned
Okay, so if I’m starting to hit these limitations or need these additional things, Consul open source might not be cutting it for me anymore. So now it’s time to look at the paid enterprise version of Consul instead.

[00:47:40.690] – Hari
Yes. So for example, if you wanted to filter all the as triggers by namespace. Right, for multi tenancy you can do that and Consul ties into Terraform Cloud and Terraform Enterprise. So you get all the audit logs, which is extremely important from a governance and security standpoint, running history and all the triggers and the notifications. Let’s say you want to notify an operations team that something happened or you made a change previously, it was all like Excel sheets and something else. Right. So all of that is automated. You get the workspaces that you get from Terraform remote execution. And the one other thing I’ll mention is Sentinel for enforcing governance policy as code. So those are some things that enterprises really cannot do away with, and so they really need those. And Consul Terraform Sync Enterprise can help there.

[00:48:35.710] – Ned
Okay. And Sentinel is probably something that we should do a whole separate Tech Byte on because it’s a pretty cool product. And I feel that it spans multiple enterprise products at HashiCorp, correct?

[00:48:46.990] – Hari
Yes. Primarily tied with Terraform Enterprise. But you can see that with Consul Terraform Sync, it’s able to leverage that automatically because of the tight integration.

[00:48:59.110] – Ned

[00:48:59.700] – Ethan

[00:49:00.280] – Ned
Well, let’s close this one out. Let’s get some key takeaways for our listeners. Where can they go to find more information about Consul CTS or Consul enterprise?

[00:49:11.530] – Hari
Yeah, absolutely. So just to round up one of our north star goals is enabling our customers. And Consul is a huge part of that. It’s the only holistic solution for enterprise needs when it comes to service, networking, and network infrastructure. Automation is something that sets it apart. So overall, we really care about bringing business value to our customers, whether it’s going decreasing your time to market while your security governance is in place, reducing operational overhead, all of that network and structure automation through Consul can get you there. If folks want to learn more, they can go to our learned and simply search for NIA. I already mentioned Terraform registry. Same thing. Search for NIA. We have plenty of blogs on our website as well, and there’s a lot of information out there.

[00:50:02.230] – Ned
Excellent. We’ll include all of those links in the show notes. As always, how can folks find you on the internet? Do you have a blog, Twitter profile or something on LinkedIn?

[00:50:12.070] – Hari
Blog is work in progress, but the LinkedIn is definitely the best way to get in touch with me, and my name should come up right away.

[00:50:21.560] – Ned
Okay. And we’ll include a link in the show notes for that as well. Hari, thank you so much for joining us today on today’s Tech Byte. And thank you to HashiCorp for sponsoring this Tech Byte. This is how Ethan and I feed our families, after all. And thanks to you, dear listener, for tuning in. You can find this and many more fine free technical podcasts along with our community Until next time, remember, cloud is what happens while it is making other plans.
