IT Security Thing is present at numerous tech events across any given year. As you might expect, at most of these conferences security is front and centre when it comes to the keynote presentations and workshop sessions. At the Red Hat Summit 2018 in San Francisco, security was pretty much absent from the ‘general session’ stage, which is where the keynotes take place. That isn’t to say that security isn’t taken seriously by Red Hat, or that attendees at this 25th-anniversary summit aren’t interested in the subject.
Indeed, the first press panel of the first day of the event was a retrospective look at the Meltdown and Spectre processor vulnerabilities. Jon Masters, the Chief Arm Architect (and self-acclaimed processor nerd) at Red Hat, took the stage alongside Chris Robinson from the product security team, who was one of the ‘incident handlers’ during the Meltdown and Spectre response. Both were very open and honest about the entire affair, especially when it came to matters such as getting the balance right between mitigating the vulnerability risks and not hitting performance too hard, given that the whole point of speculative execution, the processor feature found to be vulnerable, is to improve overall performance.
Jon Masters admitted that “trading performance for security” has “always been the case.” However, with around two months of work from the initial responsible (and not public) disclosure of the vulnerabilities, Jon and his team at Red Hat had produced one of the first mitigations that could be rolled out to customers. He revealed that initially this meant a performance hit of more than 20%, which wasn’t acceptable in terms of that security/performance trade-off. This was quickly reduced to a 10% hit with some tweaking, and that figure continues to fall as the tweaking work continues to this day.
Jon also suggested that both (actually there were three separate vulnerabilities across the two named exploit types) were perhaps overhyped, as Spectre remains “technically very hard to pull off” whilst Meltdown has always been “very easy to mitigate against.” As well as the many online analysis pieces that exist now, Red Hat has produced a really easy-to-understand video that explains how the speculative execution vulnerabilities work. Perhaps the single best outcome from this incident was that, according to Jon, it helped to bring software and hardware developers together in order to produce the fix. This, Jon reckons, was the “silver lining” of the affair and will improve the way previously fairly polarised teams work together in future.
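The practical question left hanging by that panel is whether a given host has actually picked up the mitigations, and at what cost. The Linux kernel reports per-variant status in /sys/devices/system/cpu/vulnerabilities, one file per variant (meltdown, spectre_v1, spectre_v2 for the three original issues). The script below is an added example written for this article, not Red Hat’s code or anything shown at the summit; it reads those sysfs files when they exist and otherwise falls back to a constructed sample, so it runs offline. The file names and the three status prefixes (“Not affected”, “Mitigation:”, “Vulnerable”) are the kernel’s; the sample strings and the function names are my own.

```python
"""Report which of the three original Meltdown/Spectre variants are still
unmitigated on a Linux host, based on the kernel's own sysfs status files.

Added example for this article; not Red Hat code. Assumes the kernel exposes
/sys/devices/system/cpu/vulnerabilities/<variant> as a one-line status.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# The three original variants discussed at the panel (two Spectre, one Meltdown).
ORIGINAL_VARIANTS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample (not captured from a real host): a machine that has the
# Meltdown page-table isolation fix but only a partial Spectre v2 mitigation,
# which the kernel still reports under the "Vulnerable" prefix.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status: str) -> str:
    """Map one sysfs status line to a verdict.

    The kernel leads each line with one of three fixed prefixes; anything
    else (including an empty string for a missing file) is 'unknown', which a
    defender should treat as unmitigated until proven otherwise.
    """
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs_status(sysfs_dir: Path = SYSFS_DIR) -> dict:
    """Read every status file the running kernel exposes; {} if none exist
    (e.g. a kernel predating the disclosure, or a non-Linux machine)."""
    if not sysfs_dir.is_dir():
        return {}
    return {p.name: p.read_text() for p in sysfs_dir.iterdir() if p.is_file()}


def audit(statuses: dict) -> dict:
    """Verdict for each of the three original variants, 'unknown' if absent."""
    return {name: classify(statuses.get(name, "")) for name in ORIGINAL_VARIANTS}


def needs_attention(statuses: dict) -> list:
    """Sorted list of original variants that are vulnerable or unreported."""
    return sorted(n for n, v in audit(statuses).items() if v in ("vulnerable", "unknown"))


def report(statuses: dict) -> str:
    """Human-readable summary, one line per variant plus a final verdict."""
    lines = [f"{name:<11} {verdict:<13} {statuses.get(name, '(not reported)').strip()}"
             for name, verdict in audit(statuses).items()]
    todo = needs_attention(statuses)
    lines.append("ACTION NEEDED: " + ", ".join(todo) if todo else "all original variants mitigated")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_sysfs_status()
    source = "live sysfs" if live else "constructed sample (sysfs not available here)"
    print(f"# source: {source}")
    print(report(live or SAMPLE_STATUS))
```

The point of treating an unreported variant as “unknown” rather than silently skipping it is that the most exposed hosts are exactly the ones running kernels too old to have these files at all. Note that the status line tells you the mitigation is enabled, not what it costs; the performance figures Masters quoted have to be measured per workload.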
Security at the Red Hat Summit wasn’t just restricted to this look back at how the company responded to one threat. Indeed, the security strand was pretty much woven throughout the event if you looked closer. IT Security Thing certainly looked closer and was able to attend breakout sessions such as ‘The Red Hat Security Roadmap’, which looked at everything from DevSecOps to managing encryption, with a bit (well, a lot) of hybrid cloud deployment thrown in. The hybrid cloud theme was central to the Red Hat Summit this year, so it should come as no surprise that there was even a session devoted to it, called ‘Red Hat Security Roadmap for Hybrid Cloud’, that covered everything from centralised management of the environment, governance and compliance, through to data protection issues.
Then there was ‘Security-Enhanced Linux for Mere Mortals’, which set out to teach the basics of SELinux management and demystify what is often, quite rightly, regarded as something of a dark art. Perhaps the two most interesting discussions, at least from the security geek perspective, were the ‘Red Hat Security BoF’ (birds of a feather, to be formal) and a panel on DevSecOps with disconnected Red Hat OpenShift. The latter took an in-depth look at how MITRE and Red Hat Consulting worked collaboratively with the US Air Force Program Management Office to develop a containerised DevSecOps platform to meet stringent mission requirements. Using an Infrastructure-as-Code model, they produced a self-contained, bootable DVD to automate the installation process. This met a bunch of requirements: a replicable and consistent runtime across multiple sites, supporting development through to production in air-gapped and secure environments; being secured out of the box using hardening tools compliant with US Government security baselines; and providing a fully autonomous installation of OpenShift, CloudForms, Cluster Storage and Enterprise Linux into a bare-metal environment.
The BoF session, meanwhile, brought a whole bunch of Red Hat security thought leaders to the table, ready to take any questions from the floor. Whilst aimed primarily at experienced infrastructure managers and both application and system architects, the panel gave answers that satisfied everyone in attendance, across subjects such as deploying containers into the cloud and keeping large fleets of servers compliant with security frameworks.
I also had the chance to sit down and talk with Jim Whitehurst (President and CEO) about everything open source, but obviously I was more interested in the security angle than anything else. Indeed, it was a good opportunity to see just how involved the C-suite is in the security journey that Red Hat, like every large corporation, has embarked upon. The good news is that Jim not only knows the importance of security, both with regard to the IT security of his own enterprise (“if someone could slip something into RHEL (Red Hat Enterprise Linux) it would be catastrophic”) and of the product, but is actively engaged with the process. Jim told me that he has regular meetings about security, and his second in command pretty much has daily ones. For sure, Red Hat doesn’t appear to be one of those organisations that devolve security implementation entirely to IT and strategy to the CISO, who then reports back to the board. I get the impression that, as with much of the Linux business, security is seen as a community effort, and part of that community is the C-suite right up to the top of the tree.
There wasn’t, truth be told, a lot of security news as such that came out of the Red Hat Summit this year, although Mike Bursell, the Chief Security Architect at Red Hat, did suggest that the organisation will be working with CPU makers in order to better enable Red Hat to make use of on-chip features such as secure enclaves. AMD, Arm and Intel are all said to be involved, and this could see some security operations, such as encryption key management, moved into hardware that is not accessible to the operating system. This could, if it all goes to plan, mean that a compromised server (or virtual machine) wouldn’t be able to give up data that is isolated in this way. It’s almost a natural evolution of the containerisation concept, scaling it down and moving it into the silicon itself. Certainly, IT Security Thing welcomes any efforts to make VMs more secure and help mitigate hypervisor-layer attacks.
And talking of containers (let’s face it, you can’t attend a Red Hat Summit without doing so), there was one other news announcement that grabbed our security-focussed attention. This time it came from CyberArk, which announced the availability of CyberArk Conjur Enterprise on Red Hat’s OpenShift Container Platform. This, we were told, is designed to allow organisations to eliminate siloed secrets through an automated, single point of control for secrets and credential management. “Container platforms can offer significant business advantages, and it is important for organizations to think about an approach to security that aligns with the agility and velocity that today’s developers want,” said Chris Morgan, global technology director, OpenShift Partner Ecosystem, Red Hat.