Simon Fisher – Chef – Cloud Expo Europe 2020
DAVID TERRAR [00:00:09] Hi, I’m David Terrar reporting for Disruptive Live. We’re here at the London Tech Show within Cloud Expo Europe. And I’ve got Simon from Chef with me. So if you could introduce yourself and what Chef is.
SIMON FISHER [00:00:19] Hi David, Simon Fisher. I’m the Technical Services Director for Chef here in EMEA. Chef’s probably most well-known for IT infrastructure automation or configuration management. We’ve been around for about 11, 12 years now, and we’ve grown up as a company in the DevOps world. So we’re quite well known for helping people on their DevOps transformation journeys on the automation side of things. More recently, we’ve changed focus a little bit to look at things more like security and compliance automation, as well as how we help people deploy applications a bit more effectively as well.
DAVID TERRAR [00:00:54] So again, DevOps and all sorts, that’s great. Tell us a bit more about what changes customers have seen over this last year.
SIMON FISHER [00:01:01] In the last year, I think, traditionally, as I said, what Chef is most well known for is infrastructure automation, so helping in the provisioning of machines. And we do that quite well. We help people accelerate. I mentioned DevOps already. I think more and more, with automation, people have solved that problem. So people are quite mature when it comes to things like infrastructure as code, doing the DevOps automation thing. And more and more they’ve seen that because they’re going faster, that’s really, really positive. But actually speed also introduces risk. So the faster you go, the fewer potential checks you can do before you release things to your live environment where your customers are facing them. So increased risk means increased exposure to things like security breaches, compliance breaches. So more and more people are starting to understand the security landscape and understand the risk and impact of a data breach, and if customer data is leaked, so they’re taking notice of it. I’d say they haven’t necessarily solved the problem because there are various challenges. Security is often a kind of a tower, an ivory tower, there on their own doing their own thing.
DAVID TERRAR [00:02:10] Is this why I keep hearing this DevSecOps term?
SIMON FISHER [00:02:13] Absolutely. Absolutely. So as I said, you know, you go to these events, DevOps is quite a well-known, well-used piece of terminology and people are at quite advanced levels on the DevOps maturity scale. But more and more we talk to people who care about DevSecOps. And for me that really means, as I said, we’ve solved the DevOps problem to a large extent. But now, because security’s often seen as an ivory tower, organisations realise that they need to bring security into the fold. All too often in the security world, we look at releasing an application, but it’s put on hold because of a big security review that needs to take place, or a big mandate, because this thing can’t go live without a rubber stamp to say this is secure and compliant and won’t increase our risk of a data breach, and obviously all the media attention which that brings as well. So people want to solve this DevSecOps problem. But security is seen as an ivory tower. So really what we need to do is foster the collaboration between dev, security and operations.
DAVID TERRAR [00:03:17] The frictions of the past, you’re trying to get beyond that.
SIMON FISHER [00:03:19] Exactly. And the great thing about DevOps is part of it is automation, which we’ve solved. But a lot of it is around people and process and bringing people together. If we think about it, a few years ago there was a lot of siloing in place between Dev and Ops. They wouldn’t talk to each other, only when they really had to. And potentially when they spoke to each other, things went wrong because of a lack of collaboration. But we’ve solved that with people like infrastructure engineers sitting in development teams and a whole shared ownership of releasing applications and infrastructure. And it’s that same mentality about security. It’s about bringing security into that, such that when we’re starting to develop applications and infrastructure, security are involved and they’re informing our decisions when it comes to deploying things.
DAVID TERRAR [00:04:05] Interesting. So in customers’ journey to the cloud, are there any things that they get around? Is there any kind of oversight that they should be thinking about?
SIMON FISHER [00:04:14] Yeah, I think the cloud lets you create infrastructure and do things in a fast and seemingly quick and responsive way. The days of provisioning real infrastructure, which takes weeks because you have to go through approval levels and process and all these kinds of things, I think those days are gone. But in their place, with the cloud and the ability to spin infrastructure up really, really quickly and seemingly at zero cost to the person who’s actually spinning it up, comes risk. Because what actually happens is when you spin things up in the cloud, you create machines, you create infrastructure, and they’re usually by default quite open and people don’t realise this. So two of the biggest risk areas we see, and which we could see creating headlines for people, are storage buckets and multi-factor authentication. So if I talk about storage buckets for a bit, storage buckets are places in the cloud where you store data. And typically when you create a storage bucket, it’s open to the world. So if I click through the user interface, the GUI, and accept all the default options, which most people do when they’re just evaluating and trying things out, you accept the defaults, it’s open to the world. So if I put any private data in there or customer-specific data in, it’s open to the world. And of course, in the world we live in now, the people who are dangerous, the hackers and the people who want to compromise us, know what the attack vectors are. So it’s a well-publicised attack vector and some high-profile data breaches have been as a result of unsecured storage buckets. The second one is multi-factor authentication. So what I mean by this is we’ve often seen it with banking and things like that: when we log onto our mobile bank, we might have to be sent a text message to verify that it’s us, as well as our password, because passwords are sometimes easily guessable, easily compromisable.
There are phishing scams out there which capture passwords. So if you have two pieces of ID, such as a password and a device like your mobile phone, which identifies you, it lowers the risk that you’re going to be compromised. We’ve seen a lot of instances where hackers, again, know that they can grab an exposed SSH key or something like that from GitHub. People often accidentally share private keys into GitHub, people download those keys and then they get instant access to your cloud account. And as soon as they do, they spin up massive infrastructure. And the biggest thing they do is bitcoin mining. So you’re actually enabling them to do bitcoin mining purely by allowing your password or your SSH keys or whatever that attack vector is to be open to the world. So by introducing multi-factor authentication it really helps lock that down and means that only the right people can access the cloud infrastructure. And that’s the type of conversation we have with customers. So now, as I say, we’ve moved away from infrastructure automation. We feel like that’s a solved problem for us and we’re well known for that and we’ve established that Chef can do that. But more and more we’ve taken the good stuff from infrastructure automation and applied it to compliance automation. So now, rather than creating things insecure by default, you can run scans on your security, ideally in a continuous way, because people sometimes with security tend to scan once and get a rubber stamp, everything’s green, and then go away and forget about it. But you should be scanning things on a continuous basis, so you can scan to make sure that all of your user access has multi-factor authentication enabled, and any of your storage buckets, you can look at them and make sure they’re not insecure by default. So it can understand and give you information on where your risk vectors are and where things are potentially going to go wrong.
DAVID TERRAR [00:07:53] That’s really helpful. So what’s next for Chef on the roadmap?
SIMON FISHER [00:07:57] So I think maturing this. Part of the challenge with infrastructure automation is that you have to write a lot of content yourselves. If I’m an infrastructure engineer, I have to write my Chef cookbooks. Everything in Chef is a food analogy. So we have cookbooks, we have kitchens, we have recipes. More and more, security have documentation. So they create their corporate standards and they don’t want to have to worry about coding or anything like that. So our main focus at Chef right now is making that journey to security and continuous compliance as easy as possible. And what does that mean? It means out-of-the-box content. And so we have CIS certification, the Center for Internet Security, on a number of profiles. And the CIS is a body which is well known when we speak to our customers, especially in the security department. People know when you use the CIS. In the US, there’s STIG and DISA as well. CIS is well known, they specify a whole bunch of benchmarks around how to secure the cloud, how to secure an operating system and what you should be doing. Typically, they’re stored as a document, like a paper thing, which is handed to an engineer, who has to read the documents and then go through line by line and check all the things manually, then invariably fill in a spreadsheet as well. So we want to take that documentation and make it a profile. We call them profiles.
DAVID TERRAR [00:09:17] Just an integral part of the product.
SIMON FISHER [00:09:18] Yeah, a profile, which is essentially your executable documentation. So as a human, you can read it and you can understand what it’s doing; as a machine which executes Chef, you can understand it and it can go and do it at scale. So all of the benefits that we’ve seen in the automation around DevOps and infrastructure we’re trying to repeat in this new DevSecOps world and make it fast and automated and repeatable so that these gaps aren’t exposed and lead to potential customer data breaches.
DAVID TERRAR [00:09:47] Sounds really good. How’s the show been for you today?
SIMON FISHER [00:09:50] It’s been good. Obviously, it’s been a bit quiet because of the virus. There’s a common theme. We’ve actually, this year, sponsored one of the tracks. So we’ve tried to be a bit more focussed around what we like, so we sponsored the security track and all the talks which are in there. So aside from some of the things I’ve spoken about today, we’ve heard common themes. And I think more and more people are becoming aware of security and compliance and the risk exposure that organisations can have. So in that regard, it’s been really good. It’d be nice to have more people here, obviously. But, you know, it’s great to be here. And I have seen some great presentations today as well.
DAVID TERRAR [00:10:30] It’s been great to hear about Chef’s approach to DevSecOps from you, Simon. Thank you very much for talking to us.
SIMON FISHER [00:10:35] Thank you.
DAVID TERRAR [00:10:36] So this is David Terrar for Disruptive Live signing off. If you want to check out more content like this, go to hashtag CEE 2020 and hashtag Disruptive Live. You’ll get more interviews and content like this. Thanks very much.