Infrastructure Governance As Code

We continue our Governance as Code discussions in today’s episode.

We started by very broadly looking at Governance as Code generally, but quickly drilled down into Infrastructure as Code meets Governance as Code focused discussion. Understanding that intersection is critical to building something that is both automated and governable.

The topic explored how we audit controls for systems. We also need to make sure that when we build infrastructure, it’s following our policies. The challenge here is making sure that what we’ve automated is conforming to our governance.



How do authorization systems need to be built and made resilient for distributed infrastructure? We discuss how having a single centralized authorization system is incredibly fragile compared to distributed edge infrastructure.

Everything we build has some element of distributed component tree and resiliency in it, and we need to make sure that the authorization systems are included in that analysis.

We explored how you can make MFA more resilient and how you can improve the security of authentication by building additional layers of trust based on behaviors.


Improving Automation Safety

Making automation safe is essential to making it usable at scale. How do we make automation safe? We found a lot of great insights drawing from space craft design, aircraft, aircraft design and other systems where safety is super important.

Automation is a force multiplier. If we don’t factor in safety when we build it,then we could create a lot of harm in systems from wasteful spending to actual injury. These designs have very real implications.


Can Machines Update Themselves?

We know that humans have trouble keeping systems updated, but… how can we address the challenge of knowing which updates are required and, critically, if the updates with break other systems? Even knowing if they worked is a really thorny problem!

In this episode, we focus on actions about what’s going on and why this problem has persisted in industry for so long. Starting from the news of the day about CentOS 8 mirrors being taken down. That’s exactly the type of challenge we are facing when we think about where updates and repos are coming from.


What’s up with Containers for 2022

This discussion sifts into tactical concerns for containers in the near term. We’ve gotten far with containers and Kubernetes. But what about process controls that we need to wrap around containers?

We talked through how we need to be thinking about containers now that we have good control surfaces around them to make things work. If you were using containers and Kubernetes, this podcast will certainly inform your thinking.


What’s Next for Cloud and Edge?

We reflected on 2021 and our four key panelists talked through what’s coming for 2022. Instead of making broad predictions, we focused on the needs of the market. We felt there were many immediate needs around cloud outages and security challenges.

Of course, we also discuss how the edge is coming up along with more physical integrations like for automotive, healthcare, and energy creation and storage. All are very big topics that are local presence related computing.

Photo:…spyglass-7139730/Cloud20302022 PredictLog4jOutagesSecurityEdgeAutomotiveHealthcare

Software Supply Chains [#Log4Shell]

Our scheduled topic was supply chains generally, but the Log4Shell vulnerability dominated the discussion. We dove into the challenge of patching and fixing a library that is literally in nearly every device or service for years and years.

That led us to supply chains in the context of software, and specifically Java Log4j. This is a critical topic and our conversation about it was very thoughtful. We really covered the angles of what it takes to produce and maintain a supply chain for software. Then we discussed alternatives and things to consider when you building anything: software products or physical products in which embedded systems and components impact your designs.


Securing Software Supply Chains

Today we talked about supply chains, but mainly security and the security aspects of supply chains because we have a very serious challenges here.

We have made software and on boarding software for developers so easy, but haven’t put the same efforts in how to manage production systems! The team really talked about what it takes to build production systems that respect security, supply chains, dependency graphs, and inclusion in a way that cross teams.

It’s an incredibly important topic, and it is the foundation of any successful supply chain hardening effort.


Can we Secure SaaS? RE: facebook & Twitch

During this 20 minute check-in we dive security and SaaS infrastructure.

Can we protect the secrets that people are trusting to SaaS providers to store for us? The topic was inspired by the Twitch leak where a lot of sensitive information was exposed exposed to the public. That comes on the heels of all sorts of other leaks, compromises and down time on systems.

Overall, it seems like bad news is coming faster and faster for operators. The fundamental question is NOT can we trust a SaaS provider to secure information. We know the answer is NO. But what to do about it?

Photo by Joy Marino from Pexels [ID 3054158]