Good afternoon. My name is Justin Smith. I work on security at Pivotal. Thank you guys for giving me the opportunity to speak.

Something's kind of interesting. I'm not sure very many people can say this today, but I love what I do, right? And I have for quite a while. Some days are frustrating, right? But I actually love what I do. I feel like what I do is important. I feel like it matters. There's a lot of technical challenge. And what I hope to do today is actually describe to you what I think could challenge convention in enterprise security. Right? Typically, enterprise security talks are not that interesting. I think this is actually really interesting. I hope to present and motivate why security is important. At least it's my perspective, and there's lots of other people that share their perspective. And then I really think it's important to talk about how Cloud Foundry fits into that future.

And I'd like to start with a little factoid. How often is the Golden Gate Bridge painted? I'm sure several of you know this answer. The answer is it's painted every day. So there's like 20-ish people that wake up every day and they think about their day and they say, I'm going to paint the bridge orange. Every day they go to work and paint the bridge orange. I don't know if that strikes a chord with any of you in the audience. There are days when it strikes a chord with me. On the surface, it looks like a very mundane task. It looks like something that would just drone on and on. There's actually no end state whatsoever. I think if you were to talk to those people, some might have that perspective. But like life, if you change your perspective a little bit, it's actually a pretty empowering thing to do. You could look at it as they're protecting a national treasure. Very much the Golden Gate Bridge is a national treasure. And it's almost an act of love. When we look at enterprise security, we tend to think about it as the mundane sort of endless task.
I actually view it as a labor of love. And I think that kind of shift in thinking is really important for us to embrace.

And there's another aspect of this that's really important. The bridge is always changing. I would imagine that to some extent there would be flare-ups around corrosion. Maybe something new has been done to the bridge and it needs to be protected immediately. So they go in and paint it. But I would also assume that there's an act of maintenance where it's just sort of continual painting. I actually don't know anything about bridge maintenance. I'm making that up. I'm just assuming that's the case. But the bridge is changing. Continual change is a concept I think we have to embrace in enterprise security. And it's still not the case. I want to make it the case.

Any talk about security is going to have to include descriptions of features. Features, features, features. I want to run around on stage and just scream features. There's lots of cool stuff that we have done in the community, Cloud Foundry, in the last year. There's lots of stuff that's right on the cusp of shipping, too, that I think is absolutely important. I don't want to talk about it. You can read about this stuff. You can look at it online. You can engage the community about it. I want to talk about something a little bit bigger. I want to talk about what I think is a bigger concept. And that is how do we make Cloud Foundry the secure runtime? What does that mean? Anybody know, by the way? I don't see a single hand.

One thing that we tend to do in computer science, particularly in cloud infrastructure, and I don't know why this is, we think about features. Show me the feature matrix. That is what I want. Show it to me. I can go to 10 different banks, and they can all have a completely different view of a feature matrix. Kind of interesting, right? So we've got to ask ourselves, what does it mean to look at the atomic features and try to assess the security of a platform?
Security is a pretty difficult, complex topic. Let's do a little bit of a mental exercise and think about something much more everyday. Think about a car. What are the features that actually define a car? Think about number of wheels. Some cars have four wheels. Cars have had three wheels. They tend to be a little bit unstable, but technically it's happened. Trucks can have six wheels or more. Some vehicles actually don't even have wheels, like a half-track. It has tracks. Oh, my gosh. Where's the commonality there? Think about engines. The Blue Flame, it's a rocket car. There are cars that have jet engines. There are cars that run off of solar energy. There are cars you can plug in the wall, and then there's, of course, the internal combustion engine. Cars have a really wide spectrum, but if we want to define them as a set of features, it actually becomes pretty difficult.

If we were to see a palette of all the raw materials that go up to comprise a car, we would not look at that and say, that's a car. It's a pile of stuff. So part of a car means it has to be ready to use. If we were to look at two parts to a car, a brake component and a steering wheel, we wouldn't call that a car. It's car parts. If we were to see a whole car that was missing a brake assembly and a steering wheel, we'd probably still call it a car. This is really hard to define, and it's in our everyday lives. If we look at it as a set of atomic features, we will never get anywhere. Instead, we know that we take a holistic viewpoint to something as everyday as a car. We assess its value based off, does it add value in our life? Does it actually do what we expect it to do? Can we go from point A to point B?

I think we need to adopt that same kind of viewpoint in cloud infrastructure, particularly with security. I know it's a way that we look at things at Pivotal. We look at technology with a very holistic lens.
We have opinions about how technology should be put together, about how you should build software, what works best, and I think it's time to take that concept and apply it to security.

So what is it that we're actually trying to attain with security in the data center? Go talk to a big enterprise. Their threat surface area is enormous. Cloud Foundry is obviously about the data center, so let's hone in on the data center. Let's scope it way down. What is it that we're trying to do inside the data center? My team and people that I work with are like, please stop scaring us when I go talk about stuff, but you can look on the news or look at Norse Corp and see basically active attacks that are happening all over the world. If you think about it too much, you can actually get paralyzed by it.

For us to understand what we mean by security in the data center, I think it's really important to understand how big it is. How big is this problem? I'm jaded, right? I work for a software vendor. At some point I'm trying to sell you software. Don't take my word for it. Look at somebody else. Look at a very serious professional whose job it is to protect the U.S. Every year, has anybody heard of the Worldwide Threat Assessment? It's a pretty interesting document. You can go find it online. The intelligence community every year puts together a worldwide threat assessment and they publish it and they actually present it to the Senate. The Director of National Intelligence aggregates all this information and presents it to the Senate. It's a very U.S.-centric document, but I think the concepts in there apply globally. Right?

This is really interesting. Look at the 2007 report. What happens? There's a bunch of stuff in there that we would expect just from watching the news. There's not really a mention of cyber attacks or cyber warfare. Something has changed. 2013, 14, and 15, there's been a tidal shift, like nothing I have seen before in my career.
This is the table of contents to the 2015 Worldwide Threat Assessment. The order is not an accident. Look at this list. Mass destruction proliferation. Are you serious? We all identify with that, but cyber attacks, number one, how does that work? And if you read that first section, if you look at it really carefully, they're not talking about massive attacks on infrastructure. They actually call out: we're less worried about an Armageddon-style attack. We're more worried about a bunch of low to moderate attacks against a bunch of companies. And it just devastates the economy. It's number one. Death by a thousand paper cuts.

I believe the work that we do matters. Right? It matters to our customers. It matters to our shareholders. And quite frankly, it matters globally. Make no mistake. And the other thing that's interesting about this is corporations are listed. Literally corporations, assets of corporations, are listed on the first page of the Worldwide Threat Assessment. By the way, if you work at one of these companies, particularly one of the ones listed, you know that you're on the first page. This is not a surprise. And by the way, if you work at one of those organizations, it's a really intimidating thing because there's no one to call if you get attacked. I've been through those types of situations. They are not fun. There is no 1-800-Ghostbusters. You're pretty much on your own. This is serious.

So in the 2015 report, there's basically four companies that are listed. There may be a couple more. Two of them are on the first page. Interesting metric for Cloud Foundry. Both of the companies that are listed on the first page have suffered a terrible breach or breaches. Post-breach, both of them use Cloud Foundry. I don't think that's an accident. There's a reason there. It's not about individual features. It's about something bigger than that. What we want out of Cloud Foundry is for it to be resilient against attacks. It's not that attacks won't happen.
You want to be able to survive attacks, give a little bit, and then go back to normal state. That's the concept. That's what you want from a security point of view in your Cloud software.

And so to understand how to be resilient, you have to think about what the threat is. What's the shape of the threat that we're trying to resist? Right? If you go to an enterprise security team and you say, what are you most worried about inside the data center? They'll say a lot of stuff. But there's one type of threat that will absolutely terrify them. A bunch of names for it. Sometimes called a worm. Sometimes called malware. Of late, it's been sort of sensationalized as a label of advanced persistent threat or APT. This is a really funky thing. It's usually initiated by nation states, but it doesn't have to be. It finds its way into a data center. It worms around to different servers. It observes either stuff that's happening on a server or stuff that's happening locally or on the network. It collects information, bounces around, and then does an exfiltration. It's a big deal. Anybody heard of this kind of thing before? Yeah, a little bit.

Now, the latest vogue is for these types of attacks to ransom data. So actually take a key and just encrypt a bunch of data if it hasn't been backed up, and then you've got to pay them to get the decrypting key. That's a lot of fun. So no exfiltration. We'll just take all the data and protect it. That's basically one of the threats. And I think it's a huge threat. It's a big one.

What do these things look like? What do they require to thrive and survive? Well, you can look at lots of data that's out on the internet about how these things work. There's lots of breach reports. 2015, there's a Verizon data breach report that's really fascinating reading if you're a person like me. I've read a bunch of these things, and I think there's some common denominators.
I think there's really three things that are sort of consistent across a bunch of different types of breaches.

One of them is vulnerable or misconfigured software. This is almost a must-have. Patched software is rare in the enterprise. It seems like it should be basic. It's actually not. Vulnerable or misconfigured software is an absolutely essential component to these types of attacks.

Another one is time. These types of attacks require a non-trivial amount of time. They require time to gather the information that they need or that they want to pogo stick around and do damage. It's sort of obvious, but it's a really important dimension.

And then the third one is leaked credentials. Now, at times in my career, I have gone on this warpath to try to get rid of usernames and passwords, and I failed miserably. I think they're kind of just here to stay. So credentials, in this sense, are not so much about usernames and passwords for human beings, like carbon-based life forms. They're actually credentials for silicon-based life forms. So I'm kind of such a loser about computer science. I anthropomorphize processes. Sorry. But process identity, things like what's my username and password to connect to a database or a Redis service? When those things leak, really bad things happen. Right?

These, I think, are three essential components. There's more, but this is a pretty important list. If malware were a weed and the data center was a plot of land, it would look like this. It is like this pastoral setting where there's abundant sunshine, there's abundant soil, and there's very clearly water somewhere. Right? And so if you're a malware author, you're like a malware farmer, a weed farmer, you can just sprinkle your stuff around and it's going to take root. Not hard. The barrier to entry can be fairly low. Right? It's kind of a problem. This is literally what data centers look like to an attacker. And this is not symmetric conflict. This is very asymmetric. It's not fair.
So what's the software industry done to try to deal with this? Well, we're the ones: the software people, the professionals (I am partly to blame for this) have built such sucky software that it resists change at all costs. Right? Look at router, you know, firewall configurations. Go to a big company and say, how many firewall rules do you have there? We've got a lot and nobody wants to touch it. Right? How often do you rotate your TLS credentials? No, no. Not going to do it. Right? These are things that we just tend to avoid. We've built software like that and we've created this pastoral scene. It's a real problem.

So what's the software vendor's answer? More software. We created the problem and we're going to solve the problem with what I believe is a very flawed set of assumptions. And this is what we do. This is the state of the art today. We're going to put monitors in place to make sure weeds aren't growing. No, change that. We're going to look for weeds that are growing. So we pay vendors money, little bags of money, or sometimes big bags of money, to watch for certain things going on inside the data center. This is really goofy to me. And then there's some vendor that gets the golden ticket because somebody's got to monitor the monitors and you pay them a lot more money because they have to monitor other stuff that's going on. And they may use machine learning. Wow, cool. Right?

Now I'm not saying all monitoring is bad. I'm just saying the premise is kind of weird to me. I don't accept this. I do not accept this concept. It kind of bothers me, actually. I get pretty wound up about this kind of stuff. But look, a weed just appeared. Bing! And one of the flags went up by a monitor. And the monitor didn't fix the problem. It didn't go pull the weed. It just sent up a flag. So if you're in the enterprise and you have all these, you've got to deal with a massive number of notifications. So you buy more software to figure out how to deal with the notifications.
This is a never-ending cycle. There's a reason security teams inside of enterprises are grumpy. Right? They really are. They've not had good tools and they've been in a losing battle. If you go back to the bridge painting metaphor, you see the orange. That's kind of what it feels like to be in an enterprise security team. Right? Software resists change that we sell to enterprises. So the culture naturally resists change. This is a buyer, seller, sociotechno sort of system. Right? And so we have grumpy people that don't want to change. And I don't blame them. If I was in their shoes, I'd be exactly the same way.

So what do we do? Current approach is not working. I assert we should try something quite different. What is that? Well, let's shift our perspective. Painting the bridge doesn't have to be about painting the bridge every day orange. It can be about something different. Right? What does that look like? Let's challenge conventional thinking.

There's software today that you can buy that will help you figure out which patches you can apply because it's based on the assumption that you can never patch everything. So let's throw that out. What if you could patch everything reliably with zero downtime with the push of a button? Strike a chord with anybody? That's a big part of Cloud Foundry. We can do this. We're opinionated. We have the operating system. We also have the web server. We have the application container. We have the whole stack. We monitor that thing at Pivotal. Right? That's what other people do as well. Patch it. When you get a patch, please deploy it inside your data center. One of the first things I did when I joined Pivotal was absolutely focus on the patch cycle. I believe it's absolutely critical. And since May, Pivotal Cloud Foundry has had 30-ish releases of Pivotal Cloud Foundry that are mostly driven by vulnerabilities and dependencies. That's a lot. It's week 20. Week 20-ish, 30 releases. Non-trivial. I believe we're quite good at this.
And I think the community benefits from it, quite frankly, without a question.

The other one is really funny. Repave. Repair your software. Repave. When I entered enterprise software, it used to be bragging rights. How long could my server live if they had counters like days since an injury in a factory? And they would flip the... I don't know. But it was a badge of honor to have something that's lasting for years. It's been 18 years since I've had to reboot that. No, that is broken. No. No, no, no. What if we were to say inside of our data center we were to play a different game? What's the minimum amount of lifetime my VM can live? What if every server inside my data center had a maximum lifetime of two hours? Huh. Think about it from the malware author. That means you have to play a video game and get to level 100, but you can never get past level 5 because there's not enough time. Frustrating as all get out. Does this command look familiar? Cron job. Right? Not. Guys, this is part of our architecture. This is the way that we're built.

And the last one is about rotating credentials. We have some work to do in this area. It's an area that I'm keenly focused on. But I think when we get it we're actually going to have a unique story, right?

The idea is repair, repave, and rotate. The three Rs. These are features that upset the apple cart. These are not about features of saying, do I have this particular key agreement protocol? These are features that change the game. And I think if we do it right it means to get safer, you go faster. That's the exact opposite of how organizations think today. It will turn this pastoral landscape into something that looks like this, the Mars surface. And unless you're Matt Damon, you're not going to grow a plant here. And so what I want, and my time at Pivotal, and my time as part of the Cloud Foundry community is to build the system that gives no quarter for malware in the data center. This is not a place where it will survive.
Repair, repave, and rotate. Anyway, guys, thank you very much for your time. Have a great conference.