Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya, and welcome to another episode of T3M, or Topic of the Month. The topic of this month is security and compliance, and today we have with us Arthur Tyde, SVP of business development at CIQ Inc. Arthur, it's great to have you on the show.

Arthur Tyde: Thank you. It's an honor.

Swapnil Bhartiya: It's my honor actually, looking at your career graph, the places you have worked, and your whole experience with open source, Linux and security. So I'm looking forward to this discussion, because the first question that I'm going to throw at you, which is going to be interesting, is that security has changed a lot since the early days. In traditional IT, or whatever you call it, the legacy IT world, somebody would write the application, you sell it, somebody else would buy it, download it, install it, manage it. So we used to have sysadmins and all; they still are there. Security was always an afterthought; security was always someone else's problem. But in the cloud-native, cloud-centric world, it has changed: security has become a priority. Developers, of course the labels change (DevOps, DevSecOps, SREs), but security is moving into their own pipeline; it is shifting left. So if I ask you, how have you seen the evolution of security over time, especially in this whole cloud-native, cloud-centric world?

Arthur Tyde: Boy, that's a big question. I'll take a crack at it, though. I think you made a great point actually in framing the question, in the sense that early approaches to security involved a lot of point solutions. You had to have network security, workstation security; it's like one thing after another, and after a while you started to stack these things up and it became very difficult to manage. And of course, that actually creates a wider attack surface. It's not what you want. One of the evolutions of security that I think is really important is just the cloud, right? Because the cloud has allowed providers like AWS, Oracle, Google and so forth to really centralize a lot of the security offerings. So I think that cloud security is in general better security than most of what I see on-prem. I mean, obviously you want to protect your network, you want to protect your endpoints, and no solution is a hundred percent complete, but I do think that cloud migrations represent a more effective initial security posture, and then you can build around that. Another big change, which sort of goes hand-in-hand with that, is the notion of zero trust, right? So the concept of zero trust basically boils down to "never trust, always verify." So any user, service, device, anything on your network should not be trusted no matter where it sits, internal or external. So seeing people look at their security postures from a zero trust perspective, I think, has produced much better environments for the enterprise, that's for sure.

Swapnil Bhartiya: We do talk a lot about, hey, security is becoming a priority, but we continue to see a lot of breaches, of course almost on a weekly basis, because also security is not a product, it is a process. The good guys have to be right a hundred percent of the time; the bad guys have to be right only once. And then in the cloudy world there are so many different ways things can be compromised: configuration, of course bugs are part of software development, social engineering is there (Uber is a good example), patching, and not patching code for which a patch already exists. So when we look at the reality versus when we talk about, hey, security is a priority, when you talk to companies, customers, how much do you see that these processes are actually being followed, that companies are embracing these practices? Of course everybody wants security, but do you see that, hey, companies are still not taking it seriously? They do want it, but they don't have the process in place? Or do you think, no, everybody is fully aware of security, everybody has everything in place? What are you seeing in reality?

Arthur Tyde: Honestly, and this is just my opinion, of course, I think enterprises for the most part are getting it together, because enterprises are really driven by compliance and regulatory issues. So they've got data privacy and protection stuff that they have to deal with; they have a whole raft of cybersecurity regulations that are often required because they have a fiduciary responsibility to protect money, intellectual property, stuff like that; and then record-keeping regulations. So at the enterprise I often see very comprehensive, well-thought-out security strategies. Now as you work your way down to smaller businesses, it gets less comprehensive. But that said, security, patching, updates, maintenance of systems, all of those problems still exist, and they're not really getting any easier. And I can give you a recent example of that, which impacted our company significantly in terms of an opportunity, if you will. So Red Hat and IBM chose to end-of-life CentOS, and there were very big enterprises running CentOS as part of their HPC environments. Now, they would be doing things like airflow simulations, engine testing, vehicle crash analysis, all kinds of simulation work which generates a lot of intellectual property, and then all of a sudden one day they wake up and all of their operating systems and their clusters would not pass a compliance audit. So that's a risk to them. That's actually where Rocky Linux came from. Our CEO was the co-founder of CentOS, as you know, and he went out on the net. He was like, hey, let's essentially engineer the next generation of CentOS, and that's where Rocky comes from. So even an enterprise that has really checked all the boxes in terms of having compliant operating systems and complying with various cybersecurity frameworks like PCI DSS and ISO 27001 and so forth, you can wake up one day and the world can be different. Just like you said, a hacker only has to be right once. There's always going to be a risk. It's going to be very difficult to fight against a zero-day, but the things that you do have control over, such as patching best practices, that's really where you start. You get that right and you're 80% of the way there.

Swapnil Bhartiya: That's where I also want to go with you. If you just look at the last six months, or the last one year, traditional IT versus cloud, and cloud-based, all tech companies; today every company has to be a tech company if you want to survive. What are some of the major security concerns that you and your team see, which are either still there or are new threats? Of course, there are a lot of other things that keep you awake at night, but when you look at these you're like, hey, these are still concerns that are there.

Arthur Tyde: Probably patching. Security patching and updates, that is one of these things where it's a well-understood problem that everybody has had, and not that many companies are really on top of. So if you've got an unsupported OS, and you see that everywhere, if you've got an unsupported OS, if you've got scenarios where you're using software from, I don't want to say dodgy sources, but you should know who you're doing business with. There's a huge amount of shadow IT out there; that remains a problem. And then I guess in the development space, you're still looking at a lot of unsigned packages. You're still looking at scenarios where package verification isn't done. You'll have users who go to unsigned, unauthorized or unvetted package repositories to fill out some blank spaces on a server. That's a lot of the administrative stuff that I see that generates risk. It doesn't necessarily always mean there's going to be a breach, but, kind of back to your initial point, we want to reduce the attack surface, not expand it. So if we apply zero trust principles, then everything needs to be verified and everything needs to be authenticated.

Swapnil Bhartiya: Perfect segue to the discussion. We talked about the problem area; of course technological solutions are there, but as we have seen in many cases, patches are there but they're never applied; the whole documentation is there but there are still misconfigurations; or you turn something on but you never turn it off; zombie APIs are there; a lot of applications are running that you don't need anymore. Which brings us to the point that, when we look at things like zero trust, the whole culture movement is also needed, where you need to approach security not as a problem of a specific team but across the organization. So are you seeing any cultural changes within organizations, where they are looking at it not just as a product but as a process that has to be implemented across the organization? And if yes, how much?

Arthur Tyde: Well, we're definitely seeing that, in the sense that most users these days, and by users I mean non-IT users, people in the business, think the CFO, the CEO, and people who have to implement services, they're now thinking of security. Now typically those conversations start in the compliance space. It's like, oh, I'm a bank, I've got a fiduciary responsibility to take care of financial data. Or, oh, I'm a health care provider and I've got to deal with HIPAA and other similar laws around the world. Because again, as we become more global, the opportunity for dealing with different regulatory frameworks gets bigger. So people are talking about it now because there's a cost associated with it. Luckily, though, the flexibility that you have these days, especially in cloud environments, is significantly better than it was before, and I'll give you an example. In the past, if you wanted to roll out patches, or you had some kind of an audit that you needed to go through and you needed to do that to your production environment, you had a couple of choices, and they almost always impacted production. And if you were a completely on-prem organization, that could be a problem, right? It's not like you have a duplicate of your infrastructure that you can go experiment on. Today, though, in most of the cloud environments, you can set up a production environment and essentially mirror it. So you can do hot switchovers to better databases, you can apply patches, you can switch them over. The opportunity to do best practices and basic IT today is much more evolved than it was, like, 10 to 15 years ago, and the user now has a bigger toolbox. So I see that driving cloud migrations, I see that driving decisions based on operating systems, and I have another example there. Rocky Linux, for example, is at nearly 40% penetration in government, and when we talk to government users, they're like, we want to run Rocky Linux. And there's a variety of reasons that they want to go that way, for the same reasons they were running CentOS, but: we want to run identical platforms on the cloud and on-prem so that we've got consistency across our environment, because the enemy of security is complexity. So they want simple. They want what they're running on-prem, they want that on the cloud, they want a very strict set of controls. So we're seeing an evolution towards simplicity and elegance, and that's good to see. That makes our lives easier and it makes our data safer.

Swapnil Bhartiya: We're also seeing a lot of cost-cutting going on; layoffs are happening. Actually, those layoffs have more to do with the overhiring during the COVID time, when everybody was hiring almost everybody. So it may not be actual layoffs; maybe just going back to their actual sizes. But if you do look at this cost-cutting, do you see there is going to be any impact? I mean, as much as we have broken down silos, the fact is that there will always be specialized teams. There are always the folks who are interested in networking, folks in security. These cannot be generalized. So do you think there will be any impact on security, any impact on CISOs' budgets? Or are you like, no, these are the teams which will not have any impact from this cost-cutting? The Google layoffs recently were a great example; they let go of tremendous people.

Arthur Tyde: Yes, there will definitely be an impact, without question. You start cutting, you start cutting bone, and you can't lift as much. So that's definitely going to be a risk. I think companies are wise in the sense that they can mitigate it in a couple of ways. One, they can be aware of the compliance and regulatory obligations that they have, and then make their budgeting decisions appropriately. They can also cut costs in other ways. For example, if you are paying a huge licensing fee for a bunch of enterprise Linux machines, look around, shop around, find a better deal. Check out CIQ; we do support for Rocky Linux. We also support the RESF. So we can tremendously cut somebody's support budget, and if we can cut your support budget, that means you can hang on to those data security guys. So, yeah, companies are going to have to be creative as they trim down, but they've always faced that problem.

Swapnil Bhartiya: Since you talked about Rocky Linux, I also want to talk about CIQ's solutions. Of course, you have touched upon that a couple of times, but I want to just kind of summarize: how are your solutions helping customers improve their security posture while, as you talked about, keeping a tab on their cost and other things, at a high level?

Arthur Tyde: Well, yeah, I could start with Rocky Linux. Rocky Linux was created by one of the co-founders of CentOS, who has a background working in US national labs, so think research, biopharma, very intellectual-property-heavy, compliant, secure environments. So CIQ approaches Rocky Linux from a security-first perspective, both on-prem and in the cloud. So, for example, we are sponsoring FIPS 140-3 certification for Rocky Linux, and we're going to give that to the community. We also build out a portfolio of high-performance options that are container-driven and that are also highly secure. They are policy-driven; there is no root access from within the containers. Our security team is taking a real hard look at where, well, I guess an example I could give is, if I were, say, a major electronics manufacturer, and I wanted to protect my designs, am I going to run it in a container system that doesn't run secure, that runs as the root user, open? No, I'm not going to do that. Am I going to allow somebody to pull containers randomly out of the Docker Hub repository? No, I'm not. I'm going to have control over all those things. So whether you're running Rocky Linux or Apptainer, you can lock that environment down, and you can lock it down easily, and you can do it in a way that's going to protect your primary compliance objectives. Now, again, that can be data privacy, that can be cybersecurity regulations relative to PCI and financial data, or maybe you just have record-keeping obligations. But we build certifications into these products that all lead to auditability. So I guess the final example I can give there is, if CIQ does a, let's say we certify a piece of hardware for Rocky Linux, all of that certification data can contribute to a positive score in a compliance audit. So we're very security-focused.

Swapnil Bhartiya: What is your advice for companies, so that they can at least have some processes in place to improve their security posture, and also embrace this whole idea that security is a process, not a product? You have to be right all the time, where the bad guys have to be right only once. So just give them some idea or advice on how they can improve their security.

Arthur Tyde: Invest in your people. Invest in your people. So make sure that they are up to date, that they're trained. So set aside some money to make sure everybody has certifications. Don't see it as just a cost center. Look at it as something that is critical to protection. I mean, I'll give you an example: if I'm a business and I'm writing a contract with a potential customer or partner or something like that, I'm probably not skimping on the lawyers. So don't skimp on IT. Invest in your people. The better your people, the better your security.

Swapnil Bhartiya: Arthur, thank you so much for taking time out today, and for such great insights, and of course your advice also: investing in people and how companies can improve their security in these tough economic times. Thanks for all those insights, and as we discussed earlier, before the interview, I look forward to having you again on the show and having more discussions about security, open source and a lot of other topics. Thank you.

Arthur Tyde: You're welcome. I've enjoyed it immensely. This has been an honor. Looking forward to future discussions.