“We need to be constantly vigilant” – McAfee’s director of cloud talks security in a modern age

Long read.

McAfee is one of the biggest household names in cyber protection. This means that Nigel Hawthorne, director of its EMEA cloud security business, really knows his stuff when it comes to anything DevOps- and cybersecurity-related. To prove this point, the director flexed his knowledge with us, discussing everything from DevSecOps to whether we should genuinely be worried about the threat of a global cyber-attack.

How do you manage and scale DevOps practices at such a huge firm?

Like many organisations, we’re now releasing code at an ever-faster rate. And when you do that, you need to make sure that security doesn’t get in the way of release times. But at the same time, you don’t want to have to roll back or hotfix software. So, we’re following the practices that we recommend to people: shifting left, bringing security into our development earlier and ensuring we are using the power of the cloud and containers. This way, the development team actually feels more empowered to release its own code. And they don’t have the problem of finishing some code and then having to pass it to a separate security team to approve it, because in almost every company I’ve worked in, there’s been that friction between development and QA, where the developers think QA takes too long and QA thinks development delivers the code too late. And really the aim is to make one team, in SecOps, that will be able to code and release together.

With cloud being one of the biggest trends right now, do you think it’s good that so many people are using it, or is it just more competition?

Cloud is where computing is because of its flexibility and scalability. There’s absolutely no doubt that the days of on-premises-only are over. As an example, two days ago I saw a well-known UK Government Department that you might typically consider to be a relatively late adopter of new technologies, and they were talking to us about their cloud adoption and how they can accelerate it, because they do recognise the huge benefits that it gives them. But like any new technology, it brings in questions on governance, management, and how to ensure that you move from previous systems to new systems without losing security as you go.

What are your general thoughts on shift left and containers right now, and what does this mean for DevOps?

Containers are just yet another step in virtualisation from the days when one piece of hardware would run one application and sit there and perhaps not be fully utilised. I remember in offices having a PC that was basically just a print server. You are now in a situation where, to get greater flexibility, you have lots of virtual machines and containers. It’s just the next step of virtualising as many things as possible to make sure that you are being as efficient as you can be. So, you’ve got a small container that may last only a few minutes that is performing one function; it’s created to perform that function, then it closes down. The great thing about performance and scalability has to be compared to the problems of security. How do you secure something that might not last very long? If you go back to the days of physical security, for someone to get your data they’d have to somehow get into the building, get the device they needed, put it under the overcoat and walk out. You then needed someone who’s watching what’s going on; you needed CCTV, you needed controls on doors, etc. Today you think, “how do you put that in a container that doesn’t last very long?” And therefore, you need things like cloud security posture management. You need vulnerability assessment of each container, and to work in a zero-trust manner. So, even though you may have multiple containers with infrastructure as a service, it doesn’t mean that you trust every single container, because one of them may well have been inserted there by an attacker. So, you’ve got to be constantly vigilant, to see whether or not all the containers that you’ve got are doing the job that they should be. And it’s not easy. And it can’t be done slowly; it has to be done in real time, as the containers are created and executed.

How do you feel about DevSecOps?

For me, what it means is pulling together groups that were often working independently. And I think that’s a good thing. You don’t want the security people and the development team to be at loggerheads because they have different requirements. One is all about speed of delivery: the dev team wants to release code, they’ve perhaps got internal deadlines to hit. And then they find that the security team or the QA team slow that down because they need to do their work. I think it actually is a great innovation from a philosophical point of view, which says we’re all one team. We’re working together. How can the QA and security people give some of their tools to the developers so that, actually, they can release code themselves?

Microsoft has recently announced that they’ll be stopping support for Windows 7. What’s your opinion on this?

Well, if you can, for sure, it’s time to look at your Windows 7 systems and upgrade them to Windows 10 or something else that ensures you’ve got the latest updates. If not, those devices need to be used in internal-only processes, so never connected to anything that can go out to the internet. And if that means that there’s not much for them to do, well, I’m sorry about that, but it really is time to move on. It’s been running for over 10 years. It is time to move those systems on now.

What about the thought that a lot of NHS trusts are still running on Windows 7, should the government be investing in more advanced systems?

We shouldn’t necessarily say all Windows 7 devices should immediately be removed completely. In a recent hospital visit, I noticed a computer left around. So, there are always problems, like, what if somebody comes with a USB stick? But I think you’ve got to look at the likelihood of a problem in more general office applications. So, in terms of old systems, I’m sorry, you’ve got to get rid of them.

What do you think people can be doing to make sure that they’re not missing out on security?

I know it’s a very clichéd message, but you can’t control what you can’t see. So, firstly, you definitely need visibility. Think about what software as a service your office-based employees are using, but also what infrastructure as a service your DevOps teams are implementing. You’ve got to be able to look at the systems that use the containers, the different bits of code that you’ve got. Ensure that you’ve got the policies there that look at the possible problems. Perhaps to answer an alternative question, why are the problems different? Well, because you can have multiple pieces of code in the cloud calling each other, and you’ve got to look not only at those individual pieces of code but at the interaction between them, and ensure that you are therefore providing application security, data security, privacy compliance and data loss events. At the same time, you are running this code on a platform that isn’t under the complete control of the organisation, because it’s provided by someone else.

When the year 2000 rolled around, everyone was so scared of the millennium bug. We’ve forgotten about all this kind of stuff now. But instead, with the development of tech over time and considering recent political issues, should we be worried about a huge cyber-attack that could affect us in a big way?

You know, maybe that’s more likely if there’s some massive burst of sunspot activity. I think the problem is we need to be constantly vigilant and we need to recognise just how much our daily life relies upon technology. Look at the problems [that companies that have faced cyber hacks] are currently suffering from; what will be the long-term impact on them? At this point we don’t know. But we have to plan for the worst, even though we expect it won’t happen. I don’t want to be wandering around with a sandwich board saying doom and the end of the world is nigh, but unfortunately, I think there’s a famous phrase: “hope is not a strategy.”

I’ll go back to Y2K: a lot of companies spent a lot of time, effort and money updating code, checking code, training people. Even I did a lot of presentations. And so, when you read articles that said, “Well, the world didn’t end, there wasn’t a problem,” that’s because we did a lot of work to make sure that those things that could be updated were updated and worked. A lot of companies actually obsoleted products in 1999, saying we can’t guarantee that this will work after the year 2000. I think that we have to focus on industry and individuals being constantly vigilant. There are tools there to help you. Companies like mine try to help you as much as we can. But we need to first recognise that there’s an issue to address.

So, if for example, say the power grids were hacked, would your advice on preventing this be to plan for the future?

Well, actually, when you talk about power and other things that are critical national infrastructure, the good news is that governments and regulators are taking this incredibly seriously, and are doing everything they can to look at all of the embedded code within the critical national infrastructure. If we are talking to organisations in that area, then they have even more stringent regulations upon them than traditional commercial businesses, and that’s a really good thing. We’ve seen various what looked like state-sponsored attacks on some countries’ infrastructure. And, of course, each time that happens, it’s a major concern, but each time it happens, everyone else in the world learns from those attacks. There’s a whole wealth of people whose job it is to keep us safe.

In your field, what do you think the future will hold?

I’m optimistic. I do think that there will be a much broader understanding outside IT. In fact, if there’s one thing that I’d say people can do, whether they work in DevOps or anything else, it’s talking to non-IT people: talk to people in HR and people in risk. Talk to your legal team; try to get them to understand that the things that you do are all important, and tell the stories behind security technology, because every time that someone talks about security to a non-IT person, there’s a rolling of eyes and snapping of pencils and people say they’re really busy. But if you can turn it into a story, if you can turn it into a, “Hey, look, I’ve heard about this,” or, “here’s what happens if you don’t do this,” then you can start to engage non-IT folk. And I think by the end of the year we’ll have a much greater understanding, with all those other departments, every other line of business and individual users finding out that it’s their responsibility as well, even though they may not believe it.