Guardrails and Paved Roads

In conversation with Jason Chan
Author: Travis McPeak, Co-founder & CEO
Publish date: February 13, 2023

Cloud resources are complex! Engineers in cloud-first environments often struggle to provision simple cloud resources that meet their company’s standards, best practices, and requirements. Many organizations introduce central teams (e.g., Platform, DevOps) to help developers get cloud resources set up the way they need. Unfortunately, these teams quickly get buried in ops. There’s a lot of friction in what should be a quick process, but companies tolerate the ops load and slowness because it’s critical to get cloud resources configured correctly and securely from the beginning.

Data shows that misconfigurations are responsible for 90-99% of cloud security breaches. Today, the primary market focus within cloud security is on scanners, which reactively indicate when a misconfiguration is detected. The problem is that by the time you’re alerted to misconfigurations, it’s too late. You have to fix them with cloud vulnerability management, and as an industry, we’re just not good at it.

In Netflix Information Security, we faced many of these problems, and the best solution was paved roads. Paved roads create a win-win, where developers get what they need quickly with self-service, and the central teams that support them avoid the ops load and ensure correct configurations from the beginning. Paved roads provide other benefits, including resource ownership attribution and safe change management.

In the video above, Jason Chan (former VP of Security at Netflix) discusses paved roads for security, where the concept originated, and how they were effective at Netflix. 

Watch Jason’s interview to learn:

  • Where the terms “paved road” and “guardrails” came from
  • How an open-source project, Lemur, created a win-win for developers and security
  • How to measure success for paved road projects
  • What kinds of problems lend themselves to paved road solutions
  • How and when to get started with paved roads as a security team
