
Vision of security in Canonical products

Predrag TASEVSKI

Being online shapes a new way of living in which we are constantly connected and constantly sharing our data. Yet the devices and the Internet we connect to were not designed to be secure or privacy-preserving by default, and most end users are neither aware of this nor equipped to secure their own digital environment. In this product leadership role I therefore want to engage with technical, community and commercial audiences to find out what a turnkey security solution for end users could look like.

Open source plays an important role in privacy and security, but openness alone is not what makes a community contribute; contribution is built on transparency. My previous experience working for an open source company gave me insight into how an open source community works. It also showed me how easily privacy and security topics get dropped in order to meet product milestones and get the product to market as soon as possible. In my opinion the biggest challenge is balancing transparency, security and privacy. Security and privacy subject-matter experts (SMEs) should be involved from the earliest stage of product design and development, collaborating with the community, so that security and privacy are bridged rather than traded off against each other.

Customers rely on vendor risk management assessments that evaluate the cybersecurity posture of their third parties, with the aim of ensuring security across the whole of an organisation's IT ecosystem. However, the multiplicity of tools involved makes it a struggle to implement and maintain technical and organisational security measures. Simplicity and transparency are sound long-term investments: they consolidate tooling and make it easier both to meet compliance requirements and to demonstrate that they are met.

Digital transformation is under way and accelerating. Enterprises are increasingly moving toward hybrid cloud infrastructure because it offers unified management of on-premises datacentres, cloud services, applications and workloads. Even so, the challenges of aggressive data growth remain. Application security has matured along the same trend, together with DevSecOps. Nevertheless, no single testing technique or orchestration tool lets development, operations and security teams mitigate every security risk: teams must combine multiple tools and robust orchestration from multiple vendors to secure the SDLC and the infrastructure at the same time.

Canonical is well positioned to address this. Snaps confine applications in a sandbox and keep their data isolated from the rest of the system. The Livepatch Service applies critical kernel security patches automatically without rebooting. For IoT devices, Ubuntu Core, a minimal snap-based operating system, complements both.

Data has three states: in transit, at rest and in use. Today data is routinely encrypted "at rest" in storage and "in transit" across the network, a practice that cloud computing has made standard, but it is usually not protected while "in use" in memory, where it is processed in the clear. Protecting data and application code while they are in use on conventional computing infrastructure is therefore the remaining gap, and the most important one to close. Covering all three states is what makes a robust and sustainable ecosystem possible for IoT, robotics, automotive, healthcare and similar industries.

Despite the exponential growth of digital transformation, organisations underestimate their needs in security, resilience and agility. To secure and harden an organisation, several factors have to be taken into account:

  • security and privacy by design,
  • security and privacy by default,
  • orchestration of controls,
  • encrypting data in use.

With these in place, organisations are better placed to manage the weakest link in technology: the human. Most organisations already enforce awareness training, phishing simulations, IT security guidance, processes and practices, but is this enough? There will never be such a thing as perfect security. What it takes instead is a data-driven, content-centric approach that gets to the root cause of issues and builds products that are secure and private by design and by default. Last but not least, it is important to build a stable governance bridge between consumers and engineers, so that both sides understand and can discuss what it takes to deliver a secure, resilient product. If that is done, the critical security issues that routinely plague IT today need not be as severe as they are now.