
Security Is Still An Afterthought In The Cloud-Native World | Prashanth Nanjundappa


The security landscape is evolving rapidly, and navigating its complexities can be difficult. Although awareness of security, and of building it in at the start of the development lifecycle, is growing, that is not always what happens in practice, and getting it wrong can lead to serious setbacks. There are also differences in how security is approached in the relatively mature private cloud infrastructure world compared to cloud-native applications.

In this episode of TFiR Let’s Talk, Swapnil Bhartiya sits down with Prashanth Nanjundappa, VP of Product Management at Progress. He discusses some of the key trends in security and compliance, and the challenges they present. He explains how Progress and Chef Software, which was acquired by Progress in October 2020, are helping developers improve their security posture with their Cloud Security Posture Management (CSPM) platform.

Key highlights in this video interview are:

  • Progress primarily focuses on products targeted towards development ecosystems. The company acquired Chef Software, a leader in the DevOps domain, one and a half years ago. Nanjundappa explains how the acquisition has shaped their offerings and the key areas they are working in, such as continuous compliance.
  • We are seeing a lot of changes in how security is approached, particularly with the shift left movement. Nanjundappa feels that there are two different sides to how security is being approached with private cloud infrastructure being quite mature, compared to cloud-native applications where security teams are not necessarily consulted.
  • Security is still not necessarily being built in as a default from the start, rather as an afterthought. Nanjundappa believes that although compliance is a necessity early on for organizations needing certifications, core security can still be an afterthought. He explains why this is problematic.
  • Security and compliance are often conflated, and the distinction between them is not clear. Nanjundappa provides a definition for both terms and explains the key differences between them and what those differences mean for the organization.
  • Nanjundappa goes into detail about the role policies play in security and infrastructure compliance. He feels that although there are advantages of private and hybrid cloud and Kubernetes, it is still challenging to be compliant and secure. He explains the three main reasons for this and how Progress is helping organizations navigate these complexities.
  • Compliance and security remain problem areas in the cloud. Nanjundappa discusses how Progress is helping to address these problem areas. He explains how their solutions are available out of the box to be built out based on your organization’s policies.
  • Nanjundappa discusses the importance of policy as code and compliance from a business-level perspective where failing to understand the checkboxes and validate them earlier in the development cycle can put the product back by months. He also dives into what this means from a developer’s point of view.

Connect with Prashanth Nanjundappa (LinkedIn)

Learn more about Chef (LinkedIn, Twitter)

The summary of the show is written by Emily Nicholls.


Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed. 

Swapnil Bhartiya: Hi, this is your Swapnil Bhartiya and welcome to another episode of TFiR Let’s Talk. And today we have with us, Prashanth Nanjundappa, VP of Product Management at Progress. Prashanth it is good to have you on the show.

Prashanth Nanjundappa: Hey Swapnil, thanks for having me on the show as well. It’s exciting to talk to you and I have seen some of your episodes and the audience have… I think the many events that come and are similar to many of our customers and our community members also dig into, so excited to talk to you and your audience.

Swapnil Bhartiya: Yeah. I was also looking forward to this discussion with… Because of all the events, everything there was some delay, but I’m happy to finally have you on the show before we get started, because a lot of things happen, Progress acquired Chef and I just want to give our viewers a bit of a background as well. Talk about how the ecosystem has evolved because when we talk about security in today’s world it is different from what it was a few years ago. So let’s start with some basics there.

Prashanth Nanjundappa: Sure. And you mentioned Progress and you mentioned Chef. So let's start with that and then now I’ll talk a little bit about Chef products and DevOps and DevSecOps and the transition into that. I have been with Progress for about two and a half years now. And Progress is a 40 year old company and we are listed at NASDAQ for more than 30 years. And most of our products are targeted towards development ecosystems. And many of our customers use our products as a platform to build enterprise products which consumers… And consumers are businesses use. And we acquired Chef about a year and a half ago, Chef has been a leader in the DevOps domain and Chef started this whole journey of infrastructure as code. And we have three or four different broad products in our product portfolio, all of them are code first.

And we started our journey… And I mean, we Chef started our journey in automating infrastructure and infrastructure as code was one of the key elements there and that was the foundational element of the DevOps movement. While there are so many things that come under DevOps, one of the key elements is automating your infrastructure, deployment and management of that infrastructure. And that’s where Chef infrastructure management comes in and all the 12, 13 years of Chef’s movement or Chef’s evolution, Chef’s product portfolio has also kind of extended to different parts of this ecosystem. For other than infrastructure support, we also help organizations maintain continuous compliance.

Continuous compliance is one of the key elements in both security and compliance domain, where it’s not just important to have your automation around deploying your infrastructure and managing their configurations, but you also need to shift left your risk around compliance and security. So that’s where shift compliance comes in. And you also have [inaudible 00:03:10] which is based on Habitat, which helps packaging and deploying applications in a complex ecosystem. And altogether we help our customers accelerate their DevOps journey and with continuous focus on our customer base and their needs we have been investing a lot of late on making our products easy to use and also to make sure our products address the cloud adoption journey.

As we see many of our customers, you have a multi-cloud or a hybrid cloud strategy. They need us and they have additional leads that are required to automate both compliance and infrastructure aspects of their back cloud infrastructure and that’s where we have been investing of late and we will continue investing in that space.

Swapnil Bhartiya: Normally… Thanks for sharing the kind of history of Progress. Is that contrast also when you look at Progress versus a Chef different companies born in different eras, which also set a stage for a better understanding, if you just look at cloud security, how it has evolved over time in the early days, security used to be someone else’s problem as you talked about, led to the whole DevSecOps movement as well. Now things are shifting left, but how much do you see is still in the preaching stage versus actual practicing when we go to all these events which are coming back, we do hear a lot of security last year, even the Biden administration, they came out about software supply chain security. So there is a lot of movement going on there, which actually makes things easier for you folks, because you don’t have to do the whole education part around security. But how much you’re seeing in practice, which would also explain when we talk about the whole CSP platform there?

Prashanth Nanjundappa: I’ll answer that in two buckets for me because this is a… There are patterns and these patterns are emerging slightly differently with these two buckets, one bucket I will take is private cloud or hybrid cloud, the traditional infrastructure, private cloud infrastructure are on-premise, as we said, right? Or as we understand, this is a fairly mature system and why I say mature is there are standard practices put in place and most of the DevOps evolution happened on that side. And there are practices automation as well as tools that have matured and well understood, which is not just required for… Let’s say, when a developer wants to start a new application or start a new microservice or enhance their existing application, they will start with asking for infrastructure and this kind of goes through a streamlined process where they ask an IT team or a centralized team, if not a dedicated IT team.

And these teams have… There is a high level of maturity of also plugging and compliance and security in that process. What I mean by that is when they provide an infrastructure for any such ask, there is a high level of understanding of the security and compliance need. So most of these organizations have adopted tools like Chef compliance or Chef infra or even Terraform and many other security tools to not just provide them the infrastructure that they need, but also to provide them in a state where all the policies are already enforced. This happens because for this, there is a physical approval, or there is approval process. And there is a capacity planning that happens at an organization level for them to procure that data.

Let’s shift our attention to the second part, which is the cloud native applications, right? Here, things have flipped a lot with them, this is a very, very fast paced evolution and changes. And here the autonomy of the decision power is not in the centralized organization, but it has completely decentralized, right? So the developers have access to AWS control, Azure control or GCP control panel. And they go click, click, click on buy services, right? They don’t even know that they’re buying, they go and select services and they start using it. And application developers, our development team are making the architectural decisions, which are not necessarily consulted from security team or any other teams. Right?

So here, the adoption of security is still an afterthought to a great extent. And it is yet to mature. The good news is people understand security. Like you rightly said, we don’t have to go and educate a lot of enterprises, even startups. It’s unfortunate that so many exploitations are happening, but because of that, the awareness is also increasing. Consequently, there is a demand to have tools and process in place so that they don’t have the same fate as many other companies have had either because of misconfiguration or lack of compliance or leaving some small backdoor open, which cost them millions of dollars.

Swapnil Bhartiya: It’s more or less everybody wants security, but you have to do something about it too. I sometimes compare it with the automobile analogy where brakes or airbags, not an afterthought. You’ll buy a car and then later on, you’ll get them installed, they come pre-installed when you buy a new vehicle. So do you also see the trends here, once again, security is kind of becoming a default before the software actually hits GA. Do you still see that it’s still… I mean, it’s not about you still see it, but don’t you think that is the ideal world?

Prashanth Nanjundappa: It is. And I would take the security and divide it into two parts, the compliance and the core security. The compliance is unfortunately, not an afterthought, although in many ways it is an afterthought from a developer’s perspective but if an organization, startup even has created a product and they want to go sell it to a large enterprise, they ask for certifications. They want [inaudible 00:09:51], they want PCI DSS if they’re in the financial domain, if they’re in healthcare, they want HIPAA certification. And there are so many other things that come up. So before they hit GA or before they scale the product because of the business needs, they are asked to provide compliance certifications, right?

And when they go for the certifications, the organizations that demand for certifications, they don’t care if they’re on-prem or cloud, they want for all the infrastructure that is being used to provide the service for it. Consequently, the cloud compliance and even Kubernetes and container compliance is something that is made conscious. There is a conscious effort towards that. However, the security is still an afterthought, especially fast paced new organizations, traditional organizations are a little different, their security team kind of comes in the last part of the development and things come to halt. That’s a different problem. But the security part is I think there is a lot of maturity to happen in the core security aspect in terms of bringing that shift left and not making it an afterthought.

Swapnil Bhartiya: I’ve been hearing a lot about compliance and security, but if I’m not wrong these could be seen as two different things, compliance in many cases can be just seen as a checkbox, you know you checked all the boxes, but security is much more in depth. So it’s like compliance, when you have done all of those things, that’s why you’re compliant. Compliance should not be the starting point and in some… Many industries, as you mentioned, also regulatory industry, you do have to have those compliance in place. So can you also draw a distinction between these two things because one does not equate with the other.

Prashanth Nanjundappa: For sure. I think you said you kind of called out one of the biggest differences. Compliance is seen as a checkbox and to a great extent, if it is executed as a checkbox, then you don’t accomplish the security aspect at all. And many organizations pursue it in the same way, compliance is something essential for them to stay operating in a specific business or a specific region and so it becomes a necessity. To what extent they follow it seriously is dependent on the organization. Whereas security is essential if you want to protect your intellectual property, it is essential for if you want to protect your data, if you want to protect your customers, right? And if you want to protect your core ISP, whatever your product is actually providing. But there is a common thread that ties these things. Fortunately.

In most organizations, the governance body for both compliance and security is [inaudible 00:12:56] right? It comes under CISO, or there is a security team, which is a sub part of CIO. So they come together and they look for tools or technologies, which help them accomplish both security and compliance, but you are spot on and there is no doubt about saying that compliance is seen as that checkbox. And a lot of companies do just that because they want that first few dollars come in as revenue and security becomes really an afterthought when problems arise, or if there is an expert in the house and they bring this up.

Swapnil Bhartiya: Let’s just focus on compliance and also talk about policy as code, because that’s where we are also seeing a lot of things are moving, which makes it easier, you get a framework there. So let’s talk about what you folks are doing to help them.

Prashanth Nanjundappa: So before I get into the security and compliance for cloud and Kubernetes let me talk a little bit about policy as code which I think is an important concept, and it is an evolving concept. At a high level, if you are a business owner, or if you are running an organization, you devise many policies, right? And many of these policies are related to people, related to how you manage your physical assets, but when it comes to your software, there also you have… The software that you build there also you have a lot of policies and these policies could be at infrastructure level. That is what kind of… What hardware you want to use, right? And which region, which cloud provider we want to host on. And then it could be on compliance. Do you want to follow STIG, CIS and any other… Do you want to follow any of those things? Or do you want to follow [inaudible 00:14:52] PCI DSS, right?

And then the security aspects starts, who in the organization should have access to the infrastructure? What is the level of access they should have? If you are having storage units, what level of encryption it should have? And then if you have, let’s say private cloud and public cloud, who should have access to private cloud? Who should have access to public cloud? What services should be used in public cloud? What services should be used in private cloud? For example, healthcare company do not want to use any surveys on AWS on Azure, which is not capacity, right? They don’t even want their developers to have access to those services, without their conscious, so they want to enforce such policies, or they want to enforce policies for cost optimization that on development clusters, I should not run on those devices on [inaudible 00:15:53] right?

So policies are across the board and they cut across infrastructure compliance and security, right? And what we have been working… What we started, our journey was infrastructure as code. And gradually we moved at… We had another product, which was compliance as code, which is powered by [inaudible 00:16:13]. And these were working… Kind of made to work together but we realized that if we bring these two together, we can also expand this aspect of policy as code and bringing this aspect of policy as code so that organizations can quantify infrastructure policies, compliance policies, and security policy. So this is I think, where the organizations are going towards, and if you want to automate, and if you want to bring security, DevOps and compliance team together, code is that common language. And if you can help codify that, and if you can help that code to be managed consistently across the policy as code becomes important.

So in that context, we looked at… We are seeing some trends on… We definitely saw some trends on the private cloud and hybrid cloud, but as you rightly said, when it comes to cloud native, that is AWS Azure, GCP, hybrid cloud, any of these things, there are so many services that are there. It is almost impossible for a CISO or anyone to track those things, let alone identify where the problem is. And similarly, Kubernetes is another base, it has so many advantages, but like you said, managing that and making sure that it is secure and compliant is another challenge altogether. And this boils down to two or three different reasons. One, like you rightly said, skill, right? It’s hard to find the people who can… Actually, who understand security that is a different these security plans. And who also understand the security and compliance aspect of all these heterogeneous services that an is using.

And then second is the fast-paced evolution of these services that are coming up. And third is the time to value, if you buy a product, if you have multiple products, how fast can you integrate them? How fast can you get started? And I think there are problems in three dimensions, and that’s where we are looking at and how we can simplify that. And our recent launch is taking all the advantage that we had of policy as code for private cloud and hybrid cloud to make it available for public cloud. So that multi clouds can be secured and made compliant in the same way organizations are used to making the hybrid cloud compliant [inaudible 00:18:45] and also provide similar level of compliance and security capabilities for Kubernetes.

And to reduce that time to market or time to value, we have also codified a lot of industry standard compliance and security policies and made it available out of the box. For example, we have about 300 or CIS or such premium content, which will cover across CIS state, then best practices, which is available for you out of the box. This helps address that skill gap, as well as the time to value and then now people who are used to the Chef tool chain, they can seamlessly migrate to managing public cloud as well as Kubernetes and containers for compliance and security.

Swapnil Bhartiya: Excellent. And since you talked about the launch of Progress, Chef, public cloud security, that was I think in May, since you mentioned it, let’s also talk about what are some of those again, let’s look at the problem area that you’re trying to address and solve what features it brings to the users.

Prashanth Nanjundappa: Yeah. So I think at a high level, I would categorize in cloud and container and Kubernetes, these two markets. And when it comes to cloud, there are, again, two big problems, one is the compliance itself. If they want to adhere to some of the compliance standards, how can they accomplish that? And second is the security and in that there is a very, very significant bucket of misconfiguration. And so most of the times the vulnerabilities happen because you have misconfigured something and a very classic case, and a simple case to understand is if there is an S3 bucket. And if it is [inaudible 00:20:31] you are bound to get exploited, right? So this is a very simple misconfiguration.

So in the recent release, we have helped address both of these aspects, the compliance by providing a lot of CIS and STIG benchmarks, and also AWS and few other recommended benchmarks for compliance. And for misconfigurations, again, we have identified a whole lot of most common problems, and there are some best practices that are recommended by industry, we have codified that and provided. In addition to that, it is powered by through which you can write human readable policy code, you can take whatever is available out of the box, and you can create your own, both compliance and security policy as per your organization needs in a very, very easy and seamless manner. And similar coverage is available for Kubernetes and container as well, which is again, few resources out of the box and few they can build out based on their organization policies.

Swapnil Bhartiya: Can you talk about the importance of these two things, policy as code and also compliance, which should be seen more or less like you have done everything, and then you’re checking a box. So that when folks look at improving their security posture, they look at them as tools. That, “Hey, this is the final stage of you have done everything, right?”

Prashanth Nanjundappa: So let me give an answer to that in two different perspectives, one, someone who is at a business level, right? Who wants to see faster time to market for them, if they don’t have these check boxes, even let’s assume if it is checkbox, right? For the argument sake, if these check boxes are not really understood, validated earlier in the development cycle, if they don’t automate this process, because things are constantly changing, then when it is about to hit the market, that is when they’re going to have a big, big blocker, right? And these are not days and weeks. These tend to become months or quarters even, right? So from a business perspective, I think it is important to invest in automation of these compliance early on in your product development life cycle, so that you don’t have to wait for a fully ready product to hit the market.

And that is a huge loss, right? Opportunity cost is huge there, and competitors can keep it. And second perspective is from a developer or a technologist perspective, right? So I think the security team is always seen as a stopper or as someone who does not understand, who does not empathize with developers, but if we start understanding their perspective, if we are aware of why security exists, why compliance exists, then we can start bringing these practices early on. And all it needs is actually having a dialogue early on in the cycle and getting to know which service is good. For example, there might be a bleeding edge technology which is not a good service to include or there could be outdated, not supported service, which has known vulnerabilities, which we should not include.

So these are some basics, we exclude those things and also have checks in place so that we validate such misconfigurations or identifying vulnerable products or identifying products that are not to be used then you save lot of views and your team’s effort. So in both perspectives, I think automating this and bringing it in the cycle is very, very important. And that’s why adopting the policy as code methodology and tools that enable them is going to be beneficial for everyone within the organization.

Swapnil Bhartiya: Prashanth, thank you so much for taking time out today and not only talk about the work that you folks are doing there [inaudible 00:24:24] Progress, but also in general, how to help organizations improve their security posture, of course, through policy as code, and also share some tips also there, how they should do it right. So thanks for sharing all those insights as well. And I would love to have you back on the show. Thank you.

Prashanth Nanjundappa: Thanks again for having me on the show and it was a really enjoyable conversation. I hope these insights are useful for some of your audience and like I said I’ll be happy to engage with you and your audience in future as well.

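As an added illustration of the policy-as-code and misconfiguration checks discussed in the interview (the publicly readable S3 bucket being the classic case), here is a small Python example of codified, human-readable policies evaluated against a bucket inventory and used as a CI gate. It is not Chef or Progress code; the bucket inventory, policy ids and check logic are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory of S3-style buckets (hypothetical names, no real
# account data), shaped like a simplified view of what a cloud API returns.
SAMPLE_BUCKETS = [
    {"name": "app-logs", "acl": "private", "block_public_access": True,
     "sse_algorithm": "AES256", "env": "prod"},
    {"name": "marketing-assets", "acl": "public-read", "block_public_access": False,
     "sse_algorithm": None, "env": "prod"},
    {"name": "scratch-data", "acl": "private", "block_public_access": False,
     "sse_algorithm": None, "env": "dev"},
]


@dataclass(frozen=True)
class Policy:
    """One human-readable rule: a stable id, a title a reviewer can read, a
    severity used for gating, and a check that returns True when the bucket
    complies. applies_to scopes the rule (e.g. to production buckets only)."""
    id: str
    title: str
    severity: str  # "medium", "high" or "critical"
    check: Callable[[dict], bool]
    applies_to: Callable[[dict], bool] = lambda bucket: True


# Codified policies (hypothetical ids; the kind of "best practices recommended
# by industry" the interview refers to, written so a non-developer can read them).
POLICIES = [
    Policy("s3-001", "Bucket ACL must not grant public access", "critical",
           lambda b: b["acl"] == "private"),
    Policy("s3-002", "Block Public Access must be enabled", "high",
           lambda b: b["block_public_access"] is True),
    Policy("s3-003", "Production buckets must have default encryption", "medium",
           lambda b: b["sse_algorithm"] is not None,
           applies_to=lambda b: b["env"] == "prod"),
]

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def evaluate(buckets, policies=POLICIES):
    """Run every applicable policy against every bucket; one finding per failure."""
    findings = []
    for bucket in buckets:
        for policy in policies:
            if policy.applies_to(bucket) and not policy.check(bucket):
                findings.append({"resource": bucket["name"], "policy": policy.id,
                                 "severity": policy.severity, "title": policy.title})
    return findings


def should_block(findings, fail_on="high"):
    """CI/CD gate: block when any finding is at or above the threshold, so the
    misconfiguration is caught early in the cycle rather than at GA."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)


def report(findings):
    """Render findings as one line each for a build log or pull-request comment."""
    return "\n".join(f"[{f['severity'].upper():8}] {f['resource']}: "
                     f"{f['policy']} {f['title']}" for f in findings)


if __name__ == "__main__":
    results = evaluate(SAMPLE_BUCKETS)
    print(report(results))
    print("BLOCK" if should_block(results) else "PASS")
```

In practice the inventory would come from the cloud provider's API and the policies from a versioned repository, so the same rules run in CI, on a schedule, and on demand.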