Enforce Secure Automated Deployment Practices through IaC

  • Jun 5 2024
  • 30 mins
  • IaC, Best Practices, Automation, DevOps

Things you’ll learn

  • What is IaC?
  • Automation Basics
  • IaC Industry Standards
  • Best Practices for IaC Deployments


Emin Alemdar
Solutions Architect, Spacelift
Ciara Carey
Developer Relations, Cloudsmith


We are thrilled to welcome Emin Alemdar, Solutions Architect at Spacelift, CNCF Ambassador, AWS Container Hero, and holder of multiple certifications (CKA, CKS, and 6x AWS Certified), as our guest speaker. Emin will share invaluable insights on streamlining infrastructure management with Spacelift's sophisticated CI/CD platform, which supports various IaC tools, including Terraform, Pulumi, and Kubernetes. Key topics include:

  • What is Infrastructure as Code (IaC)?
  • How tools like Terraform can help with automating IaC?
  • Best practices for ensuring secure and automated IaC deployments.
  • How Cloudsmith's seamless integration with Helm and Terraform simplifies artifact management, aligning with industry standards for security and automation.


  1. 00:00:00
    Ciara Carey: Hey, this is Ciara Carey, and this is Cloudsmith's webinar on all things DevOps and supply chain security. So today we're going to be talking about how to enforce secure automated deploying practices through infrastructure as code. We're going to be joined today by Emin Alemdar, he's a solution architect at Spacelift.
  2. 00:00:19
    Ciara Carey: Before we bring him on just to let you know, next week Cloudsmith are going to be here. See you then. PlatformCon, which is how I say there's an online version and an on site version. I'm going to be there for a workshop on how to securely consume open source. So, and I think we're giving away some, a thousand euro Amazon voucher.
  3. 00:00:42
    Ciara Carey: If you, if you register, register through us or something like that. There's a euro on the fence. It's pretty good. Thousand dollars. Yeah. So before we go on, let us introduce to the stage, our cloud expert, Emin Alemdar from he's a solution [00:01:00] architect at Spacelift. He's a CNCF ambassador, an AWS Container Hero, many certificate holder.
  4. 00:01:09
    Ciara Carey: Welcome on stage Emin.
  5. 00:01:11
    Emin Alemdar: Thank you. Thank you. Thank you for having me, Ciara.
  6. 00:01:14
    Ciara Carey: Oh, happy to
  7. 00:01:15
    Emin Alemdar: have you.
  8. 00:01:16
    Ciara Carey: Hey, everybody. Yeah, so I'm hoping we're going to try to get a bit more audience engagement as well. So I'm going to be listening out for your questions, but I am terrible multitasker. So excuse me if I, if I miss a question.
  9. 00:01:31
    Ciara Carey: So let's just get right into it. What is infrastructure as code?
  10. 00:01:36
    Emin Alemdar: Yeah, infrastructure as code allows people to basically declaratively manage their infrastructure resources, including computing sources, networking resources, storage resources, even in public cloud providers or or even in on prem environments.
  11. 00:01:54
    Emin Alemdar: So basically, Rather than manually clicking through a [00:02:00] UI, a cloud provider's UI management portal, you write down your code to consume those infrastructure resources in a declarative way.
  12. 00:02:10
    Ciara Carey: Oh, brilliant. And like what would be like the classic example? Tools associated with them. What would be the benefits?
  13. 00:02:16
    Ciara Carey: Let's talk about what are the benefits of infrastructure as code?
  14. 00:02:19
    Emin Alemdar: Brilliant. So basically when you have your infrastructure definition written in code, written as code, you can easily duplicate your environments. Because you can basically copy and paste that code and change some variables, change a parameter within the code and deploy the same infrastructure to, let's say, another region or to another cloud provider account even.
  15. 00:02:45
    Emin Alemdar: So it makes it easier for people to basically create, I don't know, maybe their stage of production environment very easily, with just changing some parameters. And also it reduces the configuration [00:03:00] errors too, because we are human. We're making errors all the time. If one person clicks one button in the UI, that's going to make, you know, that that's going to change something or that's going to basically break something, right?
  16. 00:03:16
    Emin Alemdar: Eventually, but if you have everything written in code you're now able to see the configuration details about every resource because it's there for you, right? You reduce the human element in the in the occasion and also basically you can iterate best practices, open environments because just like I said, it's reusable.
  17. 00:03:45
    Emin Alemdar: It's extendable and and it can be collaboratively worked on together with different engineers as well. So that also increases the increases the collaboration between team members too. [00:04:00]
  18. 00:04:00
    Ciara Carey: Oh yeah, automating the stuff instead of manually. Provisioning stuff is, it sounds like the way to go.
  19. 00:04:07
    Emin Alemdar: Yeah, definitely.
  20. 00:04:09
    Emin Alemdar: Definitely.
  21. 00:04:10
    Ciara Carey: How good the tooling is, is what is the infrastructure code tooling? What's your toolkit look like?
  22. 00:04:16
    Emin Alemdar: Yeah, there are, there are multiple tools out there from different vendors. There's OpenTofu, Terraform, Pulumi, CloudFormation, there's Azure Bicep, right, and ARM templates as well. And there's also Terragrunt, which is basically a wraparound on Terraform and OpenTofu.
  23. 00:04:36
    Ciara Carey: I was wondering what that was. I was like, oh.
  24. 00:04:39
    Emin Alemdar: Yeah, yeah. And also there are some other configuration management tools as well, such as Ansible, Chef, Puppet. Those are the old ones. Ansible is really popular these days, but those are usually, you know, usually confused. People are confused about this because those are not [00:05:00] actually infrastructure as code tools.
  25. 00:05:02
    Emin Alemdar: But people use those tools, use those configuration management tools to manage infrastructure resources as well. So you can count them as IaC tools as well. But
  26. 00:05:14
    Ciara Carey: yeah, I just use for automating Resources in a way, but kind of a different use case, isn't it? Then Terraform.
  27. 00:05:22
    Emin Alemdar: Exactly. Exactly.
  28. 00:05:24
    Ciara Carey: Yeah. I heard it described as Terraform creates something that doesn't exist already.
  29. 00:05:29
    Ciara Carey: Whereas Ansible or tooling like that will be configuring stuff that's already there. Exactly.
  30. 00:05:35
    Emin Alemdar: Yes. That's the way it is. Yeah, that's correct.
  31. 00:05:38
    Ciara Carey: Yeah. And so what, where does Spacelift fit in all of this?
  32. 00:05:43
    Emin Alemdar: Brilliant. So Spacelift is actually an infrastructure as code management platform. So you can think of Spacelift as a sophisticated CI/CD platform for IaC deployments.
  33. 00:05:55
    Emin Alemdar: And we, of course, mainly follow the GitOps pattern here. Everyone [00:06:00] uses this pattern because your Git repositories will stay as your single source of truth for your code, for your infrastructure code. And based on the, based on the actions you do on your Git repository, we will trigger the runs, the actual deployment runs for you, for your IaC code, right, IaC deployments.
  34. 00:06:25
    Emin Alemdar: So you can think of Spacelift as a centralized management platform, centralized CI/CD platform for infrastructure as code deployments, basically.
  35. 00:06:35
    Ciara Carey: Yeah, that's really important. I know Cloudsmith, we sort of do that with your builds, with your central stores of truth for your, all your builds. Build, and that's really important for visibility and transparency and sharing.
  36. 00:06:47
    Ciara Carey: Yeah.
  37. 00:06:47
    Emin Alemdar: Yeah.
  38. 00:06:48
    Ciara Carey: So I can I usually though, I would've, I, I used the, I, I would've heard of the term like for CI/CD, I normally associate it with before the build. It's kind of interesting to [00:07:00] see that terminology after you have her. Yeah. Yeah, so, and so let's get cracking on the kind of things that we should, that the problems that can occur when you're deploying to the cloud.
  39. 00:07:14
    Emin Alemdar: Yeah, so, yeah, you want to go first?
  40. 00:07:19
    Ciara Carey: Oh, do you know what? Before we move on, let's get a poll. Let's get a poll. Hillary in the background. You can see it there in the chat. Can you, can you push out the, the first poll?
  41. 00:07:33
    Ciara Carey: I think it's going to come up on screen. Oh wait, maybe I can do this. Okay. I'm going to do this.
  42. 00:07:40
    Emin Alemdar: Okay.
  43. 00:07:41
    Ciara Carey: Oh, is there one already published? Oh, there's one published. Okay. So, oh, thank you Hillary. What infrastructure code tool do you primarily use for deployments? So, Terraform is King, Ansible, they're probably used together, but Pulumi and Chef and Puppet would kind of be more old school.
  44. 00:07:58
    Ciara Carey: So we don't have, nobody's using [00:08:00] OpenTofu yet. I know there's a lot of talk about OpenTofu, but maybe it'll take a while before it's sort of used more in people's pipelines. People are still probably using Terraform. What do you think?
  45. 00:08:11
    Emin Alemdar: We might see the change. We might see the shift. And we have already started seeing the shift because, yeah, and because, because, you know, it's open source and it's under Linux Foundation right now. And, and it's doing really well right now, and we have started seeing the shift towards OpenTofu actually.
  46. 00:08:34
    Ciara Carey: So interesting, I'd be like, I suppose we're still in the, I've watched the space, see, see where they're where everything's gonna land. They probably both happily live together for, for a long time. Okay, so let's move on. Let's talk about the kind of, I suppose There's a lot of things that you have to consider with infrastructure code, like network security, identity services, like secret management, [00:09:00] logging, threat detection, static testing, the app and runtime testing.
  47. 00:09:08
    Ciara Carey: And there's so much to consider. Maybe we'll start with, before you deploy, Where, where, what kind of things do you think you should do before you're deploying your infrastructure code? I suppose you, you have to write your template for us, right?
  48. 00:09:24
    Emin Alemdar: Exactly. Yeah. But, but let's start with this. Never store any credential data, any secret data inside your code.
  49. 00:09:33
    Emin Alemdar: Let's start with that. But, but basically what I'm trying to say here is you can run static analysis against your code as well. So we have to shift left for the security posture, and it starts on developer's IDE, actually. So you can run some, run some tests against your codes. And there are some open source tools out there that can be helpful, really helpful.
  50. 00:09:59
    Emin Alemdar: [00:10:00] And also you can integrate those tools into your CI/CD pipelines, automation pipelines as well. And by doing that, you're actually automating that process as well. So instead of manually, you know, checking your code yourself on your laptop, you're basically trusting a, a, a third party solution. And of course, an automated system to check your code for yourself.
  51. 00:10:24
    Emin Alemdar: By doing that, you can, you can make sure that you're actually writing the secure code for your infrastructure, because infrastructure resources are gonna be our production environments, right? It's gonna be accessed by end users. Let's say we have an e-commerce website and, and we are deploying the, deploying the actual infrastructure for that e-commerce website.
  52. 00:10:48
    Emin Alemdar: So we, we have to be secure in that manner as well.
  53. 00:10:53
    Ciara Carey: And at that stage, you would you would you store your, like Terraform, I suppose you might store it, you would store it in somewhere like [00:11:00] Cloudsmith?
  54. 00:11:00
    Emin Alemdar: Most of the time people store their source code, source infrastructure code in Git, in a version control system.
  55. 00:11:08
    Emin Alemdar: In
  56. 00:11:08
    Ciara Carey: a version control, okay, okay, great.
  57. 00:11:10
    Emin Alemdar: Exactly, exactly, yeah. Because that way, in the version control system, you're able to collaborate with your team members. For example, people can introduce them. pr some code changes and they can, that can be reviewed by other engineers, other team members, maybe a manager, right?
  58. 00:11:30
    Emin Alemdar: And that can, they can also have an approved approval process for the, for the infrastructure. Resource releases as well. Let's say
  59. 00:11:39
    Ciara Carey: you can you like test the I'm sure you can. I'm sure there's some static analysis that can check out your, your, your templates and make sure that they're written correctly, secret detection, all that kind of thing.
  60. 00:11:53
    Emin Alemdar: Yeah, they can be they can be done with with some third party tools as well. So there are some tools out there such as [00:12:00] I don't know, let's name a couple of, a couple of open source ones. For example, you can use TFLint, for example, to check the lint of your code, right? Or you can use Terrascan or, I don't know, tfsec for checking the code itself as well.
  61. 00:12:17
    Emin Alemdar: Static code analysis, basically. And you can, like I said, integrate these third party tools, these open source tools into your CI/CD pipelines as well.
  62. 00:12:28
    Ciara Carey: Okay, great. And so, so we've written our, we've written our templates, they passed the initial test. What's, what's the next thing we should consider?
  63. 00:12:39
    Emin Alemdar: We should basically automate the deployment of this code as well.
  64. 00:12:43
    Emin Alemdar: So, most of these tools, most of these IaC tools, they offer a CLI, for example, right? For you to basically manually run the commands to apply those resources, let's say, create those resources, right? But, we should [00:13:00] avoid that manual deployment approach as well. We should have an automation for that, to reduce the human error and increase the visibility and of course increase the control, increase the governance around those infrastructure resources as well, because less human, let's, let's accept this fact, less human is more secure.
  65. 00:13:23
    Ciara Carey: Yeah anywhere you can put in automation It will eliminate human error. And also it's it's the visibility and the tracking if you're not you're changing things on the bounce that won't get tracked and potentially you'll lose that, that that, that that data that, that change.
  66. 00:13:41
    Emin Alemdar: Exactly. Yeah. So that's, that's why we, we recommend people to put their code in a version control system to have that versioning available.
  67. 00:13:50
    Emin Alemdar: That's why we recommend people to have that automating posture of the deployments of the, of the IAC, of the infrastructure resources as [00:14:00] well. So, yeah.
  68. 00:14:02
    Ciara Carey: And even before you're deploying what kind of things should be, what kind of things should you be making sure your infrastructure has like, so what, what should you be configuring for to, to manage your, your, what should you be configuring to kind of monitor the security of your infrastructure?
  69. 00:14:22
    Emin Alemdar: It depends from, from environment to environment, of course, but, but basically let's say if you're deploying a networking stack, for example, right, within AWS, for example, let's say you're deploying a VPC for your networking stuff, but you also need to configure security groups, maybe network access control lists, right?
  70. 00:14:44
    Emin Alemdar: All of those security aspects of those network layer network layer configurations as well for your compute resources. And on top of that, of course, you can, you can deploy some IAM roles with some policies [00:15:00] right with IaC as well, with infrastructure as code as well. So like I said, it depends on the environment.
  71. 00:15:08
    Emin Alemdar: But but there are there are more than maybe 10 20 even 100 ways to deploy those secure security related services within the cloud provider with IaC.
  72. 00:15:24
    Ciara Carey: And I know you just mentioned IAM there. Can you go into that a little bit for me? That access. So what does it mean?
  73. 00:15:33
    Emin Alemdar: Yeah. So it basically allows a person or a machine to perform any activities against the, against the resource, against the service.
  74. 00:15:44
    Emin Alemdar: within the cloud account, right? It can be a compute service. Let's say I want you, Ciara, to be able to create and launch an EC2 instance. I'm defining that in an IAM policy, right? [00:16:00] And I'm giving you a role and attaching that role that that policy to that role. And with that role, you're actually authenticating against the cloud provider, right?
  75. 00:16:13
    Emin Alemdar: And once you're authenticated with that, it goes ahead and checks your IAM role and policy and authorizes you to perform that launch a virtual machine activity. So that is, that is where you define all of those all of those who can do what rules basically.
  76. 00:16:33
    Ciara Carey: Yeah, it kind of reminds me of like SCIM or something like that in my world, you know, for deep provisioning and deep version.
  77. 00:16:41
    Ciara Carey: But so, and Can you enforce? Oh, sorry. Before you go on can you like use OIDC with can you enforce that? Yeah,
  78. 00:16:52
    Emin Alemdar: definitely. Definitely. You can use OIDC. You can use SSO, SAML, all of that stuff is available. But [00:17:00] basically, most of the time OIDC and SAML, in general SSO, is used for authentication part, but you also need the authorization part as well to be able to perform some activities after you authenticate against your cloud provider, which is mostly controlled by IAM policies.
  79. 00:17:22
    Ciara Carey: Okay, great. Okay. So do you think, so what, so before deployment, you see ICD to to, to host your templates, make sure that you have version control, make sure that you, you set up your templates where appropriate to have the correct access control using IAM is there anything to consider anything to do with like resource protection or anything like that at this stage?
  80. 00:17:53
    Emin Alemdar: Yeah, but that's mostly external to the resource itself, other than, you know, not [00:18:00] keeping any secret data within the code itself or within the resource itself. That's mostly external to the resource, because, for example, you can configure file volumes, or you can configure those IAM policies, but like I said, that's external, that's an additional configuration you need to think of, basically.
  81. 00:18:23
    Ciara Carey: Okay let's let's use this time to do our second poll.
  82. 00:18:28
    Emin Alemdar: Yeah.
  83. 00:18:29
    Ciara Carey: Oh, it's published. Let's see. God, I have to lean in. Do you currently have automated security checks integrated into your CI/CD pipeline? Okay, we're getting A live footage so far. Yes, improve it. That's probably every, even if everybody should probably say that it's like, I'm done from now until the end of time.
  84. 00:18:56
    Ciara Carey: Yeah.
  85. 00:18:58
    Ciara Carey: We have robust security practices. [00:19:00] Yes, we need to improve it. No, but planning to implement soon. And no, we rely on manual checks. So you should be having, you should have all these checks in your CI/CD on your, on your templates themselves before you, before you deploy.
  86. 00:19:16
    Emin Alemdar: Exactly. That's correct. So you should avoid manual changes.
  87. 00:19:21
    Emin Alemdar: You should, you should, you know, enable the access control. You should basically configure. There are some buzzwords out there. I don't want to, I don't want to hear them.
  88. 00:19:32
    Ciara Carey: Are you going to say ghost?
  89. 00:19:34
    Emin Alemdar: No, I was going to say use least privilege access methodology here. Right. So you're going to have to repeat
  90. 00:19:42
    Ciara Carey: that over and over again.
  91. 00:19:44
    Emin Alemdar: You, you need to least privilege access. Basically, you don't give permissions to if, if that's not needed to people. Right. And also, just like you said, you need to have those checks [00:20:00] in your CI/CD pipeline to have that ultimate automatic to run against your code and your deployments as well, right?
  92. 00:20:08
    Ciara Carey: Okay, cool. And can we talk about I'm not sure where this, you should be worried about this, but drift in relation to your templates. So we talked about this after deployment. I suppose this is something that happens after deployment. It's like drift away from what you've initially provisioned.
  93. 00:20:28
    Emin Alemdar: Yeah, exactly.
  94. 00:20:29
    Emin Alemdar: So I'm going to play the bad guy here. So let's say you use, you use an IaC tool, right. And deploy some resources in your AWS account. And as the bad guy, I went ahead and, from the AWS management portal, changed the configuration of some of those resources that you deployed with IaC. So I'm the reason of that drift actually.
  95. 00:20:56
    Emin Alemdar: So, and, and. By doing that, you're, [00:21:00] you're actually no longer have full control over the resources and full visibility over the resources, because you have a desired state, which is your infrastructure code, basically. And you also have an actual state, which is the resources that you deployed with that infrastructure code.
  96. 00:21:18
    Emin Alemdar: And I'm, as a bad guy, changing that, changing your actual state. And if there's a drift between your desired state and actual state, that causes some problem for the future. Of course, during some, I don't know, maybe downtime or troubleshooting sessions or things like that, you can cause a drift intentionally.
  97. 00:21:43
    Emin Alemdar: But that shouldn't be your I don't know, daily operations, basically.
  98. 00:21:50
    Ciara Carey: Yeah. So, and if say you were doing all these little manual changes and disaster struck and [00:22:00] you had to redeploy it, you couldn't just redeploy it. You'd have to redeploy it and do all those potentially undocumented manual changes to get back to where you want to be.
  99. 00:22:12
    Emin Alemdar: Exactly. That's correct. So you're going to lose control and, you know of your resources because just like you said, you're going to, you're going to lose track of all of the details about the configurations of those resources. And just like you said, you should avoid manual changes. And and you should have a process for updating the infrastructure resources as well.
  100. 00:22:39
    Emin Alemdar: Because most of us have processes for application resources as well, right? We have automation for application processes, application deployments as well. But we need to have those processes for the infrastructure resources to
  101. 00:22:56
    Ciara Carey: okay, so drift. Drift bad [00:23:00] So, what would you do if you didn't say you wanted to make a change you would have to Restart go into your your you would do what you would do a code.
  102. 00:23:09
    Ciara Carey: You would make a PR, merge it and deploy it at appropriate time.
  103. 00:23:15
    Emin Alemdar: Exactly. That's correct. That's the process actually we should follow, right? We should introduce a code change in a PR and that PR should be reviewed by another engineer. Thank you. Another peer, right? Another team member. And once we are happy with those changes, we should then together merge and automatically deploy those to our infrastructure, basically.
  104. 00:23:38
    Ciara Carey: And can you enforce that, like, someone doesn't do a manual change? Is that something that you are, you have to give some leeway or what would you, where, what do you think?
  105. 00:23:51
    Emin Alemdar: You can enforce that by, let's say I'm the bad guy again, you can, yeah, I'm the bad guy [00:24:00] again. So, but, but you can limit my access to the AWS account,
  106. 00:24:03
    Emin Alemdar: let's say
  107. 00:24:04
    Emin Alemdar: to the cloud provider account, right?
  108. 00:24:06
    Emin Alemdar: If you limit my access, I will not be able to change any, any configuration of that resource. So, you can do that with policies as well, but also at the same time, let's say, as the bad guy, I also, I also know some, my way around IaC as well, and I want to introduce some bad code changes to the infrastructure repository too, right? Let's say I'm not doing doing it with bad intentions, right?
  109. 00:24:37
    Emin Alemdar: I just don't have the required experience with IaC to be able to actually change a configuration of the resource within our infrastructure. But let's say I made a mistake. So in our CI/CD pipelines, we should also have some extra policies to check [00:25:00] what is actually being deployed to our cloud provider accounts as well.
  110. 00:25:05
    Emin Alemdar: Right. So there are some open source tools out there, for example, Open Policy Agent, right? It allows you to write down policies as code, right? And, and you can use these policies to introduce some guardrails, right? Security guardrails around those automated pipelines, automated deployments as well.
  111. 00:25:29
    Ciara Carey: Oh yeah, Kyverno is another one, isn't it?
  112. 00:25:33
    Ciara Carey: Open source.
  113. 00:25:34
    Emin Alemdar: Kyverno is another one, exactly. Yeah, yeah. That's mostly used for Kubernetes policies, Kyverno, but OPA can be used for IaC as well.
  114. 00:25:45
    Ciara Carey: Oh, cool. And so, okay, so we have those guardrails and what should we do after you deploy? What should we do around around logging or in continuous logging?
  115. 00:25:56
    Ciara Carey: That's a big problem. Not a big problem, but an important thing [00:26:00] to think about. When you're for troubleshooting for recovery for incident response that you need to enable logging. And so how would we do that with IaC? And can we enforce it?
  116. 00:26:13
    Emin Alemdar: Yeah, we can also, we can also deploy observability related resources, not just logging, but but metrics and also metrics and also traces and all of that with IaC
  117. 00:26:26
    Emin Alemdar: as well. So if if we are going to use an external tool for that observability stack, we can deploy that tool to our infrastructure with IaC as well.
  118. 00:26:40
    Ciara Carey: Oh God, someone there. I, I mentioned as we at the start about PlatformCon, how if you register to, to PlatformCon and on our site that you're in for a chance to win 1000 dollars.
  119. 00:26:54
    Ciara Carey: But someone thought it was for the webinar and just to let them know. That is for
  120. 00:26:58
    Emin Alemdar: [00:27:00] when
  121. 00:27:02
    Ciara Carey: you're going to announce the winner. I'm like, sorry, sorry, friend. That's another, another thing. Okay. So we've talked about access. We've talked about drift, about avoiding manual changes, about using version control do you want to talk about, we've talked about logging Oh, actually, I don't think we talked about access control.
  122. 00:27:23
    Ciara Carey: Let's, let's talk a little bit about access control after you've deployed and how do you manage that? So you, you can also manage
  123. 00:27:29
    Emin Alemdar: the access control with IAC as well. So you can limit everything with, regarding access control to those resources with infrastructure as code as well. So to have that written as code is, is actually giving the admin admins.
  124. 00:27:50
    Emin Alemdar: admin teams, let's say, or platform teams. That's the, that's the regular term we use these days. Platform teams can [00:28:00] control that access with IaC, with code, and they can basically manage those, those access with those policies, with those custom policies, to their actual infrastructure resources very easily.
  125. 00:28:15
    Ciara Carey: Brilliant. Okay. So we probably just be wrapping. Is there anything else that we can consider? Maybe oh, one more thing. How do you like manage the dynamic, dynamically manage, the security of an app that's running in deployment after can use infrastructure code to help with that or to
  126. 00:28:34
    Emin Alemdar: you, you can, of course you can definitely use that because because what you're doing here is with IAC, you're, you're removing that manual intervention and you, you are actually introducing a process.
  127. 00:28:51
    Emin Alemdar: Into the picture, not just a tool, not just an approach, but a process, right? And if you have, if you have your, [00:29:00] your processes, you know, documented very well within the, within the organization, you're actually introducing a culture to that organization as well. So. These things start with the cultural change as well.
  128. 00:29:15
    Emin Alemdar: So we can throw in, I don't know, maybe a hundred tools into the picture, but if we don't have that culture, Ready for us to actually create that process. Very well documented process. Basically when you think about DevOps, for example, it's not, it's not a collection of tools, it's a culture. When you think about platform engineering, that's the same.
  129. 00:29:41
    Emin Alemdar: So basically we have to think about how we do things in our organizations rather than thinking about tools themselves.
  130. 00:29:50
    Ciara Carey: And how do you, what do you think are the important things around culture with this? Is it like automated? Everything would be probably
  131. 00:29:57
    Emin Alemdar: Automate everything, secure everything, [00:30:00] shift left for the security, right?
  132. 00:30:03
    Emin Alemdar: It all starts from, from the developer's IDE, from the developer's laptop, right? And of course remove the, the, the manual intervention to the processes as well. And maybe I can also say define everything as code.
  133. 00:30:21
    Ciara Carey: Brilliant. I think that's a great way to end the webinar. There's a, can't get better than that.
  134. 00:30:28
    Ciara Carey: So thank you so much, man. And I hope people have enjoyed it. Oh, is there any questions before we go on apart from the thousand euro?
  135. 00:30:39
    Ciara Carey: Any questions before we go on Yeah, so oh, looks like no questions. Okay, great. So I hope you enjoyed today. We talked about how you can enhance the enhance the security of your user infrastructure as code to enhance the security of your cloud deployments. And [00:31:00] Remember to try to not manually change anything, try to put everything version control and try to use some of those guard rails and tools to stop people doing things that probably they don't need to do.
  136. 00:31:14
    Ciara Carey: Yeah.
  137. 00:31:16
    Emin Alemdar: Well,
  138. 00:31:19
    Ciara Carey: thanks again, Emin. And oh, and So platform connects, and if you want to know more about Cloudsmith's cloud native artifact management, we have an intro to intro to Cloudsmith that was another webinar that we'll post at the, at the top there. Oh, there it is. Hillary's like, she's on it.
  139. 00:31:37
    Ciara Carey: Yeah. The banner there. So thanks everybody for today. Automate everything. And I'll see you later. Bye.
  140. 00:31:46
    Emin Alemdar: Thank you so much. Bye.