
Cloud Security 1984

BSides Bristol, published 2019-07
Category: Technical
Style: Talk

Transcript [en]

First things first: just give a round of applause for all the wonderful people here. It's great that it is here, and it's great to see so many people that are in the InfoSec community. So, everybody loves a disclaimer, so let's get that out of the way; there's the disclaimer, so let's crack on. Right, so a little bit about me. I'm Andy. I joined IBM three years ago, a security architect, and I now lead a growing team of security architects within the business, and we've grown from 1 to 24 in the last 12 months, so if you're looking for any jobs, look up IBM jobs. So, cool, a brief agenda. Right, this isn't

going to be in any particular order. So, it's all about the cloud. We're going to talk about the problem, you know, hackers, things like that; we're going to talk about the solution, and then, if there's any time, a conclusion and some questions at the end. So, quick show of hands: who's read the classic novel 1984 by George Orwell? Yeah, cool. Right, so for those that haven't, it's a dystopian novel written in 1948, when computers looked much like this. So, you know, rather than procrastinating about what happened then: what is the cloud? Where did it come from? How did it get there? When was it invented? So, in the very

beginning you have these two people. Does anybody know who they are? So we have Graham Bell on the left and Herman Hollerith on the right. So, probably better known for telephones was Graham Bell, although history really kind of attributes it to this guy here; he invented the very first communications device, but it was Graham Bell who actually made it easier to do. And Herman Hollerith invented the punch card machine, which then went on to make IBM. And of course there were hackers as well. So, does anybody know who this guy is? Turing, thank you. So that's actually Enigma. So of course, you know, when we had computers back in the past we were

already hacking. So this was when we were down at Bletchley Park hacking the Enigma machine, which enabled us to decipher the messages from the Nazis in the Second World War. So, in the not-so-beginning, obviously telephones were made more accessible to everybody, and so we had phone phreaks, and we also had old IBM mainframes as well. So of course, you know, history shows us that it's always been there, it's always been a problem. Does anybody know what this is? So, 2600 [inaudible]. So yeah, basically, for those that don't know what it is, there was a

cereal in America called Captain Crunch, and it used to play 2600 Hertz down telephone lines, so for people who had found the telephone line, it would open up free calls, you'd get free calls, and of course phone phreaking was born. So the name escapes me; I think it was John Draper, something like that, who was nicknamed Captain Crunch, who did a short, well, quite a long stint in jail. But subsequent to that, people were also intrigued by this 2600, so people started to emulate it when obviously the telecoms companies and the governments made Captain Crunch stop selling this. So some of the people that used to replicate this device, it was called a blue box: Steve

Wozniak, Steve Jobs. So, you know, there's hackers everywhere; people have been hacking forever and ever and ever, and of course hacking continued to evolve. So when I was a lad, yes, that is me, computers looked much more like this, and I, as opposed to the way people use computers nowadays, I used them probably in a lot of the ways that you use them. And so of course, you know, when I was about 11 I started to build my own computers, and then going on bulletin board systems and things like that, you know, the internet came along and it was amazing, because it was this new place where everybody could

communicate. So again, we've gone through all these different eras and we've all been connecting to the cloud. All right, so, you know, taking it back to the old IBM mainframes, you know, you used teletypewriters to control them. So how old is the cloud? I don't actually know the answer, because it's been around for so long. So when I started to grow up I started to build my own data centres, and of course, you know, that essentially is a cloud, so I started to build my own cloud, and then kind of the last 10, 15 years the cloud as we know it is born, right? So strategies started to evolve as people started to move their

workloads to the cloud, and of course, you know, it's super cool, isn't it? It's the cloud, it can do everything, it'll save our existence, it will be able to do all manner of things, you know, all the different capabilities, all the different models, of course all the rules that we have to go by. You know, the road ahead for everybody, you know, is actually really, really full of surprises. Right, so, you know, more often than not I hear people's catastrophes of moving to the cloud, and not, you know, "we're going to start doing it ourselves, can you give us a hand with it"; it's always too far down

the line that they come back to us and say, actually, yeah, you should have taken your advice and actually got some help before we started our journey to cloud. So, you know, take that as a piece of advice, because of course the aftermath, you know, can be really catastrophic. So there are some good examples of cloud topologies, all right; we see some really good examples of cloud, but then we see some really, really, really bad examples of cloud. All right, now this is a really interesting, important slide, because, I mean, I'm really happy that I got that on this, but it plays on something called confirmation bias. All right,

so this brings me back a little bit to the kind of George Orwell times, the kind of dystopia, whatever dystopia is, and, you know, normally we're overrun by our own confirmation bias, and that basically takes us away from true fact, or what is actually factually true. So of course you take the emotion away, you take the bias away, or at least you try to take the bias away. Now unfortunately we all have this, it's programmed into us, you can't change it; what we can do is we can be mindful of it, so we can try and make better and important decisions, like I said, relying on fact and not just what

confirms your belief, you know. And similarly, you know, I'm not a religious person by any means, but, you know, to judge is to be judged. So, you know, I always say that I can't judge someone for doing something on a basis that I have no authority to do so. You know, if there's someone... I mean, coming here today there was someone in a Honda Civic wanting to go past me at lightning speed, right? Yeah, perhaps I think, mmm, God, what a one I've got here, you know, what are they doing, I'm going to sit at 70 in the fast lane, but who am I to judge? Who can I honestly

stand up to and say, well, I know that they're being an idiot for trying to drive fast? You know, they could be driving to go and see a dying relative, I don't know. They could just be, you know, late for work and they should have got up five minutes earlier, so yeah, perhaps they are an idiot, but, you know, at the end of the day you can't really judge just on the basis of that. And of course, why do hackers hack? Data is the new oil. So as we bring out all these new technologies and all these new things, of course the threat landscape

changes. So we're now seeing that the criminals and the cyber gangs, you know, are using a lot of this new technology in ways that we don't understand, in ways we don't see, and we have to always try and maintain that one step ahead. Now, of course, if businesses are now monetising all their data and all the machine learning algorithms that they're processing against these things, then of course the cyber criminal is going to do that as well, right? Right, so, but it's okay, because we've been saved, right? We've got quantum, we've got blockchain, we've got AI, and it's going to save the world, it's going to revolutionise the world. Of course, what

we're seeing is that's not really so in a lot of this. So, I mean, what do I mean? Now, we've been playing around with image recognition, so obviously I hope you all know how image recognition works, right? You feed your algorithms into your AI to show it, to provide... we'll talk about foxes, right? You want it to recognise a fox, you train it with a load of data about foxes. Now, one might not know that if I now stick a picture of a toaster with rainbow colours all over it, I've now spoiled that algorithm, and it will now not process fox data, it will not correctly look at data

that pertains to being a fox. So of course, you know, if you think a bit deeper about this, well, you know what, why would I not want to start then trying to hack people and poison their AI data? That's a perfectly good way of sabotaging a business. And of course, a lot of the time, a lot of the people that are making these things, you know, have no concept of security; they have no ability to be able to think about, well, how do I do this securely? And so, just a quick show of hands: has anybody heard of the Gartner hype cycle? Yes, okay. So the hype cycle is a kind of theory that

when a new technology comes out there's a hype for it, and this hype really kind of dictates how well or how rubbish this thing does. But what we always find is that there's a peak, and at that peak we realise that these technologies aren't actually going to save everything, that they're not going to be able to make us, you know, save the world and all the great things. Don't get me wrong, in the future, twenty, thirty, four years, maybe. I don't know if you can see, that's where we are at the moment with machine learning, so we're just about to drop into the trough of

disillusionment. And what the trough of disillusionment is, is that we realise that, okay, this isn't actually going to fix everything. So you can see just here we've got less than five percent of the potential audience that has actually successfully adopted the technology fully, so that is still a few years away yet; it's not going to fix everything. So how do we fix it? Well, we're all aware of DevOps, I'm hoping, mostly aware of DevOps. So that's traditional DevOps. Now, unfortunately for us, or fortunately, you know, developers are going out spitting out this lovely magical unicorn poo, and we're going around having to sweep it up everywhere. And so of course the methodologies and the

frameworks: I've come across multiple, multiple DevOps teams across not just the UK but internationally as well, and everybody's got their own way of doing it. So, kind of, you know, what do we do? Right now, I like to think that security is everybody's responsibility. I mean, who's responsible for the security when you leave your house at the end of the day? You know, do you have a security guard that looks after it? Do you ring up some special number to say, right, I've left the house now, it's locked, it's alarmed, it's engaged, anything? But what we do know in DevOps is a good buzz term, which

is infrastructure as code. So, who's aware of infrastructure as code? Cool, cool, cool. So I like to think, and there are some good books on this as well, of culture as code, all right: changing the mindset, changing the culture, because if you change the culture then you change the way people think, and take security as very, very important. So who's got social media? Everybody, yeah? I'll tell you what, who hasn't got social media? Cool, no, one or two, whatever, cool, so fair play, absolutely fair play. You know, now it's a great thing, right? You know, it's a platform which can make things great; it's a platform where everybody now has an opinion, but of course the

problem is when you mix that with technology it gives people a platform to voice their confirmation bias, and of course people are emotional, people are changeable, people have habits, so of course giving them a platform to voice all their opinions and all their bad juju obviously makes real-world things happen. So, you know, never has there been a time when we've been so connected that we are so divided, right? You know, a whole nation is just pretty much being divided based on Brexit and the vitriol that you see from both sides of the argument. It's just like, you know, being in a school

playground, when these people are actually looking after our actual world, you know. So kind of, we've got to rein it in a bit. Now this brings us back to kind of 1984, right, because for those that haven't read it, I mean, I won't spend too long talking about it, but every day they used to meet and watch the television, it was called the telescreen, and they would participate in what they called the Two Minutes Hate, right? And the Two Minutes Hate was them watching their enemies, their enemies of the state, and they would play videos of these people and they would all scream and shout abuse and

spread their vile hatred against their enemies. And of course the way in which they manipulated the news, they manipulated the media, they really kind of, you know, changed people's perception: yesterday's enemy was completely forgotten, because tomorrow's enemy is the one that's right in front of their face. So you see this now all the time, all over social media, all over social networking. So, you know, again, how do we fix that? I mean, any ideas? For me this is really, really undervalued, right? It's basic, it's generally easy, and it's generally something all of us have, every single one of us: we all have morals and we all have values. And so kind of shifting that

behaviour, changing that culture, changing that mindset, you know, security is everybody's responsibility, you know, should help to better ourselves. We'll never get rid of the problem, you know; we'd only have to just find new ways of fixing the problem. So, of course, let's get back to the technology. So, DevOps acceleration is too fast for security; that's what I hear all the time. Hey, how do we integrate with your pipelines? How do we integrate with your toolchains? Because security is static, security is seen as the same: no, you know, we're all saying no, you can't do it like that, do it like this. I don't think that's right. I think security is a driver for cloud

adoption and for DevOps methodologies, because, you know, changing that culture, changing that mindset, shifting to the left, you know, means that DevSecOps becomes kind of part of everyone's way of thinking, and of course that way we get into a much easier continual delivery of our clouds and services and solutions, to be able to keep up with the pace of change, to keep up with the pace of DevOps and DevSecOps, and making sure that all of our pipelines and our chains are as secure and we're taking all the necessary steps to embed this in. And of course there are hundreds of tools to help us,

absolutely hundreds of them. So, you know, if you don't know or you're not comfortable with one, try another, because at the end of the day, you know, what you're practising and preaching today will be something completely different tomorrow, and, you know, I'm always having to kind of change my mindset on things. You know, when, for instance, SHA-2 and SHA-3 become bad, it'll be, what would it be next, SHA-4 or 5, 6, and so on and so forth. So with the cloud it will always change, it will always evolve, and we have to try and be one step ahead, and like I

said, you know, what I preach today, tomorrow will be something completely different. Now, how again do we really rein that in? How do we make sure that we're all working towards a common goal? Well, it's pretty easy, you know: ethics, morals and collaboration. Let's work together, let's share ideas, let's participate in constructive criticism, you know, and let's join in and build a community. Yeah, it's great seeing everybody here today at BSides, you know, it's awesome. And I battled through that quite a bit quicker than I thought, so there's a couple of good links there. We've got about 10 minutes left, nine

minutes left, so, are there any questions?

[Audience question, inaudible]

So, this is a good question, actually. So what we're seeing, what we're doing, is the DevOps teams are integrating security into them. So rather than pulling in the security people to come and fix their projects, fix their teams, fix their methodologies, they're employing them. So in some instances the larger teams are becoming smaller, because those skill sets are going towards the development side, but then of course you're always going to need a higher level of help sometimes. So what I do see is those teams becoming smaller from the security standpoint, the DevOps team becoming a little bit bigger, but then still also relying on and needing to bring in... well, I

mean, the thing about the cloud is the shared responsibility model, so, you know, about the CCM matrix and the stuff, so the cloud capability model, I forget, but look it up, CCM 3.1 I think we're on at the moment for the controls matrix. But, you know, absolutely, the good thing is, you know, I talked about this dystopia and utopia. I mean, what is utopia? You know, does anybody want to live in a perfect world where everything's hunky-dory and really happy and fluffy? I'm not sure that people do. But of course there becomes a crunching point, and I think we're nearing that kind of critical mass where, you know, the people will start, you know...

I'm not saying go and become [inaudible] and start shouting from rooftops and tying yourself to buildings and stuff, but, you know, definitely I think the conversations are beginning to be had. So...

[Audience question, partly inaudible] ...do you see the same pipelines, or do you see... yeah, she said no, all part of the same. What about the physical insider, the employee's pipeline... connect, gaining access?

There's always the insider threat. You can never be, you know... secure isn't an end goal. And of course the problem is, as people are people, you know, the lady before was saying that, although we know what's good and what's bad, people still choose to do bad things.

[Audience, inaudible]

Oh yeah, yeah, maybe. You've always got to have sign-off, right, by somebody else, and that's the whole point. The same, I see what you're getting at, right. So yeah, so obviously from one to the other, yes, absolutely, because you should always have sign-off of somebody else's work. So the thing about the pipeline is it may still be able to come under the same pipeline, but then it will get picked up at that QA stage when they go, hang on, what's this exposing, 65,000? Of course, yeah, and that's why I'm seeing some, and don't get me wrong, it's still early days, they still think once the dot...

so, you know, they still see security as an inhibitor.

[Audience] Do you think it will sway them?

To a degree it does, a little bit, but, you know, if companies like Netflix can do it, then why aren't the rest of us?

[Partly inaudible exchange with the audience about the insider threat and whether DLP could reduce it.]

Cool, that's a wrap. Thank you, thank you very much. [Applause]
