Guardrails and Paved Roads

Cloud resources are complex! Engineers in cloud-first environments often struggle to provision simple cloud resources that meet their company’s standards, best practices, and requirements. Many organizations introduce central teams (i.e., Platform, DevOps) to help developers get cloud resources set up the way they need. Unfortunately, these teams quickly get buried in ops. There’s a lot of friction to what should be a quick process, but companies tolerate the ops load and slowness because it’s critical to get cloud resources configured correctly and securely from the beginning.

Data shows that misconfigurations are responsible for 90-99% of cloud security breaches. Today, the primary market focus within cloud security is on scanners, which reactively indicate when a misconfiguration is detected. The problem is that by the time you’re alerted to misconfigurations, it’s too late. You have to fix it with cloud vulnerability management, and as an industry, we’re just not good at it. 

In Netflix Information Security, we faced many of these problems, and the best solution was paved roads. Paved roads create a win-win, where developers get what they need quickly with self-service, and the central teams that support them avoid the ops load and ensure correct configurations from the beginning. Paved roads provide other benefits, including resource ownership attribution and safe change management.

In the video above, Jason Chan (former VP of Security at Netflix) discusses paved roads for security, where the concept originated, and how they were effective at Netflix. 

Watch Jason’s interview to learn:

• Where the terms “paved road” and “guardrails” came from
• How an open-source project, Lemur, created a win-win for developers and security
• How to measure success for paved road projects
• What kinds of problems lend themselves to paved road solutions
• How and when to get started with paved roads as a security team

‍