Josh Bressers, security strategist for Red Hat, laid down the law for the current state and future of security at Red Hat in today’s roadmap session. When talking roadmaps, nothing is definite–Josh stressed that on several occasions and offered some guidance on when we might see some of these advancements. Still, nothing is certain until it’s certain.
Foundation > Platform > Technologies > Usage
Security is big. Really big. Especially within the past year, we’ve seen lots of security issues and vulnerabilities exposed, freaked out over, and resolved. It’s on everyone’s mind and the answer to all of this isn’t a silver bullet. Security is not a single solution, but everything in your infrastructure working together–along with your users. If you don’t use it securely, it doesn’t matter how secure it is at the bottom.
Josh went into depth on the many technologies that Red Hat uses, throughout the stack, to make everything secure. There’s too much to cover in a single post, but I’ll hit some of the highlights.
The foundation of Red Hat Enterprise Linux has crypto, split into 3 major groups: maintenance, deprecation, and vision. Maintenance consists of security updates, bug fixes, certifications, and modification of defaults. Deprecation includes watching research, proactive deprecation, and taking an active role in looking at what’s out there, determining what people need and what they don’t need, and then taking away the unneeded to minimize attack areas.
A great example of this approach is the DROWN vulnerability, which attacked SSLv2. This is something that many customers no longer use and ignore. Bad idea. Red Hat’s security approach is to disable this and look for other things to disable to keep our customers secure. Things have changed and the old approach of “Don’t need it? Forget it.” no longer works.
The third part of this, vision, is looking to the future, seeing what’s coming, and anticipating the security needed. Think new algorithms, better system management, and library improvements.
“You’re compliant for a day–if you’re lucky.”
Compliance is a big deal for some, and it’s going to be increasingly important as we go forward. Red Hat spends a lot of time ensuring compliance so you have that much less to worry about when it comes to maintaining compliance in your business. Josh stressed that Red Hat knows how hard this is and is working to make it easier.
“We’ll keep getting those certifications for you because we care and we know some of you need this. If we get these, we’re doing something right.”
This is where things get interesting and exciting in the world of security. Containers are huge, obviously, and this technology is still very new. New technology doesn’t start out solid and Red Hat understands that. The security team is looking at solutions to keep your containers secure. Red Hat is giving you the ability to scan your containers before you ever run them. Look for problems, then run.
“Containers come from all over. Some you build. Some you find. Would you eat a sandwich you found on the ground?”
Regardless, if you did eat that sandwich and if you do run containers from who-knows-where, you can scan them, fix issues, and feel more secure. Red Hat CloudForms has this built in. Try it, already. (But, seriously, don’t eat that sandwich, okay?)
More security than you can shake a stick at
Like I said, Josh covered a lot. He talked network-bound disk encryption, SVIRT, SCAP, Red Hat documentation and response, as well as identity management. The session was recorded, so be sure to check that out once it’s posted to learn more.
One more thing
I’d be remiss if I didn’t mention smart analysis. To me, this is some of the coolest and most powerful stuff that Red Hat’s doing for our customers. Red Hat Insights is a proactive tool that can analyze your environment against our knowledge and provide feedback and suggested improvements and fixes. Think beyond security to performance, as well. It’s extremely powerful and will only get more so. Fix your to-be problems before they’re OMG problems.