The White House is hosting a meeting on Wednesday with tech companies to discuss cybersecurity challenges. In this interview with Bryan Langston, Director of Cloud Architecture at Mirantis, we talked about the initiatives the U.S. government has created to enhance cybersecurity and how well prepared companies like Mirantis are to ensure the cybersecurity of their users.
Guest: Bryan Langston
Show: Secure IT
Bryan Langston, Director of Cloud Architecture at Mirantis, discusses Security Technical Implementation Guide (STIG) with Swapnil Bhartiya. Right out of the gate, Langston discusses how the U.S. government is actively involved in defining various standards for how both cloud and legacy computing are done. Because cloud computing continues to evolve, organizations such as NIST (National Institute of Standards and Technology) have had to update their standards for computing to account for the “unique differences and characteristics of cloud computing.”
Then there is the Department of Defense (DoD), whose STIG certifications serve as a checklist for what a compute environment should have. Another program is FedRAMP (Federal Risk and Authorization Management Program), which has well-defined requirements for the use cases that need to align with it.
According to Langston, “STIG is driven by the U.S. Department of Defense. They’re the ones that certify every STIG certification. What they’re trying to do is establish a standard that really governs and establishes a standard of configuration and process around technical environments.” He also explains that a STIG is essentially a checklist of things that pertain to a product and the processes around a product. He adds, “One thing that’s important to point out is that even though the STIG is driven by the Department of Defense, it’s essentially a set of checklists. And when you look at the details that are being certified, you’ll basically see that it’s industry best practices that are defined, that no matter if you’re a government customer or not, if you look at those things as things that can help any organization secure their compute environment, that’s a good thing.”
In Langston’s opinion, companies should most certainly give weight to STIG: “If it’s good enough for the U.S. government, it’s good enough for you.” It doesn’t matter what sector your business is in, security matters. He also offers this warning: “All we have to do is look in the history of just 2021 alone to see the number and scale of the various attacks that have hit companies across various industries.”
With regard to the upcoming cybersecurity meeting at the White House, Langston concludes that there are a couple of themes that map to the attacks seen this year. One is the lack of security culture in companies. By culture, Langston means “top-down directives and messaging that communicates the importance and severity of security and what happens if it’s not taken seriously.” Another theme is training. Langston describes how Mirantis approaches training: “Mirantis has a training organization that trains people around the world on what the current security technologies are, that are relevant to the cloud-native environment that many of us are engaging in right now. And another one has to do with what we refer to in Mirantis as a secure software supply chain.”
Bringing the conversation back to the upcoming White House meeting, Langston says, “In light of the White House meeting you’re referring to, one thing that we can do to kind of help support and engage in that conversation is communicate what our methodology is behind a secure software supply chain.” How you secure your supply chain matters.
Langston finally goes on to discuss how FIPS (Federal Information Processing Standards) plays into this. He indicates that the Mirantis FIPS certification covers everything that involves a container operation. He also notes that FIPS and STIG are just a couple of pieces of the overall puzzle, and that Mirantis has compiled FIPS libraries that provide secure communication into its container runtime.
The summary for this interview/discussion was written by Jack Wallen.
Here is the edited transcript of the interview.
Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya. Welcome to another episode of Secure IT. Cybersecurity has become a hot topic recently, especially in the wake of ongoing attacks and after two Executive Orders by the Biden administration: one stressing a software bill of materials (SBOM), and a second to promote Right to Repair. The Department of Defense, as expected, is in many cases leading the industry by creating some of the most ambitious programs for cybersecurity. It could be Iron Bank, Platform One or STIG. We have discussed Iron Bank and Platform One earlier. Today, we are going to focus on STIG, which stands for Security Technical Implementation Guide. And joining me today is Bryan Langston, Director of Cloud Architecture at Mirantis. Bryan, it’s great to have you on the show.
Bryan Langston: Thanks for having me.
Swapnil Bhartiya: If I ask you from Mirantis’ perspective, what kind of program is the U.S. Government or Department of Defense running to enhance cybersecurity, not just within the scope of the government agencies but also going beyond into the private sector as well?
Bryan Langston: So the U.S. government and many parts of it are actively involved in defining various standards for how computing is done, whether it’s cloud computing or legacy. So as cloud computing has evolved, the government has had to evolve with it. And in doing so, you’ve got the organization known as NIST, which is the National Institute of Standards and Technology, which just had to upgrade or update their standards for computing to account for the unique differences and characteristics of cloud computing. So you’ve got documents like NIST 800-53, that have newer revisions, and other NIST publications that cover things specifically like containers. Then you have the government organization, the Department of Defense (DoD), that has the STIG certifications. That really is a checklist for what a compute environment should have. And there are other NIST publications that I know of that are all really addressed to help secure computing environments today. FedRAMP is another one. It is a government program that has very well-defined requirements for those use cases that need to align with FedRAMP. And those are constantly updated as well to account for cloud computing uniqueness.
Swapnil Bhartiya: Can you quickly just talk about STIG a bit?
Bryan Langston: So the STIG is driven by the U.S. Department of Defense. They’re the ones that certify every STIG certification. What they’re trying to do is establish a standard that really governs and establishes a standard of configuration and process around the technical environment. So a STIG is essentially a checklist of things that pertain to a product’s features that also relate to the processes around a product, how it operates, so that the combination of the technical implementation of a product, as well as the supporting processes around it, all produce a secure operating environment. So one thing that’s important to point out is that even though the STIG is driven by the Department of Defense, when you double-click on it, it’s essentially a set of checklists. And when you look at the details that are being certified, you’ll basically see that it’s industry best practices that are defined, that no matter if you’re a government customer or not, if you look at those things as things that can help any organization secure their computer environment, that’s a good thing. Again, whether you’re a government customer or not.
Swapnil Bhartiya: Should companies give any weightage to STIG? If yes, why?
Bryan Langston: In my opinion, they should. Mirantis has a number of customers that are government and non-government. What I always tell them, and how we communicate STIG and other government-led standards that we adhere to, is that if it’s good enough for the U.S. government, it’s good enough for you. And sometimes these customers that I’m talking to are in financial services, or they are global telcos, or they’re in a number of other industries where security matters. And really it doesn’t matter if you’re a government customer or not, security does matter. And all we have to do is look in the history of just 2021 alone to see the number and scale of the various attacks that have hit companies across various industries.
So I advise our customers to look at STIG, not so much as a government requirement, but look under the covers a little bit, and you’ll see that they essentially are industry best practices. You might not need to go to the extent that a STIG does, but you would be wise to at least consider what the STIG is and make the appropriate determination for your own environment what parts of the STIG are relevant.
Swapnil Bhartiya: Right. And since you brought up the topic of the ongoing attacks, especially in 2021, there is going to be a cybersecurity meeting at the White House next week. Can you talk about what initiatives are there from Mirantis to not only contribute to this conversation, but also become part of the solution?
Bryan Langston: Really, there are a couple of things that really map here. And one is that these attacks that we’ve seen this year point to a couple of things. If I were to categorize them in themes, one is the lack of culture in companies, and by culture I mean top-down directives, top-down messaging that communicates the importance and severity of security and what happens if it’s not taken seriously; there are a number of different ways to establish a culture. There’s also the theme of training, right? How well are you training general employees, technical employees?
Mirantis has a training organization that trains people around the world really on what the current security technologies are, that are relevant to the cloud-native environment that many of us are engaging in right now. And another one has to do with what we refer to in Mirantis as a secure software supply chain.
And so in light of the White House meeting you’re referring to, one thing that we can do to kind of help support and engage in that conversation is, communicate what our methodology is behind a secure software supply chain. We have security embedded throughout many parts of our product, but it’s not just about what’s embedded in the product, but what our customers are doing at a more holistic level supply chain—factory kind of implementation of their own software development life cycle processes.
So what we mean by this is you have a lot of inputs to what your software supply chain is and how that is secured matters. And in a lot of cases that I see, the security and the engineering organizations within companies really don’t talk to each other, partly because they don’t understand each other.
When security tells engineering, or asks engineering, to comply with a certain set of control frameworks, engineering doesn’t know what that means. And when engineering just says, here’s what I do, security doesn’t know how that maps to what their controls are, right?
So when we engage with our customers around the concept of a secure software supply chain, we basically act as a bridge that enables these two teams to find out what that common language is. And then, in the context of a secure software supply chain, we can identify where and how the security organization’s requirements fit so that the engineering team knows the right way to implement those things.
Swapnil Bhartiya: Can you talk about how STIG and FIPS fit into what Mirantis is offering to security users?
Bryan Langston: There’s a lot of people in the industry that refer to security as an onion, right? It’s got lots of layers. We have a similar analogy to use. And in that analogy, we could say that things like FIPS are at the core, they’re at the center of this onion. That’s kind of an inner layer, if you will, because what FIPS does is it provides secure communications where at our level of implementation of FIPS, right at the container runtime, we’re talking about protecting any operation that has to do with a container action, right? Whether it’s starting up a container, deleting a container, anything that involves a container operation, our FIPS certification covers. And then if you start expanding out and outer layers of this onion, you have things like a STIG, which is more holistic. It has to do with all right, let’s look at the whole implementation of your Cloud solution, what best practices are followed, what processes govern the operation of this environment. And then another layer is, like I said, the secure software supply chain. So, FIPS and STIG are really just a very few pieces to the overall puzzle, which is complex, right? I mean, it’s a complex picture when you add it all up together, but really providing FIPS at the core of our container operations is kind of the heartbeat, right? We support our customers that also have their own FIPS certification to do. And our FIPS certification is just one element of theirs.
Swapnil Bhartiya: Can you just kind of expand on the recent announcement that Mirantis has received a new certificate of FIPS 140-2 validation covering the encryption modules for Mirantis Container Runtime, Mirantis Kubernetes Engine and the k0s Kubernetes distribution? What does it mean for customers and users? And also, if you can, talk about the impact it will have on customers.
Bryan Langston: FIPS 140-2 is really limited to the standard for providing secure communications, right, through a set of cryptography libraries. So what we’ve done is compiled into our container runtime FIPS libraries that provide that secure communication.
So if you’re a customer that’s building a software stack, you’re going to care that we have FIPS certification, because other areas where FIPS will be engaged could be at the host operating system level, which sometimes we don’t manage; we can manage that, but we don’t in all cases for our customers. But FIPS can also be applied at our customer’s application level.
So there are other areas where FIPS can be applied. So as you can see, our implementation of FIPS is just one of many that can be looked at to certify an entire solution stack. So if we weren’t FIPS certified with our container runtime, we might be the wrench in the spoke, if you will, right? The impediment to our customers achieving their own certification. So by us having it, we don’t get in the way; we complement our customers. And we’re just one of the many ways that secure communications are enabled.
Swapnil Bhartiya: And also there is a FIPS 140-3. Can you quickly talk about the difference between FIPS 140-2 and 140-3? And once again, what would it mean for the customers and Mirantis?
Bryan Langston: Yeah. 140-3 is not a complete rewrite of the standard. It really leverages a lot of what FIPS 140-2 already has. There’s also another module that provides for multi-factor authentication when a certain module is engaged. There’s another enhancement to two other kinds of fundamental 140-2 components of FIPS, but it’s kind of an extension and an improvement. It is all intended to, as we were talking about before, keep up with the evolution of computing and maintain a high level of security.
Swapnil Bhartiya: Bryan, thank you so much for taking time out today to talk about the initiatives from the Department of Defense and also how the private sector, or a company like Mirantis, is kind of helping users and customers stay safe. Thank you for your time today, and I would love to have you back on the show.
Bryan Langston: Thank you.