Security delivered the Red Hat way, at Red Hat Summit

"Life can be good with open source": so went the title of one of my recent blogs, written after a recent ransomware attack that had apparently compromised critical systems and applications at a medical facility.  The point of that article was that enterprise solutions are safer and better prepared for such attacks with timely patches and upgrades to the tools and technologies used.

That being said, it is also important that said tools and technologies are intrinsically secure across all architectural layers of these solutions.  ‘Adversaries R Us’ do not necessarily have a top-down, layer-based approach to planning their next attack.  The most vulnerable opening is the best point of attack, no matter which layer it is in: it could be the underlying operating system, the virtualized environment, the authentication mechanism. You name it, they got it!

Thus, it is vital that all solution layers have security mechanisms built into them.  Even better, the underlying products and tools must have such features intrinsically enabled.

With these thoughts in mind, I sauntered over to the agenda for the Security track at the upcoming Summit, which tells us a compelling story around securing open source the Red Hat way.

There are four simple questions that come to mind as I review these session abstracts.

  1. Are we on secure ground?
  2. Who are we dealing with?
  3. Are we following the regulations that matter?
  4. What lies ahead?

And here is how the Security track at the Red Hat Summit addresses these questions.

Q.1. Are we on secure ground?

  • Platform.  "Are you listening to what SELinux is telling you?" asks Mr. SELinux (Dan Walsh, Red Hat principal security engineer) about one of the key security features within Linux.  Well known among system administrators, SELinux is not activated as often as it should be in production.  You will get a first-hand perspective on activating SELinux and hear about implementation challenges and successes from IT.NRW, a German government IT service provider.
  • Virtualization. Rapid adoption and growth of virtualization over the past few years has led to increased complexity and risks.  Widely prevalent and pervasive environments are prime targets for Adversaries R Us.  Hence it behooves us to get an "Understanding of the security risks and mitigation across the virtualization stack".  Having second thoughts? Just think about vulnerabilities like Venom (CVE-2015-3456) and the AMD PCNET buffer overflow (CVE-2015-3209). In this session, Prasad Pandit and Scott Herold will review security across the virtualization stack: from the host, to the hypervisor (KVM/Xen) layer, to QEMU or the guest level.
  • Containers. Just because you are using containers does not mean you are secure.  "Secure your enterprise software supply chain with containers" is designed to help architects, developers and ops in enterprises to securely deliver containers for serious production workloads and deal with the operational challenges of patching and deploying them at scale in an automated manner. What gets packaged, delivered, and deployed in container images has become the focal point of its reliability and overall system security. Knowing what’s in your stack and having the ability to patch vulnerabilities in a timely manner is critical in running your cloud applications on containers.

Q.2. Do we know who we are dealing with?

Q.3. Are we following the regulations?

  • Compliance is good. Automated compliance is priceless. OpenSCAP provides practical security hardening advice for Red Hat products and links to compliance requirements, making deployment activities like certification and accreditation easier. The session on "End-to-end OpenSCAP for automated compliance" describes how to use OpenSCAP along with Red Hat products, like Red Hat Satellite 6, to ensure security and compliance in your enterprise. SCAP provides us a way to create machine-readable controls that can automate compliance checks.

Q.4. Where are we headed?

  • Vision, solution and roadmap for identity and access management.  Identity management and authentication are core elements of the security fabric that connects all layers of the modern enterprise. The "Red Hat identity and access management vision, solution, and roadmap" session describes Red Hat’s vision in identity and access management (IAM): Red Hat’s identity management portfolio from a near-term perspective, and the long-term roadmap.

Those then are the sessions that call out various aspects of securing open source the Red Hat way and answer the four questions listed above.

What say you?  Which of these sessions are you planning on attending?  Let me know @NadhanEG.

Rest assured I will be there — eagerly awaiting a conversation with you after the session.

Securely yours,

E.G.Nadhan
