
Unlocking the Cloud Operating Model: Provisioning - Cloud Compliance and Management

When operations is no longer the gatekeeper to infrastructure, how do you manage: security posture, regulatory compliance, and operational consistency?

Speakers

  • Meghan Liese, Director of Product Marketing, HashiCorp

Transcript

My name is Meghan Liese. I am with HashiCorp, and I work on the Terraform product marketing team. Today I'm going to talk about cloud compliance and management.

The question that I hear people ask is, What do I do now that I'm going to cloud and operations is no longer the gatekeeper to infrastructure?

Improving cloud security

This raises a lot of concerns around: How do I manage my security posture? How do I manage regulatory compliance? And how do I ensure that our organization is maintaining operational consistency and best practices?

As we look forward and think about what it means to maintain a security posture, it really is thinking about, How do I create and then enforce policies that prevent breaches in my organization?

We've all heard headlines in the last few years around telecommunications companies or government organizations or other types of organizations that have experienced data breaches due to their data being accessed through cloud services.

So what can I do to prevent this?

And as we think about provisioning, it's really around, How do I restrict risky behavior that exposes our organization to security breaches?

This might be around restricting app versions that have known vulnerabilities. It might be around restricting resources with public-facing IP addresses. It could also be around security groups with egress of 0.0.0.0. Or it could be restricting the use of only approved modules. All of these things, if done correctly, can help reduce the risk of a security breach.

The compliance piece, and the cost question

The next part is compliance. How do I create and enforce policies that restrict noncompliance with the regulations that my company has to follow? This could be GDPR, FedRAMP regulations, healthcare regulations, or the PCI regulations. This is to ensure that you do not incur the charges organizations are faced with when they are in noncompliance.

The final part is around operational consistency. This is really the biggest one for organizations.

How do I create and enforce the operational best practices that help me manage the costs of my organization long term in the cloud? How do I tag my infrastructure? How do I make sure that my developers, when they're in development and testing phases, don't use the premium instances that cost hundreds of thousands of dollars a year?

How do I ensure that I'm not having people provision infrastructure on weekends, when it can't be properly watched? How do I ensure that I'm using variables that deprovision infrastructure when people are done using it? How do I ensure that people are not incurring costs that are unnecessary?

For example, if I have infrastructure that costs $1,000 and then a developer goes and it now costs $20,000, how do I put a restriction where that can be reviewed or checked prior to actually being provisioned? All of these operational best practices can yield a 30% to 40% reduction in cloud spend annually.

Sentinel and policy as code

So as we go out and we talk to customers, the thing that we like to reinforce with them is that Terraform provides that compliance and management aspect through what we call Sentinel policy-as-code management.

This not only allows infrastructure to be represented as code; it also allows the policies around security, compliance, and operational best practices to be represented as code as well. These can then be inserted into the provisioning workflow between a Terraform plan and a Terraform apply, and those policies can be enforced at that point.

So before any infrastructure is actually provisioned, it is policy-checked, and if it does not follow the policies, it's prevented from going out and being provisioned. This helps organizations manage security risk, ensure that they are not in noncompliance, and follow the operational best practices that fit the organization.

To learn more about Terraform or get started today, visit app.terraform.io.
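The talk describes Sentinel policies sitting between a Terraform plan and a Terraform apply, but shows none. The policy below is an added example written for this page, not code from the talk or from HashiCorp's own policy library. It reads the `tfplan/v2` import that Terraform Cloud/Enterprise exposes to Sentinel and encodes two of the controls mentioned above: rejecting security groups whose egress is open to 0.0.0.0/0, and requiring cost-allocation tags. The resource types checked and the tag keys `owner`, `cost-center` and `environment` are assumptions chosen for the example; an organization would substitute its own.

```sentinel
# Added example policy (not from the talk): runs between plan and apply
# against the tfplan/v2 import that Terraform Cloud/Enterprise provides.
import "tfplan/v2" as tfplan

# Only managed resources that this plan will create or update can introduce
# new exposure, so resources being destroyed or left unchanged are skipped.
changed = filter tfplan.resource_changes as _, rc {
    rc.mode is "managed" and
    (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Control 1: no security group egress rule may be open to the whole internet.
security_groups = filter changed as _, rc {
    rc.type is "aws_security_group"
}

open_egress = filter security_groups as _, sg {
    # "else" guards against egress blocks that are unknown until apply.
    any (sg.change.after.egress else []) as egress_rule {
        (egress_rule.cidr_blocks else []) contains "0.0.0.0/0"
    }
}

# Control 2: taggable resources must carry the organization's cost tags.
# Both the resource list and the tag keys are assumptions for this example.
required_tags = ["owner", "cost-center", "environment"]

taggable = filter changed as _, rc {
    rc.type in ["aws_instance", "aws_security_group", "aws_s3_bucket"]
}

missing_tags = filter taggable as _, rc {
    any required_tags as tag {
        # For maps, "contains" tests for the presence of a key.
        (rc.change.after.tags else {}) not contains tag
    }
}

# Print each offending resource address so the failed run is actionable.
print_violations = func() {
    for open_egress as address, _ {
        print("egress open to 0.0.0.0/0:", address)
    }
    for missing_tags as address, _ {
        print("missing one of", required_tags, ":", address)
    }
    return true
}

violations_reported = print_violations()

no_open_egress = rule { length(open_egress) is 0 }
all_tagged = rule { length(missing_tags) is 0 }

# The run may proceed to apply only if both controls pass.
main = rule {
    violations_reported and no_open_egress and all_tagged
}
```

Attached to a workspace with a hard-mandatory enforcement level, this policy blocks the apply step whenever the plan contains a violation, which is the gate the talk describes; a soft-mandatory level would instead let an authorized reviewer override the failure, and advisory would only log it. Both the `0.0.0.0/0` check and the tag check operate on the planned `after` state, so they catch the problem before any infrastructure exists rather than after a scan of the live account.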
