The Computer Weekly Developer Network (CWDN) continues its Infrastructure-as-Code (IaC) series of technical analysis discussions to uncover what this layer of the global IT fabric really means, how it integrates with the current push to orchestrate increasingly cloud-native systems more efficiently and what it means for software application development professionals now looking to take advantage of its core technology proposition.
This piece is written by Daniel Riedel in his capacity as SVP for strategic services at Copado – a company known for being a DevOps platform that works to power enterprise software, specifically within the realm of Salesforce deployments.
Riedel writes on strategies for building resilience through Infrastructure-as-Code (IaC) and writes as follows…
A cow and a cat are taking a leisurely stroll through a bright green pasture. The cat, feeling secure in its own importance, leaps to hitch a ride on its friend and whispers into the cow’s ear, “I am so nimble, smart and loveable. I feel as if I am royalty with all the knowledge in the world.”
The cow looks up at the cat on its head and responds, “If you’re so smart, then why are you talking to a cow that does not exist?” In that instant, the cow disappears in a puff of smoke.
The cat falls to the ground, pausing.
“Evidently, I’m not royalty,” the cat thinks to itself. “However, the ability to conjure cows on demand makes me a magician!” So with a flick of its tail, another cow appears to continue its ride.
We have heard the pets vs. cattle comparison many times before in the development community. Our pets – like the above cat – are our irreplaceable, beloved stateful systems that hold petabytes of important data.
Meanwhile, the magical, more ephemeral options are the imaginary cow. They are the cattle that perform vast amounts of computation focused on a specific task and then disappear once that task is complete.
Both the pet and the cattle require well-thought-out architecture, hence the magic of infrastructure as code.
Ephemeral & stateful systems
I would like to suggest that ephemeral and stateful systems are the cats and cows of modern computing.
If stateful systems were self-aware, they’d probably be just as smug as the cat in the intro. It wouldn’t matter how many times it tore up your shoes or knocked your water glass off the table; it would know you were never getting rid of it. You need it and you’ll do whatever it takes to support it.
IaC is critical in creating and maintaining that cat because of the complexity of securing, scaling and managing it. Just as your beloved cat (or dog for the dog lovers) needs a lot of care and feeding, it needs emotional attention and it needs ownership. That translates to a DevSecOps architecture that can be resilient because of the code built upon it.
To constantly manage the testing, compliance and security automation, you need to build significant robustness in your design. If you are doing anything manually, you are opening yourself to errors and you will crush that ability to be resilient. If your environment is compromised, you may have to rebuild it from the ground up to ensure that it’s secure and stable. Altogether, if you have not implemented a good architecture through IaC you will struggle.
Conversely, when looking at the ephemeral nature of your cattle, IaC plays just as crucial a role in managing the spinning up and tearing down of compute nodes as quickly as your systems demand. Having a significant portion of your infrastructure be ephemeral means that you can reduce the security and maintenance costs of your environment.
After all, you do not need to secure that which does not exist.
That ephemerality provides inherent protections. Attackers face significant challenges going after these separate, short-lived events. If they gain a toehold there, they will only have it for a brief time. This allows organisations to spend more time and focus on the stateful systems where the critical data resides.
This is the cost-benefit and risk-reward of using IaC combined with ephemeral and stateful systems. In essence, the cow only exists because it needs to serve the cat.
It turns out cats were right all along. They are the center of the universe!
Modern computing allows for this pet and cattle approach and our security methods must follow it. Luckily, there’s already an existing model that fits right in with IaC in supporting systems.
IaC & D.I.E. model security
A lot of great information on the value of IaC comes from the perspective of Sounil Yu and his approach to Distributed, Immutable and Ephemeral (DIE) model security. For those who have not seen any of his presentations, I would highly recommend checking out his RSA Conference presentation “New Paradigms for the Next Era of Security.” One thing he goes over in it is the importance of the DIE model in modern infrastructure management.
The DIE model is an interesting corollary to the Confidentiality, Integrity, Availability (CIA) triad of security, which is no longer the only method as we embrace modern computing challenges. DIE centres on working with ever-changing and growing systems, and IaC fits right into that approach.
- Distributed: IaC is designed to build distributed systems; by its very nature it is set up to run on cloud-based, decentralised systems.
- Immutable: The ephemeral environment needs to be fixed and immutable, making it very difficult to make changes, which adds security capability while also creating auditable records.
- Ephemeral: IaC allows for rapid deployment of containers, or short-lived functional interfaces (such as AWS Lambda, or Copado Functions). It supports a single question or event and then is disposed of and replaced.
DIE isn’t a new concept. It has been around for several years, yet many organisations are still building out their approaches for managing their infrastructure. Stateful systems will always exist, but the ephemeral nature allows us to protect them and use them in a secure environment while giving flexibility in scaling and compute costs.
So we adore and care for our pets, and we deliver them the capability to have as many cattle as they need to scale and answer all the questions they may have.