Evening, everybody. How's everyone doing today? Thank you for coming out for our panel summary today. We're going to talk about: what does it look like to have cloud native thinking for telecommunications? I've joined today with, what, our guests? I don't want to call them just our guests, I want to call them the experts in the field here. We'll start off with Fred Kautz, down there from me. Yeah, raise your hand, please. Thank you. And then the next person is Watson, he's coming from Vulk, and Jeffrey Saelens. Saelens, I apologize for messing up that name, we just had that discussion. I apologize.

So let's get started here. Let's just talk about some basics here. Let's open up with some principles for cloud native, when we're referring to cloud native, and also referring to cloud native when we're talking about telecommunications. Let's start with Watson here. Why is there so much confusion about what cloud native entails?

Oh, okay. So as far as cloud native, let's say people were confused even just eight years ago about what cloud meant, and so now you have a new buzzword, cloud native, that, you know, gets thrown on top of what cloud even means, which originally just meant elasticity and virtualization, and being able to use that virtualization in an elastic manner. I think it was coined by Werner Vogels, the CTO of Amazon. So it really just stacked on top of that confusion. And then also, as far as just marketing buzzwords go, you know, people want to stretch concepts to fit their bidding.
So that's really why I think some of the confusion comes in. But there's a history that lends itself and built up into the cloud native, so we can probably get more into that, but maybe some other people might want to join in and chime in on that.

Frederick, any thoughts on some of the confusion that you have seen or heard or even worked with, in terms of what it means to be cloud native?

Sure. So part of what's happening is we've seen a progression in time. It really started earlier than Docker, but Docker was a major accelerator of this. Initially there was this push to, let's go put things in the cloud. And if I have something that fits in a container, I can put it in a cloud. Then does that make it cloud native? Well, when we say cloud native, we don't necessarily mean that it just runs in the cloud, but that it's been designed for the properties that Watson just mentioned: that it is designed to make use of that elasticity, to make use of having microservices and that architecture, so that if something breaks, then the orchestrator can help you heal it and connect you to things that are within your infrastructure. And so to really be cloud native is not to just put it in the cloud, but to really embrace those methodologies and technologies to maximize the value of putting it in the cloud.

That's it. Now, I heard in this conversation, in what you just said, you just mentioned orchestrator. When I hear orchestrator, I'm often, you know, taking a big picture here and then scaling down to have something manipulate something in order to do a deployment, which brings another question: is CI/CD necessary, or a benefit, for cloud native? Is that necessary? This is open to everybody.

So I'll jump in. I would say yes. I don't think you can really effectively start to clear up the confusion that we were just talking about, because the real reason the confusion is there is the terms evolved, right?
Like it's gone from just, hey, this runs in the cloud, to it is now this development philosophy that people try to adhere to. And it's tough, because I would argue that CI/CD is another buzzword that gets lost in translation. Nobody can even agree on what the D means, you know, that final letter. Is it deployment? Is it delivery? Everybody has a different opinion. But at the end of the day, I think one of the pieces that's really kind of become a bedrock around cloud native is this concept of infrastructure as code and immutability. And so I don't think anybody, personally, and this is anecdotal, can be successful at doing infrastructure as code if they don't have some clearly defined, machine-driven processes to, you know, promote things. So there's not a lot of purpose in moving away from the CLI if you're going to still sit there and take those, you know, templates that you've put together and manually deploy them everywhere. So I would argue that to do this at scale, and to have some sense of, you know, sanity around it, yes, I think it is mandatory. But I'm willing to be debated.

Is anyone on the panel willing to debate that? Is that open for discussion, or anyone?

I agree with Jeffrey, other than my hello world program that I type and see. But in general, you do want that. Being in cloud native does not negate good engineering practices that facilitate communication and testing of these systems and how you deploy them into your infrastructure. Having a good pipeline there that you focus on means you can get that, that observability into how your infrastructure works, and we reduce or eliminate the fixes which are manual and that are undocumented in how they work within the system.

Right, so when we're talking about infrastructure as code, we're also talking about declaring, and being in the declarative state. So when we're talking about being in the declarative state here, for me, this is a question.
I have: what is it, what does it mean to be immutable and have immutable infrastructure, particularly when it comes to cloud native? And the second part of that would be, what does it mean to be immutable or have immutable infrastructure when it comes to defining cloud native as a network function? So there's two parts to that question.

I was going to say, I mean, this leads into the CI/CD. So, I guess, I don't want to even say controversial, but maybe misunderstood or disagreed-upon, I guess, concept is immutable infrastructure when it comes to CI/CD. Do you need CI/CD in order to get to immutable infrastructure? We think so. We think so. So I think our definition of immutable infrastructure is infrastructure that's easily reproduced, consistent, disposable, has a repeatable deployment process, and it doesn't have any configuration or artifacts that are modifiable in place. And oftentimes people just concentrate on that last portion, no artifacts that are modifiable in place, but we really, as far as being any type of, you know, operator that's managing some type of infrastructure, you're really going to have to go back again 15 years to not have those first couple of attributes, the reproducibility, consistent, disposable, and all those things, in order to get to that final piece. So that's where some of these, maybe, definitions start to be fought over. And then when it comes to cloud native network functions and immutability there, I'll let somebody else chime in and maybe I can add in.

Frederick, you want to take that?

Sure. So once we start to drive towards cloud native functions, and we start to bring in the CI/CD system around it, we start to build up these processes trying to make it cloud native. And so all of these work together to form that system, that platform, that is cloud native. And when you start to look at what do we mean by declarative
infrastructure within that environment, what we tend to mean is not that you're specifying all the low-level details. Instead, what you're doing is you're piecing things together that by themselves don't solve a problem, but when you piece them together they have emergent properties which solve the problem that you're looking for. And you don't tell it all the minute details, all the things that are local. You keep them isolated into a local environment. Instead, what you do is you describe a top-level environment: please connect me to a secure corporate intranet, or please connect me to a video conferencing system, or so on. And the system works with those things at a high level, and you're not specifying these are the IP addresses, these are the VLAN tags, these are the MPLS labels that you need. Instead, you let the system define those and negotiate them, and fix them if they ever end up conflicting with something that shows up as time progresses.

Right. So when we're thinking about how things progress and building out our infrastructure and our applications, I really don't want to leave out the issue of security wrapped around all of this. You know, and not just the security, let's be clear, of just the network, but there's layers and layers of security here. We're talking about security of the containers, we're also talking about security of the network and of the application itself. So when we're talking about this, and Frederick, this is over to you, how are you looking at security when we're talking about cloud native? How are we looking at that?
So it's very common, when people talk about security, they focus primarily on the privacy aspect of it. But generally, when people talk about security, they mean three general properties, and they may mean more or less depending on the context, but they mean confidentiality, which is what I'm saying privacy is; you have availability, so is my system online, is there a DoS attack or something similar that can bring it down; and there's an integrity aspect of it: is what I have said or done, or what my system does, indeed what it should be, it hasn't been modified. And an easy way to remember this is, if you take the three of them, it spells out CIA. So they're all easy to remember.

Right. And in general, when you start to look at security in a cloud native environment, the traditional technique that people tend to use in most environments is a perimeter defense. So they set up firewalls that control what comes in, they set up things to mitigate denial of service attacks, they use encryption to gain privacy, and so on. But as an industry, we're starting to move away from a perimeter defense, where what happens if the attacker is within your perimeter? And we're moving towards what they call a zero trust model. And what they mean by this is that you're no longer implicitly trusting the network. Instead, you are establishing the trust based upon the workloads and some identity that is a static part of that workload. And one common technique now is to give them all certificates, like cryptographic certificates, that they can use to validate each other. So when two things connect with each other, then you're checking both identities, both from the client and the server: are they who you think that they are, and establishing a private connection between the two of them. It doesn't mean you get rid of your perimeters, though.
You know, those perimeters are still important. They're part of a layer of defense, but the network is no longer that trusted aspect. And it's an important shift that we need to move towards because of the dynamic nature of Kubernetes and other edge environments, with how they treat their networks and IP addresses. You no longer have the flat style of network that you tend to see. You see a lot of private NATed systems, you start to see a lot more private communication between two systems that doesn't need to break out. And so there's a new set of paradigms that are starting to come about in order to solve some of the challenges that we're seeing, where that perimeter defense is not serving as well as it did in previous generations of technologies.

Right. And so you say challenges. I'm going to probably label those as cost. What is the cost of implementing this? I like to say, in security, again going back to your CIA triad that you were referencing, I like to associate challenge equals cost, if I'm free to do so. So Jeffrey, what do you think the overview of what that spend or cost is, when we're talking about cloud native and immutable infrastructure and CI/CD?

Yeah, this is a, that's a very nuanced topic, especially in the telco space, and especially when we start talking about CI/CD in the telco space. So, you know, the costs, usually our biggest cost is opex, right? It is maintaining our network. It is getting lots of people with specialized skills to handle the vast scale that we contend with, you know. And that scale comes in a lot of different, like, you know, avenues. It's the total number of endpoints that we have in our network.
It's all the network, you know, plumbing itself. It's all the different vendors. You know, I could have three different styles of core router in my backbone, each with their own unique CVEs and security considerations. And now, as we move into this cloud native space, we're adding a lot of attack vectors, right? We no longer just have a physical box that has a limited number of inputs and outputs that can be attacked, right? You know, traditional networking: is my control plane safe? Is my management plane safe? Is there some kind of weird attack vector, you know, to perpetrate through my data plane? Now it's, you know, what about the web socket that, you know, has been exposed in this Kubernetes and grass? What about, you know, there's some HTTP request that's coming in on 480, should we allow it? And it starts to add, you know, additional layers that now need to be accounted for, that typically weren't there in legacy networks, before we got a server farm that's in this isolated space behind that perimeter that Frederick was describing. And then CIA is just like, you know, in and out of this walled garden, if you will, I'm going to be very, very strict, but once I'm in the walled garden, you know, the legacy mindset is I'm not worried about that inside, it's right, etc.

So we said at the beginning, you know, when your first question was, do I think CI/CD is mandatory, and just one of my primary reasons for saying yes, you know, I hate saying that, because it is one of those fuzziest words out there, but in reality it's super important, and it's a cultural change, and at telco scale, like, to do security at scale and to cover all of these parameters that Frederick was laying out for us, it has to be baked in from the inception, and it has to be part of that tool chain. You know, how do I onboard four different vendors' CNFs and still apply the same security practices across all of them? How do I institute, you know, policy that is going to control what does and doesn't have access
to the necessary resources? You know, you do that by putting in a lot of work in front, and you make this decision that cloud native isn't just, like, a container that has applications on a machine, but it is a shift in the mindset of how I'm going to approach these problems. And that might be the only way, you know, to your point on challenge equals cost, the only way you can make this cost effective is to get the necessary, you know, building blocks in place to then eventually be able to do this at scale, and without having to hire, you know, 30 different, you know, unique security experts for every single project that you're going to do.

Yeah, and you said some very key points there. I think it should be summed up as: compliance is code, also security is code. And then also, when we're talking about scaling this design, this infrastructure out, you know, so now we have security when it comes to the containers, you also have security when it comes to just the physical hardware itself, and treating that as immutable infrastructure as close as you can. You know, we're now, and you'll see this in some of the different vendors, where, you know, people are wrapping APIs around servers. You'll start to see that, and I don't want to just say vendors, I want to say even when we're talking about people who have actual machines on prem, they're wrapping APIs around that hardware. But again, that opens up another can of worms, API security, right? Yeah.

We started talking about it, so let's dive into: what are these challenges? Because we're talking about bare metal here. What are the challenges that a lot of telcos are facing when we're talking about being cloud native and immutable infrastructure and security? I'm going to turn this back over to you, Freddie.
Oh, I'm sorry if I caught you, Freddie, apologize, but I'll turn this back over to you, and you tell me what you're thinking, or looking at that landscape.

Sure. So there's a lot of different ways to take on this problem. Some of them are operating system-based, like if I establish a unique socket between two things, then it's presumed that those two things can only talk with each other. But one of the things that we're seeing pushed throughout the industry around those APIs is starting with that identity that we spoke about earlier. And once you have that identity in place, the first thing you can do is: is this system part of my, is it a member of my organization or my group? And once you have those identities in place, they help you answer that question. Once you have that in place, if you look at the traditional model of how these types of systems are secured, they tend to drive towards, like, network access control layers. From an API side, they may start to put in rules on what IP addresses a particular call can come from. One of the things that we are seeing a movement towards is to use those cryptographic identities inside of a declarative policy, where in a policy, instead of saying these IP addresses can talk to these other IP addresses and make these calls based upon an application firewall, instead we're seeing the declarative policy that is being written, where you can state what systems, based on the cryptographic identities, are allowed to talk to which other systems, and put parameters around those calls about what it is making. Like, if you have a front end application making a call to a payment API, to a database, is that front end application allowed to, was it designed to talk to that thing? Or is something else subverting, trying to subvert that security and making a call that's considered to be out of policy?
And so this allows us to describe those and keep a really clean layer of abstraction between low-level networking and the higher level set of identities, and allows us to build those up in ways that are human readable, and in ways that also allow you to uninstall them at a later time. You sunset an application, you're not afraid of removing network access controls because you might break another critical piece of infrastructure. You unset the policy, that policy is no longer rendered in your infrastructure, and then you move on.

Jeffrey, over to you. What are your thoughts when we're talking about cloud native and security and immutable infrastructure from a telco perspective? What challenges, or what have you seen?

So Conway's law is always rearing inside my head. We have lots and lots of groups, because at least in the tier one telcos and cable providers now, we're like small nations, and within these nations there's tribes, and these tribes tend to build systems that meet their specific needs, and it doesn't always necessarily meet the needs of the, you know, adjoining city-states looking to take advantage of some of this infrastructure. So, you know, what Frederick is describing is kind of like what would be nice to get to, but, you know, the main challenges are brownfield. We have vast, vast amounts of, you know, existing infrastructure that is nowhere close to being cloud native, and it's kind of hard to hold on to a cloud native interface and get the two, you know, heterogeneous worlds to talk to each other. Scale, we were talking about that a little bit earlier. There's so much stuff to secure now. And not only that, but, you know, a lot of times in my experience, because I'm not a true security person, the security people always forget that availability is one of the key tenets in the security area.
We're like, I have to be able to access the system, I have to use the system, and I need it to do, you know, certain things for me and perform. And so you get into, like, this, the last piece that we were talking about, the immutability piece. One of the things I think that went kind of sideways on this in the previous generation of NFV was everything was infinitely mutable, and every single knob was exposed at the lowest level. I used to nerd out, like, you know, hardcore when it came to OpenStack and tweak everything they would let me tweak. I'd go in and mess around with, like, some of the, you know, underpinnings in Nova and try to get it to, like, do something a little bit different with a VM, bring down my cloud, have to recover the entire thing, and, you know, my boss wouldn't have any of it. And I, you know, I'm starting to realize that even though I'm the demanding telco operator, like, I need to have infinite control of my infrastructure, in reality I probably need to pick and choose and just figure out: can I put this into the pipeline that we've been describing? Can I take a vendor's
artifact and put it into a system where I have trust that the security policies are in place to ensure that I'm not going to get something that's going to compromise me, but they also have a reasonable level of trust that they can provide an SLA on that, because I haven't gone under the infrastructure doing things?

Correct. And last but not least, Watson, anything you want to add to this conversation along this topic?

Oh yeah, for telcos, as far as, you know, the pain that I'm hearing, a lot of the benefits of just regular continuous delivery would go a long way. I'm hearing a lot of pain that has to do with not having a proper pipeline. Having, and we didn't talk about microservices that much, but not having the different orgs being loosely coupled and developing their applications, whether that be vendors or internal orgs within the large telco, operating separately, and, since they all have different rates of change, all operating as product teams and having versioned code and releasing that way. That all goes hand in hand with a proper pipeline. So after that, then having everything in containers or some coarse-grained delivery mechanism for your artifacts, and then putting it in something like a Kubernetes or some type of orchestrator, that kind of thing.

Yep, yeah. And we didn't talk about microservices much, but maybe we should lend some thoughts around microservices. What does it mean to be in a microservice environment? Let's open up with some, well, I should say with some things here, and that would be: what does it mean to have your application as a microservice? What does that mean, and what does it mean to
actually have that be secured as well, in reference to telcos? I'll open this up to Jeffrey. When we're talking about microservices and security in telcos.

Yeah, um, I'm actually going to punt this one to Watson first, because I think you need to understand what a microservice is before we try to put it in the telcos.

Yeah. Yeah, so, um, I guess a good definition that we've been using for microservices, for any project that exists as a microservice: it's not monolithic, it's resilient, it follows 12-factor principles, and it's discoverable. So that's a mouthful, but really with microservices, where there's lots of confusion and fighting now, it's really best to have a lower bound and an upper bound for your definition of microservice. So your lower bound would be something technical, like people are trying to say, oh, it needs to be something that fits inside of a container with one process only, these types of things, some type of lower bound. But the upper bound, I think, is just as or more important, and it's really the social side, the organizational side I was talking about earlier. You're really fighting, you're trying to work with Conway's law, where your software is going to look like how your organizational boundaries are formed, and it's really a prediction.
You really don't want to fight that, you're going to probably lose. So that's really the upper bound. So anything where, if you're having one team develop software at a specific rate of change, they're going to operate as a product team, and they're going to be responsible for delivering that software, versioned software, through a pipeline all the way to the end. And other teams are only coupled in as much as the version of the software. So that's really, having both of those. Whenever you talk about microservices, if you're not talking about both of those boundaries, then you're missing something.

And I think the last piece for the, uh, I'm sorry, as you said, the last piece for the telco side is, um, you know, the biggest challenge is, you know, getting trust between all the different entities that Watson's describing. Because we have lots and lots of internal development groups that build, you know, and maintain software in-house, but then, you know, as a telco we don't bring in quite a lot of third-party, you know, hardware and software solutions that we have to then integrate, and that integration is kind of the key piece. Um, you know, when I think of microservices: does the service stand alone? Can it be maintained without bringing other things down, without other stuff taking me down? Start to build that trust so that way, um, the different functionalities can grow and be maintained independently while still not becoming, you know, the humongous cost burden of constant integration work.

And we ran out of time. And I want to thank everyone for joining us today. We want to leave some time for Q&A. I thank you, Watson, I also thank you, Jeffrey, and I thank you, Frederick, for coming to join us today.

My pleasure.