So how many of you here are familiar with... You know, I hate switching tools too. I've gotten so used to Google Slides and here I am in PowerPoint. So how many of you have heard of Magic Eye illusions? Only... yeah, a fair amount, a fair amount. So Magic Eye is actually a company, and this is a trademark thing, but it turns out there's a free tool that you can use to build these for yourself. So I used this free tool to create this particular illusion, right? So there's an image hidden behind this. Now, I also learned that it's actually really hard to see these on a computer screen, so if I'd learned that soon enough I would have printed out versions for everybody to try and use yourself. But, you know, when the slides are posted, if you feel like it, you can print and take a look. It also turns out that not everybody is able to actually see the images that are in a Magic Eye illusion, and that's because not everybody's eyes work well together. To see everything, it's kind of a stereogram, to see this you really need to have your eyes work well together and to have them work well with the brain. And I think of this as being really apropos for how we need to work together to deliver cloud native security, right? So we have to think from the security perspective. That's really important, and it is absolutely true that not all developers understand that. And we have to think about it from the app developer perspective and the business needs as well. And it's a balancing act. It's a risk management act to figure out how do I meet the business needs, which include a good security posture,
while also enabling the app dev team to do what they need to do and to deliver quickly. So also, there's this ever-expanding guidance that is coming at all of us. You know, NIST 800-190, that's been out there for a while. CNCF open-sourced the Kubernetes security audit in 2019, awesome, really great content, and there's another one in progress, right, that I hope we'll see in 2022. There's guidance from analysts like Gartner, right? We need to think differently about how we protect cloud workloads, especially since they're ephemeral and they move around, as was noted, right? We're not dealing with IP addresses. There's the new executive order which has created this intense focus on the need to create software bills of materials and the way to create and to improve security in your supply chain. Again, some great talks yesterday; if you didn't get to the Supply Chain Security Con, watch the recordings. And then of course the NSA/CISA guidance for hardening Kubernetes. Honestly, it overlaps a good bit with the CIS Kubernetes hardening guide. That's great, but it's a lot for everybody to absorb. And when you kind of look at this and put it all together, I do think that the guidance really comes down to the need for a DevSecOps approach to securing both the platform and the workloads that run on the platform. Right, we need to control application security in the CI/CD process. We need to protect the platform at deploy time, ensuring that the platform is configured correctly; Kubernetes is complex. Also ensuring that you've got protections in place to check workloads as they're deployed. And then we know that we can't avoid every threat.
There are unknown threats, so we do need that visibility, that observability that we just heard about earlier, to help us detect and respond to runtime threats, and part of that response... One of the things I see, kind of, when I talk to people about DevSecOps, I see a lot of emphasis on shift left, which is important, but I think of that as DevSec, right? A lot of that focuses on how do I integrate security tools into my CI/CD pipeline. There's sort of this assumption that SecOps, right, we kind of know what we're doing. And yet it's really true that Kubernetes and the declarative environment, the fact that containers are ephemeral, even if it's a long-lived workload, sorry, where that pod is deployed can change, right? So you can never fix a running container. You need to rebuild and redeploy, which really means that we have to think through how do we close that DevSecOps loop? How do we feed that information back to the development team? So Red Hat has done this survey on the state of Kubernetes security, and one of the things we hear, and I've also actually seen it in survey results from IDC, a lot of people say that they are doing DevSecOps, that they have strong DevSecOps adoption. Now I think that that's true for folks who are more on the bleeding edge, and I think that enterprises who are still in their cloud adoption journey may think they're doing DevSecOps, but they're really just kind of doing that shift left: I've got vulnerability scanning in my CI process, and that's about the extent of it. So I think, you know, one of the things we really have to think about is how can we as a community
help organizations demystify what they need to do, but also help them operationalize their use of cloud native workloads. But also, kind of, we're all here looking at a lot of different capabilities, a lot of new tools and things that we can do to address these key requirements, but that comes with its own set of complexity. Right, so we need to be thinking about not just technology and tools, we need to be thinking about process and people as well. So how do we help ensure that that process is agile, and how do we help the companies that we support future-proof what they're doing? Think about solutions that can apply no matter where somebody is running Kubernetes or their container workloads or their cloud workloads, right? A cloud can be on-premises as well as in public cloud providers. So technology, people, process, all of these remain key, and it's important that we think about the people and the process as much as the technology. So some of the future investments: again, I love that this community is investing in many, many different ways, right? When it comes to application integrity and that CI/CD process, the sigstore project has just kind of exploded. How many of you are familiar with sigstore?
Right, so one of the things I love about sigstore is how it makes it simpler for the tool chain to sign artifacts if the artifacts are moving through the tool chain. Most signing solutions that enterprises are used to using aren't designed to be used in a pipeline. It also includes a transparency signature log, right, the recourse so that you can check and make sure and verify your signature. Tekton CD Chains, again, another way to kind of document and log how things have gone through the process. Encrypted containers: storing and running encrypted containers adds to the ability to manage application security. And then rootless builds, right? There are some build solutions that require you to have privileges to build that container image. It'd be much better if you didn't need to do that, especially if you're running your builds on Kubernetes. Integrity for the platform: how do I attest the host, the nodes in my Kube cluster? How do I invest in things like Kubernetes support for user namespaces? This is something that, you know, we've been talking about for a while.
It hasn't been delivered yet, and, you know, there's still conversations ongoing about the complexity required there. But most of the customers I talk to are looking for that additional protection, because it's really hard, especially in certain verticals, as they move workloads to the cloud. Some of them need privileges; they aren't able to rearchitect everything to be truly microservice-based or cloud native. And so in particular in telco, as you see containerized native network functions delivered, those often require a certain level of privilege that is better protected with user namespaces. And then also, honestly, one of the biggest attack vectors for any Kube cluster is the cluster admin privs, and this is a place where we don't yet have genuine separation between the control plane and the data plane, and this is an area that Red Hat's investing in and I would love to see the community invest in as well. With the runtime, again, deep observability, as was mentioned earlier, absolutely key, and the ability to use that data that's collected to automate response to what you discover, not just network policy, which is a great thing to help automate. It confuses our network security teams: how do they get visibility? How do they understand? Also, automated response to vulnerabilities in the runtime environment, and a better risk assessment, right? Are those vulnerabilities in pods that are actually exposed to the network or not? What's my level of risk, so that I can really kind of triage those things better? And then active recommendations, really key, and again just that ability to respond. We look to the community to help deliver on all of these things. Again, lots of great work happening, and I think one of our big challenges is going to be how do we help our customers, our end users, operationalize everything that we talk about, everything that we're working on, have them work together as a whole solution, and how do we help them bridge
the silos that still exist between the different teams, security, ops, AppDev, right? That's a people thing that I think we should be thinking about as well. So that's it for me, thank you very much, and I'm not sure whether we have time for questions or somebody's up next.
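The talk makes two connected points about application integrity: the pipeline should sign artifacts and publish the signatures to a transparency log so that they can be verified later, and the platform should check workloads as they are deployed. The following is an added example, not code from the speaker, from Red Hat or from the sigstore project, that models both halves with the Python standard library: a small append-only Merkle log with RFC 6962-style inclusion proofs stands in for Rekor, and an HMAC over the image digest stands in for the asymmetric signature cosign would produce (that substitution is a constructed simplification so the example runs offline). Names such as `record_build`, `admit_pod`, the registry names and the all-`a`/`b`/`c` digests are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the asymmetric signing key a real cosign/sigstore
# flow would use; HMAC is used here only so the example runs on the stdlib.
BUILD_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: dict) -> bytes:
    # Domain-separate leaves (0x00) from interior nodes (0x01), RFC 6962 style.
    return _sha256(b"\x00" + json.dumps(entry, sort_keys=True).encode())


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2).
    return 1 << ((n - 1).bit_length() - 1)


class TransparencyLog:
    """Append-only Merkle log of signature entries (constructed toy, not Rekor)."""

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.leaves: list[bytes] = []

    def append(self, entry: dict) -> int:
        self.entries.append(entry)
        self.leaves.append(leaf_hash(entry))
        return len(self.leaves) - 1

    def root(self) -> bytes:
        """Tree head; a real log would sign this and clients would pin it."""
        return self._root(self.leaves)

    @classmethod
    def _root(cls, leaves: list) -> bytes:
        if not leaves:
            return _sha256(b"")
        if len(leaves) == 1:
            return leaves[0]
        k = _split_point(len(leaves))
        return node_hash(cls._root(leaves[:k]), cls._root(leaves[k:]))

    def inclusion_proof(self, index: int) -> list:
        """Sibling hashes from leaf to root, each tagged with the side it sits on."""
        return self._proof(self.leaves, index)

    @classmethod
    def _proof(cls, leaves: list, index: int) -> list:
        if len(leaves) == 1:
            return []
        k = _split_point(len(leaves))
        if index < k:
            return cls._proof(leaves[:k], index) + [(cls._root(leaves[k:]), "R")]
        return cls._proof(leaves[k:], index - k) + [(cls._root(leaves[:k]), "L")]


def verify_inclusion(entry: dict, proof: list, trusted_root: bytes) -> bool:
    # Recompute the path from the entry we were handed; a rewritten entry will not
    # hash to the pinned tree head even though the log's own leaf list is unchanged.
    h = leaf_hash(entry)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return hmac.compare_digest(h, trusted_root)


def sign_digest(digest: str) -> str:
    return hmac.new(BUILD_SIGNING_KEY, digest.encode(), "sha256").hexdigest()


def verify_signature(digest: str, signature: str) -> bool:
    return hmac.compare_digest(sign_digest(digest), signature)


def record_build(log: TransparencyLog, image: str, digest: str) -> int:
    """Pipeline side: sign the image digest and publish the signature to the log."""
    return log.append({"image": image, "digest": digest, "signature": sign_digest(digest)})


def admit_pod(log: TransparencyLog, trusted_root: bytes, image_ref: str) -> tuple:
    """Deploy-time side: admit only digest-pinned images with a verified, logged signature."""
    if "@sha256:" not in image_ref:
        return False, "image must be pinned by digest, not tag"
    image, digest = image_ref.split("@", 1)
    for index, entry in enumerate(log.entries):
        if entry["image"] == image and entry["digest"] == digest:
            break
    else:
        return False, "no transparency-log entry for this image digest"
    if not verify_signature(digest, entry["signature"]):
        return False, "signature does not verify"
    if not verify_inclusion(entry, log.inclusion_proof(index), trusted_root):
        return False, "inclusion proof does not match the trusted tree head"
    return True, "admitted"


if __name__ == "__main__":
    log = TransparencyLog()
    record_build(log, "registry.example/app", "sha256:" + "a" * 64)  # constructed digests
    record_build(log, "registry.example/api", "sha256:" + "b" * 64)
    pinned_root = log.root()
    print(admit_pod(log, pinned_root, "registry.example/api@sha256:" + "b" * 64))
    print(admit_pod(log, pinned_root, "registry.example/api:latest"))
```

The deploy-time check refuses tag references outright, because only a digest can be matched against a logged signature, and it treats the tree head as something pinned out of band rather than read back from the log it is verifying; that separation is what makes an after-the-fact rewrite of an entry detectable.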
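On the runtime side the speaker asks whether a vulnerable pod is actually exposed to the network, so that findings can be triaged by real risk rather than by CVSS score alone. The following is an added example, not code from the speaker or from Red Hat, that works this out over a constructed cluster inventory: a pod's exposure is derived from the Services that select it, whether any Ingress routes to those Services, and whether a NetworkPolicy restricts external ingress, and each finding's score is scaled by that exposure. The dataclasses, the `allows_external_ingress` flag (a deliberate simplification of NetworkPolicy ingress rules), the multipliers and the `CVE-PLACEHOLDER-*` identifiers are all constructed for the example and not real vulnerabilities.

```python
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict
    findings: list  # (vulnerability id, CVSS base score) pairs from the image scan


@dataclass
class Service:
    name: str
    namespace: str
    selector: dict
    type: str  # ClusterIP, NodePort or LoadBalancer


@dataclass
class Ingress:
    namespace: str
    backend_services: list  # names of the Services this Ingress routes to


@dataclass
class NetworkPolicy:
    namespace: str
    pod_selector: dict
    allows_external_ingress: bool  # constructed simplification of the ingress rules


def selects(selector: dict, labels: dict) -> bool:
    return all(labels.get(key) == value for key, value in selector.items())


# Exposure levels: 0 = no Service selects the pod, 1 = reachable inside the
# cluster, 2 = reachable from outside (NodePort/LoadBalancer or Ingress backend).
# The multipliers are constructed weights, not a standard.
MULTIPLIER = {0: 0.25, 1: 0.6, 2: 1.0}


def exposure(pod: Pod, services: list, ingresses: list, policies: list) -> tuple:
    ingress_backends = {(ing.namespace, name) for ing in ingresses for name in ing.backend_services}
    level, reason = 0, "no Service selects this pod"
    for svc in services:
        if svc.namespace != pod.namespace or not selects(svc.selector, pod.labels):
            continue
        if svc.type in ("NodePort", "LoadBalancer") or (svc.namespace, svc.name) in ingress_backends:
            level, reason = 2, f"reachable from outside via Service {svc.name}"
            break
        level, reason = 1, f"reachable in-cluster via Service {svc.name}"
    # A policy that selects the pod and denies external ingress downgrades
    # internet-facing to cluster-reachable; it never makes a pod unreachable here.
    if level == 2 and any(
        pol.namespace == pod.namespace
        and selects(pol.pod_selector, pod.labels)
        and not pol.allows_external_ingress
        for pol in policies
    ):
        level, reason = 1, reason + ", but a NetworkPolicy blocks external ingress"
    return level, reason


def triage(pods: list, services: list, ingresses: list, policies: list) -> list:
    """Rank every finding by CVSS scaled with the pod's network exposure."""
    rows = []
    for pod in pods:
        level, reason = exposure(pod, services, ingresses, policies)
        for vuln_id, cvss in pod.findings:
            rows.append({
                "pod": f"{pod.namespace}/{pod.name}",
                "vuln": vuln_id,
                "cvss": cvss,
                "exposure": level,
                "risk": round(cvss * MULTIPLIER[level], 2),
                "why": reason,
            })
    return sorted(rows, key=lambda row: (-row["risk"], row["pod"], row["vuln"]))


def sample_inventory() -> tuple:
    """Constructed inventory: three pods carrying the same critical finding, exposed differently."""
    pods = [
        Pod("web-7f9", "shop", {"app": "web"}, [("CVE-PLACEHOLDER-1", 9.8)]),
        Pod("api-3c2", "shop", {"app": "api"}, [("CVE-PLACEHOLDER-2", 9.8), ("CVE-PLACEHOLDER-3", 5.3)]),
        Pod("batch-a11", "jobs", {"app": "batch"}, [("CVE-PLACEHOLDER-4", 9.8)]),
    ]
    services = [
        Service("web", "shop", {"app": "web"}, "LoadBalancer"),
        Service("api", "shop", {"app": "api"}, "ClusterIP"),
    ]
    ingresses = [Ingress("shop", ["api"])]
    policies = [NetworkPolicy("shop", {"app": "api"}, allows_external_ingress=False)]
    return pods, services, ingresses, policies


if __name__ == "__main__":
    for row in triage(*sample_inventory()):
        print(f'{row["risk"]:5.2f}  {row["pod"]:<18} {row["vuln"]:<18} {row["why"]}')
```

Three pods share the same 9.8 finding, yet the ranking separates them: the LoadBalancer-fronted web pod keeps the full score, the Ingress-backed API pod is downgraded because a NetworkPolicy blocks external ingress, and the batch job with no Service lands at the bottom. Feeding those rows, rather than the raw scanner output, back to the development team is the kind of closed loop the talk is asking for.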