Guest: Rob Hirschfeld (LinkedIn)
Company: RackN (Twitter)
Securing bare metal can be a challenge: it means being aware of the whole environment and staying on top of updates and patches. RackN is working to help organizations deal with these bare metal challenges. In this episode of TFiR: Let’s Talk, Swapnil Bhartiya catches up with Rob Hirschfeld, CEO and Co-Founder of RackN, to discuss some of the best practices for bare metal security. He goes on to talk about some of the common mistakes people are making with Infrastructure as Code (IaC) and how organizations can improve their security posture.
Key highlights from this video interview are:
- Hirschfeld discusses the similarities between a CI/CD pipeline and an infrastructure pipeline: as with CI/CD, you can build an end-to-end workflow with well-defined injection points where security steps and additional checks are added without affecting the function of the pipeline.
- The complexity of infrastructure continues to be a challenge that RackN aims to solve by creating abstractions that let you deal with different types of infrastructure using the same APIs and workflows. He explains that the infrastructure people deal with in practice has more similarities than differences.
- Hirschfeld explains why bare metal security adds some additional complexity: BIOS vulnerabilities mean that people need to be aware of the whole environment and ensure it is patched and updated, in the same way a service provider would on their behalf.
- Bare metal does have additional responsibilities and Hirschfeld discusses the best practices for dealing with these challenges. He tells us how one of their customers is aiming to audit every server in their entire state on a monthly basis.
- Hirschfeld shares the three KPIs organizations need to think through: how do you know that you are secure, when was the last time you checked that you are secure, and how long will it take to do the work once you have established that?
- For companies where compliance is a top priority, the key concerns should be who is accessing their systems and regularly doing a full system reset. Hirschfeld discusses why it is best practice to be able to reset a system back to an immutable state each month, whether or not it is needed.
- One of the mistakes people make with IaC is taking a secure, validated Terraform plan or Ansible playbook, copying it, and modifying the copy to meet their needs. Hirschfeld explains that the copy will no longer be patched and updated automatically, which leads to drift and security issues.
- Hirschfeld shares his advice for organizations looking to improve their security posture by implementing resilient, robust automation practices, which RackN helps with. His recommendations are to ensure you can restore systems quickly so that you can scan them and apply patches quickly, and to make sure you can control who has access to systems.
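The three KPIs and the copy-and-modify IaC mistake above can be made concrete with a small script. The following is an added example written for this summary; it is not code from the interview, from RackN, or from their product. It assumes an inventory record per server carrying the content of the IaC playbook actually applied to it and the timestamp of its last audit, a single validated baseline playbook, a 30-day audit window, and a fixed per-server remediation time. Every server, playbook and date below is constructed for the example.

```python
"""Added example (not from the interview or RackN): computing the three
bare metal KPIs over a constructed server inventory.

"Do you know you are secure?"  -> which servers run a playbook that has
                                   drifted from the validated baseline
"When did you last check?"     -> which servers are past the audit window,
                                   and the age of the oldest check
"How long will the work take?" -> servers needing attention times an
                                   assumed per-server remediation time
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass
class Server:
    name: str
    applied_playbook: str   # playbook content that was actually applied
    last_audit: datetime    # when this server was last verified


# Constructed validated baseline playbook: the artifact that receives
# upstream patches and updates.
BASELINE_PLAYBOOK = """- hosts: all
  tasks:
    - name: disable password ssh
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
"""

# A "copy it and tweak it" fork of the baseline: the mistake described
# above. Once forked, this copy no longer picks up baseline changes.
FORKED_PLAYBOOK = BASELINE_PLAYBOOK.replace(
    "PasswordAuthentication no", "PasswordAuthentication yes"
)

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)

# Constructed inventory: one compliant server, one drifted, one unaudited.
INVENTORY = [
    Server("bm-01", BASELINE_PLAYBOOK, NOW - timedelta(days=3)),
    Server("bm-02", FORKED_PLAYBOOK,   NOW - timedelta(days=10)),
    Server("bm-03", BASELINE_PLAYBOOK, NOW - timedelta(days=45)),
]


def fingerprint(text: str) -> str:
    """Content hash of a playbook; equal hashes mean identical content."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def kpis(servers, baseline, now, audit_window=timedelta(days=30),
         minutes_per_fix=20):
    """Return the three KPIs as a dict.

    minutes_per_fix is an assumed, constructed figure for how long it takes
    to reset one server to the baseline and re-audit it.
    """
    base = fingerprint(baseline)
    drifted = [s.name for s in servers
               if fingerprint(s.applied_playbook) != base]
    stale = [s.name for s in servers if now - s.last_audit > audit_window]
    oldest = max((now - s.last_audit for s in servers), default=timedelta(0))
    needs_work = sorted(set(drifted) | set(stale))
    return {
        "drifted": drifted,                          # KPI 1
        "stale": stale,                              # KPI 2
        "oldest_check_days": oldest.days,            # KPI 2
        "servers_needing_work": needs_work,          # KPI 3
        "remediation_minutes": len(needs_work) * minutes_per_fix,  # KPI 3
    }


def example_report():
    """Run the KPIs over the constructed inventory."""
    return kpis(INVENTORY, BASELINE_PLAYBOOK, NOW)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

A content hash of the applied playbook is enough to catch a fork that silently weakened a setting, as bm-02 shows; a server that still matches the baseline but has not been audited inside the window, like bm-03, is flagged by the second KPI rather than the first, which is why the remediation estimate is built from the union of both lists.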
This summary was written by Emily Nicholls.