Good afternoon. So I guess I am between you and lunch, but I'll make sure that I make it value-add, and talk about application security and how, in open source projects, you could take the same playbook that we are trying to use at Comcast. One of the responsibilities I have at Comcast is to drive cloud security, and that's the focus of my talk today.

So one question, and I hope the answer is different than Jim's question on the Oscars: how many of you have seen any of the movies How to Train Your Dragon, or read the book? OK, more than three. And how is this relevant to my talk here? This movie is actually a tale about three things. Growing up and maturing, and how is that relevant to us? Maturing with respect to developing our cloud solutions and deploying them securely. The second aspect of this movie is about finding the courage to face the unknowns, and that's about preparing to deal with security issues in the cloud as we develop and deploy them. And the third part, which is actually a very important part of this movie, and which kids really take away from it, is how nothing can ever train us to let go. And that's about governance in the cloud. When this movie was coming out, I think the third in the trilogy so far was released on February 22nd, when I was putting together the material for this presentation, and I thought it was very relevant to the world of cloud security.

So our approach in cloud security started about two years ago, and we started by looking at trends. I think these trends are very relevant for any applications, whether in open source or in any proprietary or public cloud implementation. The first chart we look at here is total IT infrastructure spend, whether you have traditional data centers or the public and private cloud. And this year it's forecast that the public and private cloud spend will overtake the traditional data center spend.
And so basically the story here is that cloud is important; it's more relevant. The second part is: when you deploy in the cloud, what are the challenges? So when we look at the survey, I think this one is from the RightScale survey, they asked the various enterprises what are significant challenges and what are somewhat of a challenge. If you look, security is at the top, along with managing cloud resources, building a private cloud and deploying it. Security was considered a top challenge, and it continues to be a top concern for everybody deploying in the cloud. The third part is about challenges related to maturity. As you begin, security was one of the largest concerns for people who were deploying in the cloud. As you move into the intermediate category of maturity, it becomes less of a concern, but still not at the very end. And then as you become an advanced deployer of cloud technology, it again becomes a pretty high concern because of scalability issues, et cetera.

So for us, all three, managing cost, security, and compliance, were very important, being in the internet service provider industry. And we don't want to be in the news for the wrong reasons. So we had to come up with an approach internally, and like all engineers, we took a six-pronged approach. You have to have a method to the madness. So we used an industry-standard framework, and I'll go into each of these six prongs in a little bit of detail. The first prong is to use frameworks to identify where we are and what the gaps are, and we used a NIST framework, which is very appropriate from the world of security. Next, we defined an overall reference architecture, so that everybody, whether they are product developers, application developers, or the cloud architecture and deployment teams and the SRE teams, all have a common language to talk in.
Then we take that security framework and architecture and deploy a SOAR, which takes all the events and then orchestrates security actions. Then we have to be prepared for security events, because come what may, however large your automation toolset is, however prepared you are, you'll never be prepared for everything, so you have to be prepared for the security events. And with the tooling that we developed, we made sure that we are going to work with the development teams to embed it in their CI/CD pipelines. As we heard, in the open source world there are thousands and thousands of CI/CD pipelines, and even within Comcast we have several CI/CD pipelines. And all of this could not be done, and cannot be done, without uplifting the skill sets of a traditional cybersecurity organization. We are a 50-year-old company; we've had a security organization for several years. But with the cloud implementations, with our developers using the cloud, we have to change their mindset. And how do we uplift their skills? So that's our overall approach, and I'm going to go into the details.

So the framework that we used was the NIST framework, which consists of Identify, Protect, Detect, Respond, and Recover. All of you may be familiar with this, or some of you may be; it's a pretty standard framework. Then we took an assessment of where we are. We had a lot of manual processes, which come into play when we have security incidents or do our governance in the cloud, and we had started off on an automation journey. So the box on the top talks about the automation that we've done, and the box on the bottom is the manual processes. Not everything needs to be automated, but those are the areas where we have. We are a heavy user of AWS. We have OpenStack, we have Cloud Foundry, we have Kubernetes. We have a lot of open source software deployed, and we have a lot of proprietary public clouds deployed.
And we created a backlog of where we want to be in the future. All the yellow stuff is where we want to be in the future, and we've already started on this journey since last year. Some of the things you will see around the Detect piece: we were using AWS GuardDuty, and then CloudCheckr, CloudTrail, all these eventing mechanisms which help us detect what the issues are. But we also started using Netflix's Security Monkey, which was deployed earlier but we were not really using it. We did all our cost and risk analysis and said, okay, we're going to use Security Monkey moving forward and feed it into our SIEM databases, as well as the security orchestration, automation and response tools, the SOAR. And we are debating how we do the automated remediation using the automation that we are doing, because it should not break something else.

If you look at the world of security in our organization, we are choosing not to make it a constraining, very protective method of security, but we are trying to make it more reactive. And when we say reactive, it's not in a negative way. We give the power to our developers; we want to give them the power to do the right thing and use the services in the public cloud or the private cloud. However, we teach them and get them certified on security principles so that they don't make the mistakes. And then we have tooling which will detect any issues as they come forward.

So if I move to the next slide, it talks about that architecture. What we do here is, you have all the event sources I talked about in the previous slide, CloudCheckr, GuardDuty, CloudWatch; all these events basically feed into a normalizer, a set of principles which normalize them against any misconfigured databases or any issues which could cause security incidents.
Then we correlate them with other events which have occurred in the past and create a reaction, which may have notifications or may need some automatic remediation. We also create dashboards. This is the architecture we are working towards; we've got some parts of it implemented and we see great promise in this. All these events, as they are collected... SIEM and SOAR are very standard industry terms. SOAR is relatively new; it was created by Gartner a couple of years ago. The first set of three boxes is about events which come out of our cloud implementations, whether it's Amazon or Azure or OpenStack or VMware, you name it and we've got it, and we collect them into a SIEM repository, correlate them, and then send them to a SOAR system. The SOAR system today is mostly home-grown automation, but we are now going to be using Demisto, which is a capability we're integrating with, and that helps us make our operations more effective and efficient and brings better quality into it. The SIEM correlates; it tells you what the problem is. But the SOAR helps you respond: in the traditional world, that was done mostly manually, and now with the automation you can do it much faster and make it more efficient. With our reactive architecture, when we are finding issues, we don't want the traditional security organization to take their time to react. With SOAR, you can react much more quickly.

So now that we are prepared with all the tooling, we need to be preparing for our security events. This is one of the pictures from How to Train Your Dragon. Since I was talking with that topic, I had to take a picture from there, and DreamWorks is a Comcast company, so there's that plug for them. So with all the tooling that you may have, with all the automation, with all the guardrails that we may build, that's all technology.
You need to have some sort of processes, some interactions between the various parts of the organization which deal with the technology. The cloud center of excellence is a virtual construct which consists of people from the cloud architecture team, the cloud SRE team, the security team and the network team. They are the people who actually run the cloud and keep it running securely. Then you have the product teams, the developers who are actually developing the Comcast set of products, and they use our infrastructure, whether it's Amazon or Azure or any of the private cloud implementations that we have; but in case of an incident, we all need to come together. We have a product security incident response team which works with the researchers in the security world. They contact us, through our bug bounty program or through any other research and analysis that they've done, and bring those issues to us, to the cloud center of excellence or to the product teams, and then we work together. Then we have a threat intelligence team which needs to work together, which is the security for N6. And of course AWS or Microsoft, or the community when it's OpenStack. And of course the first line of support is the security fusion center, where we respond through the fastest process.

So all six of these bodies need to work together, and in order to work together, training needs to occur. We've been working with the methodology that we've developed over the years, but especially with the architecture that we are deploying and the automation that we are deploying, if you're not able to use it, we will still be using the same old methods of communication, calling and sending emails to the folks when an issue arises. So we wanted to make recovery from the issues that we see much faster. That's where we are prepared for the security incidents.
Once we've got the tooling and the process, as I said, how do we make sure that our developers are building things right? We want to embed all the tooling into their CI/CD pipelines, to become a component of their test gauntlet. So when they're doing the unit development, you'll see that security scanning is part of the gauntlet, and when they're making the final release, again, full security scans and assessments are part of the gauntlet. So we're working with the various product teams to ensure that security is part of the developer life cycle.

And then, we know that security training is important for our workforce, and cloud training is important for our security workforce. Even in the industry, if you look at how infrastructure headcount changes with respect to hosting, storage, network, hosting in the cloud, as well as security, security is pretty much at the top. So many new people are joining the industry, and not all of them are trained to work on security principles; not all of them are trained to work in the cloud. So we need to uplift the skills of our workforce, and that has been a huge focus. And I think whether you're working in an industry where you're developing products or you're working in the open source community, it's fairly important to uplift the skills and keep it going.

Bringing it back together: the training of people is the most important, and developing the tooling is the building blocks of getting it together. So that's when our character, the main character in the movie, is trained and ready to take off and deal with the world of security. And that's what I have. Thank you. Thank you.
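The event pipeline the talk describes (sources such as GuardDuty and CloudTrail feeding a normalizer, correlation with other events, then a reaction that is either a notification or an automated remediation), as an added example that is not part of the original talk and is not Comcast's or Demisto's code. The GuardDuty and CloudTrail field names follow the public AWS record formats, but the records in the block are constructed for the example; the shared 0-10 severity scale, the one-hour correlation window, the WATCHED map of API calls and the SAFE_AUTO allowlist of playbooks are all assumptions. The allowlist plus the corroboration rule is one way to express the speaker's worry that automated remediation "should not break something else": a cluster is only auto-remediated when the playbook for its highest-severity category is allowlisted and either a second source confirms it or the severity is critical; everything else goes to a human.

```python
"""Normalize, correlate and react to cloud security events (SIEM -> SOAR flow).

Added example, not Comcast's code. GuardDuty and CloudTrail field names follow
the public AWS record formats; the sample records are constructed. The shared
severity scale, WINDOW, WATCHED and SAFE_AUTO are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into."""
    source: str           # "guardduty" or "cloudtrail"
    account: str
    region: str
    resources: frozenset  # ids a playbook could act on (instance, security group, bucket, trail)
    category: str         # coarse class shared across sources; selects the playbook
    severity: int         # 0-10 on the shared scale
    when: datetime
    detail: str


def _ts(s: str) -> datetime:
    # AWS timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_guardduty(f: dict) -> Event:
    """GuardDuty finding -> Event. Severity 0-8.9 is rescaled to 0-10. The instance
    id and the security groups on its interfaces both become resources, so a finding
    on an instance can be correlated with a CloudTrail change to one of its groups."""
    inst = f["resource"]["instanceDetails"]
    ids = {inst["instanceId"]}
    for nic in inst.get("networkInterfaces", []):
        ids.update(sg["groupId"] for sg in nic.get("securityGroups", []))
    return Event("guardduty", f["accountId"], f["region"], frozenset(ids),
                 f["type"].split(":")[0],  # "UnauthorizedAccess:EC2/SSHBruteForce" -> "UnauthorizedAccess"
                 round(f["severity"] * 10 / 8.9), _ts(f["updatedAt"]), f["title"])


# CloudTrail API calls this example treats as security events (assumed map):
# eventName -> (category, severity, requestParameters key holding the resource id)
WATCHED = {
    "AuthorizeSecurityGroupIngress": ("NetworkExposure", 5, "groupId"),
    "PutBucketAcl": ("DataExposure", 6, "bucketName"),
    "DeleteTrail": ("DefenseEvasion", 9, "name"),
}


def normalize_cloudtrail(rec: dict) -> Event | None:
    """CloudTrail record -> Event, or None for calls that are not watched."""
    hit = WATCHED.get(rec["eventName"])
    if hit is None:
        return None
    category, severity, key = hit
    params = rec.get("requestParameters") or {}
    return Event("cloudtrail", rec["recipientAccountId"], rec["awsRegion"],
                 frozenset({params.get(key, "")}), category, severity, _ts(rec["eventTime"]),
                 f'{rec["eventName"]} by {rec["userIdentity"].get("arn", "?")}')


WINDOW = timedelta(hours=1)  # assumed correlation window


def correlate(events: list[Event]) -> list[list[Event]]:
    """Cluster events from the same account that touch an overlapping resource
    within WINDOW of the previous event in the cluster."""
    clusters: list[list[Event]] = []
    for ev in sorted(events, key=lambda e: e.when):
        for cluster in clusters:
            if (cluster[0].account == ev.account and ev.when - cluster[-1].when <= WINDOW
                    and any(ev.resources & e.resources for e in cluster)):
                cluster.append(ev)
                break
        else:
            clusters.append([ev])
    return clusters


# Playbooks assumed safe to run without a human. Isolating an instance or
# revoking credentials is deliberately absent: those can break production.
SAFE_AUTO = {"NetworkExposure": "revoke-ingress-rule", "DefenseEvasion": "re-enable-trail"}


def decide(cluster: list[Event]) -> dict:
    """Pick the reaction for a correlated cluster: auto-remediate only when the
    playbook is allowlisted and the finding is corroborated (second source) or critical."""
    top = max(cluster, key=lambda e: e.severity)
    sources = {e.source for e in cluster}
    score = min(10, top.severity + len(sources) - 1)  # corroboration raises the score
    corroborated = len(sources) > 1 or top.severity >= 9
    if corroborated and score >= 7 and top.category in SAFE_AUTO:
        action = SAFE_AUTO[top.category]
    elif score >= 4:
        action = "notify-on-call"
    else:
        action = "log-only"
    return {"action": action, "score": score, "category": top.category, "account": top.account,
            "resources": sorted(set().union(*(e.resources for e in cluster))),
            "evidence": [e.detail for e in cluster]}


# Constructed sample records (not real findings); the fourth CloudTrail record is noise.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2019-03-05T12:00:00Z", "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "recipientAccountId": "111122223333", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev1"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventTime": "2019-03-05T12:30:00Z", "eventName": "PutBucketAcl", "awsRegion": "us-east-1",
     "recipientAccountId": "111122223333", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev2"},
     "requestParameters": {"bucketName": "example-logs"}},
    {"eventTime": "2019-03-05T13:00:00Z", "eventName": "DeleteTrail", "awsRegion": "us-east-1",
     "recipientAccountId": "111122223333", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/admin/x"},
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2019-03-05T12:05:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "recipientAccountId": "111122223333", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev1"}},
]
GUARDDUTY_FINDINGS = [
    {"accountId": "111122223333", "region": "us-east-1", "severity": 5.0, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "title": "i-0123456789abcdef0 is being probed by an SSH brute force attack.", "updatedAt": "2019-03-05T12:25:00.000Z",
     "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0",
                  "networkInterfaces": [{"securityGroups": [{"groupId": "sg-0a1b2c3d", "groupName": "web"}]}]}}},
]


def run_example() -> list[dict]:
    events = [e for e in map(normalize_cloudtrail, CLOUDTRAIL_RECORDS) if e is not None]
    events += [normalize_guardduty(f) for f in GUARDDUTY_FINDINGS]
    return [decide(c) for c in correlate(events)]


if __name__ == "__main__":
    for d in run_example():
        print(d["action"], d["score"], d["category"], d["resources"])
```

Run stand-alone it prints one decision per cluster. The open-to-the-world security group rule and the SSH brute-force finding on an instance behind that group land in one cluster because the normalizer pulled the group id out of the GuardDuty finding; the cluster is corroborated by two sources but its top category has no allowlisted playbook, so it is escalated to a human rather than isolated automatically. The deleted trail is a single-source event, yet it is critical and its playbook is allowlisted, so it is remediated without waiting.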