On this special episode of the Futurum Tech Webcast – Interview Series, I am joined by Ian Hood, Chief Strategist at Red Hat, for a conversation around one of our favorite topics: Edge+Security. This conversation is the third in a four-part series with Red Hat.
In our conversation we discussed the following:
- Security challenges as they relate to edge computing solutions
- An overview into the best practices for edge security and compliance
- An exploration into edge security efforts, and who should be leading those efforts
- A deeper dive into Red Hat’s zero trust approach
It was a great conversation and one you don’t want to miss. Interested in learning more about edge+security? Be sure to read our latest research brief A Deep Dive into Edge+Security. Want to learn more about what Red Hat and what they are doing with open-source edge computing? Check out our latest report — — done in collaboration with Red Hat.
Also, make sure you check out our first episode in this four-part series with Red Hat, A Deep Dive into Edge+Automation with Dafné Mendoza, and our second episode, A Deep Dive on Edge+Scalability with Bradd Weidenbenner.
Don’t forget to hit subscribe down below so you won’t miss any episode.
Watch my interview with Ian here:
Or listen on your favorite streaming platform here:
Don’t Miss An Episode – Subscribe Below:
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Daniel Newman: Ian Hood, welcome to the Futurum Tech Webcast Interview Series. Excited to have you here.
Ian Hood: Well, thanks for having me.
Daniel Newman: Yeah, it’s great to have a chance to chat to you. This is part of a multi webcast series that we’re doing with Red Hat. Focusing on a bunch of different edge applications. So really glad I had the chance to talk to you. You, Ian, are the Chief Strategist in your business unit, give a quick introduction. I’d love to explain a little bit about what that is, what that role is and what you do day in and day out over at Red Hat.
Ian Hood: Well, certainly. So what I do is, I work across all of our industries, telco, financial services, healthcare, industrials, and it’s really about working with our customers to provide them guidance on both business and technology strategy to take advantage of open source technology, of course being Red Hat, on how that improves their business and brings more value to their customers.
Daniel Newman: Love it. Nice consolidated answer for a very big job. And the industry lens has grown rapidly. We’re seeing so much more focus on tech trying to address all the different needs of different industries. And that’s something that I’m going to love to get a little bit more of your take on, because it sounds like it’s something you do every day. But let’s start with a little bit of that broader lens. What are the big security challenges that you’re seeing as it relates to edge computing solutions?
Ian Hood: Well really, the big challenges are the fact that we’ve gone from a heavily centralized architecture to a distributed architecture. So like everybody says, we expand the surface area and the number of devices, the complexity, and basically we just scaled this whole problem up to a much larger extent. And we’re trying to now secure many more things across many more different technologies all the way up and down the stack from the hardware at the bottom, all the way to the applications at the top.
Daniel Newman: So when you talk about edge security use cases, how do you explain those to your clients markets across different industries?
Ian Hood: Well, there’s two ways to look at this problem. I don’t actually think of security as its own specific use case. You could take it down that road if you wanted to, to say, “Okay, let’s go secure this edge device as a use case.” But I look at it as, I really need to secure my entire environment from the time I actually go consume the hardware, the software, build the application, then to go deploy it at the edge. So it’s a complete approach that you have to do to make this happen, as compared to a use case that says, “Let’s go secure the applications and antivirus or cybersecurity applications to those, or let’s go put IPsec tunnels in here to go solve this problem. Well, let’s go meet the security compliance rules of Mister, the federal government FedRAMP.” There’s many ways to slice it up into very small use cases. We tend to look at as an end-to-end problem, from the time you start developing something, to the time you actually deliver a service on top of it.
Daniel Newman: Yeah. So I agree with that. I think security’s a bit more of a macro and an overlay. And so it’s something that organizations need to be thinking about. And that’s why many organizations, by the way, have CISO or some sort of chief security that works in tandem and in parallel with that chief information officer or that person that’s leading the deployment of the applications of the business, because these two things do run horizontally together. But of course every application has a security consideration. As data continues to proliferate, it becomes an even bigger thing, right?
Ian Hood: Right, because the real thing is, how do I protect both the data, so that the right people have the right access to the right information. And this is where we changing the rules in the game. The rule used to be that you had a wide open system and you locked it down piece-by-piece, solely secured it. Well, now we go the other way around, we don’t trust anything. We basically, it’s all locked down to start with, that’s the default, and nobody has access to anything and you can’t actually get access until you’ve been authorized to do so.
Whether it’s identity, your application, role based access, all those kind of things are now blocked until you actually open things up and change the way you do things. So that changed the entire approach to a much better, more secure way to start from, at a better posture and allows you to actually improve the whole thing from the time you actually go consume it from a hardware, software vendor.
Daniel Newman: Absolutely. So you’re out there, you’re talking to customers across many different industries. What are you finding? What are you recommending? What are you saying when it comes to best practices for edge security and compliance?
Ian Hood: What we’re saying is that the first thing is to make sure, as I said, the entire supply chain is secure. So making sure you’re getting design, you’re actually getting secure images from people you’re running your scanning on the images that you get from them. And before you even actually [inaudible] into your application pipeline to actually go build this application and deploy it somewhere, you’ve actually gone through that process of making sure that it is secure in the first place. So that’s the first thing, is to start from the application in, and then work through the role-based access models to let the right people, the right applications have the right access to the right things and the right data. That’s the next portion of the puzzle.
And then it’s really about ensuring that everything that you can do from a connectivity perspective, is encrypted at the right levels across the network. And that’s actually where we’re changing the game a bit now, is that we’ve all been locking down the network with IPsec tunnels. And now we want to say, “You know what? The networks getting complicated doing firewalls and all these interesting technologies to secure the network. We need to actually have to step it up a notch and secure it at the application layer through things like mutual TLS to support that problem.”
Daniel Newman: So, if I asked you about the capabilities, then I’m hearing encryption, I’m hearing some new methodologies for streamlining and simplifying all of… You’re unwinding the spider web that’s become IPsec. I mean, it’s become so complex and the edge and the volume of data, the volume of devices is only going to make it more complex. So best practices, somewhat you’re saying is to simplify. What are those capabilities and requirements that are going to enable that?
Ian Hood: So the first things are that you’ve got to have immutable software as an operating system that you can separate the applications and processes from each other. Then you’ve got to have things like name spaces to separate and isolate things. So there’s basic foundational tools you’ve got to have and things in the world of Kubernetes to separate things. But the other technology you’re going to need to bring to bear, is the ability to separate the application at a layer above the network, and do this at layers above layer three and four, and allow you to separate those applications and enable the applications to be securely communicating to each other in a manner across those different edge clouds, going from a centralized cloud to multiple edge clouds at a higher layer than we currently do, because what we’re finding is our customers are having to build all these and reconfigure them all the time, all these different collections of masses of IPsec tunnels, massive poking pinholes and firewalls every time they turn around, those kind of things.
That makes the operational challenge much more complicated. So we’re eliminate some of that challenge by building that intelligence into the application layer above the network.
Daniel Newman: Yeah, absolutely. There’s going to be way too much. And as you create these little one-off accesses, you’re just creating so much opportunity for threat, for vulnerabilities at scale. And of course you make it too complex for outsiders, I say outsiders, new people that can come into, to working in the organization there. How do you make it scalable, trainable? And of course you got to think about things like automation, AI, ML, because that’s going to be the key technologies.
Ian Hood: Well actually, you just jumped into where I was going to go next, which is if you don’t automate all of this stuff, the operators have to keep putting hands on keyboards to go change this stuff. You’ve got to actually make the entire operation, as much as you can automated, with humans doing what they have to do. Still have to have them involved, but automate as much as you can and apply policies with human intervention and apply your AIML to those in that manner. So it’s a balancing act between the human and the AI routines, but automation is key to eliminating what, we find people make changes by hand and that creates a security flaw right there. They make a change, and all of a sudden somebody was able to hack in, whereas you’ve had it automated, had it go back to the secured mode, you’ve got a much more secure system.
Daniel Newman: So if I say, who should be responsible for this, then you could almost say the machine, quote unquote, the automation, but of course you need smart people in the loop that are going to build these policies, build these systems and make sure that they are scalable and managed and secure. So in your case, who are you recommending to lead these edge security effort?
Ian Hood: It really is a combination of multiple teams, both the security officer and the design teams and the operation teams. You have to build that multi, I guess, team across different groups of how you build what we call the CI/CD automation for application development, how you secure that, but also in the world of networking and deploying things in a virtual world for telecoms, the entire network configurations and how you actually deploy networks and configure those things, that follows the same GitHub’s model of an automated reconfiguration of the network in a secure fashion. So that, that also takes that away from humans being involved, except to apply the policies from the business perspective, to apply those things and automate a recommendation to make a change, if a security breach does occur.
Daniel Newman: What are you doing at Red Hat?
Ian Hood: What’s that?
Daniel Newman: I said, so what are you guys doing at Red Hat? I always say proof is in the pudding.
Ian Hood: Yeah, so the proof is in the pudding. The proof really comes from Red Hat’s building of how we build our platforms and how we build our software in the first place. We do follow that same approach I mentioned, the zero trust approach to building everything we do and making sure all of our software tools are built in that fashion. We also bring a set of tools along with our platforms to automate and secure this deployment of these applications at scale on our platform and distribute it across the on-premise clouds, as well as the public ones, because people are now wanting to build this edge on-prem to some public cloud and also make sure that, that data is secured.
And another piece is to actually secure the data in motion, as well as the data that’s at rest. So that’s another piece of making sure that these platforms are secured for the data that’s really the gold you want to make sure you’re protecting, but you’ve got to make sure the entire system it runs on, starts as the foundation for that, but the tooling to actually do the automation and securing it with the right policies with tools, is how we put things together at Red Hat.
Daniel Newman: Well, it’s always great when you’re building something that follows your own way of approaching it and meeting the stringent requirements that every company should have for securing their data and applications. Ian Hood, thank you so much for joining me here on the show. A lot of fun having this conversation.
Ian Hood: Well, thanks so much.
Daniel Newman is the Principal Analyst of Futurum Research and the CEO of Broadsuite Media Group. Living his life at the intersection of people and technology, Daniel works with the world’s largest technology brands exploring Digital Transformation and how it is influencing the enterprise. Read Full Bio