Episode 5: Geek Out with Tom Hance - Part 1: The Impact of Containers: Everything You Need to Know

Hey, this is Pete Tseronis and welcome to this episode of Geek Out, brought to you by Rancher government with our guest today, Mr. Tom Hance, the Director of Container Security. Tom, it's great to see you.

Tom Hance:

I'm fired up to chat with you, my friend. I know as we were prepping for this, that we were literally geeking out quite a bit, but we're going to do a lot of today's discussion or address a lot of today's discussion around the impact of containers, what we need to know how to secure those containers, and hopefully those listening and participating or attending are going to walk away with an interest in wanting to understand more about this powerful capability you brought to you by of courts, rancher, government. But before we go there, I'm big into making sure folks know a little bit about our guests, but just who they are, what brought them to this organization, and why you're so passionate about this topic. So knowing that you're a Los Angeles Pierce College graduate, I did do my homework and you are a Brahma Bull. Love that nickname and mascot. Tell us a little bit about your personal professional journey, my friend.

Tome Hance:

I got started a few decades ago actually building to arrays for the Navy I early eighties and then of course networks as they developed through the nineties. And then as soon as security became fashionable, I jumped on that bandwagon until the cloud came about and then moved over there for the last 10 to 15 years. Since it's existed over the last six years, I've been focused on really changing container security to container protection.

Pete Tseronis:

So along that way though, Tom, I mean you've seen the world change and you mentioned security became fashionable. And by the way, I love that you didn't just jump in with cyber security. Security is more than umbrella, so amen to that. But let's go back to, you've seen this in the government, especially with the advent of FISMA and eventually the cloud and this constant changing or those winds that change where it's we have to keep thinking about better and better risk mitigation. I mean, how much of that is challenging for you along the way and where we are today is not where we're going to be tomorrow in terms of mitigating that risk?

Let's hope so, because I really have seen history kind to repeat itself in the early days of networking. Of course, it was all about connectivity. Everyone wanted to add X number of ports so that they could have

endpoints and users added to the network and everyone could communicate harmoniously. But then after that they said, oh, we have to secure this stuff. And then they started throwing gateways at the network between each boundary and it got quite messy. And that's simply because security is always an afterthought. Unfortunately, it's still an afterthought today. In fact, it's just the way networks develop, whether they're wired or they're in the cloud or they're microservice based or Kubernetes based, you build the network first and then you try to add security. I'm trying to change the way we do that, but that's what I've observed and has kind of the reason I'm here.

Totally understand and coming from the government where the mantra of “architect, invest, and implement” solutions, which is not linear, but it's kind of more of an iron triangle. I can totally appreciate your comment about security shouldn't be an afterthought. Maybe there was a time you had to bolt it on versus bake it in, and we know that there's a number of recommendations and guidance documents that the federal government public sectors marching towards, but clearly a lot of that makes sense and has been driven by the advancement and sort of the ingenuity more so than anything from folks like yourself and of course here at Rancher Government. So we're going to jump into that Kubernetes and kind of break down a little of the container security things that it could be challenging, but how to overcome, and not asking you for secret sauce, but we know Rancher Government's a leader in this space.

But back to just this journey, because again, I've seen it too. I'm no spring chicken, I'm 56 and I was there when there wasn't even an internet when I was back in government. And Tom, we hear zero trust, we hear ubiquitously connected devices, we hear protocols and standards. How do you express that while this world we live in, which is, I'll just say in a world that we have to accept that everything's connected and can't really trust anything. Is that scare you? Does that something that you say, well, hey, let's figure that out. How do you convey to your leadership and the companies you've worked at that, hey, this is just something we have to keep working on continuously?

Tom Hance:

That leads into maybe let's jump into NeuVector a bit. One of the many solutions that serve a purpose but also are part of a platform that Rancher Government delivers. So we know there's this, as they call it hyperdynamic nature, that containers can create in terms of challenges, but also opportunity. And I'm a believer in with all risk that's out there, there's all this opportunity to mitigate said risk and innovate and transform. And that's something the government mantra has been from day one, but break down new

vector, it's unique differentiation and its actual capability that excites you and should excite all your customers. What does it do?

The key thing it does is it changes the game from IDS intrusion detection systems that are broadly available for containers and Kubernetes to intrusion protection. So getting in front of an attacker and blocking an attack before it can hit its target, that is the major differentiator. It's the only inline and real time Kubernetes armor to assure that one container cannot attack another, and that your containers are protected across multiple vectors, multiple attack vectors.

Yes, I love the definition on your website, zero trust container protection, providing real time automatic container security to stop attacks dead in their tracks. And for those listening, this is where if you don't know the terms zero trust, please Google it: Container Kubernetes. We're going to get into some of that, but I love the phrase to those that maintain a lot of this, and that's going to be my question, Tom, securing your digital business from pipeline to runtime, who actually does that typically in an organization who's in charge in your view, especially in government with that securing of digital business from pipeline to runtime?

Well, it's everyone's responsibility. Let's say that upfront from DevSecOps, the initial development effort all the way through the pipeline into production reduction. Typically, if you were just to name a group, it would be the SecOps teams that provide overall security for the agencies. But in reality, you want to track every move that you make in this new media, if you will, for developing applications and ensure that you not only have the agility which Kubernetes brings to the table in application development, but you also have the security built in and zero trust to make sure that you're following a deny all by default model. And that only data that is authenticated and authorized to cross a demarcation point between containers is permitted.

And that gets to this pipeline or value chain of multiple stakeholders. I appreciate that. For us in government, in my former life, we had a number of federal employees. We had systems integrators, we had folks who sold equipment to us, and then once it was attempted to be implemented, there was always that are we checking our P's and Q's, dotting I's and crossing t's to make sure that that chain is not going to be introducing some element of risk. So appreciate that component. And for those listening stakeholders from the C level to those you hire to maintain that pipeline, that's critical back to NeuVector and its uniqueness and we can see what it says online. I also phrase it caught my attention, integrating your zero trust to security across all your containerized network workflows to ensure your apps are protected from evolving threats. What can you say about the value of this evolution where cloud now is involved and application workflows and what NeuVector does to really mitigate a lot of that risk for those adopting cloud migration and open source?

Well, certainly we've gone away from relying on latent image images, CVE monitoring and remediation scans, port labels, eeb, PF estimates. We've moved away from that to real time behavioral learning and then enforcement in between container periods. And that's a different approach than what's been

available to folks running Kubernetes platforms in that it is in line and in real time making a judgment call for you using this behavioral learning technology to assure that only data that meets your zero trust policy set crosses between containers. So a protects a container in a preemptive manner from ever seeing an attack attempt manifest at the victim's location, whether that location is an application that you've finished and is running in production or in the pipeline where it can be attacked as well through a simple image.

Yes, I was reading, and I'm going to just reference again, and if we're watching this amazing ultimate guide to Kubernetes security and I say, amazing, how to secure your Kubernetes pipeline, because it really spoke to me. I do a lot of teaching and educating, and sometimes we go down the rat holes or dark holes of explaining Kubernetes and application development and CICD pipeline, et cetera. And that being continuous integration, continuous, continuous delivery and deployment. I found this artifact to be very helpful. And when I think about again, this effort to, as the government introduces a zero trust mentality and a framework that should be adopted and the internet of things and things at the edge, and that's a term I hear a lot in the world of rancher, government of protecting at the edge. What can you emphasize about just that deployment and implementation of what rancher government folks like yourself bring to the table so that the customer, the government in this case says That's a group I want to work with because they're not just selling me a product and a solution and service. They're helping me understand what that outcome and result and how it's going to benefit us. And automation seems to be a big piece of that.

Yes, certainly is automation to the point where you don't have to man the platform. Most platforms designed to protect Kubernetes require personnel to search for vulnerabilities for CVEs and to pass up. Same thing with compliance issues. They need to be found and addressed with a patch of some sort. Unfortunately, when you're in a, let's say on a mission or you have a mission to do that's more tactical in nature, there's not going to be any personnel available to search for CVEs. You can't afford that in a tactical deployment. So our customers turn to us for two primary functions. One is to take the load off those folks that are still doing the detect and patch model, which is extremely costly for the government and to move it to more of a protect and defend model. So preemptive protection and defense of your assets no matter where they are in the container cluster. This is advantageous simply because it also means once you've set up new vector to protect your environment, you can move to a tactical environment where you're not going to have personnel available to monitor what's happening. You just want to assure that you have zero drift in your applications and their performance throughout the mission. And that's something that NeuVector offers.

Tom, I appreciate that. Again, coming from the world of government where we want to, I love the protect and defend and being preemptive. How much of the NeuVector capability maybe allows those individuals, the stakeholder to have visibility into or dashboards that can give them that real time monitoring or updates on the health of a network? Is that something that is a big part of the new Vector capability, having that dashboarding and that actionable intelligence?

Absolutely. You always want situational awareness, and that includes what your defensive posture is with your Kubernetes networks. We offer that as part of our dashboard pointers. I think it's more important to be able to see the actual payload that's traversing your networks in real time. Learning that you've had a breach after the fact is not that useful. Frankly, some folks call it actionable intelligence. Actionable intelligence to me is only intelligence that comes before an event happens so that you can prevent it. And that is kind of the direction that NeuVector takes our customer base. It's all about prevention, not waiting for an attack to happen inside the perimeter and then reacting.Tom, I appreciate that. Again, coming from the world of government where we want to, I love the protect and defend and being preemptive. How much of the NeuVector capability maybe allows those individuals, the stakeholder to have visibility into or dashboards that can give them that real time monitoring or updates on the health of a network? Is that something that is a big part of the new Vector capability, having that dashboarding and that actionable intelligence?

I love situational awareness because that is the term I love to use is what do we look like now? But we don't want to wait in 15 minute intervals per se, but we want to have that real time monitoring. So I appreciate that. And again, just to summarize for some of the audience what I've been taking some mental notes and writing a few down, and you can read about this, that security challenges around containerization and app development in the cloud folks is a thing, and there is no silver bullet, but working with companies like Rancher Government and solutions like NeuVector, whether you're in X, Y or Z cloud service provider, you have to think about a lot of things. And that was this CICD pipeline that Tom, you hit on. I was going to ask you about east west traffic just because I know what it means, but a lot of people when they hear that, they're like, is that some new buzzword geek out thing I have to read? But maybe we can go there for a minute. Just explain for the average person out there and then increasing attack surfaces, we know we have that today with all of our devices we use in our personal capacity. And then I loved your automating security to keep pace with is what you emphasize a lot when you speak and a lot of the documents you've written. But the east west traffic, how can you illustrate that for somebody?

Well, in traditional networks, you can see the data as a traverses via the gateways, the routers that you have, let's say in a wired network, when you move to the cloud, things are a little different. And when you move to microservices, in order to keep Kubernetes agile, meaning, so you can deliver quality product quickly, they obfuscated or hid a lot of the network and application information. So the developers themselves can focus on building their applications and not so much the network infrastructure behind the platform that they're using to build these applications. And doing so by hiding that information. That leaves liability simply the network traffic, the applications, the processes, the packet flows that run between containers is what is considered east west traffic. Every transmission between from one container to another, whether it's in your DevOps environment or in your staging or in your production environment is east west traffic. When it reaches outside, that's given cluster that is considered north-south traffic. So that's a basic definition. Any ingress or egress connection in and out of a container cluster is north-South. Any container to container or application to application connection within your container or Kubernetes cluster is east-west

So a lot, again, for folks listening, you have to think about it's not as linear or what have you as maybe way back in the past it is so many more devices, so much more data. The volume, velocity, variety, veracity of data, most of us in the cloud world tend to address is we got to figure out a way to help mitigate that. And it clearly is part of the DNA here at NeuVector and Rancher Government. You want to say something?

Yes. One of the things that NeuVector developed was this behavioral learning component. And what that does is as soon as you install a new vector, which typically takes about five minutes with a helm chart and 15 minutes with a YAML file modification, the platform goes out and learns all your connection. It learns your behaviors at the application and packet level. That means that we understand almost 40 cloud native application protocols, just like the routed networks that protect every boundary from the United States, Pentagon on out. But when you get to Kubernetes all that, again in order to keep you agile, Kubernetes hit that NeuVector has developed a unique way using container deep packet inspection to show you that traffic to assure that there's nothing embedded in that east west or north south traffic that can harm the agency. So the second piece of that is that we're deployed in between each container pier and the only defensible position that allows us to block an attack before it hits its target. If one container attacks another, we are the boundary, the gated blocking device in between these peer containers that are potentially going to talk, that's going to challenge that attack and block it dead at layer seven. So our layer seven application aware behavioral enforcement platform for Kubernetes.

Tom, I'm a big fan of the behavioral learning behavioral analytics in this space. That is we're allowing systems to learn how we as humans react and act. So I appreciate that big time. And at the application and packet level, that's awfully impressive. And being an OSI model layer one through seven kind of guy, I appreciate you breaking that down. Since we've talked a lot of north-south, there's a lot of this east-west traffic going on in risk.