INSUBCONTINENT EXCLUSIVE:
As the Chief Security Architect at Red Hat, Mike Bursell spends his days talking about security both inside and outside the company
His job, he tells us on the sidelines of the Open Source Summit Europe 2019 in Lyon, France, is to encourage people to think about security
Talking about the security challenges in today’s containerised world, Mike says that there’s more to containers than just the technology
and people miss that it’s a cultural change: “It's very easy to forget that security isn't just about runtime
It's about development time and test time and provisioning time and closing down containers.”His advice to people is to follow the age-old
rule and think about security right from the design stage: “If you're doing DevOps for doing agile methodology, you can't wait for two
weeks before you deploy to put security in because you deploy every two weeks, for instance
So you need to make it a part of the cycle.” The only solution then is to bake security right into the CI/CD process: “If, for
instance, you have a rule that you're only going to accept container images from a trusted repository, you need to make sure that that's
You can't expect your engineers to know what those correct things should be
Similarly, you might say, I'm going to make sure that none of my containers last for more than 24 hours, I always restart them
But you want to make sure that when you restart the containers you're taking the latest image because there may be patches that have been
So you want to make sure that that's running through your automated test suite.” Part of Mike’s job is to look further out beyond the
roadmaps and he works with a number of product managers in Red Hat on “what's coming, what's exciting, what's interesting”, and to think
about how they can get the things that make sense into their roadmaps. Talking long-term, Mike talks about the importance of Enarx, a
project he co-founded, to enable apps to run within Trusted Execution Environments, completely independent of platforms and SDKs.Besides
Enarx, he’s also keeping an eye on quite a few security projects: “Certainly some of the quantum resistant algorithms are becoming
I think some of the multi-party computation projects are becoming important
I think there's some interesting questions around AI and security
When you're putting your training models together, how you manage, possibly personal data, without sharing with everybody, and there's a
crossover between the multi-party computation and some of the trust execution environments and things, lots of different things sort of in
the same space at the moment and that certainly keeping me interested.”
