Live from San Francisco, it's theCUBE. Covering Red Hat Summit 2016. Brought to you by Red Hat. Now, here are your hosts, Stu Miniman and Brian Gracely.

Welcome back. Happy to welcome to the program a first-time guest on theCUBE, Josh Bressers, who's a security strategist with Red Hat. Josh, thanks so much for joining us.

Hey, thank you much, I appreciate it.

All right, so security's always been really important, but the last few years it's really been top of mind. You've been with Red Hat a few years. Tell us a little bit about your role, how things have been changing over the last few years.

Yeah, sure. So I've been at Red Hat for 12 years, so I'd like to say I've seen it all twice. And I mean, back in the day, security... you know, Red Hat's taken security seriously forever, quite frankly, but it's not until the last probably two, three years that it's really gotten a lot of mainstream attention compared to kind of where it was in the past, or a bit of a niche topic in a lot of areas. So what I do now is I work with the platform business unit, and basically I pay attention to the industry, what's going on, what's happening out there, where's the market going, and then additionally, what does Red Hat need to be doing? You know, what are we doing in this space? Well, what do we need to improve on? And obviously, where do we need to go next?

All right, so containers has been like the hot topic of the week.

That's right.

Probably the last two years. You know, we talked to Paul Cormier; security obviously has a significant place. So tell us about your role as to how security and containers fit.

Yeah, definitely. So I mean, the biggest thing with containers that we always say is, when you run... containers aren't magic. So if you're running a container, you don't get security for free, it's not magical, right? And so from the Red Hat perspective, it's very much, where are those containers coming from?
It's the analogy I like to use always: it's like finding a sandwich on the ground, right? Are you going to eat that sandwich? Absolutely not. And so when you're dealing with containers, it's very similar. And so Red Hat has a secure supply chain when you're dealing with containers. You know, we have our trusted content. We kind of carry this stuff from start to finish when we're building our containers, but then also, once that container leaves our hands and goes out past that, now the hip thing is to start talking about container scanning; that's where we're looking now. Because once you get your container, you have to understand what's in it. Where did it come from? Does it have security issues? Is there something misconfigured on it, perhaps? And so the scanning is really looking like it's where the future of this is headed.

Yeah, so Paul talked this morning, you know, there was a virus, there was a Linux problem earlier in the year, and he said basically every container in production that was out there was infected. Talk about, you know, those scenarios are gonna happen. That's just kind of what goes on in the world. How does Red Hat deal with those things? How do you alert people? How do you patch them? What are the systems and tools in place to make the world good again?

We don't sleep. So no, this was a problem in something called glibc, which is kind of a fundamental core library of every Linux system. And so it's not even just containers; it was literally every Linux system that exists that used glibc had this problem, right? And so what ends up happening is that for Red Hat, we have a dedicated team that's called the Product Security Team, and their job is to pay attention to this stuff and understand what a security issue means for our products. And in this case, we knew it was bad and it affected everything. So in which case, you know, we're gonna sound the alarms: everyone, you know, get out the bows and arrows, onto the wall.
And so what happens is we literally bring together a war room of people that start figuring out, what does this mean for every product? Which products are the most important? Let's face it, we all have limited resources, be it Red Hat or even the customers. So we have to understand, how does this problem impact customers? How does it impact Red Hat? What do we need to do? And then we prioritize things and we literally get cracking, and a lot of us don't get a whole lot of sleep until we're done.

Yeah. Josh, can you up-level a little bit for us? You know, how have the kind of corporate boards been getting involved in security discussions? You know, have the conversations you're having with CIOs changed recently?

A little bit, yeah, indeed. So I mean, fundamentally, no one wants to be on the front page of the New York Times, right? I mean, that's the goal here. But I think what we're seeing more and more now is compliance and security are really becoming drivers, and they're becoming things that your CIOs, your CISOs are really paying attention to: you know, am I compliant? If I'm not compliant, how can I get more compliant? And additionally, when you're dealing with someone like Red Hat, what is Red Hat doing to help with that compliance? And that's probably the number one topic I'm seeing right now coming out of that level.

Yeah, one of the terms that we hear kicked around now that more and more people will use the public cloud, or consider it for something, is this thing called sort of shared security, you know, shared dependencies? What does that mean, where they're talking about, like, I'm the cloud provider, you're the customer, we somehow have to share the security concerns or, you know, liability for that. What are they talking about in that context?
Sure, well, I mean, if you think about it, if you're a consumer of a public cloud, you have your security and your needs, be it compliance or your internal governance or whatever.

Yeah.

And then when you have your cloud provider, what are they doing as well? And so obviously it's up to both parties to understand what's happening, because from the perspective of the customer, you want to ensure that your cloud provider is vigilant and they're taking the right steps around security. But additionally, as a cloud provider, you want to make sure your customers aren't just putting piles of trash in your cloud either. So it kind of goes both ways, right? It's very interesting, and this is something that we don't have all the answers to today, but now from the Red Hat angle, we have tools like CloudForms, for example, that help you kind of orchestrate some of this. You can get a feel for what's happening in your environment then.

Yeah. One of the other big topics is automation. You know, Paul talked about it yesterday. Jim talked about it yesterday. Like, the only way to keep up with all these things is we're going to have to automate more and more. Security and automation in the past didn't mesh; they're sort of oil and water. What's going on with that? We're seeing Ansible doing things, we're seeing CloudForms doing things. What is going on with security and automation? How are they coming together as well?

I think those two stories are tied together now in a way like we've never seen. So from the security perspective, one of the really important things you need to do in any organization is understand what's in your infrastructure. And this is a difficult problem. It sounds easy and obvious, right? Oh, what are you running? But for a lot of people it's hard to answer, because you might have been spinning machines up for 20 years and never paying attention to it.
So what's happening now from the security perspective and the automation perspective is it's all about, how do we start automating ourselves into security? Because let's face it, number one, humans make mistakes. It doesn't matter what we do, we're going to screw it up. And so with automation, we have repeatability. Okay, that's a big deal there. Number two is obviously understanding what's going on in your environment, what's happening, how could we do this? And then the most important thing around automation is the ability to do inspection. I mentioned container scanning. We have a tool we call OpenSCAP that lets you inspect... you can scan your machine, and you have a profile that basically says these are the things I want to understand what's going on with: am I missing security updates? Do I have a password policy? Is there a root account with no password? And there's all these things you can check on. And in the past, literally a guy with a binder would sit down, open it up and go through hundreds of pages of these rules, and it would take hours to days. And now you can do it in a couple of seconds, and it is phenomenal, the power that's available through automation from the security perspective.

So it's really about sort of trying to replace as many of those would-be human mistakes with automation that you can do repeatedly.

Absolutely, right, right.

So Josh, how does ransomware fit into discussions that you're having with customers today? Is it something that, you know, has come on the marketplace, great, you know, very devastating impacts, you know, not just to bring things down for a little while but, you know, could shut down businesses?

Yeah, I mean, it's definitely a concern that you're seeing, and it's something that's affecting literally every infrastructure that exists today. It's very opportunistic. I mean, this is one of those things: in the past, people would write malware.
And the question, I remember, I'd get asked all the time, you know, why do people do this stuff? What's the benefit? And there wasn't a lot of benefit: fame, notoriety, just being a general pain in the behind. But now with ransomware, there's actual financial benefit to what's going on here, right? And so the thing we're seeing is, people are obviously very concerned about this and they're asking, what's going on? Like, what is Red Hat doing in our systems to make sure that we're making this very difficult for these ransomware authors to interact with us? And we have a handful of technologies now, you know, things like SELinux. We have containers. We have, in virtualization, it's called sVirt, that kind of protects the VMs. And there's even more work going on now, things like, how could we do some application whitelisting? How could we have a better idea of what's in the environment? Things like OpenSCAP scanning, which I just talked about, fit into this, where when you can start inspecting your environment, you can watch for problems and hopefully catch them before they become, you know, something that's going to really devastate your business.

Yeah, you know, one of the things with security: we had a guest who was on who was from the Bombay exchange, so in India, the Bombay financial markets. And he said, you know, we've moved our infrastructure over to Red Hat. It's open source now. But he said, in general, there was still a feeling in India that, you know, open source is still kind of a... maybe it's not secure, it's still kind of a tool, it's an open source community. As somebody who's talking about it all the time, how do you try and convince people, try and show them that it is secure, that you're taking all those steps, that they can feel comfortable with it for big mission-critical applications?

Yeah, absolutely. I mean, this is a question that comes up on a fairly regular basis, to be quite honest. And so here's what I always say.
All software has bugs. It doesn't matter if it's open source or closed source, it makes no difference, right? And so that's the first thing. But then what you need to look at past that is, if you look at how open source has dealt with security, and you look especially at what Red Hat has done in the past, we have a phenomenal track record. Even in the days when Microsoft and Red Hat didn't get along very well, Microsoft acknowledged Red Hat's response to these security issues was top notch. And so you look at what's going on in the industry. You know, I'm not going to say open source is more secure. I'm not going to say it's less secure than, we'll say, other proprietary software. But the thing to keep in mind is, how is the response to this? You don't hear about open source where there's security bugs that are six months or nine months or years old at times. Things like Heartbleed and Shellshock were literally fixed in a couple of hours. And so in the context of security, there's always going to be security issues. Unfortunately, they're not going away anytime soon. So rather than saying this is more secure, less secure, it's all about, when there is a problem, how are you dealing with it? And that's where the open source universe generally is very quick. But then additionally, when you look at someone like Red Hat, we kind of add our own magic on top of that, where we're informing customers what's going on, we're paying attention to things. You know, we build these patches, we test them to death to make sure that they aren't going to ruin what's going on inside your infrastructure. And then you've got the management tools, because once you have the patch, what do you do with the darn thing?

So a lot of new people here at Red Hat, some of DevNation's going on, application development is continuing to grow.
For anybody who, you know... lots of core RHEL customers that are here, but anybody who's sort of new to Red Hat, what's the best way to go, hey, how can Red Hat help me with my security? What's the best place to go find tools? What's the best place to find information about all that?

It's right inside the door there, right? It's got the booth full of people. But no, I mean, in all seriousness, a lot of the people we have who actually work on this technology and are setting the policies, and they're the guys in the trenches, you know, they're in that building right there behind you. You know, go in there and talk to them. Come find me, have a chat with me. We love talking about this stuff. I mean, once you get a security guy going, you don't shut us up.

What about that person at home that doesn't get a chance to come to San Francisco?

The unlucky ones, right? No, but in all seriousness, we have a lot of community involvement that goes on. There's obviously RedHat.com with our customer portal. We have plenty of information there. We're involved in lots of open source upstreams. We have things like the Fedora project. We've got JBoss WildFly, we have RDO. There's so many places people can interact. And I know Jim's big message yesterday was all about, you know, that power of participation, right? And that's really how we see security, too, is we've always treated security not as kind of a Red Hat secret thing we're going to lock up and not do anything with. We are very participatory. We've always worked... I mean, in fact, a good example here is we work with some of Red Hat's competitors in the security space, where, you know, once we're out in the field, it's beaten hands without a doubt. But on the security front, we understand that we all win or we all lose. We're in the same leaky rowboat, and if we're not all bailing water, it's not going to end well.

All right, Josh, I want to give you the last word.
You know, as people think about Red Hat and the security space, you know, big ecosystem out there, what would you want them to take away?

I think the biggest thing to take away is just understanding what's going on in your environment, and the future of all of this that I see is all in that automation. It's all about automation. So understand what you're doing, how you can do it better, how can you automate this? The fewer people that touch your things, the better off you're going to be at the end of the day.

All right, and I said it was the last question, but containers, you know, secure, not secure?

I would say they're a bit like Schrödinger's container these days. They're neither secure nor insecure. It's like any tool. If you do it right, they can be secure. And if you do it wrong, they can be insecure. And of course, Red Hat is doing them right.

All right, well, Josh Bressers, I just really appreciate you giving us the update here on security in the Red Hat portfolio. We'll be back here with lots more coverage from Red Hat Summit 2016. You're watching theCUBE.