[00:30.000 --> 00:37.000]  Hello, thank you very much for your time.
[00:37.000 --> 00:40.000]  You're welcome.
[00:40.000 --> 00:46.000]  So, I'm sure this interview will help me a lot in the paper.
[00:46.000 --> 00:53.000]  So, I prepared some questions, of course, and I wrote them on a presentation,
[00:53.000 --> 00:56.000]  so you don't need to remember what I'm saying.
[00:56.000 --> 01:00.000]  You can just look at the shared window.
[01:00.000 --> 01:03.000]  So, I'll, well, okay.
[01:03.000 --> 01:09.000]  [redacted] is a bit pessimistic, it seems.
[01:09.000 --> 01:14.000]  For movement, for evening and I will change it back.
[01:14.000 --> 01:16.000]  Okay.
[01:16.000 --> 01:20.000]  Okay, so I'll share the screen now.
[01:20.000 --> 01:23.000]  Yeah, thank you.
[01:23.000 --> 01:27.000]  First of all, thank you very much, [redacted], for taking this interview here
[01:27.000 --> 01:30.000]  and supporting us in that manner.
[01:30.000 --> 01:32.000]  Yeah, sure, you're very welcome.
[01:32.000 --> 01:34.000]  I hope it will be helpful for you.
[01:34.000 --> 01:36.000]  Yeah, I'm sure it will be.
[01:36.000 --> 01:43.000]  So, as I wrote you in the email, I'm recording this session audio
[01:43.000 --> 01:48.000]  and we will transcribe it and anonymize it, so no reference to your name
[01:48.000 --> 01:50.000]  or the company will remain.
[01:50.000 --> 01:57.000]  And then, yeah, we will analyze the answers and report them in a paper,
[01:57.000 --> 02:01.000]  but not individually, so there are, in total, nine interviews.
[02:01.000 --> 02:06.000]  So, we might quote some things, you say, but most likely what we will report
[02:06.000 --> 02:11.000]  is kind of a summary of all participant's answers.
[02:11.000 --> 02:16.000]  And we will use the results only for scientific communication.
[02:17.000 --> 02:21.000]  If you later decide to, like, withdraw your answers, that's fine
[02:21.000 --> 02:25.000]  until the end of this month, because after that we will submit the paper,
[02:25.000 --> 02:29.000]  so it's difficult to withdraw after that.
[02:29.000 --> 02:31.000]  Okay, okay.
[02:31.000 --> 02:34.000]  Okay, so did you manage to watch the video?
[02:34.000 --> 02:35.000]  Yes.
[02:35.000 --> 02:38.000]  Okay, do you have questions about it that you want to ask now?
[02:38.000 --> 02:43.000]  Or do you think they will be answered during the interview?
[02:43.000 --> 02:48.000]  I have, I would say, several comments, but I think let's do the interview part first,
[02:48.000 --> 02:51.000]  and most probably we'll touch this, if not, then I will mention them.
[02:51.000 --> 02:54.000]  Okay, perfect.
[02:54.000 --> 03:01.000]  Okay, so first some demographic questions, so what's your current role in the company?
[03:01.000 --> 03:03.000]  I'm a first line manager.
[03:03.000 --> 03:09.000]  Okay, and what kind of tasks do you usually do in your work?
[03:10.000 --> 03:17.000]  Well, I manage a department of, I would say, software engineers and IT specialists.
[03:17.000 --> 03:21.000]  I have various groups in my team.
[03:21.000 --> 03:31.000]  One is focused on doing continuous integration, and another one is responsible for our special
[03:31.000 --> 03:33.000]  purpose private cloud.
[03:33.000 --> 03:35.000]  Okay.
[03:36.000 --> 03:43.000]  So now the next question tries to assess how well you know IAC scripts.
[03:43.000 --> 03:52.000]  So assuming you have enough time and you have an IAC script of a language that you are familiar with,
[03:52.000 --> 03:58.000]  do you think you are able to understand the architecture of the application system that
[03:58.000 --> 04:03.000]  this IAC script is trying to model?
[04:03.000 --> 04:09.000]  So IAC script like Kubernetes, for example, or Terraform or whatever language that you're
[04:09.000 --> 04:11.000]  familiar with.
[04:11.000 --> 04:18.000]  So I'm familiar with the concept of infrastructure, the code.
[04:18.000 --> 04:26.000]  In general, I'm familiar with Saltstack, maybe you heard about the software, and in Saltstack
[04:26.000 --> 04:32.000]  it uses YAML to define the model structure.
[04:32.000 --> 04:40.000]  And according to this definition in YAML, salt master instructs salt minion to execute some
[04:40.000 --> 04:42.000]  actions on the minion.
[04:42.000 --> 04:44.000]  So from this perspective, I'm familiar.
[04:44.000 --> 04:50.000]  I do not know too much details about Ansible or Puppet or Terraform.
[04:50.000 --> 04:52.000]  Terraform, I know just in general.
[04:53.000 --> 04:55.000]  Yeah, perfect.
[04:55.000 --> 05:00.000]  Usually we don't see one person who knows all of these tools at the same time.
[05:00.000 --> 05:06.000]  You have an idea about most of them, general idea, but you're familiar with one tool.
[05:06.000 --> 05:11.000]  Well, I would say I have general idea also about Tensorable, Terraform, but never used
[05:11.000 --> 05:12.000]  them personally.
[05:12.000 --> 05:13.000]  Yeah, perfect.
[05:13.000 --> 05:14.000]  Okay.
[05:14.000 --> 05:21.000]  So how many years have you worked with tasks related to IAC or infrastructure in general?
[05:21.000 --> 05:22.000]  In general.
[05:22.000 --> 05:29.000]  Infrastructure in general, I would say, 20.
[05:29.000 --> 05:34.000]  And infrastructure, the code 8.
[05:34.000 --> 05:35.000]  Okay.
[05:35.000 --> 05:40.000]  So how large is the company [redacted]?
[05:40.000 --> 05:45.000]  More than 100,000.
[05:45.000 --> 05:46.000]  Okay.
[05:47.000 --> 05:49.000]  So now it's some technical questions.
[05:49.000 --> 05:53.000]  And for these questions, feel free to ask me if something is unclear.
[05:53.000 --> 06:00.000]  And feel free also to go beyond the limits of the question itself.
[06:00.000 --> 06:08.000]  So how do you check compliance of the software applications in your company?
[06:08.000 --> 06:14.000]  Well, we use quite a number of different tools.
[06:14.000 --> 06:26.720]  And those tools, the compliance status inside the reporting tool, I would say, is not directly
[06:26.720 --> 06:29.400]  related to the state of a operating system.
[06:29.400 --> 06:34.000]  You need someone in between.
[06:34.000 --> 06:36.000]  Some person?
[06:36.000 --> 06:40.000]  Yeah, the person in between.
[06:40.000 --> 06:52.000]  Well, or you need to write your own automation, which is, I guess, possible, but in my area,
[06:52.000 --> 06:54.000]  we do not have this yet.
[06:54.000 --> 06:55.000]  Okay.
[06:55.000 --> 07:04.000]  Yeah, I'm asking specifically about your teams or closely related to you because it's difficult
[07:04.000 --> 07:08.000]  to guess what's like for other teams.
[07:08.000 --> 07:09.000]  Okay.
[07:09.000 --> 07:14.000]  So for these compliance rules, how do you define them?
[07:14.000 --> 07:23.000]  Is it like a text-based list or is there some sort of a model for each compliance rule?
[07:23.000 --> 07:28.000]  Is it only human readable or machine readable as well in the current form?
[07:28.000 --> 07:35.000]  Well, in the current form, we have guidance that is human readable and needs to be translated
[07:35.000 --> 07:43.000]  to something that you can have to make or directly configure on the system, on the target system.
[07:43.000 --> 07:46.000]  That should reach a certain compliance state.
[07:46.000 --> 07:49.000]  But at the moment, it's text, right?
[07:49.000 --> 07:52.000]  It's human readable text.
[07:52.000 --> 08:00.000]  Well, then we need to clarify what does the model means in this case.
[08:00.000 --> 08:10.000]  So we have a guidance which tells us about which, let's say, data classifications we have,
[08:10.000 --> 08:14.000]  based on the data that we store on a certain system.
[08:14.000 --> 08:20.000]  So it's not only, well, it's about data, availability.
[08:20.000 --> 08:22.000]  So what do we have?
[08:22.000 --> 08:25.000]  Confidentiality, integrity, availability.
[08:25.000 --> 08:36.000]  So based on those three criteria, a person can identify or a system can identify which guidance
[08:36.000 --> 08:41.000]  are applicable to a certain system, but those guidance, they are written in a human readable form.
[08:41.000 --> 08:44.000]  So the categorized kind of?
[08:44.000 --> 08:45.000]  Yeah.
[08:46.000 --> 08:54.000]  But in order to understand how to apply a certain applicable, we call it security control,
[08:54.000 --> 09:01.000]  to an instance of an operating system, at the moment, you need to do some work.
[09:01.000 --> 09:05.000]  Either you do it manually or you create some automation that will do it.
[09:05.000 --> 09:14.000]  But this is not presented as a common offering from the IT or from CIO, which is responsible
[09:14.000 --> 09:16.000]  for the guidance.
[09:16.000 --> 09:18.000]  Okay.
[09:18.000 --> 09:30.000]  So in the following questions, when I say complexity, I'm referring to the need for an expert to do some task.
[09:30.000 --> 09:36.000]  So if some task is complex, this means you need an expert to do it.
[09:36.000 --> 09:46.000]  So when I say reduce complexity, this means you reduce the need for an expert and it becomes less complex.
[09:46.000 --> 09:55.000]  So question eight, do you think having a well-defined and machine-readable format for compliance rules
[09:55.000 --> 09:59.000]  reduces the complexity when checking the rules?
[09:59.000 --> 10:02.000]  Yes, I think so.
[10:03.000 --> 10:10.000]  And uncertainty means not being sure how to interpret the compliance rule.
[10:10.000 --> 10:19.000]  Do you think having a well-defined and machine-readable format for compliance rules reduces uncertainty?
[10:23.000 --> 10:30.000]  So let's say someone really wants to check now the compliance rules and he or she reaches a specific compliance rule
[10:30.000 --> 10:32.000]  and it's written in text.
[10:32.000 --> 10:41.000]  Do you think sometimes it's uncertain how the person should interpret this compliance rule?
[10:41.000 --> 10:42.000]  Yeah.
[10:42.000 --> 10:44.000]  I think I understood the question.
[10:44.000 --> 10:47.000]  I'm just trying to formulate an answer.
[10:47.000 --> 10:49.000]  Go ahead, please.
[10:49.000 --> 10:59.000]  If we talk about relatively simple compliance rule that we need to implement,
[10:59.000 --> 11:01.000]  then definitely yes.
[11:01.000 --> 11:13.000]  So if we have a person who gets a new direction, you need to follow this specific security control starting today.
[11:13.000 --> 11:22.000]  And this person can get an information that, okay, for his flavor of an operating system,
[11:22.000 --> 11:28.000]  this security control can be enforced by doing a change in the specific configuration file.
[11:28.000 --> 11:30.000]  So this is an operating system version.
[11:30.000 --> 11:34.000]  This is the software package that needs to be changed.
[11:34.000 --> 11:35.000]  This is configuration file.
[11:35.000 --> 11:38.000]  This is the new parameter that you need to check and enforce.
[11:38.000 --> 11:40.000]  Definitely yes.
[11:40.000 --> 11:46.000]  But some of the security at least guidances that we have are security controls.
[11:46.000 --> 11:52.000]  They have a bit more complex nature that cannot be reflected in a single configuration file.
[11:52.000 --> 11:58.000]  You also need to make some kind of an architectural decisions.
[11:58.000 --> 12:10.000]  For this, I think it will be helpful, but it will not, in my eyes, be able to provide you an answer in 100% of the cases.
[12:10.000 --> 12:11.000]  Okay.
[12:11.000 --> 12:12.000]  Okay.
[12:12.000 --> 12:18.000]  So how often do you have to deal with new compliance rules?
[12:19.000 --> 12:26.000]  Well, I would, several times a year.
[12:26.000 --> 12:27.000]  Okay.
[12:27.000 --> 12:32.000]  And they come individually or new sets of compliance rules?
[12:32.000 --> 12:42.000]  Well, we have the CIO team of our company releases new versions of the security standard from time to time.
[12:42.000 --> 12:46.000]  From time to time, there is not known to me periodical schedule.
[12:46.000 --> 12:52.000]  And the changes that they're introducing and the guidance, they are quite different.
[12:52.000 --> 12:55.000]  So sometimes they have changes that affect us a lot.
[12:55.000 --> 13:02.000]  Sometimes they have changes that clarify some things and do not require so many technical work.
[13:02.000 --> 13:09.000]  So yeah, but several times a year, it happens that we need to change something.
[13:10.000 --> 13:27.000]  And also, I can give you another example of such a request that cannot be easily handled by this kind of machine readable format.
[13:27.000 --> 13:29.000]  How do you define it?
[13:29.000 --> 13:34.000]  For example, if we talk about the support of operating systems.
[13:34.000 --> 13:38.000]  So in some case, the CIO can make a decision.
[13:38.000 --> 13:39.000]  Okay.
[13:39.000 --> 13:46.000]  We will not tolerate any more some levels of legacy operating systems, even so they are supported.
[13:46.000 --> 13:48.000]  But we do not tolerate them.
[13:48.000 --> 13:52.000]  Oh, they are, no, they are not supported for many years.
[13:52.000 --> 13:56.000]  And now we made a decision that we will not support them anymore.
[13:56.000 --> 14:01.000]  And in our case, this means that we have to identify all systems that are running.
[14:01.000 --> 14:08.000]  This level of operating system, which we can achieve, by the way, using your software and your data models.
[14:08.000 --> 14:14.000]  But then we would need to reinstall them or redeploy.
[14:14.000 --> 14:22.000]  And an outcome of this action is, yeah, so we need not only to redeploy, but we also need to verify that everything works.
[14:23.000 --> 14:31.000]  So that is, this is, yeah, also a security story, but not directly related to the configuration management.
[14:31.000 --> 14:36.000]  This verification step, you mean, or the deployment?
[14:36.000 --> 14:37.000]  I mean, both.
[14:37.000 --> 14:44.000]  First of all, switching from one operating system release to another, which is enforced by the security regulations.
[14:44.000 --> 14:46.000]  And second verification, yeah.
[14:46.000 --> 14:59.000]  It's something that whenever you apply some settings, you need to ensure that your system, especially if you manage complex systems,
[14:59.000 --> 15:03.000]  you need to ensure that your, well, it's not application, it's a system.
[15:03.000 --> 15:12.000]  In our case, by system, I mean it's tons of servers running lots of different applications that are all working together.
[15:12.000 --> 15:15.000]  I think you mentioned in the video, open stacks.
[15:15.000 --> 15:17.000]  So this is exactly what we are doing.
[15:17.000 --> 15:19.000]  So we're running an open stack cloud.
[15:19.000 --> 15:25.000]  And if we enforce a configurational change from all hypervisors that run open stack, we need to restart.
[15:25.000 --> 15:26.000]  Of course, yes.
[15:26.000 --> 15:31.000]  But sure, we need to do it in the staging environment first, and then we do it in production.
[15:31.000 --> 15:38.000]  But still we need to have some means of verification that after the change, our applications are still working.
[15:39.000 --> 15:41.000]  AC, yeah.
[15:41.000 --> 15:42.000]  Okay.
[15:42.000 --> 15:50.000]  So now this set of questions are kind of similar to the ones in the previous slide.
[15:50.000 --> 15:58.000]  But now we want to get rough numerical estimation of how much you agree with certain statements.
[15:59.000 --> 16:08.000]  So in the following, when I say effort, this means that some task needs a lot of time to be accomplished.
[16:08.000 --> 16:11.000]  So when you reduce effort, basically you reduce this time.
[16:11.000 --> 16:14.000]  And this is regardless of how difficult it is.
[16:14.000 --> 16:16.000]  It might be how complex it is.
[16:16.000 --> 16:20.000]  It might be like not very complex, but it just needs a lot of time.
[16:20.000 --> 16:23.000]  So this is what we mean with effort.
[16:23.000 --> 16:32.000]  So do you think that using the framework reduces the effort associated with defining compliance rules and checking them?
[16:32.000 --> 16:36.000]  Yeah, I think I would say four.
[16:36.000 --> 16:37.000]  Okay.
[16:37.000 --> 16:44.000]  And do you think it's equal for defining and checking?
[16:45.000 --> 16:54.000]  Well, by defining, if you mean by defining that I will get enough information about how to apply this new security rule,
[16:54.000 --> 17:06.000]  then yeah, definitely that will give me a very clear guidance, like new security control or my operating system level gives me this exact,
[17:06.000 --> 17:13.000]  let's say, change that needs to be done either with the package or with the configuration file doesn't really matter.
[17:13.000 --> 17:25.000]  By checking, I also think that it will help a lot because, well, your system I assume will have some means of reading some new.
[17:25.000 --> 17:34.000]  Yeah, whenever you have a new rule defined, you know which configuration settings you need to set and how to read what is on the system,
[17:34.000 --> 17:42.000]  which means if I scan all of my systems that I defined in your system, I will get an information which of them are compliant to the new rule
[17:42.000 --> 17:45.000]  versus which of them are not applying.
[17:45.000 --> 17:46.000]  So, yeah.
[17:46.000 --> 17:47.000]  Okay.
[17:47.000 --> 17:56.000]  So, a similar question, but now regarding complexity, so for doing this, the modeling or defining and then the checking,
[17:56.000 --> 18:03.000]  do you think using the framework reduces the need for an expert to perform these tasks?
[18:03.000 --> 18:08.000]  I would say four as well, so it will definitely help.
[18:09.000 --> 18:14.000]  And now regarding the uncertainty of interpreting the compliance rules.
[18:14.000 --> 18:25.000]  So, how well, how much do you agree that a well-defined model for compliance rules would reduce the uncertainty of interpreting them?
[18:28.000 --> 18:32.000]  Well, I would say also, yeah, maybe even five.
[18:33.000 --> 18:35.000]  Okay.
[18:35.000 --> 18:38.000]  Yeah, we want to say something more.
[18:38.000 --> 18:39.000]  Yeah.
[18:39.000 --> 18:40.000]  Yeah.
[18:40.000 --> 18:42.000]  Just let's continue.
[18:42.000 --> 18:43.000]  Okay.
[18:43.000 --> 18:44.000]  Okay.
[18:44.000 --> 18:49.000]  So, now about architectural reconstruction.
[18:49.000 --> 18:58.000]  So, in the videos, we showed the first step in the whole compliance management process that we are proposing.
[18:58.000 --> 19:06.000]  And this first step was creating an architectural representation about the running system.
[19:06.000 --> 19:11.000]  And in order to do that, we had to use cases.
[19:11.000 --> 19:17.000]  So, in the first use case, we assumed there's no IAC tool that manages the infrastructure.
[19:17.000 --> 19:21.000]  So, the user had to use like a modeling tool.
[19:21.000 --> 19:30.000]  And the user just grabbed certain nodes and described how these resources that describe the infrastructure,
[19:30.000 --> 19:33.000]  how they look like and how they relate to each other.
[19:33.000 --> 19:39.000]  And in the second use case, we assumed there was an IAC tool that manages the infrastructure.
[19:39.000 --> 19:48.000]  And then we used a plugin in the framework that communicates with this IAC tool and reads the information from there.
[19:48.000 --> 19:54.000]  And based on it creates this initial architecture that describes the application infrastructure.
[19:54.000 --> 20:01.000]  And in this second use case as well, we were interested in certain properties of a database.
[20:01.000 --> 20:07.000]  And this information is too detailed such that the IAC tool doesn't know about them.
[20:07.000 --> 20:15.000]  So, that's why we had to also use another plugin that's like designed specifically for MySQL databases.
[20:15.000 --> 20:18.000]  And it was applied after the first plugin.
[20:18.000 --> 20:26.000]  And it like communicated with this database management system and read the interesting information from the database.
[20:26.000 --> 20:32.000]  And we embedded this information in the architecture.
[20:32.000 --> 20:40.000]  So, in theory, we can add more and more of these refinement steps that we call them refinement steps through plugins.
[20:40.000 --> 20:56.000]  And we can build an image about the whole infrastructure of the application system that this image is important for being able to judge on the compliance.
[20:57.000 --> 21:02.000]  So, we don't like arbitrarily choose to know information about the database.
[21:02.000 --> 21:09.000]  If the compliance rules only deal with the operating system, we wouldn't bother with this plugin for the database.
[21:09.000 --> 21:16.000]  So, we only use these steps, refinement steps that are necessary for the compliance checking.
[21:16.000 --> 21:31.000]  So, in total, this first initial step that uses the IAC tool and then these refinement steps that are that refine information about individual software components or resources, not necessarily software components.
[21:31.000 --> 21:34.000]  We call this whole thing architectural reconstruction.
[21:34.000 --> 21:45.000]  So, this is useful for compliance checking, obviously, but it's also useful for just understanding the architecture of your application system.
[21:45.000 --> 21:57.000]  So, now let's imagine a scenario. Let's imagine that you have a new application system that's running and you want to know how its architecture looks like.
[21:57.000 --> 22:04.000]  So, which resources are used and how they are related to each other. How would you do that?
[22:04.000 --> 22:09.000]  If it's unfamiliar to you, it's completely new and you want to understand it.
[22:10.000 --> 22:28.000]  Well, since you mentioned two scenarios, one is when a certain infrastructure the code tool is used and another scenario is when it's not in use.
[22:29.000 --> 22:36.000]  So, let me try to answer in a following way.
[22:36.000 --> 22:49.000]  So, at the moment in my area, we use infrastructure, the code, and we have a certain for automation or so for deployment of operating systems and for configuration.
[22:49.000 --> 22:56.000]  So, that we configure operating system itself, we are installing components, open stack, for example, components.
[22:56.000 --> 23:10.000]  We configure them through this tool and after the execution of this tool and maybe some steps like rebooting the system, we expect that it comes up in a state that it is usable.
[23:11.000 --> 23:25.000]  So, in this case, I do have existing model of the system, namely in YAML file, which is in a machine readable form.
[23:25.000 --> 23:36.000]  It's not easy to deconstruct it for the human to get every bit and piece about what component will be installed
[23:36.000 --> 23:40.000]  and which configuration setting will be applied, but it's possible in general.
[23:40.000 --> 23:53.000]  So, this means that in my case, this architecture exists already and what is missing is exactly the security of the security control.
[23:53.000 --> 24:03.000]  So, some pieces we do, but we do not verify compliance and we do not verify, for example, against the stick best practices.
[24:04.000 --> 24:25.000]  However, I must admit that initiative exists and there is a tooling already available inside [redacted] that tells you an information about how are you compliant versus what is the stick, I think it was against the stick framework.
[24:26.000 --> 24:32.000]  But it does not, well, and in the report, it even also tells you how you can fix it.
[24:32.000 --> 24:39.000]  So, something similar to your, I think, refined rules, if I remember this correctly.
[24:39.000 --> 24:53.000]  So, I would say in a data model, I'm not interested too much for some of the existing systems and for everything which will come on top.
[24:53.000 --> 25:04.000]  However, we do have legacy systems and for those legacy systems, we also are interested in knowing about their compliance status.
[25:04.000 --> 25:15.000]  And for this reason, yeah, it would be good to build an architectural model of what this system is.
[25:15.000 --> 25:29.000]  So, for example, it is an instance of Linux which runs, I don't know, MySQL, some web service, and genix, and has, I don't know, some private code somewhere.
[25:29.000 --> 25:44.000]  In this case, we would like to have a way to create a data model in terms of, again, operating system which known applications are installed, like, for example, SSH, daemon, MySQL, and genix, Apache.
[25:44.000 --> 25:53.000]  And verify them against the best practices which your software is actually offering.
[25:53.000 --> 25:55.000]  So, hopefully, I was able to.
[25:55.000 --> 26:00.000]  Yeah, you provided very valuable information.
[26:00.000 --> 26:18.000]  Okay, so you said, for the systems that does have configuration code, IAC, configuration scripts, you already have this, the architecture kind of in the YAML formats, right?
[26:18.000 --> 26:29.000]  So, do you know if there are tools that can be used to kind of visualize these YAML files into some architectures?
[26:29.000 --> 26:32.000]  I do not know this.
[26:32.000 --> 26:33.000]  Okay.
[26:33.000 --> 26:40.000]  So, we are using salt, well, so it's, I guess, we can look it up, but we never used any visualization.
[26:40.000 --> 26:43.000]  And simple tower?
[26:43.000 --> 26:59.000]  With, I think, I do not know, openly speaking, I never used Ansible Tower, but I can imagine that Ansible Tower provides you some level of graphical information, but never did this myself so I cannot comment.
[26:59.000 --> 27:01.000]  Okay.
[27:02.000 --> 27:23.000]  So, assuming now that you would use the framework, do you think that this would reduce the effort of architectural reconstruction, meaning getting this idea about the architecture of some application system?
[27:23.000 --> 27:28.000]  I would say it will reduce the effort of keeping this information and using this information.
[27:28.000 --> 27:38.000]  But initial effort to understand what is installed, so which operating system is installed, which applications do we use?
[27:38.000 --> 27:41.000]  What are the configuration of those applications?
[27:41.000 --> 27:50.000]  Well, at least I didn't got it from the video that your software is capable of inspection of systems.
[27:50.000 --> 27:56.000]  So, my understanding that this initial effort should be done most probably manually.
[27:56.000 --> 28:08.000]  So, a person is logging in into the system and documenting it according to, basically, filling out the data model in your system, like which, what is installed.
[28:08.000 --> 28:17.000]  And with Linux, actually, it's quite complicated because whenever you are installing Linux, you are installing usually hundreds of packages.
[28:18.000 --> 28:20.000]  So, for SSH is easy.
[28:20.000 --> 28:31.000]  We know that SSH is installed, but Apache is installed and Genix is installed, but there are many other components that are contributing, like, for example, simple network management protocol.
[28:31.000 --> 28:34.000]  If it's installed, it should be configured.
[28:34.000 --> 28:45.000]  Quite a lot of people might not even be aware that this package is installed, but this package provides you a network access to the configuration of the operating system.
[28:45.000 --> 29:05.000]  So, I would say, if we talk about the inspection, ideally, we need something that, in case of Linux, reads a list of RPMs that are installed or Debian packages, whatever you name it, and identify which of them are relevant for the data model.
[29:06.000 --> 29:17.000]  And then, based on this, the software can decide what needs to be patched.
[29:18.000 --> 29:36.000]  Yeah, so the general idea of the framework is to be extensible, meaning that if you want to achieve this task in a somehow automatic or mostly automatic way, you would need to program a plugin, a suitable plugin that can do it.
[29:36.000 --> 29:44.000]  So, of course, at the moment, we do have plugins, but they won't cover all use cases.
[29:44.000 --> 30:07.000]  So, most likely, when you decide, or if you decide to use such a framework in your company, either because it's open source, at some point, there is a large repository of these plugins, like some existing tools, not for compliance checking, but for IAC management in general.
[30:07.000 --> 30:17.000]  They do have, like, large libraries, or that your company will have to kind of program this suitable plugins themselves.
[30:17.000 --> 30:31.000]  So, it's good and bad thing at the same time, because extensibility is allowed, but at the same time, at the moment, there are only few plugins.
[30:32.000 --> 30:40.000]  So, I think it might be automated. It might be automated with a suitable plugin.
[30:41.000 --> 30:58.000]  So, I would say, yeah, legacy systems is something special, but everything which already uses infrastructure is a code. I would say, yeah.
[30:59.000 --> 31:22.000]  Ideally, we need the functionality that you described, and I think you mentioned this already, as a plugin to our infrastructure as a code, so that we can use our ways of deploying of initial configuration, then we insert a step that is checking compliance.
[31:23.000 --> 31:44.000]  And after this, we do some testing and verification. So, in this case, it fits, because if this is a separate entity, then it will be very hard to use it, because if our optimization will overwrite the settings at some point in time, that would be obviously a miss.
[31:44.000 --> 31:56.000]  So, if we have an optimization, then we need to have a way how we can either trigger this compliance checking or embed it.
[31:56.000 --> 32:02.000]  And if we need to trigger it, then obviously, we need to somehow transfer the information about the data models.
[32:02.000 --> 32:11.000]  So, that should be a way how those two systems exchange information about available servers, operating systems, applications.
[32:12.000 --> 32:22.000]  I see, yeah. So, kind of how you integrate this process or the framework into the existing pipeline that you have, right? The deployment pipeline.
[32:22.000 --> 32:36.000]  Yeah. Yeah. I can also imagine something like, for example, if you have some means of scanning and operating system on the fly.
[32:36.000 --> 32:47.000]  So, let's say you have some kind of an agent that is placed by our automation to a target host. It scans the host and tells, okay, this is Ubuntu version 20.
[32:47.000 --> 32:58.000]  This is the list of the packages that I installed. And according to my database, I know that for Ubuntu 20 and for this list of packages, I have following compliance rules.
[32:58.000 --> 33:07.000]  Let me check what's going on on this system. Okay. I have, I don't know, 400 findings.
[33:07.000 --> 33:16.000]  And then I will report it back to the aftermation hour of the main aftermation that triggers this.
[33:16.000 --> 33:25.000]  In this case, you do not need to pass any information about this target host to your system, but it will just on the fly detected.
[33:25.000 --> 33:35.000]  I identify. So, it will be like a one time execution. Yeah. And maybe you can also store and document the results if this is needed.
[33:35.000 --> 33:48.000]  But since there is another aftermation layer that might change and reinstall and redeploy, keeping this data in sync, I'm not sure where there should be a source, main source of truth.
[33:48.000 --> 34:06.000]  Okay. Yeah. I understand. I understand. Yes. That's many, many of the interviews I had so far mentioned like that this framework and tool, they would be most useful if they are integrated somehow into the deployment pipeline
[34:07.000 --> 34:20.000]  as a step. Yeah. So this is certainly a direction for our future research. Okay. So we are about to be done. No worries.
[34:20.000 --> 34:30.000]  So now it's about violation fixing. So a violation is I think what you called a minute ago as a finding.
[34:30.000 --> 34:45.000]  So basically a compliance rule that is violated. And the videos showed that the framework is capable of automatically fixing those, providing that you have the plugin for that.
[34:46.000 --> 35:01.000]  Okay. So in your case, what do you do if you find out that a part of running application system is violating some compliance rule? What do you do at the moment?
[35:02.000 --> 35:16.000]  I would say for us, it's already a step two. First, since as we discussed, we have our security guidance in the human readable form without any technical specific about how to implement them.
[35:16.000 --> 35:31.000]  So we know what we need to achieve, but we do not know how. For this reason, we need to first analyze our systems and understand which of them are really a non compliant to this new relation.
[35:32.000 --> 35:52.000]  And once we know which of them affected, then we need to define an action plan. Like if this particular version of application is not allowed, then can we reinstall it? Can we test this? How this will affect all other applications?
[35:52.000 --> 36:05.000]  We need to do it on all assets, but it's a certain configuration parameter. We need to do it on the test system, try to ensure that everything else works. If not, we will have dependencies.
[36:05.000 --> 36:21.000]  Like something is not working. We need to introduce another fix. So that might be a chain of fixes. They will be tested in the staging the environment. And then all of these changes accumulated together should be rolled out to production.
[36:22.000 --> 36:42.000]  During this whole process of creating the action plan and testing it in staging, do you use any automated or semi automated tools?
[36:42.000 --> 36:57.000]  Well, I think we try to provide a fix for the violation as a part of our infrastructure of the code library, which not always can be the case.
[36:57.000 --> 37:12.000]  Like for example, if we need to reinstall an operating system, so switch from one version to another. So this triggers some changes in the way how we deploy, but then we need to execute this.
[37:13.000 --> 37:27.000]  So yes, this is somehow automated as well. So yeah, we try to automate this so that whenever we reinstall, this change is applied automatically.
[37:28.000 --> 37:43.000]  Okay. Oh, in some cases, I can give you another example. So for example, if we get an instruction that a certain data should be stored in an encrypted storage.
[37:43.000 --> 37:53.000]  So in this case, we will have some pieces of the solution in the automation library. For example, creation of this partition that to be encrypted.
[37:54.000 --> 38:17.000]  So sitting maybe encrypting it, but after all, we would need to have some additional steps, manual steps on when we will start this particular system, because we cannot store the secret on the same system where we have this
[38:18.000 --> 38:27.000]  encrypted partition. Either we need to have some job that will mount this encrypted partition automatically, or you need someone to, after the reboot to.
[38:27.000 --> 38:36.000]  So in specific cases, you do have some manual steps at the end. Yeah. Yeah. Yeah. Okay.
[38:36.000 --> 38:44.000]  Okay. So how much do you agree with the following statement using the framework reduces the effort of fixing violations?
[38:47.000 --> 38:55.000]  So you already have some automated solution. Do you think using the framework reduces that effort?
[38:55.000 --> 39:08.000]  I think it will, if it will give us a clear guidance on how to, for example, change your configuration file, so that we do not need to research it, we need to just, we will get quickly this information.
[39:09.000 --> 39:17.000]  So if you have suggestions, like for this violation, you probably want to change these things. This would help you.
[39:17.000 --> 39:30.000]  Yeah. Yeah. Yeah. Like it is described in a stick. So this is how you test for this issue. This is how you fix it.
[39:31.000 --> 39:51.000]  Okay. So this is maybe also related to 20. So 20 says, okay, you find an issue and then you want to fix it, and then there might be some uncertainty on how to fix it.
[39:52.000 --> 40:03.000]  So the framework defines this notion of a compliance job. And a compliance job is a set of related compliance rules. Let's say one specific catalog of sticks.
[40:03.000 --> 40:12.000]  And then it says, okay, if you find this rule to be violated, you fix it that way. If you find that rule violated, you fix it that way.
[40:12.000 --> 40:19.000]  We have a structure in the framework called a compliance job for that. And of course the user deals with it with using the UI.
[40:19.000 --> 40:36.000]  So do you think that this notion of a compliance job makes it more certain on what to do if you have violations?
[40:37.000 --> 40:50.000]  Let me think for a moment, please. Yeah, please.
[40:51.000 --> 41:01.000]  Well, I would say, yes, it does reduce. But I would say the level, I would say maybe three.
[41:01.000 --> 41:19.000]  And the problem is that sometimes you can get a new security control. You can get a guidance on how to to him.
[41:20.000 --> 41:37.000]  What to change in a specific configuration file. However, your system might be configured in a way that it's not that easy to apply this change and you need to do a lot of testing to understand what which consequences will come out of it.
[41:38.000 --> 41:52.000]  And especially this is related to legacy systems that are not managed with infrastructure, the code, and it's not easy sometimes to test the changes for them.
[41:52.000 --> 42:04.000]  Or you can introduce a change and you can get a feedback from someone from the multi user systems who is blocked after a certain amount of time.
[42:04.000 --> 42:11.000]  So, yeah, it reduces, but yeah, not entirely, I would say.
[42:11.000 --> 42:20.000]  Yeah, there are still some cases in which you still, the compliance job probably doesn't describe how to fix.
[42:20.000 --> 42:31.000]  How to, well, it's not only about how to fix. Sometimes yes, fixing might be way more complex, but also the verification part after.
[42:31.000 --> 42:35.000]  For sure, it's, I would say, it's a different question.
[42:35.000 --> 42:44.000]  But for me, verification after introducing a change to something which is running is a necessary step which follows.
[42:44.000 --> 42:50.000]  And complexity for the team depends on all of this.
[42:50.000 --> 43:01.000]  So, in the current design for the process, we actually have a step of validation after fixing, after automatic fixing.
[43:01.000 --> 43:12.000]  And it's basically also plugin based, so you would need to create plugins to actually implement this validation step.
[43:12.000 --> 43:17.000]  But in the video, we don't have any of these validation plugins.
[43:17.000 --> 43:27.000]  But after our talk last year, when we were like in this group, and I think you were the one who mentioned validation.
[43:27.000 --> 43:37.000]  So we kind of updated, at least theoretically, we updated the flow of this compliance management process.
[43:37.000 --> 43:42.000]  And we added this validation step.
[43:42.000 --> 43:50.000]  Yeah, but the videos don't show that because we don't have a plugin implemented yet.
[43:50.000 --> 43:59.000]  I would say that validation in my eyes is very important in managed by your software.
[43:59.000 --> 44:07.000]  It's important for the cases where users do not have any infrastructure the code implemented yet.
[44:07.000 --> 44:10.000]  In this case, this helps a lot.
[44:10.000 --> 44:19.000]  If you have a user who would like to use your system as a plugin to, for example, existing incibel automation or salt stack automation,
[44:19.000 --> 44:26.000]  then we can assume that most of those users, they will have their own ways of verification.
[44:26.000 --> 44:32.000]  And most probably, yeah, I cannot really predict it.
[44:32.000 --> 44:42.000]  Some simple verification might be valuable and make sense on your end, but most probably end-to-end verification will happen
[44:42.000 --> 44:46.000]  anyhow after the execution of this complex automation job.
[44:46.000 --> 44:52.000]  So it's already part of the existing deployment or integration pipeline.
[44:52.000 --> 44:55.000]  This kind of checks validation.
[44:55.000 --> 44:59.000]  Well, I would say it should be.
[44:59.000 --> 45:00.000]  It should be.
[45:00.000 --> 45:03.000]  Is it really the case and all of the cases?
[45:03.000 --> 45:04.000]  Yeah, of course.
[45:04.000 --> 45:08.000]  It depends on how well they actually have their pipeline designed.
[45:08.000 --> 45:09.000]  Yes, of course.
[45:09.000 --> 45:13.000]  But ideally, yes.
[45:13.000 --> 45:15.000]  Okay.
[45:15.000 --> 45:19.000]  So now 20 is done.
[45:19.000 --> 45:27.000]  So we go to the next slide, which is like the last set of questions, and they are kind of general questions.
[45:27.000 --> 45:37.000]  So according to your knowledge, how do you evaluate the novelty of the framework?
[45:38.000 --> 45:48.000]  Well, I must admit that I'm not up to date with the latest greatest state of the DevSecOps,
[45:48.000 --> 45:57.000]  because I know that, for example, in Saltstack, they, I think, since maybe years for now,
[45:57.000 --> 46:06.000]  they invested and they have a product, which is focused on implementing
[46:06.000 --> 46:12.000]  certain compliance rules as a part of the, yeah, their main application.
[46:12.000 --> 46:17.000]  I know that Ansible also is doing some work or Red Hat is doing some work for this,
[46:17.000 --> 46:21.000]  but I do not know the latest step and what is the functionality.
[46:21.000 --> 46:29.000]  From the very brief view, I would say that Saltstack sounds quite similar.
[46:29.000 --> 46:33.000]  Well, Ansible, I do not know.
[46:33.000 --> 46:34.000]  Okay.
[46:34.000 --> 46:36.000]  So for me, it's hard to judge.
[46:36.000 --> 46:37.000]  Okay.
[46:37.000 --> 46:38.000]  Okay.
[46:38.000 --> 46:43.000]  I would say for the state of the infrastructure that we manage in our team,
[46:43.000 --> 46:47.000]  this definitely introduced some new functionality that we do not have yet.
[46:47.000 --> 46:51.000]  That's interesting.
[46:51.000 --> 46:58.000]  So now a question about extensibility, and it's actually two questions.
[46:58.000 --> 47:03.000]  So do you think extensibility is useful in general?
[47:03.000 --> 47:08.000]  And extensibility here means the ability to add functionality via plugins.
[47:08.000 --> 47:10.000]  Do you think it's useful?
[47:10.000 --> 47:15.000]  And second, do you think that the framework actually provides extensibility?
[47:15.000 --> 47:18.000]  Well, I think it provides.
[47:18.000 --> 47:21.000]  So you can define new operating system flavors.
[47:21.000 --> 47:26.000]  You can define new security controls for each of the operating system.
[47:26.000 --> 47:30.120]  So you can define new models of the systems.
[47:30.120 --> 47:36.640]  So what maybe I'm missing a little bit, but I assume it could be also added easily is
[47:36.640 --> 47:41.720]  some kind of a classification of data.
[47:41.720 --> 47:47.320]  Because in my eyes, so you have any instance of Ubuntu.
[47:47.320 --> 47:54.600]  If the instance of Ubuntu is used for one day to just install it and test the hardware
[47:54.600 --> 47:58.600]  where the instance is running, it has one value.
[47:58.600 --> 48:05.600]  If the same Ubuntu is used as a server where you host git repository with a source code,
[48:05.600 --> 48:08.600]  it has a very different value.
[48:08.600 --> 48:17.600]  So I would say this kind of security importance, if you may, or classification, this is what
[48:17.600 --> 48:22.600]  I think might make sense.
[48:22.600 --> 48:32.600]  So the same version of operating system, you might want to spend different amount of effort
[48:32.600 --> 48:34.600]  that you would like to invest in the security.
[48:34.600 --> 48:42.600]  In some cases, it makes sense to have some basics applied like basic user management,
[48:42.600 --> 48:47.600]  higher wall, pseudo configuration, SSH configuration.
[48:47.600 --> 48:53.600]  But in other cases, you really need to build a protected system where you need to look
[48:53.600 --> 48:57.600]  into each and every piece.
[48:57.600 --> 49:06.600]  So you need a way to identify these important nodes in the architecture.
[49:06.600 --> 49:15.600]  Yeah, I think it's an effort for the compliance rule modeler, but in theory at least, I think
[49:15.600 --> 49:20.600]  the framework is able to do that at the moment.
[49:20.600 --> 49:26.600]  Okay, so hypothetically, would you use such a framework in your work and if so, in which
[49:26.600 --> 49:27.600]  areas?
[49:27.600 --> 49:28.600]  Yeah, I think so.
[49:28.600 --> 49:39.600]  Well, I would use this framework and especially in an area where I would like to understand
[49:39.600 --> 49:46.600]  the state of the systems that are running, so their current compliance state, and get
[49:46.600 --> 49:49.600]  a report about what is missing.
[49:49.600 --> 49:54.600]  So not the automatic fixing part, the checking part mostly.
[49:54.600 --> 50:04.600]  Well, first is checking and then providing an input that is easy to embed into our existing
[50:04.600 --> 50:08.600]  automation framework.
[50:08.600 --> 50:14.600]  In your video, you provided an example with the shell, snippets, so this is something
[50:14.600 --> 50:18.600]  that can be easily automated.
[50:18.600 --> 50:27.600]  In our area, I would just add this to our regular automation and run it on all servers.
[50:27.600 --> 50:37.600]  Okay, so in the last question, you can give your general impression if you want.
[50:37.600 --> 50:39.600]  Yeah, let me think.
[50:39.600 --> 50:48.600]  I think we talked about the data classification and about the server classification from security
[50:48.600 --> 50:51.600]  perspective.
[50:51.600 --> 50:57.600]  Yeah, we talked a lot about the integration with existing automation tools like Ansible
[50:57.600 --> 51:00.600]  Assault.
[51:01.600 --> 51:07.600]  We talked about the verification that the software is running as it should after applying
[51:07.600 --> 51:10.600]  the security ratings.
[51:10.600 --> 51:14.600]  Yeah, so I would say most of my comments we already discussed.
[51:14.600 --> 51:20.600]  And other than that, I think in general, this is a good initiative.
[51:20.600 --> 51:26.600]  I also cannot compare this with what Saltstack or Ansible.
[51:26.600 --> 51:29.600]  Alright, Ansible is doing in this area.
[51:29.600 --> 51:33.600]  Yeah, for this, I'm not prepared to make any judgments.
[51:33.600 --> 51:42.600]  And yeah, for me, it's something that we miss, a certain piece that we miss in our implementation
[51:42.600 --> 51:45.600]  of the security framework.
[51:45.600 --> 51:46.600]  Okay.
[51:46.600 --> 51:48.600]  Yeah, thank you very much.
[51:48.600 --> 51:55.600]  You provided very valuable information and I think this will influence the paper and potentially
[51:55.600 --> 51:57.600]  also the future work.
[51:57.600 --> 52:04.600]  So I hope that the framework at some stage will be in a state which you can actually try
[52:04.600 --> 52:10.600]  and use because yeah, we would like that our efforts are actually used