Guest: Oleg Matskiv (LinkedIn)
Company: Loft Labs (Twitter)
In this episode of TFiR: T3M, Swapnil Bhartiya sits down with Oleg Matskiv, Senior Software Engineer at Loft Labs, to talk about this month’s focus, Security and Compliance. He goes into detail about the current state of security and what organizations are doing to keep ahead of the threats.
The evolution of security from legacy IT to native cloud:
- Best practices for cloud security have been documented for a long time. However, the adoption of IaC and GitOps is giving organizations a better overview and better auditability.
- A substantial amount of focus has been placed on supply chain security recently on the cloud-native side.
Is security now considered a priority?
- The shift left movement has helped in finding the gaps in security earlier on in the cycle so that new vulnerabilities can be resolved quicker. However, the onus still falls on organizations to make security a priority.
What does the state of security look like for the past 6 months?
- Matskiv feels that things have improved on the infrastructure side and securing infrastructure access.
- Phishing attacks aimed directly at users continue to be a problem. Two-factor authentication is not always enough, and more education is needed so that users understand best practices and can identify phishing attacks.
Are there any new tactics organizations should be aware of?
- Attacks are getting more sophisticated, so organizations need to treat newcomers carefully. However, many different tools are emerging to help with this.
Are DevSecOps, Zero Trust, and Shift Left being put into practice?
- Customers are not necessarily putting these labels on their processes, but it is a priority.
- Zero Trust is predominantly a concern for very big companies and heavily regulated ones, and perhaps not so much for smaller companies.
The cultural side of security:
- Matskiv often talks with the customers’ engineers and not as much with the managers. He feels that the bottom-up approach is the best way. Engineers are taking a proactive role.
- It can be problematic if companies are dictating it from the top without making engineers part of the conversation.
How are Loft Labs’ solutions helping?
- Loft Labs provides building blocks that let platform builders manage access to Kubernetes clusters for the users of their Kubernetes platform. This simplifies role management and access to many clusters from one central place.
- Loft Labs also provides a virtual clusters capability, which gives Kubernetes administrators an additional level of security.
Advice for companies to improve their security posture:
- Invest in people by educating engineers about security and why it is important. This will help engineers implement best practices correctly and be proactive.
This summary was written by Emily Nicholls.