Hello, everybody. So, as the name of the presentation indicates, today we are going to discuss how networking affects security solutions for cloud, and what implications we see there. As the topic deserves, it's probably going to generate more questions than potential answers. And the session is a relatively short one, so if there is any question, we can go and do some questions and answers. I'm currently at Plumgrid. It's an SDN company that we started a couple of years ago, or close to a couple of years ago, focused on solutions for data centers and clouds, especially in the notion of multi-tenancy, network utilization, and some more things that we are developing. So let's start on the presentation. And essentially the question on the topic is always the same, in the sense that networking has kind of a fundamental role in terms of how to provide secure solutions, but at the same time, originally, the intent of networking was to provide connectivity. And there's a natural tension between these two ways of seeing the world. One is: I have to connect everything that touches me, and essentially it's a set of policies that by definition are open. And the other one, the security approach, is: I want to prevent unwanted connectivity. And the only way to operate in this environment is when you start with a set of default-closed policies, and somehow you have to start opening holes as you define those. And essentially it's a matter of seeing the world, and that's how networking developed into different camps, like the security guys and the networking guys, because one has to make applications work and then somehow somebody on top starts thinking security. And this is the way you view the world and how this tension gets solved. And this is not only for security, in the sense that if you think of distributing policies from a security point of view, it's a notion of where do I apply them? Where do I put them?
And if you map it to quality of service, in the sense that security is a deny quality of service versus connectivity is an allow quality of service, there's a lot of gray in between. And you will see that a lot of the common problems that you see in security in terms of where you apply policies, and we'll touch a bit on that, apply in terms of how you define policies for QoS. And we can discuss this a bit more at the end of the presentation. So why is networking and security in general so hard? There are multiple reasons. I mean, the first thing is, when you start thinking about complex diagrams, usually people build a network, build connectivity, build the applications, and then you start thinking: where do I secure the network? How do I apply the security policies? And there's a component of where, in the sense that when you connect two routers together and they start exchanging information, the idea is that you want them to advertise as much as possible their accessibility, in a way that everybody can connect. So it's very easy to create a policy where everybody starts propagating information and everybody connects to you. But when you start thinking security, it's not about creating a set of policies and blindly applying them in the network. You have to decide where you apply them, because somehow this mapping between the policy and the physical incarnation of the network, the place where you enforce the policy, is very relevant in terms of how the application behaves. And the same policies that you would apply on an internet link may or may not make sense if attached to a virtual machine or in front of a database. And these are the kinds of tensions that make network security very difficult. So this points to another problem. Is the problem, in the sense of network security, kind of condensed to the notion of defining a policy and applying the policy in the right place? Or is it something else?
And the idea is that there are multiple approaches on how to define security. The first one, which somehow we could call designing network security, is the notion that somehow we develop an application. I have, let's say, a three-tier application with a web layer, an application layer and a database. My application is running. I have an e-commerce site. And suddenly I have to think: what kind of security elements do I need? Do I need to put a firewall? Do I need to put intrusion prevention? Do I need security policies? And this is kind of an afterthought. I think that I can secure something that somebody else has built already. And usually this is how a lot of times we do security. I mean, we understand that there's a set of best practices, and maybe we just open HTTP, HTTPS, SSH, but now we don't think in terms of how secure my design is, but rather what kind of policies I have to apply to kind of have some sense of security. The other is slightly different. It's from the beginning, when I create my application: what kind of addressing scheme? What kind of physical separation? What kind of network elements? What kind of architecture am I going to create in a way that security gets built in from the beginning? And usually this is much harder because it takes time, and hopefully it leads to better results. But essentially it points to this thing that network security, I mean, you have to treat it as a system. I mean, it's not something where you can just put in an entity that is going to solve the problem for you. And the reason is an interesting one, and this is why it's hard again. Because at the end of the day the problem that you want to solve with network security most likely doesn't start at the network. I mean, when you have an application that you want to deliver, at the end of the day you are trying to solve a business need. Let's assume that you have some sort of shopping basket that you want to sell goods with over the internet. That's the business need.
You want to have something so that customers can reach you and can interact with a system that is providing a service to them. And the business need is that you have to be able to do that. Now the problem is that there are some risks in running this type of architecture, because now you have financial information from your customers. You may be exposed to different kinds of attacks, and you run some sort of risk analysis that is going to feed back into the business needs, and maybe you have to refine your business needs. As soon as you've done the risk analysis, then you have to start defining security policies, and the security policies are not necessarily only networking security policies. They may be things like placement: can people enter the building where you run your database systems? Can virtual machines belonging to another tenant be co-resident on the same server as you are? I mean, the set of policies that you may derive from the business needs and from the risk analysis that you've done may go beyond what you can solve with a specific instance of a firewall or a load balancer or a VPN device. And then the last step is, when you have defined those business policies, you translate them into your security system, where the network is a part of it. But often, because somehow the definition of machines, applications and things like that is expressed through IP addresses, people think that the network will solve those problems. And this is what we are seeing with all the proliferation: every time that you see a network problem, a network security problem, then some appliance, some service will come to solve the problem. That leads to a lot of complexity, because somehow you kind of bolt on security one step at a time. And it's a race to completion, in the sense that another attack comes and you go from firewalls to application firewalls.
And it becomes very incremental, and over time the cost to manage that solution is unbearable, because the level of expertise that you need and the lifecycle of the policies that you embed in those machines become difficult to understand. I mean, when a firewall has been there with 2,000 policies or 10,000 policies for four years, do you know which ones are relevant and which ones are not? And you are not capable of touching them anymore, because the people that deployed them to start with, maybe they are gone. So that's kind of where we are today in security. But what happens when we think in terms of cloud? Cloud is an interesting thing, because the cloud provider by itself has a set of business needs that it needs to fulfill, which basically is to resell some sort of compute as infrastructure as a service, platform as a service, software as a service. And from those business needs it's going to basically do its own risk analysis, define its own security policies, create a security system. But now the trick is that this has to be exposed to the consumers of cloud, to the tenants of cloud. And they may have a different set of business requirements. So somehow now what happens is that you compound a security system on top of another security system, where on the top you have many players that may have different needs. And this is an interesting problem, because what happens when a tenant has a business need that is: I cannot be co-placed with a competitor? How do you define a competitor? How do you define transit policies? How do you define data leakage? And these are the kinds of things where so far we've not seen a lot of SLAs in terms of security provided by cloud providers.
But with this model of compounding one on top of the other, as enterprises start onboarding into the cloud, it's going to become more and more relevant to understand what capabilities we need from the cloud providers and from OpenStack in general in order to augment the capabilities of the network to solve some of those problems. So somehow, how do you break the problem into smaller pieces? I mean, like this it is kind of intractable, but the way it could start to be managed is: what if I start thinking about what the requirements are in terms of me as a cloud provider versus me as a tenant? And the first obvious one is isolation. I mean, how, as a cloud provider, do I create an environment where I create hard isolation frameworks between my tenants, between the internet and my tenants, and especially between the control structures of the cloud? Because somehow if somebody takes control of or cracks into the control infrastructure, into the cloud management system, all bets are off that all these barriers are going to be relevant. Especially when we start converting the workflows of compute, storage and networking into a single structure, that's going to lead to more and more problems from the security point of view. And saying that we require isolation is easy. Doing it is much more difficult, especially when we have an environment where we want to have self-provisioning. Self-provisioning implies that me, from the cloud, I should be able to somehow reach the cloud management system structures. So what kind of provisioning mechanism do we put in, in terms of security, to prevent some unauthorized access? The other aspect, of course, is multi-tenancy. All these customers are going to compound on top of the same infrastructure at the compute level, at the storage level and at the networking level. The fact that cloud providers want to offer many more services than maybe so.
So the idea is this: how to create something that isolates, but at the same time enables all the kinds of requirements that the business needs of the cloud provider require. The second view is the tenant view. From the tenant point of view, now, provided that the cloud provider guarantees that I'm not going to have traffic from other tenants entering my network or vice versa, how do I see security? Maybe the approach is a little bit more traditional, in the sense that I see a bunch of applications expressed in the form of virtual machines, storage, networks, interfaces, ports, and now I can bring the concepts that I had in my traditional security books on putting policies based on IP addresses, ports, filtering rules and so on. And I start bringing the concepts of where I apply them. But now the where I apply them is more difficult, because apart from maybe the interface attachments of the virtual machines, we are dealing with virtual networks. So the notion of where I apply security policies becomes relevant, because those become virtual links. And how those virtual links are going to be mapped onto the physical infrastructure of the cloud provider is not only unknown, it's dynamic. Depending on where my virtual machines are going to boot, the policies may have to be expressed in different places. The second aspect is that the policy mechanisms that we've been seeing, from iptables, filtering rules, access control lists, a lot of the time are very specific. I want to prevent a virtual machine or an IP address that exists in my web layer from talking to my database layer. And I may want to specify prefix-based rules, kind of to cover ranges, but when I want to allow connectivity, maybe I want to be very precise. I want to say that a specific IP address from the VM application server can talk to the database.
So now what happens is that that was a model coming from the physical world, where ports, machines, servers were provisioned at some point, they were booted, they had an IP address, and now I could define those policies. When I live in a dynamic world, now there is a disconnect between the definition of the policy and the rendering of the policy. In the sense that I have two virtual machines running, they are supposed to access the database. That's perfectly fine. Maybe the database has some sort of policy here that defines that these two virtual machines can connect to the database. And now suddenly a third VM boots that has an IP address that was not in the list. So it's not only the policies attached to the new VM that boots that have to be revisited, but even the policies that have somehow been rendered to all the ports that could potentially have an interaction with the new VM may have to be revisited. And this is where we have this transition between the physical world and the logical world, or the virtual world, but we have to think very carefully in terms of what we understand by policies and filtering rules, and how we make them in a way that they can dynamically be adjusted every time that a new VM boots. So it's not only attaching policies to a VM interface, but rather revisiting all the existing VMs and all the existing interfaces and seeing how the new VM affects the existing policies. Going back to the notion of isolation: what is isolation? I mean, because it's very abstract, in a sense that one entity should not be able to talk to the other entity. But is it only like that? I mean, is it, if we think in terms of provider, do I want isolation in terms of physical placement? Do I want to be co-placed with somebody that potentially has a hostile relation with me? Do I want to be in the same hypervisor, in the same rack? Do I have critical applications that may deserve their own physical infrastructure? Do I want transit policies?
My traffic, should it be capable of going through an internet link when I'm having all my virtual machines inside? Should I have some sort of data leakage characteristics? So these are the kinds of things that, as we start defining what SLAs cloud providers will offer, different types of enterprises or different types of users of cloud will be able to understand whether onboarding their workloads into cloud is worth the risk. And these are the kinds of things where today, the models that we are expressing in terms of policy are more IP address-based, but we have to start thinking that when the environment goes from a physical data center into a virtual data center, what kind of new definitions and new policies do we have to create to give some sense of security, or some real security, to the tenants that are sitting on cloud providers? And this is going to be an open field for a while, in the sense that more and more definitions of isolation can be created. But we have to find a way for how we manage it and who does it, in the sense that, I'm a tenant, how do I request that I don't want to be placed close to somebody that is hostile to me? Do I have an interface? Do I define this as a policy? How do I even know the notion of the risk level that I'm taking being placed with somebody else? And even for the policies that the tenant may own, what are the types of them, and the placement that we were discussing before? This is going to be compounded by the fact of what the enforcement points are. Are they common between the cloud provider and the tenant? If they are common, how do I merge the policies? Do I need new types of policies? And how do I manage them? And what we were discussing before about definition versus rendering, that a lot of policies may apply to an abstract concept like a web machine. But then sometimes they get rendered into an IP address.
How do I make this process dynamic, so that every time new VMs get onboarded the rendering happens to the new and the old policies that existed? And the last problem is the workflows. The notion that security and connectivity were traditionally isolated into different entities had a reason to be. The reason was that I can define that I want to put a virtual machine, onboard this virtual machine, with a set of network characteristics. But at the same time, I want to define the policies. If the person that defines the policies and the person that puts the machine is the same, somehow security is complicated, because if there is some compromised entity that has control of both, one will not be able to enforce the characteristics that the first was supposed to provide. So the current workflows that we have in cloud management systems, especially in OpenStack, we have to evolve. Before, there were nice discussions about trust and how to jumpstart the system, messaging and so on, that will be very relevant as we move forward into the network. So now that we have discussed a lot about policies and enforcement and things like that, the next is: what happens with the life cycle of security? I mean, one thing is to do my analysis, my risk analysis, defining my policies, implementing my security strategy and so on, but now I'm sitting on top of a cloud provider that provides the enforcement mechanism for me. And what happens in terms of monitoring, in terms of forensics, in terms of compliance checks? Now I'm sitting on top, I don't see all these things. I don't even have a preview of what's going on, because imagine that I'm under an attack; my security policies may be inappropriate, but I don't even see it, I don't even know it, because the cloud provider is seeing all these logs. But how do I know that maybe I should start boosting my security because I'm starting to see certain attacks coming to my network?
So the notion of who owns the reporting, the monitoring, the logging: how do I access my logs? Do the logs that I, as a tenant, get because somebody is trying to attack me belong to me or belong to the cloud provider? How do I create the workflows so that I can have these mechanisms, so that I can preview what's going on with the cloud provider in relation to me? And these are a lot of things that today are not defined, and the only way is going to be by adding a lot of visibility, not only visibility in terms of traffic analytics, traffic monitoring and understanding of the workflows in the network, but rather accessing the security logs, accessing all the attacks, and how do I generate this information with the proper tagging mechanism, so that I, as a tenant, can only consume the ones that relate to me? So if now, after this introduction, we jump a bit more into OpenStack: I was trying to look at where we are and what's going on in OpenStack, what kind of directions are being taken and where some improvements can be made.
So, from the current model there's a cloud controller node, and of course this presentation is a bit networking-centric; there's much more than just the network. You would have the compute, the networking and the storage somehow provisioned by the cloud management system, and somehow, through plugins on the Quantum server, there's going to be a way to reach the network infrastructure, what in this slide, taken from the Quantum admin guide, would be called the data network. And hopefully this goes through a secure management network that is an out-of-band channel, and let's assume that that part is secured somehow. But somehow the network controller is going to define, through the plugin agents, the characteristics that you need from the network every time that you boot. But the network is becoming a bit more complicated, because somehow there are two components to the network. Originally the network was physical networks: you'd have physical switches, routers, firewalls, you name it, and you'd have ways to onboard tenants, like with a flat network with iptables, you'd have VLANs, you'd have mechanisms to change the network infrastructure that would allow you to create the notion of isolation at the network level. But now on top of that we compound the notion of virtual networks, and virtual networks could be at the overlay level, could be different types of them, and the mapping between these two is going to be interesting, because somehow a way to attack, or a way to be inserted in the middle, would be the notion of how can I connect to a network that belongs to a tenant that is not me. And as we have this duality, physical and logical, now there are going to be more opportunities for me to find an open port or an open virtual port and, based on that, be able to inject my traffic or receive my traffic from a specific tenant that I'm targeting. If we look on top of that at what kind of network capabilities OpenStack is offering, there are kind of two major distinctions. The first one would be the
notion of virtual networks, and ideally this is where virtual ports attach, or virtual machine ports attach, and then there's the notion of physical networks, where physical servers exist. But in reality it's not that straightforward, because then on top, depending on the plugins you have, some plugins may be able to control local networks, in this case they live exactly in the virtual world, or you would be able to manipulate the switches, like attaching to VLANs. But in between you have these entities that have ports in the virtual world and ports in the physical world; you have the overlay networks, that have the same virtual world and connect to physical entities that, through encapsulation, are going to carry the identity of the virtual network where they are connected. And not only that, the notion of tenant and provider networks compounds on top of that: you could have tenant networks that map directly to the physical infrastructure and tenant networks that map to the logical infrastructure, and all these through plugins that not necessarily manage the whole network as a coherent entity. So the idea is that if now we have plugins that manage the overlay or manage the fabric, and if we don't manage the fabric, what happens if somebody manipulating the fabric can connect to the overlay that some tenant owns, creating essentially a man-in-the-middle attack and being able to see the traffic that belongs to that tenant? What if it's the opposite? What if the plugin now controls the physical fabric, and because of that, now every time that you have a tenant that appears you change the physical fabric, and you have some misconfigurations, and the same, you have some open ports that you can connect physically to? So because of this split of network virtualization in terms of virtual and physical, now we have created a bunch of new problems, or new definitions, and this is not by any means exhaustive, that somehow you have to see how you can compromise a network: how can I
onboard a physical server into the system, how can I onboard a virtual machine into the system that are not necessarily the ones that the tenant thinks they are, and how do I prevent this? The notion of raw ports or taps attaching to networks that are not authorized, and this would be the notion of kind of spoofing, but at the next level: how can I, in a cloud provider, start spoofing the identity of a tenant in a way that my virtual machines or my physical machines will be compromised? And the other aspect would be: what happens if this is not possible, because we have the proper certificates, we have the proper configuration models, and now you cannot do that; what if it happens because a hypervisor gets compromised, because a cloud management system gets compromised, and what kind of remediation mechanism are we going to put in place in order to solve that? So the next would be from the tenant point of view, and this is what we were discussing before already, that in the virtual environment we would go probably more traditional ways, like how do I define the policies, how do I render them, how do I enforce them, but how do I insert services into the mix? And services could be in many ways: could be like traditional physical appliances, could be virtual appliances, or could be distributed security devices. But at the end of the day it's kind of mapping the physical world that we understand today into this logical world, but understanding what implications we have on that. So if we look at these two cases, there is something common about them, but somehow when we went from physical deployments to virtual deployments there was a split in terms of identity and location. And this identity and location split you can see at different levels. The first one would be when the identity of a virtual machine and the address of the virtual machine may not mean the same, because I may want to express security policies based on identities, this is a web server versus an application server, and I know them because I have the UUID
and I can correlate, through the cloud management system, the function that they perform versus the address that they may get, which belongs more to what subnet they connect to. And what happens when they move a VM from one virtual network to another virtual network, or what happens when they move a VM from one data center to the next data center, and the location may change but the identity stays the same? How do I start thinking and decoupling the policies of identity and location, or IP address, in a different way? Which somehow goes back to the same model at the network level: we transform from physical networks to virtual networks. How do I start understanding the mapping of those virtual networks on top of physical networks, and how do I make sure that when a virtual network appears on a physical network where it was not supposed to appear, how do I prevent that? So this split that we have to create between the virtual and the physical world means that now the policies that we have to create have to expand and be able to accommodate that. And if you think, compared to what happened when we had security features like port security in the switching world, where we would associate a physical port with a MAC address, with an IP address, that was a binding of the physical reality with the identity, with the IP address, with the location. And now we have to transform this into the cloud world: what happens when the notion of port is a virtual port? If I attach a port security rule to a virtual port, it doesn't mean anything, because I could move the virtual machine into another place and still fulfill the policy, or I could spoof a virtual machine identity and appear with the same port ID somewhere else and still meet the policy. So we have to start thinking how we use some anchor into the physical reality as an entity that we can use to enhance the policies, to give some sense of solving the problem of this identity-location separation. And as I was discussing before, the thing gets
compounded with the fact that I have multi-sites. All these identities and policies that get expressed within a cloud management system, within a data center, what's going to happen when I have multiple of them? What's going to happen when I have virtual networks that expand across sites, and I can have mobility events, or I can have active disaster recovery sites, and the actions that happen in one of the centers have to be reflected into the other data center? And these are the kinds of things that, as we start thinking in terms of federation systems and security, the notion of expressing the identity of the machines that we are putting and the network that they belong to will have to be carried across. So there have been a lot of things that have already been said in terms of security and the things that can be done in OpenStack, but as Folsom and some of the work for Grizzly is going already, I mean, you have the notion of how do I move from the security policies that we have today to more advanced security. One way is to go the service or the advanced service direction: how do I onboard firewalls, how do I onboard physical firewalls or virtual firewalls, how do I onboard different kinds of security devices? And that we could generalize with a notion of how do we connect physical appliances at the provider level or at the tenant level, and how do we abstract it in a way that the workflow is nice and easy and simple to understand from the tenant or from the provider point of view. The next would be, basically, how do I move to virtual appliances, how do I instantiate virtual appliances that are going to provide these choke points for, let's say, my tenants, and what kind of configuration models do I have to hook to them? And then the next problem appears in terms of how do I place them: do I place them in my server, in my rack, do I aggregate some virtual machines against a virtual appliance that sits somewhere else? So there's a notion of distribution and placement, which goes to the
next level, which is: what about having these distributed appliances? How can I have, in the same way as I have a distributed virtual switch or a distributed virtual router, a distributed virtual firewall, a distributed load balancer or distributed intrusion prevention? And this would be kind of the next step, for moving from the physical world to virtual appliances to fully distributed network security devices. Then the next direction would be, based on what we are discussing, the notion of new policy capabilities: what kind of definitions do I have to put in my policies in a way that I start accommodating this notion that maybe I don't want to do policies based on IP addresses, maybe I want to do them based on identities, and the rendering of the policies is going to be the one that does the matching and the enforcement point definition. The next is these bindings between physical and virtual: how do I express them? And me as a tenant, I cannot express them on top of whatever infrastructure I am running; essentially the cloud provider has to provide me some SLAs, that when I put a virtual machine, the physical information of this virtual machine is known to the cloud provider, so if now some other virtual machine claims to be me in a different location, those kinds of bindings will only be able to be provided by the cloud provider. And these are the kinds of things that we have to start defining: what SLAs the cloud provider, through the cloud management system, can offer to the end user, and how to express the security SLAs. The rest would be the notion of what certifications and workflows we can have in the cloud management systems, and how we articulate them in a way that works not only in a data center but across data centers and so on. So this is not a complete list, I mean, there are many other things that we could discuss and explore, but somehow from the security point of view we have to think not only at the tenant level and at the policy definition level, but even the virtualization aspect: what
elements and what opportunities does it bring in order to create complex policies and as a conclusion before we jump into questions and answers there's no easy answer for security I mean there's always a lot of problems in terms of designing the proper systems but essentially that this virtual and physical separation somehow at the beginning maybe look as messy and difficult to digest in terms of how to map it to policy in reality it gives a lot of opportunity because if we think that we lost this notion of separation between who enforces the policy and who deploys a virtual machine and the policies itself bringing back the security in terms of where have things been placed it's an opportunity that allows you to have something ephemeral that gives you an attachment to where the things are running at that time again the centralized control structures are more vulnerable so we need the proper workflows there and definitely they are simple to manage and deploy and the conclusion that we were discussing at the beginning that if we think security from the beginning rather than when the system already has all the connectivity in place it's over long term going to lead to better and more secure systems so after this very high level introduction if there is any question and maybe I think you could use the microphone you write the question about bringing the physical network architecture simply on to the virtual world I do agree with that it would not be appropriate there would be more different virtual network architecture so do you have any idea or clue to that more appropriate virtual network architecture so that's a very philosophical question in the sense that there's reasons why you may want to have every controller that would change the network configuration every time so going back to the physical reality how to hook a tenant network into a physical substrate and you see some of the technologies open flow base, BGP base some of them going into that direction that's 
the other angle of going overlays and overlays could be you name it, theory, list, BGP, STP, VX1 so there's many forms of that philosophically what you have is that in reality you want to contain the entropy of every time that the tenant gets created because if at the end what you strive with or operational simplicity you want to make sure that every time that you provision a new tenant you provision a new network and you put one of these options into your network that has pros and cons of one model versus the other if you go to the fabric controller model what happens is that every time that you onboard a new tenant you're going to have churn over the network your core, your fabric is going to be reconfigured and this based on open flow or routing protocols you name it, that's the technology detail so what's going to happen if you think in terms of the costs of running an infrastructure as a two-fold one is the cost of the physical infrastructure or a specific suite, route or whatever the other is the operational aspects, how much do you pay to manage the system if you think that every time that a tenant is going to be onboarded you change the configuration of your fabric what's going to happen that this at some point is going to lead to mixed configurations, failures problems that you will have to travel should so you'll have to have expertise in terms of how to travel should a multi-tenant network with a fabric and that's going to add cost stability probably now you go to the other extreme where you put the overlay you put an overlay, the fabric is very stable, very rock solid you don't change it, you have physical attachments where they have IP address that doesn't move and now you push all this noise, all this entropy to the edge, to the overlay now what happens is that you save the fabric because you don't touch it every time you create a new tenant but what's going to happen is that at the fabric you will not see or basically what's going on at the fabric so 
you may not create as an efficient structure as you would have if you would control the fabric so I don't think there's right or wrong there's depending on what's your pain if your pain is operational models maybe the overlay works better if you are more obsessed about traffic engineering and QoS and planning the network and the topology maybe changing the configuration of the fabric may be a better solution so depending on what's your criteria in terms of as a cloud provider what do you want to offer to your tenants as a service yes so that's I mean if you ask me OpenStack is still fluid the kind of networking capabilities that it's going to offer are still changing and evolving you have to think a different way the best practices is something that exists because they have been developed over the years so networking for good or bad has a lot of best practices that you would say you would never put a database and a web server in the same subnet regardless of policies or not doesn't make any sense I mean that would be kind of a best practice in a way that when you start using these cloud structures and you say well I'm going to give you this a little bit of a switch what else do you need and it's not so easy because you know how to do your applications you know your risk you have done your research over the last 10 years and the notion that is missing is how do you carry all these expertise into this world so rather than and that's different views on that too I mean some people will say this is a new world you have to learn and develop new set of best practices the other is well can you provide abstractions that look and feel similar to the ones that you have in enterprises and now you carry the best practices with you so I think the discussion is not done different SDN companies will have different approaches to it and part of a software defined network company that we have our own views in terms of how the management models and how the securities and how the 
things should be but essentially breaking with the past may not be completely the most wise thing to do especially when you start thinking that the new cloud providers that are appearing right now they may want to onboard enterprises and those enterprises may have best practices so the question is what kind of environment in terms of network and security do you give on top of a cloud environment that at least makes existing enterprises feel comfortable with going back to your point of best practices I think this is still on the works there's a lot of ways to solve the problem and we are going to see it in the next month, years, different answers to your question any other question? Thank you