Hi, this is your host Subhan Bhartiya, and welcome to T3M, or Topic of This Month. And as you know, the topic of this month is security and compliance, and today we have with us, from Loft Labs, Oleg Matsky, senior software engineer. Oleg, it's great to have you on the show.

Oh, thank you for having me.

Before we deep dive into this topic and get into the weeds, I want to start with some basics, which is more or less like, if we look at security, it has evolved a lot from the traditional IT or legacy IT world when we look at the cloud-centric, multi-cloud world. So can you talk about how you have seen the evolution of security in the multi-cloud, cloud-native world?

I think the best practices for security in the cloud world have been documented for a long time, but with the recent adoption of infrastructure-as-code tools and GitOps, we are seeing better overview and better auditability for the organizations, so they have, yeah, a very precise view of how their infrastructure is configured at all times, and that definitely helps with security. And on the cloud-native side, we've seen a lot of focus on supply chain security recently.

Can you also talk about, when we do talk about security in the context of cloud: as we saw in the traditional IT world, it wasn't often thought, because the way the software was distributed is different than it is now. Now the developers, DevOps, DevSecOps, sorry, whatever the label is, they are kind of responsible for the whole lifespan of the software, versus you create a software, you sell it to a user, and the user is responsible for doing it. So they're different teams that whose silos. We say that, you know, in the cloud-native world security is not an afterthought, it has become a priority. But we still see a lot of cases where breaches are happening. You deal with a lot of customers. Do you see that security has become a priority, that security is no longer an afterthought? Or do you still see there are some gaps?

Yeah, I think security is a priority for those who make it a priority, and this shift to the left definitely helps with finding the gaps much, much sooner in the cycle and also reacting much quicker to any new vulnerabilities. But yeah, organizations still need to make it a priority to leverage these advantages.

Security is kind of not a product, it's kind of a process, right? It's the whole movement, and also it's like a cat-and-mouse game. The bad actors are always, you know, looking for breaches, and then in today's world security can be a software bug, it could be misconfiguration, it could be like the Booking.com API vulnerability in OAuth. So there are so many things that can go wrong when it comes to security. If you just look at the last six months, do you see any breaches where it's like, hey, no, we still have to do a lot more work, or when you look back, do you see, you know, things are getting much better?

Yes, I think things are getting better on the infrastructure side, securing the infrastructure access. But we've seen a lot of breaches due to phishing attacks directly on the users, and they can get very sophisticated. Even with the use of two-factor authentication, some bad actors can still find the gaps, and I think we still have work to do in educating the users about all the right practices and how to notice these phishing attacks.

If you have seen any new kind of threats that have emerged because of the cloud, you know, native lots of doer. There are a lot of things, of course, API vulnerability, and you also talked about, you know, phishing attacks. Social engineering is also going on, which happened with Uber. So where have you seen, hey, these are the new threats which are emerging that we have to be concerned with, or organizations should be aware of?

Yeah, I think in the cloud-native world there are a lot of different tools emerging, so the organizations need to treat, like, newcomers carefully, vet the new tools. But the attacks are usually just getting more sophisticated, but you could still see parallels to the history.

Earlier we were talking about, you know, some of these practices; you mentioned shift left. How much adoption are you seeing of practices like, of course, DevSecOps, zero trust, the whole shift-left movement? We talk a lot about it, but how much are you seeing in reality, which has been practiced, adopted?

I don't see our customers, like, discussing it in exact terms, like, they are not really putting these labels on their processes, but just from the general, like, how the discussions go, we can see that it's a priority. And as far as, for example, zero trust goes, I think that's still a concern of really big companies, especially in the very regulated industries, not so much maybe for the smaller companies.

Now, let's just talk about the cultural side of it. There are a lot of solutions, there are technologies, there are open source projects, but all of these are useless if, you know, these practices are not implemented. So talk a bit about what kind of cultural changes are needed, or you're seeing your customers are implementing, so that they have all these processes, they have this cultural change in place also.

Yeah, so in my discussions with the customers I often talk to the engineers, not so much to the managers, and that's really where I would like to see that active approach about security, like, from the bottom up. So when I talk to the engineers and they are asking all the right questions about security, that's how in my opinion it should be. So it's not really something that can be very easily dictated from the top. So if the companies do just that, like saying this is what you need to do in terms of security, and not explaining why and how to the engineers, and not making them part of the conversation, I think that's a problem for security. But if it's otherwise and the engineers are taking the proactive role, I think that's the best outcome.

Security, as you also said, is becoming a priority. So talk a bit about how Loft's solution, even if directly or indirectly, helps customers improve their security.

Yeah, so at Loft we provide building blocks for platform builders, and one of these important building blocks is access to Kubernetes clusters for the users of these Kubernetes platforms. So Loft provides much easier role management and access to many clusters in one central space, which you can also manage through GitOps. Also, we provide the virtual clusters capability, which gives additional levels of security for the Kubernetes administrators. Yeah, I think these are the main security topics for Loft.

Let's wrap this discussion with some kind of, you know, some kind of advice, that these are the practices companies should embrace to improve their security posture.

I think companies need to invest in their people, like educating engineers about security and explaining why it's important. And I think that will bring a lot of benefits down the road by engineers being proactive and really implementing all those best practices correctly. And I think this already will be a big jump for many companies.

Oleg, thank you so much for taking time out today to talk about this topic, and I would love to have you back on the show again soon.

Thank you.

Thank you.