Half of our customers tell us that security is their #1 spending priority for 2017. (Source: Red Hat Global Customer Technology Outlook, 2017.) With our reliance on digital transactions and tools--and our propensity to connect absolutely everything to the internet--we’re increasingly vulnerable. New kinds of attacks target everything from routers to VCRs, and branded vulnerabilities only make it harder to tell what’s really critical.
This year, there are more than 40 sessions, labs, and talks on security at Red Hat® Summit. Our security experts are available to answer questions and demo software in the Partner Pavilion. Those who are a little more adventurous can try a security game show, learn through roleplay, or test their infosec skills.
IT’S ALL FUN AND GAMES (UNTIL SOMEONE GETS HACKED)
The Partner Pavilion houses Participation Square, where attendees can get their hands (and brains) on some interactive activities, several focusing on security. Crob (pronounced "krobe"--more about him later), a security program manager at Red Hat, took a break from session talks to run a quiz-style show around security topics. Crob tested participants’ knowledge of exploits and OSS with topics like In the News!, Hope or Hype?, and Branded Flaw or OSS Project?.
Crob, a security program manager at Red Hat, runs a quiz show around security topics.
Attendees can also test their sysadmin mettle in the Break-Fix Challenge. Using the information available in Red Hat Customer Portal, contestants must solve a product-specific problem. SELinux failure? Broken system? Logging errors? Those who find the fix the fastest win prizes--and get their name on the leaderboard for all to see.
These educational competitions will continue throughout Summit, so if you’re on site, stop by the Partner Pavilion and see how your skills stack up.
THE SECURITY LIFESTYLE
As Red Hat technical manager Mark Thacker points out, "Security is not really a technology, it’s a lifestyle." Though Red Hat does not sell any products that focus solely on security, it influences every decision and is built into every solution.
Thacker, in his security roadmap session, focused on 3 IT security trends:
- Creating secure foundations
- Deploying hybrid clouds
- Implementing security compliance and automation
For those who caught the keynote from Red Hat’s executive vice president of Products and Technology, those themes might seem familiar.
BUILDING A SECURE INFRASTRUCTURE FOUNDATION
All Red Hat products are built in a consistent, repeatable, and transparent way that includes packaging, testing, verifying, and delivering the components with security concerns at top of mind. Red Hat Enterprise Linux® and all products sharing its codebase contain many common security elements.
As IT evolves, trends in infrastructure and identity management (IdM) could include:
- Unifying cryptographic policies.
- Hardware root of trust like TPM (2.0) for storing secrets.
- White-listing for utilities and apps to reduce risk.
- Specific device authorization per device, class, user, or location (USB guard).
- IdM integration and automation with middleware, public key infrastructure, and Ansible.
- More secure data store with application programming interface (API) access (Trusted Platform Module (TPM), Custodia).
MAINTAINING SECURITY IN HYBRID CLOUD ENVIRONMENTS
Hybrid cloud deployments and infrastructure can also share consistent policies and elements--especially since they use many of the same components. SELinux, for example, can also protect virtual machines (as sVirt). And Linux provides consistency when it acts as container OS or container host.
Containers also provide isolation, and content scanning and image signing can ensure what’s inside is appropriate for your environment. Thacker also noted that the container health index--now part of a Red Hat subscription--can help evaluate the freshness of a container image.
A great deal of work is also happening around storage and security for cloud deployments, including:
- Network-bound disk encryption.
- Secrets-based protocols for containers.
- Trusted execution environments.
- Reduced attack vectors by changing platform behaviors.
AUTOMATING SECURITY COMPLIANCE
Complexity, at the best of times, breeds automation and standardization. Open standards and tools from OpenSCAP can help scan and evaluate systems based on a security profile. Certifications, like CC and FIPS, give you confidence that our products meet rigorous standards. And management products, like Red Hat Insights and Red Hat CloudForms, can identify and prevent out-of-compliance components from executing.
More than that, our dedicated security team provides rapid responses to known vulnerabilities, which anyone can evaluate in the risk report we publish each year. There’s even a vulnerability API that lets you query the remediation database.
As we deal with more and different systems and their security needs, Thacker expects we will see:
- Smarter responses to branded issues. As Thacker and Crob both noted, just because an issue has a logo does not mean it is critical.
- Increased common logging across platforms.
- More OpenSCAP profiles.
- More products patched on day 1, as monitoring and automation become more common.
RED HAT OPENSTACK PLATFORM
Keith Basil and Nathan Kinder also presented a security roadmap, but one specifically tuned to those building private cloud infrastructure with Red Hat OpenStack® Platform. They emphasized the need for security as a pervasive part of the process, illustrated by the continuous cycle:
Design → Build → Run → Manage → Adapt → Design
Basil emphasized that this circular process (including security remediation) is fully integrated with the build process for Red Hat Enterprise Linux OpenStack Platform and its continuous integration life cycle.
Nathan Kinder shared a process cycle for requesting an OpenStack virtual machine (VM), to illustrate the complexity of OpenStack services. "Each of these components," Kinder said, "is an actor. All of these different services in OpenStack are talking to each other over open APIs. How do they know that they are who they think they are?"
The many components of an OpenStack environment present a lot of attack surfaces. This means that compliance is a full-stack exercise--each piece must be protected. With so many compliance bodies around the world, the Cloud Security Alliance (CSA) created the cloud controls matrix (CCM) to help classify security-related topics and map them across various groups.
Red Hat uses the CCM and analysis of the top compliance initiatives within OpenStack to plan an agile approach to improving security features. Current top initiatives include infrastructure and virtualization, identity and access management, encryption and key management, and threat and vulnerability management.
WHAT HAPPENS WHEN IT ALL GOES WRONG?
Crob, of game show fame, also had a interactive security session at Red Hat Summit. He began by defining vulnerabilities in entirely human terms: "In the world, all software is created by people. People make mistakes, and therefore there are flaws in software. Sometimes good people find them, sometimes they don’t."
With facts from a executive summary of Verizon’s Data Breach Investigations Report, he emphasized that breaches were not just a problem for high-value targets, or the result of a clever evil-doer. In fact, 63% of all attacks in 2016 were the result of password guessing or reusing credentials.
Crob also noted that timing is important, and that 84% of breaches take months to years to discover.
He outlined the basic steps of handling a breach by following the acronym PICERL:
Crob then introduced his fictitious company, SportsBall.com.org, and its cast of characters: a charismatic but not-technical CEO, a product manager for the company’s web-based SPortal! (with the exclamation mark), and a security architect. One audience volunteer acted as the IT admin, and the rest would portray the ever-questioning board of directors.
Crob used this winding tale--with appropriate apologies to Faulkner, a bunch of internet cats, and wit--to describe the kind of security scenario an inexperienced upstart web company could face.
When the CEO’s secretary innocently clicks on an amusing cat video, the story is set in motion. As Crob explained, "Malware can come in many forms. Infected image files and video files are a popular new vector."
Through a series of questions and conversations, Crob guides his motley company through multiple waves of a breach experience. At first, lax account policies and a video that seems to forward itself don’t seem like much of a problem. Neither the CEO (whose laptop could be the culprit) nor the product manager (who has an important for-fee service update for their customers) seem concerned.
However, ignoring the problem doesn’t make it go away, and it continues to escalate. Customers start getting invoices from the not-yet-released for-fee service, unusual network traffic is hitting payroll and invoicing, and the CEO’s workstation is eventually encrypted for ransom. THAT he does consider a problem.
Crob uses this story to probe the audience for the questions they should ask when considering their security policy. Things like:
- How would you know if something was going on?
- Do you really know what your user permissions are?
- What are you doing for spam filtering protection?
- Do you know what your baseline network traffic looks like?
- Do you have a response plan?
- In your response plan, will you isolate to prosecute or eradicate to restore service? (You can’t usually do both.)
Eventually, Crob takes pity on his poor beleaguered SportsBall.com.org "employees," and reveals the root cause of their troubles: Video displays in the office were attached in the clear to the office network, and their software was very old, easily exploited, and the culprit behind the network intrusion.
SECURITY IS CONTINUOUS AND CULTURAL
Bruno Oliveira, speaking to a group of attendees in an afternoon Birds of a Feather (BoF) discussion session about improving security, echoed Crob: "I believe that security is not only about tools, but about people." His co-host, William Henry, added, "If you have a good process in place, in the pipeline, you can create standards."
Though the approaches were different, the message about security was clear: The technology is there--or on its way. Standards and compliance bodies are plentiful. The missing ingredients for many organizations are process, education, and culture.
The good news? These are all things that can be gained by collaborating with others, listening to their experiences, and learning from them. Which just happens to be what we do every year at Red Hat Summit.