As the Chief Security Architect at Red Hat, Mike Bursell spends his days talking about security both inside and outside the company. His job, he tells us on the sidelines of the Open Source Summit Europe 2019 in Lyon, France, is to encourage people to think about security. Talking about the security challenges in today’s containerised world, Mike says that there’s more to containers than just the technology and people miss that it’s a cultural change: “It’s very easy to forget that security isn’t just about runtime. It’s about development time and test time and provisioning time and closing down containers.”
His advice to people is to follow the age-old rule and think about security right from the design stage: “If you’re doing DevOps for doing agile methodology, you can’t wait for two weeks before you deploy to put security in because you deploy every two weeks, for instance. So you need to make it a part of the cycle.”
The only solution then is to bake security right into the CI/CD process:
“If, for instance, you have a rule that you’re only going to accept container images from a trusted repository, you need to make sure that that’s automated. You can’t expect your engineers to know what those correct things should be. Similarly, you might say, I’m going to make sure that none of my containers last for more than 24 hours, I always restart them. But you want to make sure that when you restart the containers you’re taking the latest image because there may be patches that have been provided. So you want to make sure that that’s running through your automated test suite.”
Thinking beyond roadmaps
Part of Mike’s job is to look further out beyond the roadmaps and he works with a number of product managers in Red Hat on “what’s coming, what’s exciting, what’s interesting”, and to think about how they can get the things that make sense into their roadmaps.
Talking long-term, Mike talks about the importance of Enarx, a project he co-founded, to enable apps to run within Trusted Execution Environments, completely independent of platforms and SDKs.
Besides Enarx, he’s also keeping an eye on quite a few security projects:
“Certainly some of the quantum resistant algorithms are becoming important. I think some of the multi-party computation projects are becoming important. I think there’s some interesting questions around AI and security. When you’re putting your training models together, how you manage, possibly personal data, without sharing with everybody, and there’s a crossover between the multi-party computation and some of the trust execution environments and things, lots of different things sort of in the same space at the moment and that certainly keeping me interested.”