Personally, I'm not a fan of the answers that amount to a cloud-hosted thin client. I use these at work, they're absolute technological marvels, but they suck.
The real answer is a zero trust network that implements:
- multi factor auth
- deployment approval gates
- end to end service encryption
- ALE for secrets and keys
- password managers
- WireGuard tunneling or equivalent
- read only production environments by default; major levers to pull in order to write
- fully partitioned environments, all of which partitioned away from the corporate network of laptops, printers, and security cameras
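The "read only by default, major levers to pull in order to write" item above can be made concrete as a default-deny authorization check. This is an added illustration, not code from the thread or any particular product; the partition name, the approval window and the ticket format are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed values for the example: the network partition a production request
# must arrive from (over the WireGuard tunnel) and how long an approval stays fresh.
PROD_PARTITION = "prod-mgmt"
WRITE_WINDOW = timedelta(minutes=30)


@dataclass
class Approval:
    ticket: str
    approver: str
    granted_at: datetime


@dataclass
class Request:
    user: str
    action: str               # "read" or "write"
    mfa_verified: bool
    source_partition: str     # segment the tunnel terminated in
    ticket: Optional[str] = None


def authorize(req: Request, approvals: Dict[str, Approval], now: datetime) -> Tuple[bool, str]:
    """Default deny. Reads need MFA from the production partition; writes
    additionally need a fresh approval, bound to a ticket, from someone else."""
    if not req.mfa_verified:
        return False, "mfa required"
    if req.source_partition != PROD_PARTITION:
        return False, "wrong partition"          # corporate laptops never get here
    if req.action == "read":
        return True, "read allowed"
    if req.action != "write":
        return False, "unknown action"
    approval = approvals.get(req.ticket or "")
    if approval is None:
        return False, "write requires approval gate"
    if approval.approver == req.user:
        return False, "self-approval rejected"   # the lever needs a second person
    if now - approval.granted_at > WRITE_WINDOW:
        return False, "approval expired"         # levers do not stay pulled
    return True, "write allowed under " + approval.ticket


def run_scenarios() -> Dict[str, str]:
    """Constructed requests exercising each branch; returns the decision reasons."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    approvals = {
        "CHG-1": Approval("CHG-1", "alice", now - timedelta(minutes=5)),
        "CHG-2": Approval("CHG-2", "bob", now - timedelta(hours=2)),
        "CHG-3": Approval("CHG-3", "bob", now - timedelta(minutes=5)),
    }
    cases = {
        "no_mfa": Request("alice", "read", False, PROD_PARTITION),
        "corp_laptop": Request("alice", "read", True, "corp"),
        "read": Request("alice", "read", True, PROD_PARTITION),
        "write_no_ticket": Request("alice", "write", True, PROD_PARTITION),
        "write_self": Request("alice", "write", True, PROD_PARTITION, "CHG-1"),
        "write_stale": Request("alice", "write", True, PROD_PARTITION, "CHG-2"),
        "write_ok": Request("alice", "write", True, PROD_PARTITION, "CHG-3"),
    }
    return {name: authorize(req, approvals, now)[1] for name, req in cases.items()}
```

The point of the structure is that every path that is not explicitly a read from the right place with MFA ends in a denial, and a write needs an approval that is ticket-bound, second-person and time-limited, which is what makes the "lever" auditable rather than a standing permission.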
> - read only production environments by default; major levers to pull in order to write
Yes. In general, it's a good idea to split state management from business logic.
In the simplest case, that means that, e.g., you have a database that's separate from the rest of your site. But the principle applies more generally.
Useful for keeping things simple.
To go further: if you want to log something, you send it to a log server that is super simple and can only write to one location. So if someone takes over your business logic service, they can't write arbitrarily.
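A minimal version of the "log server that can only write to one location" described in this reply, added here as an illustration rather than taken from the thread: the receiver owns one fixed file, opens it append-only, accepts only whitelisted string fields, and refuses anything that names a destination or embeds a newline. The file name, field set and size limit are assumptions for the example.

```python
import json
import os
import re
import tempfile
from typing import Dict, List

# Assumed for the example: the single file the sink may ever append to.
LOG_FILE_NAME = "app.log"
MAX_LINE = 4096
ALLOWED_FIELDS = {"service", "level", "msg"}
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # CR/LF, escapes, other control bytes


class AppendOnlyLogSink:
    """One fixed file, append-only; callers never choose a path."""

    def __init__(self, directory: str):
        self.path = os.path.join(os.path.realpath(directory), LOG_FILE_NAME)
        # O_APPEND makes every write land at the end; no O_TRUNC, and the fd is
        # never exposed, so a compromised caller cannot rewrite earlier lines.
        self._fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)

    def accept(self, record: dict) -> bool:
        """Persist a record from the business-logic tier, or reject it."""
        if not isinstance(record, dict) or set(record) != ALLOWED_FIELDS:
            return False                     # unknown or missing fields, e.g. a "path"
        for value in record.values():
            if not isinstance(value, str) or _CONTROL.search(value):
                return False                 # newline injection would forge a record
        line = json.dumps(record, separators=(",", ":")) + "\n"
        if len(line) > MAX_LINE:
            return False
        os.write(self._fd, line.encode("utf-8"))
        return True

    def close(self) -> None:
        os.close(self._fd)


def read_lines(directory: str) -> List[dict]:
    with open(os.path.join(directory, LOG_FILE_NAME), encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def demo() -> Dict[str, object]:
    """Constructed scenario: one benign record and three that must be rejected."""
    with tempfile.TemporaryDirectory() as d:
        sink = AppendOnlyLogSink(d)
        results: Dict[str, object] = {
            "benign": sink.accept({"service": "web", "level": "info", "msg": "login ok"}),
            # a record trying to name its own destination
            "path_field": sink.accept({"service": "web", "level": "info",
                                       "msg": "x", "path": "/tmp/other-file"}),
            # an embedded newline trying to smuggle a second record
            "newline": sink.accept({"service": "web", "level": "info",
                                    "msg": "ok\n{\"service\":\"auth\"}"}),
            "oversized": sink.accept({"service": "web", "level": "info", "msg": "A" * MAX_LINE}),
        }
        sink.close()
        results["stored"] = read_lines(d)
        results["files"] = sorted(os.listdir(d))
    return results
```

Running this on a host where the sink process is the only writer of the log directory gives the property the reply is after: taking over the service that produces logs yields, at most, the ability to append well-formed lines to one file.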