Hi, this is Swapnil Bhartiya, and welcome to another episode of T3M, or Topic of This Month. The topic of this month is, of course, security, and today we have two guests from SUSE: Glen Kosaka, head of product security, and Fei Huang, VP of security strategy. Glen, it's great to have you on the show.

Thank you. Thanks for having us.

SUSE has been around for a long time. Actually, SUSE, you folks kind of also created the whole commercial model of Linux and open source, so you have seen a lot of history, and you folks also serve customers all the way from newcomers to mission-critical applications. So you have seen a lot in this world. If I ask you folks, how have you seen the evolution of security from the traditional IT world to this modern cloud era?

Well, Fei and I have been in security for pretty much our whole careers, so of course we've seen it from the early days. But most recently, it's really exciting to be part of the whole cloud, Kubernetes, containers movement, and then to focus on security for those specific infrastructures and use cases.

As Glen mentioned, we have been working in the security space for maybe 20-plus years, and we have seen this tech trend keep happening. We saw virtual machines come out. We saw containers come out. We saw Kubernetes come out.
And now serverless is coming out. So you can clearly see the technology evolving, changing, and upgrading step by step. At the same time, of course, as a security player, we try to follow the trend and put security on the same boat, or the same train, to keep evolving and upgrading the security solutions for the industry.

When we look back at the whole evolution of security, talk a bit about when you see things like zero trust architecture or zero trust networks; you talk about shift left, GitOps, the whole DevSecOps. The governments are also doing a lot of things in the security space: the Biden administration has done some things, SBOMs and so on, and in Europe a lot of things are going on as well. So talk a bit about how you're seeing the evolution of security in a way where organizations are actually getting actively involved. They're not passive consumers of security, but they're becoming active players in making sure that their environments and their workloads are secure.

Yeah, great question. I would say the biggest shift in security is that, with Kubernetes and cloud-based infrastructures, it's moved to what's called a declarative model. You essentially declare the state of what you want rather than declaring all the bad stuff you want to block, and that is applicable not just for spinning up cloud infrastructure; it's useful for specifying what security controls you want to have in place. So, I know Fei can talk a lot more about how this relates to zero trust, but the big picture is that security used to be blacklists and block lists of bad IPs, and that's what you're looking for, so you're always behind. You're always looking in the rearview mirror. Whereas moving to a new model,
you're simply going to declare what the behavior is that you want to trust, and that has implications for security, for how you can shift left and how developers can become involved in declaring all that. It's really an exciting time to be in security.

Yeah, to add some color to that, I call the old model of security kind of a reactive model. Basically you see a virus, you try to find the signatures and keywords to catch it, but tomorrow you'll see another virus and you do this again and again. This is definitely always a chasing game. But in the new cloud-native world, for the first time we got a good chance to not do it this way. We call that a proactive security model. You don't need to keep chasing the signatures and keywords anymore, because you can use this declarative model to define: hey, this is the right behavior my application should always do. With that baseline, anything else will be treated as suspicious or malicious, something you should not do. So in this way you basically turn the table around. You are able to proactively protect the workload in the new cloud space. The beauty of this is two things. One is, I think it basically gives you a way to do zero trust at runtime. Zero trust is not only about access control; it's also basically that you should not trust behavior which this application should never do. This database should never be accessed by an application which is not related. So turn the table around, and this becomes a zero trust concept for the runtime. Another thing we can talk a little bit about is automation. This makes automation possible. In the old ways,
we know that you have a huge virus database, maybe thousands or millions of records. They're going to slow down your processing time. But in the cloud-native world, when the workload scales out to thousands or millions of copies everywhere, how can you scale your security for that and keep the efficiency? So this zero trust model, as I mentioned, becomes possible because the valid behavior can only be very limited. It doesn't matter if it scales a hundred times or a thousand times; it can still be three or five policies. So this is the way we look at the world. We think this new proactive zero trust model is a better fit for the cloud environment.

You covered a lot of areas there, and I do want to pick some of those. You talked about automation, you talked about zero trust, we also talked about the whole shift left. When we look at security, it is as much about tools and technologies as it is about people and culture, because if you don't have the right culture within organizations, these tools are not going to help. So as you're seeing the evolution of the security landscape, how much are you seeing that a cultural shift is either happening, or that a cultural shift is important?

This is an issue all of our customers are wrestling with. You have traditional security teams who know how to operate, let's say, a next-generation firewall, but don't know about the dynamic, declarative nature of Kubernetes.
That's completely foreign to them. So the notion of declaring security rules for applications as they come into the pipeline and get automatically updated is completely foreign to them. At the same time, you have operations and developers who, with the shift left, are being asked to care about security issues like what network connections are allowed and what process and file activity should be allowed in their app. But they don't understand zero-day attacks and deep packet inspection and why that's critical to maintaining runtime security. So there is an educational process going on with these teams: a changing of who is responsible, how they are responsible, how those responsibilities are implemented in a company, and what processes they need to create so that they have the right checks and balances throughout the pipeline.

That's true. I mean, this DevOps momentum is already changing the whole ecosystem. We know that developers now build containers, right? That's why security also shifts left. Developers not only care about their applications now; they have to think about how their configurations should look to be the most secure later, when they run in the cloud environment, and how to scale that out and make sure their configurations follow. So that's why there's another concept: security policy as code. Security policy as code is actually an example of security shifting left as well, because the developer understands the behavior of the application. They can clearly declare:
hey, this is my behavior. I define that as a manifest of the security policy. Then it follows the pipeline, is transferred all the way to the runtime on the right-hand side, and it just applies. So this is definitely, as you mentioned, the culture, the pipeline, the whole thing is changing, and definitely more and more developers have to be involved in some security decisions. So this is exactly what we are seeing in the field.

When we talk about this cultural aspect, and we do talk about things like DevSecOps, ideally these things are moving into the developers' pipeline and developers are getting involved. But the fact is there are certain areas where we do need specialization, or where security is not that easy. Let's say in the old days it used to be silos: networking folks, storage folks, security folks. Today it's not about the silos, but there are folks who are specialized or interested in that particular field. So when we look at this whole "security is everybody's problem, it's an organization-wide problem, DevSecOps, shift left, everything is moving into the developer pipeline," what is happening in reality? Because when you look at your customers, you cannot expect developers (yes, they realize it; you talk about security as code, and when we look at infrastructure as code, it is there to make things easier for developers so that they can embrace these practices), but we cannot expect them to become security experts.

Two areas: vulnerability management, and compliance, auditing, and things like that, which is a very specialized field.
So organizations exist to look at vulnerabilities, figure out which ones are most impactful, figure out how to remediate those, and track those. So that's an area where you still need those specialists. Of course, now the vulnerability scanning results are coming from everywhere in the pipeline, so that's what's different. And then, for example, diagnosing a zero-day attack during runtime, when you're getting all these alerts and events: oh my god, there are these network connections, this application is not behaving as it's supposed to. You're not going to ask the developer to go in there and check it out, right? So you do need the traditional security team to go in there and investigate and try to figure out if there is a kill chain in progress or what data is being compromised, just like you would have had before.

Yeah, another point is, that's also the job of what NeuVector is doing. We try to make security easy, not too complicated for developers to use, but we try to give them the right tool, the deep visibility, for them to easily understand the environment and to scale as well. Even though at runtime you have complicated zero-day threats, we can visualize that; we can give you the minimum effort to apply defense in depth in the runtime. So with the right tool, you are able to leverage a lot of knowledge from security experts. You don't need to know everything by yourself, but you have the right tool to help you with that.

I have a question regarding security: something developers don't want to do is go and talk to security teams, because they slow them down. They're like, "Nope, you can't release that." How do you see organizations reducing, or how can they reduce, the friction between these teams?
Realistically, hypothetically we'll say, hey, it's DevOps, it's zero trust, it's shift left, but talk about what you're seeing in reality and how they can improve this.

Yeah, that's a good question. This week is RSA week; a lot of people may know that. We have a talk at RSA. The topic is zero-effort zero trust security. I think zero effort is one of the keywords I want to highlight. Security has so many things inside it; it's really complicated: network, endpoint, APIs. As I mentioned, with the right tool, leveraging the knowledge and grouping them together, we're trying to give the developer a chance to understand at a certain level, but also make it really easy to use. My own thinking is that in the old days, security was kind of like a black box, with security experts thinking, "Oh, this is too advanced for normal people; I'll configure my firewall," etc., etc. I don't think that's going to scale. That's not a good way to scale security in this new world. We try to make things easier for people to use, and at the same time they don't want to lose any advanced capabilities. So how to balance that is tricky, but a lot of companies are doing that already. So that's why there's an RSA talk from our NeuVector folks trying to present the idea there.

Yeah, when we look back at this discussion today, if I ask you, if you look at modern companies, or even companies who are at a very early stage of either their digital transformation or cloud journey, are you satisfied with the way they are approaching security, where you're like, hey, these companies got security right?
They are making an effort. The fact is security is not a product; security is a process. It's a cat-and-mouse game; bad actors will always be there. But at least are we on the right path? Or do you feel that we are at a stage where we still need a lot of awareness, we still need to develop all our tools, we still need a lot of cultural changes, so that we have not reached our destination? I mean, nothing can be fully secure, but are you satisfied with the security progress, or do you think a lot of work has to be done yet? What do you think?

We have customers completely across the spectrum. There are some who really have embraced the whole dynamic, declarative, automated security as code, infrastructure as code, and integration of DevSecOps, combining traditional security with modern security, and we love to work with them, because it's very exciting to see them actually declaring security and managing this security as code in their pipeline in a GitOps fashion. That is so exciting. But at the same time we also have companies who are kind of stuck back in the old culture where they have silos. They're trying to apply traditional security concepts to a modern architecture. The security team doesn't really talk to the operations or cloud team or development, and it's a challenge working with them. Sometimes they're only focused on getting vulnerabilities out, and we say, well, there are runtime security issues. How are you going to know if you're under attack in your Kubernetes cluster?
Well, we need to focus on vulnerabilities first, and then we'll get to the runtime later. So it is a challenge, but at whatever stage the customer is in, we want to help them along that path.

Yeah, there are best practices and processes. As you mentioned, a lot of companies have suffered, but they know they have to move forward. So, as Glen mentioned, a lot of companies are at a stage in the transition to the cloud-native world. Maybe on the other side, a lot of companies are already there. They have already shown people: hey, this works for me; it's already scaled out. So there are multiple stages there. As one of the vendors, and a lot of ecosystem vendors as well, our job is basically to smooth the path for them to transition to the new world. And it doesn't matter whether they only care about scanning, care about the pipeline, or they also care about runtime and care about compliance; the tools and solutions should be able to help them, even process-wise, pipeline-wise, supply-chain-wise. Security solutions should try to fit in, just solve their issues, and not disrupt their process, right? Just be part of it. So that's kind of our job: to fit into the pipeline, fit into the process, to help customers.

Yeah, so many details, I know. Is there anything else that you feel,
hey, we should have talked about that also, that was critical, but we did not discuss it? Or do you think that we had a broad discussion about security?

Yeah, one thing I'd like to add, and it's kind of related to this transition from traditional security to modern security, is that, as Fei mentioned, you have to support both aspects of it, because, for example, PCI requires you to have a web application firewall and do vulnerability scanning. So companies do need to check the box and meet certain compliance requirements, and they have certain processes in place for detecting security threats. So what we've had to do is build both the reactive security model into NeuVector as well as the proactive, so that if they need 80 percent reactive to start out with and dabble in the more proactive, they can do that. But if they want to be completely proactive, completely automated, a total zero trust model, then they don't really need to do vulnerability scanning or web application firewall rules, because we're going to build that detection into the new model. And that's important: to be able to bridge those two areas of security.

Only one thing to add on: if you look at it from a different angle, security also needs to be full stack. Full stack means you think about the layers of software infrastructure. You have the operating system, you have the orchestrator, you have Kubernetes, then you have the container engine, then you have application workloads. It's layer after layer. When you talk about security, for production-grade security, it cannot be a one-point solution, right?
You're going to have to have the full stack secured. And today in the market it's really hard to find a solution able to cover the full stack. But luckily, NeuVector and SUSE together, we do have a really strong story around that, simply because we have a secured operating system layer as a foundation, then you have Rancher Prime, which is secured and hardened by default, and you have NeuVector added on top to do the proactive zero trust model. Think about the full stack view: the whole thing is taken care of. So this is also important. If you don't have the foundation layer, like from SUSE, that's fine; you're going to have to find other tools to secure your operating system, to make it fit a certification, for example. So the whole stack has to be secured. Otherwise, if you have even one hole, you lose the protection, right? So that's another point I would like to make before we wrap this up.

What I do want to do is kind of wrap this whole discussion up. There are a lot of things that we talked about, but what advice do you have for companies? Of course, as you said, there are companies at a very advanced stage; they know security. This is not for them. But a lot of other companies are still trying to figure security out. What is your advice so that they can ensure that they have at least some security standard,
that their posture is more secure?

My advice would be: it's a journey of many steps. So start taking the first steps; go as far and as fast as you can, as your organization can. If all you can do to start out with is vulnerability scanning, then do that well; do it in the pipeline; use other traditional tools around it. But make sure you are on that journey to get to the modern cloud, declarative, zero trust security model, because that's what's required to really have true defense in depth in the future.

My suggestion is to take the low-hanging fruit. Pick the low-hanging fruit first to quickly get security to a certain level. And we do have a security guide, by the way. Glen and I wrote a security guide for Kubernetes. That's a good way to take a look, and we have steps, like step one, two, three, four, what you can do. You can do something easily and quickly to get some level of security. Then you can do more when you feel more comfortable, when you scale out more. So it does have a lot of content inside. But yeah, as Glen mentioned, try something quick and easy to have good coverage and practice first, then do more based on your situation or your plan.

Glen, Fei, thank you so much for taking time out today. I loved the discussion, I loved the conversation, I loved the advice as well, and giving us a state of security today. I would love to have you folks back on the show. Thank you.

Yeah, our pleasure. We love talking about this. It's a favorite topic, so glad to be here.

Thank you a lot. So happy to drill into details. I know today was a very high-level conversation, but anytime, if any detailed information is required or needed, feel free to reach out to us. Happy to help you on anything, or to discuss or collaborate. Thanks.