The Role of Platform Engineers in Scaling Enterprise Security


What is the role of Platform Engineering in today's Cloud Driven Enterprises? Recorded live at HashiConf 2024, Ashish Rajan spoke to Cole Morrison, Senior Developer Advocate at HashiCorp, about the rise of platform teams and their impact on developer productivity, how Terraform acts as a bridge between infrastructure and security policies, and practical use cases for automation in scaling enterprise cloud environments.

Questions asked:
00:00 Introduction
01:20 A bit about Cole
02:14 Infrastructure LifeCycle
03:48 Infrastructure as Code
05:41 The need for platforms
08:40 Can you have too many Terraforms?
10:33 How are teams automating security?
14:17 How has HashiConf changed over the years?

Cole Morrison: [00:00:00] If we could free up our time for doing the stuff and infrastructure that we want to be doing, developing some sort of platform that automates most of the cycle is generally where you start heading towards. So time for you, the platform engineer to say, here is something you can go and fill in the values you want.

Okay, great. It's going to go make all the stuff you need and I can go about my life and you can go about yours. We're going to just.

Ashish Rajan: Oh, that worked.

Why do organizations build platform team, platform engineering? What's the point of having a platform engineering team in enterprise? And where does security play a role on this?

I had the pleasure of talking to Cole Morrison, who is a senior developer advocate at HashiCorp at HashiConf in Boston. And we spoke about the value of a platform team. And how does an enterprise scale with a platform team in terms of not just scaling the engineering, but also scaling security? Overall, it was a great conversation.

I hope you enjoy this episode with Cole. And if you know any other enterprise companies that are trying to look into the whole platform space, just to understand what it's about and what unlocking that capability could mean for that [00:01:00] organization in terms of automation and just the overall productivity increase that you will find in running large scale cloud footprint across the organisation.

If you're watching this on YouTube or LinkedIn, you can show support for free by subscribing or following us on social media. I hope you enjoyed this episode. I'll talk to you next one.

Cole, can you share a bit about yourself and what do you do at HashiConf?

Cole Morrison: So I'm a developer advocate with HashiCorp. But prior to this, been over 10 years of, well over, because I don't want to give too much age away because I look so, so great. Yeah, cloud, DevOps, platform, software engineering.

Software engineering was actually my bridge into the whole cloud space. Oh, nice. Started talking about it, teaching it, and then eventually wound up with Hashi when one day I picked up Terraform and was like, oh my god. This is so nice. Yeah. It looks so pleasant. I'll just write JSON, YAML. And then here we are at HashiConf 2024 in Boston,

Ashish Rajan: Can't believe you said JSON and YAML are being, like, so awesome?

Cole Morrison: No, sorry. Not being awesome.

Ashish Rajan: It's obviously much more understandable than what it used to be before, I feel it allowed more people to enter the [00:02:00] space. Obviously, I guess the conversation focus today is both from an infrastructure perspective as well as the cyber security side.

Just to lay the groundwork for most people. And I think obviously different people are different scale for cloud and otherwise as well. Where do you see the infrastructure as code integration and the whole platform life cycle, infrastructure life cycle? How would you describe that to others, what an infrastructure life cycle is and what is the role of cyber security in there?

Cole Morrison: What's really interesting is even though we have those split, I see the ILM side of build, manage, and deploy, specifically if you're on Terraform, as where all the security begins. Because, in essence, since our products like Vault, Boundary, you can configure in Terraform, technically Terraform and infrastructure as code as your interface into everything else that you're doing, if such is the case.

And you say, decide to build a policy, right? You're building that policy in your infrastructure as code. And part of the security aspect of that is not only are you getting the policy enforced across [00:03:00] everything, you're getting the system of record around the policy, its usage, where it's being applied, you're getting the ability to apply it again, and you're getting to do it before everything gets deployed, right?

Instead of having thousands upon thousands of resources and error messages coming back. You have the template, for lack of a better word, that defines all of it. You're monitoring that. Yep. And since we monitor, we lock down before it ever goes out. Hey, we're good, right?

Ashish Rajan: Yeah, awesome. And I think as you can see, there's Jenga in front of us.

Yeah. And we are testing how great tech people are with Jenga. Yeah. If you can build infrastructure, Yeah. now that we have the infrastructure organization, Yeah. I'll say how good we are. I'm going to make a move quickly over here. You're going to go right. It's like a ding. Wow. You went like right for that.

Cole Morrison: Okay. So I probably shouldn't play too safe, but we'll counterbalance it here. All right, cool.

Ashish Rajan: So next question for the infrastructure that you define now. So obviously we're building an infrastructure stack over here as we do this. From an infrastructure as code perspective, what is like the transition different companies go through, especially enterprise?

Yeah. [00:04:00] What are the transition they go through when they're starting off say some maybe starting in cloud today, what would be I guess some of the initial stages they have to work on and how does it evolve as you grow a bit more mature?

Cole Morrison: So interestingly, when you begin in infrastructure as code in any of our product space, it generally comes down to, especially if you're in a brownfield environment, it comes down to that sort of quick win, new business function, or something that gets blank slated.

Hopefully you've done that pattern, because beginning with migration of something that's already legacy, that's pretty rough, but you tend to think in that first level of scale, getting code defined for that first environment, and then here we're going to keep going.

Ashish Rajan: That's to make it, that's to make it challenging.

Oh! That one's not stable. Oh, that's the whole point, that's the whole point.

Cole Morrison: Yeah, so you tend to, so you tend to wow, this is making folks on the topic very, very challenging for me here. You tend to have the infrastructure defined in one place, run from, by one small team.

You don't have nearly as much policy, you're more concerned with [00:05:00] getting things out and put out there. But the longer that you go about the more you start, I know, that was me being very cowardly. The more you start seeing it run across a variety of cloud environments. Okay. Where monitoring it, working with it isn't just about concerning yourself in one sandbox, so one AWS account, one GCP project.

It's okay, how do we centralize everything? How do we start thinking about instead of managing thousands of members, thousands of code bases, thinking in terms of managing them as a, an ecosystem community in one language. And of course that bleeds into security and everything else as well. I'm trying to, okay, here we go. Oh, wow. I'm trying to counterbalance you, because I feel like I'm trying to Okay, so if I'm going to counterbalance, we've got to go here, too. Oh, this one's fine.

Ashish Rajan: Yeah, there we go. Oh, this should be fine. I'll just take some of it out. Oh. A lot of people get confused with the whole platform engineering word.

Yeah. A lot of people would have DevOps. They would have people who are building cloud infrastructure, cloud engineers. Yeah. What is the whole where does it become a platform?

Cole Morrison: Is it the same people as DevOps or who are [00:06:00] these platform engineers? So I, it's one of my pet peeves, the DevOps versus platform engineer, because for a while there that was what a platform engineer was: it was DevOps. But the thing that happens is DevOps, to me, and I'm gonna say this is my own opinion, that's the skill set. Platform is what you build. Therefore you are either a platform engineer if you're working on an internal platform, or you're a DevOps engineer if maybe they just don't know what to call it, right?

Because that's your skill set, right? You're bridging between the two. The platform is the internal platform upon which all of your applications are running, right? And you tend to have DevOps skill sets because you're doing both development and ops work, right? And you're working on an internal platform of some sort.

That one was bold. Now I've got to counterbalance this stuff. I'm going to be I'm trying to find one that's No, that would be evil. Okay, see this one's safe.

Ashish Rajan: I'm going, I'm surprised you're going for the safe option, but so now that we understand what platform is and where people want to be talking about focusing attention on if you're [00:07:00] building a infrastructure as code platform is what is the goal for building a platform?

Why not just do what everyone else does, which is just build some infrastructure as code and keep them in a code base? Why was there a need for going to the platform?

Cole Morrison: Mainly because you don't want to deal with developers, do you? Do we really want to talk to developers? Or would we prefer them not send me a ticket ever, like that one time that Greg decided he was going to ask me to rip out something for Mongo because he didn't know how to manage his application, right?

We really don't want to do that. It would be better. If we could free up our time for doing this stuff in infrastructure that we want to be doing, right? Developing some sort of platform that automates most of the cycle, is generally where you start heading towards, right? The question was why, right?

Time, right? Time for you, the platform engineer, to say, here is something you can go and fill in the values you want. Okay, great, it's gonna go make all the stuff you need and I can go about my life and you can go about yours, right? Yep. That's a very extreme version, the self service side.

Sort of the in between is we make a bunch of reusable building blocks, right? Because imagine us having to build a full Jenga tower [00:08:00] up from just, I don't know, like straight resin. That'd be wild, right? Yep. Instead, a lot of sensible building blocks such that we can build something up very quickly and know that each one of these building blocks has all the investments of security and policy in them, lets us build rapidly, but still with retaining more customization than a self service platform.

Ashish Rajan: What would be the business use case for it as well? Would you say, more from an application perspective, over time, does it make it more complex as well? Or is it more the fact that it's a lot more, hey, how do we automate as much, so it's self service driven. Which do you lean one more?

Cole Morrison: So there's sort of two sides to it, right? There is the efficiency, so that you can get out the door. There is the developer experience, that they can just be done with it. But you're asking from the security perspective, right?

Ashish Rajan: Yeah, I guess either ways, both sides, I feel as you grow and have more products that are being built with infrastructure as code, does it lead us to a land of, I think, in the Lambda world, for people in the self serverless environment, they talk about way too many Lambdas.

Is there a world of way too many Terraforms?

Cole Morrison: Yeah no. The world could always use more Terraform. But, in [00:09:00] essence, the cyber security side of it is that it's not just about me freeing up my time as a developer. Or as a platform engineer, or whatever you want to call yourself. It's that I'm freeing up also the concern that the network module that you're deploying, that I've crafted, has every single thing that needs to be in there from a security standpoint, for my posture, right?

All these things. So that when you are making tons of different networks, they conform to everything they should have been, and I don't need to go and check them. Not only that, if I need to make a security update to it, those changes can propagate outwards to all the existing networks, and there we go.

We've got it controlled all the way in the front. Awesome. Your move.

Ashish Rajan: Oh, I knew you were going to go for that. Oh, you did? I sensed it cause I was going to pull the other one, but I'm like Oh, good. Good job. Then I could bring this a bit more unstable. There you go. Okay. Just like next move.

Okay. Let's see.

Cole Morrison: That was, Oh, look at that. Here

Ashish Rajan: we go. Oh, smart. That was good. That was good. Oh.

Cole Morrison: I don't know. Now we're taking the middle blocks out. We took like most [00:10:00] of the like side blocks. Oh, he got it. Wow. Nice.

Oh, aha. Now we're getting, now we're getting there. Okay,

I

Ashish Rajan: can just take it out.

Cole Morrison: I don't know about that one, man. Oh, wow. Now it's getting pretty top heavy. We're gonna keep going

Ashish Rajan: for the base.

Cole Morrison: Ah,

Ashish Rajan: yeah. And the platform engineering, what would you say is, some of the more mature ways you're finding security teams use automation infrastructure as code to have security obviously, you're talking about the initial phase of having security already part of it, is that more when security engineering teams are developing their own Terraform modules, or is it more by using the different options for, say, secret management? What do you see is the easiest starting [00:11:00] point, A, and how do you see people do that?

Cole Morrison: Easiest starting point, interesting. The easiest starting point is absolutely what we've mentioned there is you get to, every time you build a module that gets reused, you get to invest in the exact standards that you want. Yep. And the second side of this, which honestly sometimes will come first because people won't think of modularity at first, is policy as code.

And that's using something like Sentinel or OPA to say, okay, when we get new infrastructure as code in, let's look through it and make sure that the bucket's not left open, right? The servers don't have SSH access enabled, or the security rules only conform to particular CIDR blocks that we want.

And let's just make sure we check that every single time. And if you haven't invested in reusable code yet, you at least have those guardrails. And it can also be simple stuff like no Friday deploys, like different things like that.

Ashish Rajan: Oh, no Friday deploys, I like that.

Cole Morrison: My team actually has that set on across like our entire account.

Ashish Rajan: Really? So there's no deployments on Fridays?

Cole Morrison: Yeah, no. Sometimes we'll bypass it, but for the most part.

Ashish Rajan: For the most part, so you don't want to go on a Friday 5 p.m. deployment freeze at that point in time. Yeah, for sure. Fair. Now that we've spoken about the [00:12:00] maturity, the different kind of roles, where do you see as Is it my Oh, sorry, it's mine.

Sorry. You're good. You're good.

Cole Morrison: Oh, wow. Wow. Okay. Oh.

Ashish Rajan: Oh,

Cole Morrison: that one. Ha. Look at that. Oh, that's cursed. You should not touch that one. Yeah, I'm like, I have to actually, if you make it collapse, you lose. Actually, you should certainly go for that one.

Ashish Rajan: Yeah, it's gonna collapse either ways, I think. I feel like So does

Cole Morrison: that have I1?

Is that what that means?

Ashish Rajan: You would have. But now I think

Cole Morrison: I

Ashish Rajan: have an opportunity.

Cole Morrison: Ha. I don't even know if there's any, oh actually I can be really easy here, there we go.

Ashish Rajan: Oh, damn you

Cole Morrison: oh.

Ashish Rajan: The table is shaking. Aha, okay. I'll try and get this one out. Oh

Cole Morrison: oh that one's loose too. Oh, wow. Cool. Okay, now I think. This is the moment where it's gonna happen I think. Yeah, I think the only other one is, oh, these are like low hanging

Ashish Rajan: fruit. Yeah, okay. I

Cole Morrison: think this might [00:13:00] be it. I think I'll just take that out.

I'll. So now we're doing the like. Are we just taking the top off? Yeah, now we're just taking the top off. Because now we're at that.

Ashish Rajan: Are we really going to just,

Cole Morrison: what happens if we just keep deconstructing it from the top here and we just keep going this way, right?

Like eventually we're just going to have to de take, because I don't think there's any other ones we can take. I

Ashish Rajan: would think that there would be a rule against this. Otherwise it would never end. Now that we've defined self service, it could be complex as the complexity of these rules. Yeah. I am happy to call that this is going to fall at this point in time, but since it's your move, you're going to have the honors of

Cole Morrison: So here we go.

Ashish Rajan: Yeah, okay. Okay.

Cole Morrison: All done. Go ahead and start doing that. But wait, shouldn't I take away one though?

Ashish Rajan: Oh, yeah. Actually, you

Cole Morrison: know what, we'll put one in for credit. Then I'll go. Yeah,

Ashish Rajan: okay, fair.

Cole Morrison: Okay, here we go.

Ashish Rajan: Oh, it's still pretty unstable. Here we go. We're gonna just

Cole Morrison: Oh! Look at that. That worked.

Ashish Rajan: Look at

Cole Morrison: that.

That

Ashish Rajan: definitely worked.

Cole Morrison: Wow. Look at [00:14:00] that. That was like I should get like a coupon for that. Yeah, you clearly

Ashish Rajan: have done this before, for sure. Are you just flicking it? Yeah, I

Cole Morrison: totally just flicked it. That was pure luck that worked. Alright. There he is. I'm undefeated in Jenga. Yes. 1-0, lifetime record.

Ashish Rajan: Is this your first HashiConf by the way?

Cole Morrison: No, this is my first. Fourth? Third? Fourth? Oh, yeah. So I've been with Hashi for coming up on 4 years here pretty soon. Oh, wow.

Ashish Rajan: Do you feel like the kind of audience that you're seeing in the maturity and all of that, how have you seen it being different between the first one and now that you're on the fourth one now?

Cole Morrison: That is, that's always interesting the more any of the tech companies seem to get further, right? Four years ago, a lot more front line engineers are obviously a lot more plugged in. And but as we go further, the more we get more of a mix of technical decision maker, right? Customer C suite, because obviously we get more customers, right?

We get more people making decisions. We need to understand what exactly their engineers are trying to champion upwards. So we start getting the [00:15:00] pressure from both sides. Oh, leadership wants to see it because they've heard of it. Engineers still want it. As a result, the audiences that we see start becoming more and more of a bit of a diverse mix of the entire company roster.

Ashish Rajan: Like tech stack in a way. Yeah. I guess I'm also thinking about people who are looking to attend probably the next one. Yeah. Would that be more for people who are in the infra, security, CIO, CTOs, or who would you put that as?

Cole Morrison: To piggyback off your previous question, actually this is the first year we've added an entire business track of talks.

So that's how much, like, how much more audiences started changing. But we also have a third cloud engineering track as well. So we just continue to grow and add those outwards. So this year we have five different tracks. We have two cloud engineering tracks, one business track. One education track for specific hands on work because we have a lot of people coming and they just want to learn the space.

And then a hallway track for community members and a lot of other people with lightning talk ideas. So the reality is we're growing in all the directions, new people to the system, people that are mature, frontline users, and then of course the business decision makers. It's really not anyone who can't get something [00:16:00] out of it.

Ashish Rajan: And also because most of the security tracks are in there as well as the cloud engineering ones. So most of the security conversations are also in that cloud engineering piece and the business piece as well.

Cole Morrison: Yeah, there's a lot of big mix. I will say that for this particular HashiConf, day one is very infrastructure focused and day two is going to be very security focused.

Ashish Rajan: So quite an integral part then. Is there a favorite thing you look forward to at HashiConf now that you've been to four?

Cole Morrison: So like the stereotypical things like, oh, the networking, it's the people, which sounds, You sound so excited

Ashish Rajan: like this. But it's true

Cole Morrison: because Hashi is very, we're a remote company, right?

So we don't get to see as many of the employees, the customers. Oh, yeah. Or even

Ashish Rajan: your colleagues for that matter as well, because they're remote for us as well.

Cole Morrison: So you get to see all the people you've been working with and talking about talking. About, yeah, talking about, in person. It's oh, you're not as bad in person as I thought you were.

But that, but of course, getting to see the creativity that, from the different use cases that customers and practitioners will come in with. You can really spark your imagination, either show you the art of the possible, or show you that the art of the possible you thought was it, wasn't what you should be [00:17:00] focusing on.

There's a lot of learning and tacit knowledge at these conferences that you don't get when you're just, online, complaining on a GitHub issue.

Ashish Rajan: Thank you. Awesome. And where can people find more information about HashiCorp and the work you do there as well on and educate themselves on this entire space?

Cole Morrison: Yeah, so two main hubs. Obviously, the first one being the official website hashicorp.com and then the second one being developer.hashicorp.com and that is our website geared towards all the different tutorials, the engineering ideas. Oh, and use cases and stuff as well. Use cases, yeah. That one's very geared towards the hands on, how do I get this done, but also the architectural, what does this look like from a high level perspective.

Ashish Rajan: And how does it integrate with the cloud provider.

Cole Morrison: Yep, how to set it up with all the different providers and the like. Oh, that's awesome.

Ashish Rajan: Dude, thank you so much for coming on the show as well and sharing all that with us.

Cole Morrison: We weren't even playing it right for the first

Ashish Rajan: yeah I guess clearly the new rules are still broken by the time I won or lost. But I appreciate coming on.

Thanks so much. Thank you.

Thank you for listening or watching this episode of Cloud Security Podcast. We have been running for the past five years, so I'm sure [00:18:00] we haven't covered everything cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info@cloudsecuritypodcast.tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity. How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT and everything else continues.

If you have any other suggestions, definitely drop them on info@cloudsecuritypodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.