Container insulation is not limited to technology.

As Chief Security Architect at Red Hat, Mike Bursell spends his days talking about security both inside and outside the company. His job, he told us on the sidelines of the 2019 Open Source Europe Summit in Lyon, France, is to encourage people to think about security. Speaking of security challenges in today's containerized world, Mike said that culture change is not limited to technology. "People forget that this is a culture change: it is development time, testing time, and provisioning time, as well as container closure."

His advice to people is to follow the old rule and think about security from the design stage: "If you use DevOps for an agile methodology, you cannot wait two weeks before deploying to configure security. Deploy every two weeks, for example. So, you have to make it part of the cycle."

The only solution is to integrate security into the CI/CD process:

"If, for example, you have a policy of only accepting container images from a trusted repository, you need to make sure it is automated. You can't expect your engineers to know what these good things should be. Likewise, I could say that I will make sure none of my containers last longer than 24 hours, I always restart them. But you want to make sure that when you restart containers I take the last image because patches may have been provided. So you need to make sure it works on your suite of automated tests."
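As an added illustration of the automation described in the quote above (not code from Red Hat or from the interview), a CI/CD stage could run a check like this over a container inventory. The registry host, record fields, digests and sample data are constructed assumptions.

```python
import sys
from datetime import datetime, timedelta, timezone

# Assumed policy values; the registry host is a constructed placeholder.
TRUSTED_REGISTRIES = {"registry.example.internal"}
MAX_AGE = timedelta(hours=24)

def registry_of(image):
    """Registry host of an image reference; bare names resolve to docker.io."""
    first, sep, _ = image.partition("/")
    # Docker convention: the first path component is a registry host only
    # if it contains '.' or ':' or is 'localhost'.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"

def violations(c, latest, now):
    """Policy violations for one container record (empty list = compliant)."""
    found = []
    if registry_of(c["image"]) not in TRUSTED_REGISTRIES:
        found.append("untrusted-registry")
    if now - c["started"] > MAX_AGE:
        found.append("older-than-24h")
    # Fail closed: an image with no known latest digest counts as stale.
    if latest.get(c["image"]) != c["digest"]:
        found.append("not-latest-image")
    return found

def audit(containers, latest, now):
    """Map container name -> violations, listing only non-compliant ones."""
    report = {c["name"]: violations(c, latest, now) for c in containers}
    return {name: v for name, v in report.items() if v}

# Constructed sample inventory and registry state (not real data).
NOW = datetime(2019, 11, 1, 12, 0, tzinfo=timezone.utc)
LATEST = {"registry.example.internal/shop/api:1.4": "sha256:aaa1",
          "registry.example.internal/shop/web:2.0": "sha256:bbb2"}
CONTAINERS = [
    {"name": "api", "image": "registry.example.internal/shop/api:1.4",
     "digest": "sha256:aaa1", "started": NOW - timedelta(hours=3)},
    {"name": "web", "image": "registry.example.internal/shop/web:2.0",
     "digest": "sha256:bbb1", "started": NOW - timedelta(hours=30)},
    {"name": "debug", "image": "busybox:latest",
     "digest": "sha256:ccc1", "started": NOW - timedelta(hours=1)},
]

if __name__ == "__main__":
    failures = audit(CONTAINERS, LATEST, NOW)
    for name, v in failures.items():
        print(f"{name}: {', '.join(v)}")
    sys.exit(1 if failures else 0)  # non-zero exit fails the pipeline stage
```

Comparing digests rather than tags is what catches a container that was restarted on a cached, unpatched copy of the same tag.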

Think beyond roadmaps

Part of Mike's job is to go beyond roadmaps. He works with various Red Hat product managers on "what's coming, what's cool, what's cool," and thinks about how they can incorporate elements that make sense into their roadmaps.

Ultimately, Mike talks about the importance of Enarx, a project he co-founded, in enabling applications to run in reliable runtime environments, completely independent of platforms and SDKs.

In addition to Enarx, he also oversees various security projects:

"Some quantum resistance algorithms are becoming important. I think some of the multi-part computing projects are becoming important. I think there are some interesting questions about AI and security. When you combine your training models, how you manage, possibly the personal data, without sharing them with everyone, and there is a crossover between multipart computing and some of the trusted environments and other runtime environments, a lot of different things in the same space right now and that certainly keeps me interested."