59:17 Webinar

Secure All The Things! Pure’s Pervasive Approach to Security

Each month, Pure’s Coffee Break series invites experts in technology and business to chat about the themes driving today’s IT agenda - much more ‘podcast’ than ‘webinar’. This month, host Andrew Miller will invite Nick Psaki to the virtual break room to discuss all things security!
This webinar first aired on January 19, 2022
00:01
Hello and welcome to this month's January 2022 1st coffee break of 2022. My name is Andrew Miller, your host. I'm joined by Nick Psaki. When you look up the definition of gravitas in the dictionary, you find Nick's name, you'll, you'll understand more why as we get to his and going through it all and maybe we just, just hearing his voice potentially.
00:21
Uh We are here today to talk about all things security, securing all the things like it says. Uh Yes, there's a little bit of a meme there and Pure's pervasive approach to security. Uh Now, as always, there's just a little bit of housekeeping before we turn the music down this over here because we do do this live right. Get the dock over there. Good. So thank you all for joining in case you are
00:43
wondering where is my coffee card because I mean, that's part of the reason that everyone joins us. So let's just be real about it. You know, call, call a spade a spade. Um That comes now after you've attended. So thank you for being one of those who is attending and hearing this right now.
00:55
Um There's some instructions there if you don't see the coffee card as well. Uh Various folks you're listening to the exclusion categories. We love you, we appreciate you. You just know that we can't send you to stop. Right. That's the way uh, various policies work now. Not quite housekeeping, but I want to thank Nick for being willing to dive in with me for
01:13
basically what is the one year anniversary? I I know I played that card a little bit with Kyle Keller uh last month kind of thing. Uh So, but we've actually had a solid one year. We've gone on everything. We, disaster recovery, business continuity, storage, ransomware. The goal has been as you see from some of the topics here to keep it solution focused
01:31
educational, of course, it dials dials in on pure stuff because hey, you see the logos, you know what pays for it. But at the same time, we're not just here, like here's our stuff. Like hopefully it's actually educational, interesting, you get some stories and details out of it kind of thing. Emily also just put in the chat and I appreciate it document,
01:47
but I believe actually links to um the last 12 coffee breaks as well. We may be sending that in a follow up email. Some of the stuff we figure in real time last housekeeping, make sure to join us next month. We're actually going to reprise with updates a perennially always relevant topic, disaster recovery and business continuity, even if you don't care about it, it cares about you think I'm gonna be joined by Zain Allen.
02:10
Um One of my peers actually, he's got an MBA. I don't. So, you know, hey, that says something good about him. We're gonna be going through the elephant in the room, which is often that around the expectations of the business and the technology capabilities are very different. There may even be an elephant on a slide and
02:25
we're actually then gonna dive into getting actually kind of deeper into some of the ways that Pure can help you. As you may know, I'm your host, Andrew Miller. I'm not gonna introduce myself except the fact that I started out with a pair of PIX firewalls, some security stuff and we had our own border router and our own DMZ administered DNS servers. There was a good bit of antivirus in there,
02:47
proxy servers filtering all this kind of stuff pretty, pretty fun background from a security standpoint. But security is this huge topic is where I think I'm gonna go ahead and we will pull down the music a little bit because Nick, do you mind introducing yourself? Oh, thank you, Andrew. It's really good to be with everybody today and
03:07
thanks for having me. Uh I'm Nick Psaki, I'm the principal technologist for North American public sector for Pure Storage. And uh as a result, I I deal with uh a lot of customers, some of whose middle names are security and I have a, a background in this for better or worse. Um I was the chief uh of the Army Intelligence branch.
03:26
Uh So the technology and integration director for the Army G two where security is essentially your building code and everything that you're gonna make has to fit inside the security parameters. So you never even set foot or start out building a system or an architecture without consulting the code first. Uh So i it's a curse that we all have to bear somebody in every organization winds up being
03:48
the security policy and implementation guy. And I, I really thought I'd escaped it. But, you know, there's a, there's a, a quote from the Godfather part three that always comes to mind, you know, just when I thought I was out, they pull me back in. Um So I've, you know, I've been the, the field facing component for the security practice for
04:06
Pure Storage for almost as long as I've been here. And it, it's kind of interesting how this always comes in waves. Security is not a focus, generally gets subsumed by performance or scalability or cost economics or any number of things. And then something happens and then it becomes top of mind. Again, in my old line of work, we simply
04:25
assumed that people understood we had very specific security controls because they were, you know, published as a matter of statute and regulation and come to find out an option. No choice. Right. But, you know, again, another great quote, trust but verify. So this is something that, you know, has become very prominent in a lot of people's minds,
04:46
especially since uh the rise of ransomware and crypto ware and all other sorts of nefarious activities uh as the work from home and remote work, uh reality blossomed in the wake of the, the COVID pandemic. And uh you know, it's, it's become, I shouldn't say a hot topic. It's just become a front and center consideration now in system design and
05:08
particularly in the data service infrastructure for a lot of our customers and, and a lot of our prospects. So it's, it is about as exciting as watching paint dry a lot of times. Um it can get pretty esoteric but, you know, fundamentally I, yeah, it matters, you know, and I look at it, I look at it as one of those things where you buy a super awesome car but,
05:27
you know, you assume it has ABS brakes, airbags and seat belts. This is one of those things where we want to make sure not only do our customers go fast but, you know, they go safely as well. So I think securing all the things I'd love to say that we secure all the things, but, you know, security is a many splendored thing or a many layered thing and that's really
05:47
what, you know, I'm looking forward to talking about today is, you know, how do you build an integrated data architecture where the data service infrastructure is an active participant in helping secure the enterprise because it's, you know, storage is the foundation of, of the enterprise architecture. And a secure enterprise really begins with a secure foundation.
06:03
I think I wrote that as a blog post about seven years ago. That feels like a segue. I'm actually, I, I remem I reminded what so so as as if you're listening and we try and keep this relatively relaxed, but we do prepare, like prepare to be flexible kind of thing. So when we were chatting ahead of time and Nick and I were,
06:18
were uh were discussing how this is actually a topic that you want to be boring because if it's not boring, it's a problem. It's not boring at 2 a.m. in the morning or the times that you don't want it to be boring in front of your boss or your or an auditor or a regulator, like you really want this topic to be as boring as possible. That's good. So from an agenda standpoint, a little bit
06:36
similar as you may know. So, you know, not too much of an agenda, there is so much to secure. Uh we do have Rob with us today. Greatly appreciate he is here to help out with the Q and A. So please feel free to put stuff into Q and A, we'll weave it in as we go along the way if we can. If not, I always aim to be done at the 45
06:52
minutes past the hour mark and then we'll hang out and take Q and A live as well. But from an agenda standpoint, we're gonna start with frankly not starting with pure as always or as often talked about the larger security landscape. There's actually some of Nick's background when he saw what's new, that is old. You know, there's some previous concepts that
07:09
are coming back to the forefront that we want to make sure to explore. Then we'll start to wander into various ways to look at Pure's portfolio through a security lens. Both DevSecOps. I know we're already crossing off so much of the buzzword bingo cards is not even funny, but there's like legitimate stuff there that we're doing that's real um as well as then what
07:28
we're calling pure security, smart export. We'll do a kind of a, a fast run through a lot of different capabilities that pure has that is relevant from a security landscape standpoint, first, larger security landscape. So I, I think this is where Nick. I just wanted to almost go back in time. Maybe if you don't mind about uh 20 years ago or so.
07:49
I, I believe you were, if, if that, if that's all right. Um You were an infantry in the army and then there were some, I think military intelligence person, do you mind kind of talking about what security looked like? Both in general because it was kind of different in the military overall. It means it can mean multiple things as well as
08:04
how you started in the security landscape. Well, you know, it's, it's kind of funny, as you said, history, history doesn't repeat itself but it does rhyme and it certainly evolves, you know, and the threat landscape over time has, has morphed. But essentially the same stuff still happens back when,
08:19
back when you and I were much younger people with much fuller heads of hair. You know, we had worries about polymorphic viruses and, you know, bad things happening on your computer invading your, your shared memory space and your DOS platform, what have you and you know, what, what that gave rise to was. Well, you know,
08:36
Symantec, uh Norton Norton security, all the rest of the things that we take for granted today on our laptops, desktops and our enterprise infrastructure for virus scanning. But things evolved further over time. And you had, you know, crypto malware and crypto locking of data. And then you got ransomware today and it was only three years ago that we were sitting there
08:55
uh wrapped around the axle about Ryuk, right? Um People still try to steal data, people still try to steal systems, people steal hard drives out of cars, people, you know, it's the world's a dangerous place out there. And how do we help uh shore up the security barriers and boundaries? How do we help protect data and protect the
09:17
systems so that, you know, folks who are supposed to be able to access data can and folks who aren't, don't, um, that, that really, you know, was a fundamental part of, you know, what, what you get taught even as a, as a young private in the United States army, you know, you think security first last and always in everything that you do,
09:37
how do you protect yourself? Now? Obviously those threats generally tend to be more physical in nature. But as I, as, as the sins of my past found me out and I was doing more and more computer based and digital based and digital transformation stuff. The lessons come back home about how you secure any of your platforms and remote sites and edge
09:57
networks and hostile environments and all of it. Oh, I'm spotlighted. You're good. No, don't mean to disrupt you. I was spotlighting both of us so people can see us so kind of thing. And I was even thinking about like, the challenges like, like mobile data centers and enemy territory.
10:10
I mean, that's, that's kind of crazy. I think I say that. So, yeah, we can, I mean, the digital and, and why not, you know, we think about some of our customers uh, operate oilfield services in some unsavory or downright dangerous parts of the world. So, you know, security threats are generally speaking universal.
10:28
Now, the specific things that people are, are threatening may be very specific to your, your organization. But, you know, we've, we've fielded calls on, you know, how do I protect a data center in a country where they might seize my data center? One of, one of my, these kind of disaster recovery and continuity questions are, are sort of the nightmare scenario is that that security people stay up,
10:51
you know, late at night going. Oh What happens if you know, I, I live in Wyoming. What happens if the Yellowstone supercaldera actually blows up? Um Frankly, I'm not gonna be around to worry about it. So that's uh that's one of those things where you just throw up your hands and go. Oh, well,
11:04
you know, some things, some things are too big to protect against asteroids colliding with the earth. That's a massive problem. Not a, not a problem. That's actually a great point and, and we didn't even talk about this. But so periodically when I'm now, sometimes this happens with ransomware, but other security conversations is either like to
11:19
embrace some of people that in good faith. Sometimes of people are playing with us, they play stump the chump like, oh you're the, you're the guy who's supposed to be smart here. I'm gonna show you. Ok? Oh, so be it. But there are people who get wrapped around the axle from a theoretical standpoint, like what are all the possible vulnerabilities and things
11:33
that go wrong? And I actually enjoy sometimes playing that out theoretically at the same time that I want to make sure to pull back at some point in the conversation to the concept of relative risk. Like is this theoretically possible? Yeah, but all these other things are way more theoretically possible. And if we're talking in defense in depth, we ought to do that stuff before we worry too much
11:52
about this, the kind of building theoretical castles in the sky before we ground in what's likely in reality? I do. Yeah. And then we uh you know, we sit there and it, you and I have often been involved in conversations where, you know, we're down rabbit holes. I mean, we're, we're living with Bugs Bunny's extended family.
12:11
But I'm always, I always try to be conscientious of the fact that at the end of the day, the customers got some security objectives that they really need to solve for. And some of them may be statutory like it's written in law. Uh some of them may be regulatory where there are regulations that govern their business. Some of them may be internal policy, everybody's got security policies for really
12:30
good reasons. And this goes back to the famous Simon Sinek title, right? Start with why? So I love having conversations with people about why are you trying to why are you implementing this technique to secure your enterprise? What are you trying to achieve for your data protection?
12:45
Uh overall. And there have been times where I've followed that with customers and sometimes they're stuck with doing a certain thing because they're required to do that thing. But their objective is different and then we do something else to actually fulfill the objective, the outmoded control that they're still stuck with,
13:01
can't actually help them with. We, we see it happen a lot. And, you know, in, in our job, as you know, the vendor in this equation is to build systems that meet uh a foundational set of security standards. And this is one of the things that really attracted me to Pure Storage a long time ago. Actually, when I was still in the army,
13:19
um I was evaluating a number of different, you know, data service, infrastructure, vendors and their products. And I went, you know, this system is, has got validated cryptography and, you know, validated system security from the National Information Assurance Partnership, the US contingent on Common Criteria organization.
13:36
And when somebody's taken what I do seriously, and that has been something that I've taken, you know, as a, as a focus item for my own practice within the company going forward is making sure that we still do that, that we provide customers with systems that are, that are obviously high performance, incredibly scalable, that efficient and affordable to sustain incur zero technical debt, but first and foremost,
14:00
they're secure. So when I have conversations with, with our prospects and customers, I I deal with five S's, the five S's of of basically government acquisition, you know, for technology. So the five S's are really straightforward and you have to address each one of these
14:17
positively. All right, security, simplicity, scalability, sustainment and the last one is speed. All right. So is this secure, will it provide me with the protection that I need to operate my enterprise effectively? Is it simple?
14:33
You know, why would I invest money in something that's more complex and requires more work? Because frankly work spent working on time spent working on your IT isn't time actually getting work done. It's sort of like maintenance on your car is maintenance, but it's not driving your car. That's not why you bought it. Do you mind if I tangent off that simplicity?
14:48
One for just a second, I want to come back to the five S's. Um There, there was one story you were telling about how um you know, kind of early two thousands, it was about leveraging commercial tech and some of the simplicity of information distribution, you might kind of just like just kind of weaving that story in here with stuff. So I developed,
15:06
I developed a reputation as being a guy who exploits capability that already exists in systems. All right, I needed to be able to do stuff. So we had a big challenge um in uh an operational theater that I was working in around data distribution and dissemination. This is 2006. All right. So still web web 1.0 but the mechanisms that we
15:27
used for tasking information assets and developing products and delivering, distributing those to their, the requesters were built built off of basically FTP that they were agonizingly strict and rigid and not accessible to everybody. You know, we're all sitting there going, that sounds terrible. And the day I have smartphones where we've got access to everything basically at our
15:49
fingertips. This was, this was the landscape that we lived in at the time. So I was, I was going through the, the main directory, the root directory of one of my systems and it, you know, it's a UNIX based system and I saw a directory that said slash www. And I said, I wonder if there's actually a web server on this thing?
16:09
Lo and behold, there was. So we created an httpd process maybe before Apache probably a about the same time as Apache. But given the proprietary UNIX implementation we were using probably it was not Apache, but what it was was effective. So we launched a web page which was even more barren than Google's famous search bar page. And you know, customer, our customers would ask us for information products we'd develop and
16:34
then we hang them on the web page and send them an email with a, with a hyperlink. These were radical concepts in the army at the time, but essentially, we instituted web-based dissemination and tasking for, you know, our service requests and really made ourselves tremendously more efficient and made our customers tremendously more happy by delivering them a service where they could
16:54
consume it at will. And we didn't have to worry about it anymore once it was done. But if I had to do that again today, the number of hoops, I'd have to jump through to secure the website would be pretty daunting. You know, we live, we live in a world now where we've discovered all the ways in which people can afflict our good intentions and, you know, have to think about now SQL overload.
17:16
If anyone wants a fun thing after this, go search on Little Bobby Tables, you know, the classic XKCD uh kind of where they needed the kid to overload tables. So going back to the five S's, what you're actually describing it actually passed the security validation process though. It was in the already there. It was very simple. It was very fast.
17:32
I'll let you keep playing out the rest of the S's because I want to, I want to make sure that we move on. So, so in the army, when you do a five paragraph, operations order, the fourth paragraph is uh uh service and support. So you're cheating, you're actually doing two things in one paragraph. So when I get to the sustainment piece,
17:47
it's really sustainment and support and government people sort of understand that intuitively, when I'm talking about sustainment, I'm also talking about what additional support is provided for that platform. So those two things sort of live together in, in the thought space of, of my customers.
18:02
Um And then the last one was speed. I mean, we build all flash platforms, of course, they're fast, but you have to address all five of those things in order to move on to the conversation of, OK, are you're suitable for what we're trying to do? Now, let's talk about how we can help the customer achieve their transformation objectives. And that's, that's, you know, but if you,
18:23
if, if, if I was talking with a vendor back when I was in my, my uniform days, and I got to know on any one of those five things I'd have to say. Well, you know, I'm really looking forward to seeing how your product evolves. You know, we'll uh we'll touch base again in six months, 12 months whenever um that's not a position that we want to be in.
18:41
Um that's a position where we want to be able to address the customer security requirements upfront. So that foundational component of being able to do data encryption and, you know, certified system administration to meet secure, you know, statutory con uh security objectives is really, really important, especially in, you know, large enterprises,
19:00
government organizations, anybody who's dealing with taxpayer information, uh, health care, patient information, citizen data, any, any protect California data privacy law. Uh, the GDPR, all these things are things that we want to make sure customers don't have to think about that. They've got a warm and fuzzy feeling that the
19:18
platforms they're adopting from us help them stay in line with, uh, well, whatever they're gonna get audited against and those are really important things people don't think about them until the auditor shows up and you're going, oh my gosh. You know, how many times do we get phone calls? Do you guys have a FIPS 140-2 validation certificate?
19:36
Yes, I do. Here's the link to NIST's website. Don't take, this is another thing I always caution to people in the follow up, right? Don't take the manufacturer's word for it. I respond with canonical sources. I'm not the one who's saying it. Here's the original source.
19:52
That way nobody can say that, you know, we're misrepresenting ourselves or overrepresent ourselves. There were a couple other themes and I'm, I'm, I'm, I think I'm just gonna give you a little bit of a kind of kind of buyer's choice here, Nick. Um We talked about statutory versus regulatory compliance, data security versus system security and,
20:14
and even I, I think I, I'll go and take the Log4j as a transition to number three. Anything that you want to kind of comment on there before we start moving to Pure's DevSecOps approach because there's so much we could talk about here the whole time back to you for a little bit. Yeah. So statutory compliance is, it's in law, whether it's federal law, state law, what have you. Congress don't grant no waivers
20:36
is what we used to say in the army. All right, regulatory policy. On the other hand, you can often do you know substitution controls or mitigation measures or you can get exceptions to it. But these are things that, you know, folks who have to deal with this stuff on a daily basis, payment card industry, hospitals, health care systems, health insurers,
20:57
PCI DSS and yeah, they can't, they can't work around it. So, you know, from my perspective, my customers are not only regulated but they also happen to be the regulators and you would be surprised to the degree most government agencies bend over backwards to make sure they're complying with their own, you know, law and policy.
21:15
So oftentimes, it's a, it's a really rigorous conversation about specifically how do we address the security controls in NIST 800-53 or 800-171 media sanitization in accordance with 800-88 or two and all the rest of that stuff. This is my, this is my nighttime reading and yes, I do usually fall asleep reading it. So in about five minutes uh, longer than that based on how much you remember of it.
21:39
I bet it's worth the five minutes. But, but maybe, well, yeah. So this is another one of those terrible things is when that's the pond that you swim in as a fish, you know, the water pretty well. And, uh, it's, it's, it's good, um, because I can take it seriously and have,
21:54
you know, conversations with people around, uh, the control says this and I'm like, yeah, but you know that it might not mean what you think it means in this context, you know, or contextually that does that control really apply to your enterprise? If the answer is yes then OK, let's talk about how we can, how we can address it.
22:11
And sometimes it's nice to be able to get people to think. Oh, wait, hold on. That's talking about, you know, access control for end user workstations, not enterprise infrastructure. Well, you know, and that changes over time too. That's why we put Multifactor authentication into our systems because more and more enterprises are going.
22:26
No, I want end point security every single end point even in the infrastructure. Um So we need two factor authentication tokenization and things of those nature, things that things of that nature, but security also is now a lot of customers are looking at, ok, tell us about how you build your products, you know, supply chain, security, manufacturing, security, uh ISO certifications,
22:46
ISO 9001, 27001 and, and I'm gonna take us right into number three and your software development security model, you know, or you don't want to toss in one thing there. So the, the idea that, and now this is a Pure, you should have, you should apply this to Pure and other companies do. We're not like cherry picking here that if you're not thinking security first and hardware
23:11
software, it's very hard to have a secure system and it's incredibly hard to retrofit it a little bit is just about as ugly as it gets. All right. So it is really, really hard to do secure, to engineer a secure system whose security components and controls work transparently. And a lot of, you know, people say opaque, but I like to say,
23:32
you don't even see it working. It, it is just working when it's done. Well, you're not embracing that security usability spectrum. It's just there is the foundation instead of like more. So the the other piece here and we weren't sure where to throw this in by the way. Um When Nick and I were talking about this topic last month and then a month,
23:47
a week later or so, actually, it wasn't last month, a week later after we decided on this topic. Uh there was this thing called Log4j that hit basically the entire internet world galaxy Continuum. So the whole world did want to at least mention that because that actually relates to some of what we've done as Pure from the beginning of building security in.
24:08
I'm not gonna go and make this a Log4j ad. But we at the point of there's a huge amount of effort from Pure engineering, multiple options that some involve non disruptive updates, self, customer driven support driven, of course, new software versions if you want them. And as I've been looking through even talking with some friends at a,
24:26
at another large company, actually a partner of here. So I'm gonna leave the name out. They're actually still pushing out updated Log4j patches and scripts kind of things. So this is still going on in case you're coming, this wonder you're like, man, are they going to talk about Log4j? Yes, but we're not gonna try and beat on it because we actually did a really good job with
24:42
it. There was a little bit of bumpy at the beginning because there were three versions 2.15, 16, 17, all within like a couple of days from the Log4j library, from Log4j library. Um But if you're a Pure customer and you haven't reached out about this, hopefully you've already been contacted and seen emails.
24:55
Um You can be in a very good spot if you're not a Pure customer and you're like, how did Pure handle this? We are more than happy to give you more details and we would want to stay on a public forum, but there's actually a pretty cool story there, especially what's available today. I remember, you know, being involved in that on like, well,
25:12
I hate to say this on Zero Day. Um I was getting a, we were getting a tremendous amount of, you know, inquiry from across our customer base on whether or not we were exposed and to what degree we were, you know, what were the remediation steps and everything else? And this is one of those things where I I'm always reminded of that great line from William
25:31
Shakespeare where, you know, Friar Laurence says wisely and slow, they stumble, who run fast. The if we, if we jerk our knee, then dozens of exabytes of data become at risk, right? One of the things that I thought we did really well was say we recognize that there's a that
25:51
yes, we're exposed, we are trying to assess exactly how best to fix it because we really wanted to do a one shot fix. And that's, that's one of those things that, you know, we're, how does one say in a state of high anxiety as well? Because we know we've got a problem. We know we've got thousands of arrays and
26:07
thousands of customers who are now at risk and we're sympathetic to the customers who are sitting there going. Oh my Lord, my entire enterprise is now exposed to a zero day code execution vulnerability that automatically grants related privileges to whoever can trip the trigger on it. Um So everybody's trying to get it fixed and everybody is getting heat from on high,
26:27
from their leadership on fix it. Now, fix it. Now, fix it now, secure all the things and we're sitting there going, we need to get this right the very first time. So while it is painful to, to take it slow, the old axiom in my old line of work is slow is smooth and smooth
26:47
is fast. Um There is a question from a gentleman, Harry. Uh Yeah, Harry Bill and uh I think that, you know, we've gone 27 minutes on uh the exciting and energizing world of security, but I'd love to catch a question or two. So Harry, please, by all means, put it on the Q and A.
27:07
You can't come off mute. So please put it in the Q and A. Please put it in the Q and A. So we can, we can, we can highlight you a couple more items here and then we're gonna go into all the stuff that we do this customer facing. So DevSecOps um the we're actually chatting with a gentleman named Tinder. Uh he, he's public with Pure um and actually he
27:25
was, he's a, he's a doctor in all things security. The summary that I got from him is that there are three big points here and I'm mainly just accelerating this next week. And moving into number four here is first Pure overall designing for security in mind. This is now still from a development standpoint pro as we're designing products, we're using threat modeling,
27:45
we're using multiple scanning tools. No, I'm not gonna say what those are in a public forum because I shouldn't, right kind of thing. But there's this actually development process around that. Next, there's deploying with security in mind. So this is around um you, you, you already mentioned N as well. I always want to say SAS E and I'm not sure how
28:00
to pronounce the acronym shame on me, but it's the deployment process, the implementation process. And then finally, if you were here last month, you heard about Pure1 or other cloud services. So there's the idea of operating in the cloud with security in mind that's around boundaries, boundary controls actually goes back to some of the scanning tools and other ones.
28:18
So that's kind of the three part framework that often goes into, you know, DevOps as those things all kind of relate together in a continuum. I think though, I wanna make sure to leave enough time to start to wander into customer facing security features just because number three, that's cool. Hopefully it helps you be comfortable that we're doing good security stuff under the
28:37
covers, but it doesn't affect you or rather it only affects you if we do it badly if we do it right. You don't even know like you said earlier, Nick kind of thing. But I think let's wander a little bit into, um, our overarching customer facing security capabilities if you don't mind. And don't let me keep you from tossing in whatever else you want to want to say.
28:55
So. Ok. Uh, actually I'll just jump in here. Let's kind of start to walk through some of the security standards we comply with. That's right. And, and I'm gonna address something that's not on the slide when we get to the end. Um Because Alexander Watt, not Alexander Watson, we had an anonymous uh anonymous attendee who
29:15
asked us how far down the rabbit hole, do we go for something like security? For example, do we verify Docker images as part of builds? And the answer to that question is yes, we do. Um Because if it's gonna go in the, if it's gonna go in our system, then we've got to make sure that it is uh safe to eat.
29:31
Right? All right. So when we set out to build the original flash array and purity, which is now Purity//FA and Purity//FB, we took a look at the security standards for customer who was uh an, an early investor of ours in Q. And they really kind of guided us through the security landscape of what it means to engineer
29:53
a secure system, particularly for deployment in national security environments. So they said, if you're gonna do a cryptography, then you, you need to get it FIPS 140-2 validated and you need to be using AES-256 obviously, because that was the, the only valid cryptographic standard for the US government uh for deployment in NSS environments for national security system environments.
30:15
And then you're gonna have to get your system security validated um preferably on US soil by the National Information Assurance Partnership, which is a joint agency effort um run by the National Security Agency on one side and the National Institute of Standards and Technology and they jointly develop and promulgate uh the NIST standards SP 800-53 and 800-171 and a whole bunch of other stuff. Uh So that was like our baseline for security
30:41
validation. Now 800-53 is hard, there are hundreds of controls. Um A lot of which actually don't apply to a storage array or data service infrastructure and then different parts of the data are new. So, you know, we had to sit there and scrub down what, what actually do we have to address and then what protection profile we're gonna use because
31:01
believe it or not, there was not a protection profile for uh for NIAP validation. So we had to go on the network device protection profile scheme. And then what standards do we hope to be able to encompass by doing this? And the reason why we do the hardest standards at the foundational level is it lets us do things like PCI DSS, HIPAA, HITECH, uh taxpayer information C and everything else
31:24
because they are actually derived from SP 800-53. And then the CIS actually puts a validation standard, uh modifications up to NIAP and NIST uh that ultimately can be incorporated into other, other security standards at the foundational level. So we do the hard work up front so that we can catch everything else on the way down.
31:47
And then for SOC 2 Type 2, obviously, that's an enterprise um generally and as a service platform validation and as Pure1 has grown up, we started pursuing SOC 2 Type 1 and SOC 2 Type 2. So across the board, we need to make sure that the entire portfolio, the product portfolio is uh is consumable by customers with really strict uh
32:07
security compliance controls and and and needs. No, I want to make clear for you listening if you're like that said Flasher, right? We're choosing purity secure, like it says software harder measures high security standards. This is across the entire portfolio. We can only go so deep on so many things in the
32:25
time. So we chose to illustrate this especially because let's be real. You're started with flash array. There's application here to flash blade to Pure1, et cetera. We're not going to roll out every single security certification for everyone. But please don't hesitate to reach out no a bunch.
32:40
So, and then you know, we talk about flash blade too that says flash array X up there, flash blade uh is also going through the same processes. It's actually FIPS 140-2 validated today. It is actually under undergoing FIPS 140-3 validation because its cryptographic module is um has evolved. So as the standards evolved and as our technology evolves,
33:00
uh we continue to keep in step with those changes, we're pretty excited about that because I believe we are, I think if it keeps going on its current schedule, it'll be the first platform that we validate pure storage validates under the new uh cryptographic validation uh schema. And then yeah, let's let's go layer deeper.
33:21
So start to talk a little bit. So we, we put out the idea of that a security is done well and, and I'm not here to impugn other products where you do have to have some kind of security versus usability continuum and, and balance between the two. OK? But there's a lot that we did from, from day one at a feature level that actually, I think the coolest thing about the what this slide
33:41
talks about, which I'll have you go through in a second is if you didn't talk about it and people just assumed it's secure, they wouldn't even know any of this stuff is on and protecting them. But with that make it sound really cool, please. What does it all mean? So, so historically, with systems, as we recall, you know,
33:58
cryptographic management and, and crypto encrypting your data was a series of compromises. Um cryptography can be, well, actually, it is computationally very expensive. The response times for data service platforms in the enterprise are really, really low. So it can impose a tremendous performance penalty on,
34:18
on a system that wasn't designed to encrypt all of its data all the time. And there are a lot of things that have happened over time to sort of try and address that you have self encrypting drives, you have self encrypting solid state drives, you have bolt on cryptographic modules, you have cryptographic, you know, interface cards that do cryptography online, you know,
34:35
and and pieces that get tacked on in order to be able to perform these functions. So the benefit of being a more modernized design is we can sit there and say, well, you know what in the Intel Xeon processors, there's actually an AES coprocessor that offloads the uh the cryptography. So what if we run our data pipeline, our instruction set or the data stream and those threads through the AES cryptographic
35:00
processor and just offload the cryptography to something on the CPU that already does it. That's actually how we leveraged that. And that led us to do uh a couple of other things. So rather than do cryptography on the individual drives themselves. We do, we do cryptography in the operating system which lets us actually control the
35:20
cryptographic scheme across the entirety of all of the drives in the system. Um And that let us turn it on and do it all the time for all the data all the time. You didn't have to make any choices. Now, like these volumes are going to be encrypted, these volumes are not uh turn it off and that's good because if you could turn off encryption, that's a vulnerability in a way.
35:38
Well, and another benefit here is everybody sits there and thinks, well, you know, nobody's gonna run into my data center and steal 20 drives out of a flash array. No, that's true. But you may have to RMA one of them. But we can assure you through independent validation that that drive is encrypted. Actually, the process is for evicting a drive logically already crypto cryptographically lock
35:57
the device and then we wipe the device. So any remnant data is a CD encrypted fragments of data that are unrecoverable because there's a, the key for that drive only exists in that array. It doesn't exist anywhere else. And by virtue of the way we manage cryptography in the array, the key was changed in the array 30 seconds after the drive was evicted.
36:18
So that data's orphaned. But that's a really mundane reason why we want to encrypt all the data. If you got to send something back to us. We want to make sure nobody including us can read your data, only, your data can be read on your systems by you. And that's it. Don't have to pay for nonreturnable drives.
36:34
I see that far less here. I wanna say it's never, but far less than other places I was at. And there's a fun thing, by the way, if you find the space interesting, go research someone the idea of data deletion or removal. It's not actually scrubbing the data, it's encrypting it and throwing away the key
36:48
inaccessibility versus deletion. And there's some fun stuff to explore there. Uh architecturally if anyone listening wants to go on a research site on that, so keep going. Yeah. So the the operations and media sanitization are clear and purge, right? So you clear the keys, you purge the data or purge the keys and clear the data.
37:04
Uh Sorry, I had that backwards and that's what we do. Yeah, zero key management is awesome. Having been the sorry sad sack son of a gun who had to do cryptographic management for dozens of devices. I was so glad to see that that wouldn't ever have to happen. Although there is another thing, some enterprises insist or some regulatory schemes
37:23
insist that cryptographic keys get centrally managed and we actually support that too. So you know, we have the key management interface protocol built into the platform so that we can participate with an enterprise key manager and data security scheme. Um And you know, our job is to be flexible and allow you to do what you need to do, but make sure that you do it safely.
37:42
Um There's a dynamic tension uh that, that there's two factors, two forces that are always there we go, always at play. There's security on the one hand and convenience on the other and these things are like diametrically opposed to each other. So our job as the, the people who build this stuff is to literally make those two meet in
37:59
the middle. So you don't have to fight your system into submission to do what you need to do. So, you know, the aspects that we focus obviously these four areas, the secure multi user administration, comprehensive auditing because you gotta, you know, trust me, verify, you gotta prove that uh what happened on the system and you
38:17
gotta be able to deposit that somewhere where a third party platform can look at it like or Elasticsearch or what have you uh the certified drive erasure process. Um We can, we can secure erase a drive, we can secure erase the entire array. And because it's a flash system and the way we do data management within the system, it happens pretty quickly like seconds to minutes um and then all around security.
38:41
So, you know, secure access by HTTPS and SSH to all the user interfaces. Uh we do periodic security and vulnerability scanning as part of the development process that's actually no longer periodic, it is now continuous. So our DevSecOps process is basically everything we do gets run through a suite of security tools to validate that we're staying in compliance with and not incurring any risks,
39:03
not tripping over any hazards in the, the CVE database, et cetera. So if you're listening and you're thinking, how in the world have they not mentioned ransomware yet? You're welcome. But we really know it really briefly because we did a whole webinar on this earlier with Jason Walker back in April and there's been some other follow up since then.
39:22
So super briefly and I think Nick, I'll jump on this one for time if you don't mind about simplicity of implementation and operation immutability plus safe mode or resiliency. Or I wanna say, I think Nick, you said impermeability shot, snapshots and flash array are both immutable, you can't change them and they were impermeable in safe mode, you can't erase them.
39:44
So even if an attacker gets access to a Pure system, if you enable a feature that we call safe mode, it actually prevents the attacker from being able to do the final deletion of the data. This can actually protect any data, application data, backup data, log data. We don't charge you for this feature and then you mix that in with very fast recovery, whether it's just moving metadata back or it's the
40:03
crazy throughput you can get out of platforms like flash blade. There's one last topic that we wanted to toss in here though and, and it was kind of funny because you, we realized this at the very end of man, we talk, can't talk about security and what pure does without talking about log data and rapid analytics. You mind taking the last one to bring us home.
40:23
Um Yeah, absolutely. So I was just taking a look at the Q and A again. So log data and external logging um but particularly things look like Splunk are near and dear to our hearts. This is actually one of the original projects that I was, I was involved in was how do we build a reference architecture for making Splunk uh
40:45
leverage the benefits of a of an external storage array. People laughed at us at the time. But then security logs started getting very, very big and the ability to, to run through them and find that became extremely important. And when you take a look at the, the anatomy and the evolution of a ransomware attack, you know, advanced persistent threats generally
41:05
tend to invade your system 220 to 270 days before the exploit actually kicks off and being able to look back through that data and see where things happened uh became actually a very important aspect to a couple of our very large customers. Um And that's, that's something that what we deliver is the ability to parse through, you know, terabytes upon terabytes of data in the matters of seconds,
41:26
not matters of minutes, days or hours or minutes, hours or days. This is why you actually want a flash array for this type of thing. Data analytics is something that that is incredibly improved by all flash platforms. But there's another aspect to this and that's controlling the the growth of that data footprint. And obviously a lot of these, a lot of these
41:45
platforms do compression on their own. It's not terribly efficient or they don't compress all of the data. So while your your ingest may have been compressed, your indices aren't. And that's something that a flash array and a flash blade can do for you over and above the data efficiency on the application side. So you wind up having a much an incredibly
42:04
performant system that's also incredibly efficient. But most importantly, it gives you the incredibly valuable answer to what just happened or what happened. You know, how far back do we have to go in a in a meaningful period of time that lets you respond to the threat? Um And that's, you know,
42:21
our old jargon is getting to the left of the bang or mitigating any effects of the bang as quickly as we can. So we're, we're pretty proud that this has become, you know, a an extremely robust area of practice for us um with both Splunk and with Elastic and with Vertica and with a any number of large scale data analytics platforms.
42:41
But in the world of cyber, speed is king and that's why we, we've really kind of embraced this challenge. And how do we how do we make these things performant and responsive and help people protect their enterprises? What can a flash array or a flash blade do for you? Now? Kind of the neat part about it is architecture
42:56
has evolved over time. So flash array was the initial platform that we did this on. But as the secure, as these platforms have moved to object storage, as a as a really scalable um data architecture and protocol flash blade became incredibly valuable because now you have a large scale high performance object store that has 1 to 2 milliseconds of latency.
43:19
So the ability to use a very, very flexible storage protocol object storage as a high performance data store uh became extremely valuable to a lot of our customers who were deploying these things in an object storage modality um using either S3 or our native object storage capability. And so it's it's kind of cool this can be it. We we put Splunk up there on the slide and we chose to because that's the one that everybody
43:43
knows, but this could be stack. There's other ones out, there's a lot of other logging platforms out there that live on pure systems. So really security and data. This isn't a flash array or flash blade thing. This can be a whole and if you remember that safe mode thing we just mentioned about protecting from final data deletion. Attackers
43:58
are also going after logs because they would because that prevents you from being able to recover, you can't figure out how they got in what systems they got access to. So there's a whole other piece here beyond there's the, you know, the platform layer and then the features and the capability and the speed and like mm so, so so much.
44:14
Yeah, so I mean you said it protecting, protecting both both your primary data and and essentially you think about the log files or metadata about your architecture. So protecting all of those things uh becomes extremely valuable in number one, preventing an attack from kicking off. But number two, figuring out what the heck just happened because that's the other thing that you know,
44:35
take Log4j as an example, everybody was like, OK, what just happened? How did it happen and how am I at risk? Well, you know, those are the things that we like to our primary job is to help you make sense or give you the capability to make sense of what your data is telling you as fast as possible. That's really what a data service
44:51
infrastructure platforms do with that. I'm afraid to say we're, this always goes incredibly fast for those who stayed with us. What? Well, first one, we've got a drawing, Nick. Thank you. I'm, I'm not done with you yet. We're gonna stay around after the drawing in
45:07
the formal end because we promised to get people out by about 45. After the hour, we're gonna go through all the Q and A that we want to. But thank you so much for going through this. If you miss some of this, there will be a recording sent out afterwards. Wanna make sure to note that next month we will be continuing.
45:20
Uh Zain Allen will be focusing on disaster recovery, business, continuity, embracing the elephant in the room and want to congratulate uh Matt A from Great Southern Bank for winning an espresso Asce and Erin three milk fro we might have a different price next month, but this is a pretty amazing prize. I'm sure you'll like it. We've got a very similar one downstairs.
45:41
Nick's got the classic version kind of thing with that. Thank you all so much for joining us and I'm gonna turn the music back up a little bit and we will bring it home and then come back for Q and A. Thank you, everybody, Nick. Thanks as always such a pleasure. Thank you, Andrew. Thank you everybody for joining us.
46:02
OK, a little bit of a pause. Now we are, I mean we were, we weren't ever in super formal mode, you know, kind of thing. Um You tell me if the music's too loud there. Hopefully. And let's just go and dive through Q and A A actually, Rob. Um Thanks for being such a good soldier here.
46:18
Um Do you mind even? Are there ones that you want to highlight for us as we start to look at them? You know, one I marked as answered live, it might have been missed was Nick, how do you deal with security in the military with so many programs still in DOS more secure because it was less known to new generations of hackers.
46:38
That's a great question. So one of so my job was actually to, to overhaul those legacy platforms and modern. I, so that's what, you know, technology and integration dealt with. Uh how do we take those legacy platforms and bring them into the modern day? A lot of the systems that almost none of the systems that I had in my portfolio,
46:58
I mean RBG two were DOS based but they might be Windows XP based, which is almost as bad. That's one of those things that you have to do. Sometimes you can containerize it. We, we actually virtualized because we didn't have containerization back then. And that let us do some hardening by putting some security boundary on the host to detect
47:18
the guest os uh some of that stuff, we just literally have to clean sheet it and build a new one with respect to, you know, being able to work with the data type that legacy application is standing next question, I'll, I'll take one. I was typing it and then like you time. So if someone asked encrypted data with zero key management, how can it be worked on? So we're encrypting before we write it to any
47:41
of the media for it. But of course, we decrypt it and encrypt it uh at a layer lower than it's going in and out via the storage protocols on the box. So one of the one of the the read steps when you, when you request your data from the array, the first thing it's gonna do is find the data you're looking for, then it's going to decrypt it and serve it back out to you when we park it back in the box
48:02
again. Encryption is the last thing we do that with the data where we write it for memory. So these are all operations that happen behind the scenes. So you can't, you can't touch or influence the cryptographic processes in a flash array. It's literally designed to be a black box.
48:16
Even even the the fundamental processes in the escalated privilege processes in a flash array, you can ask the cryptographic driver for a new key, but they can't ask, they can't do anything else. There's no getting in there to tamper around the cryptography. That's and I'm not telling tales out of school. That's actually in the security policy document that's on the 140-2 website that we actually
48:37
have to do an open source version of how it works that people can consume independently. It's, you know, security is boring until it isn't. Right. Hm. Looking through here, um, I actually put one on here and I'll, yeah, I'll just keep taking the first shot but make it short plans to support MFA on flash array. A list of various apps.
48:57
The answer is yes as a flash array six. Well, actually previously with RSA 6.2 SAML 2.0 you got a better longer answer. Keep going there. Yeah. And well, that's exactly what it was. You know, we have to engineer to a broad set of security standards. So we tend to adopt industry standards to do that.
49:13
We implemented SAML 2.0 and P 6.2 0.3 in order to be able to provide a fairly, you know, the potential to really broad support for um OIDC and those types of things, the standard. I also think there it wasn't in the question but it often relates. Uh we did add CyberArk support for both flash array and flash blade within the last year.
49:37
I don't remember exactly when, but it's it's been a quarter or two. I can't remember for sure the landscape changes and we continue to evolve to be able to support it. Ok, Rob, feel free to queue up and I'm just kind of looking through here as well. So, um some more MFA do we cover physical security? Is that what you, that would be great.
50:02
You want to talk about a little bit. So if, if you store the cryptographic key material externally to the system, you have the ability to disable the system immediately by pulling the keys out. We use a smart card in this case and then killing the power of the system. Because what happens when the flash request reboot is it's gonna look for the cryptographic
50:23
material to bootstrap the system. And if it can't find it, it's just gonna sit there as a blinking cursor until basically the cryptographic ignition key is reinserted into the system. So essentially your flash array and all of its data is a boat anchor until you can put the key in it. It's kind of like, you know, your car doesn't
50:42
start with key fobs nearby or your keys actually inserted into the ignition and no, you can't outlaw the flash array. Awesome. There was one James Roberts just, hey, you're still here asking, you said you didn't answer my questions. Um I was derelict in not, well, I think I actually we did call it out verbal at one point to use the Q and A button.
51:02
Uh because there's so much in the chat, it's almost impossible, just like the steady like stream of stuff. So James, if you want to put it in the chat. Now we'll be able to see it. Uh We're not totally talking for a living or put it in the Q and A because we're looking through the Q and A right now, not trying to leave anybody out,
51:15
you know. So, um, so James Campbell asked the question, how secure can a flash array be? What about the storage space? There might be a nuance to this question that I'm not quite understanding, but one of the things, the Committee on National Security Standards uh mandates is that anything that's secured for our national security system has to be validated.
51:35
So how secure is it? Our platforms are secure enough for deploying cops? You war? That's, that's fairly broad given the time constraints. Um we could have a much deeper conversation, but that's, that's really the, the fundamental answer pretty darn secure.
51:52
I'll go back. Actually, there's one, this is just a practical one and, but you know, hey, I appreciate folks asking if you don't get a gift card. Make sure to look double check your spam filter. You'll see it coming from mail at gift dot send dozo dot com. Adrian of pure storage really doesn't come, please just feel free to ping me on Twitter,
52:10
on LinkedIn, et cetera. We try to make an over the top thing, but the goal is to get them to, we're not holding out on anybody. So Ryan Goodman asked a question about MFA and he asked this question at 12 46. So we may have already answered this live. But the answer to his question is yes, we do plan to support Microsoft Authenticator or Duo or any of the other standards based ones,
52:28
which obviously heretofore, we supported RSA SecurID specifically. But now we're broadening that out to a, you know, basically a standard based and protocol based approach to multi factor authentication. So that's a great question. And one supports Sanders, the USB board. Hm, they can be disabled, but then you have all kinds of other challenges.
52:51
I don't think we interact. We don't automount file systems from a USB perspective. No, you actually have to explicitly mount the file system and you have to have escalated privileges to do it. Uh The only thing that the USB ports will automatically deploy for are uh doing rapid data a lot. Uh There's, there's a random question here if
53:11
I'm a certain person's husband. Uh No. Uh I'm not. Let's go back to the security questions though. I'll just say, you know, so James Burgess, the answer to your question is no, but we are related. That's for you and a couple of people asked about the recording that will be Emily
53:32
noted. Uh And if the case, folks didn't see it, uh you will receive a follow up email with the slides as a PDF. There were one or two folks who said you went too fast on the slide. You know, I was still reading something there with a slide as a PDF as well as with the recording link. And then we'll probably be sending at some
53:45
point a follow up with a lot of other recording links. So awesome. So, thank you again, everybody. Fantastic questions. See if there's any last ones here. Um uh Maybe I'm not quite sure where this is going.
54:01
It's for Mohammed. Have you thought about using flash, not only as storage but also as encryption, decryption key generator? Use it as PUF to be honest, I don't know that I'm following the question. It could be me. Any thoughts Nick and you can join me in the boat of being not quite sure that that's fine too, but no,
54:19
I I'm gonna have to say that I, I might not be entirely certain either. I, I think he's talking about a physical unclonable function. Um But um very interesting pause to it sort of have to discuss it in greater detail than we really have time or scope for here. Um Mohammed, I'm just putting my email address in the uh in the response and we are happy to
54:42
follow up with you on that. I mean for any of these that, that is the general answer. Um It's on my bio slide, it's just Andrew dot Miller at purestorage dot com. Uh Nick is easy to guess as well. I think maybe the last one we'll do just because we're almost at time is there was a
54:57
good one from Irvine. Um It's a little bit of what we cover, but hey, it's an opportunity to do a recap of what differentiates flash array from other products. I'm gonna take that from a security lens standpoint. Mostly it's tightly coupled architecture. You never take down time as you upgrade it. You don't have to migrate data people 10 years
55:16
ago have actually improved and changed out every single component from a security standpoint. We encrypt all the data all the time with zero key management. Although we do have keys inside, we have to and there's not performance impact as you're doing it. That's my best 60-second version, Nick, you want to do a 60-second version.
55:31
No, I can't top that. But the other, the other like I would say this, the other aspect of the platform is is when we talk about sustainability, flash array and flash blade platforms would incur zero technical debt. So as as Andrew said, it's a system that you buy once and it gets upgraded at a flat fixed cost for life. You really never have to worry about whether or
55:49
not your storage is gonna continue to modernize or your data performance is gonna get faster as time goes by because it is then it's not gonna cost you more to do it. So that's actually a pretty radical concept. Being able to do non disruptive upgrades from our oldest generation system to our newest generation system that's covering 12 years of products and we pretty much release a new product on the same cadence that Apple releases
56:10
new iphones. So I'm, you know, I'm pretty proud of that. That, that continues to be like the first question we try to answer when we develop the next generation system is OK. How do we non disruptively upgrade this thing to hardware and software from whatever might be out there in the field from 2012 to today? And I know I said last one, but it's a good one. And I will truly make this the last one.
56:36
Someone asking should we care about storage, data management, et cetera if we're going to the cloud? Um It's funny that you mentioned that yes, you should because data performance is what drives application performance um to the number of cloud service providers who built their storage infrastructure on pure.
56:55
Not everybody does an in-house build, not everybody's got the mask to do that frankly. Past a certain point, you find out that your data services um are often very much best addressed by somebody who builds that for a living. You think of it this way, how many transmissions are built by GM, Ford, or whomever? Most of them are built by companies that specialize in transmissions.
57:15
So it's, you know, there's, there's a nuance to this once you give people back to coverage of how did how did somebody build their cloud platform? And a lot of times you find out there are very specific reasons and, and uh service capabilities that they wanted to implement, which is much cheaper to buy than to try and build it themselves.
57:34
Also, the only thing I'll add is that it's not even a common, the most common presentation I've done this year for customers that's been requested is Pure cloud strategy. Walking through everything from our historical design principles that are translated into the cloud to OpEx and consumption models, to Cloud Block Store, Pure capabilities in the cloud, to what we do with Portworx.
57:53
It's all in partnerships with Equinix, that was a previous partnership, uh previous coffee break. There's so much that we do that customers asking us to do in the cloud right now. We're, you know, when we talk about data efficiency of availability, performance and all those things, our job since what we do is data service infrastructure is how do we let you do what you
58:12
need to do with your data without thinking about all the ways that it has to move or adapt or what have you. Now boundaryless architecture or boundaryless estate is kind of what we're, we're ultimately striving for in the modern data experience. You just need to, you can do whatever it is you need to do without having to figure out how many hoops you have to jump through in order to do it. If
58:33
we're doing our jobs right, your data just moves and it's available and it's performant and it's efficient wherever it is. I think that's the great last best final word. We still got a lot of people hanging out with us. Thank you all so much for joining. Nick, this was a little more relaxed. We just got to kind of wander through questions.
58:52
Please be sure to join us if you're still here. Um Join us next month, Zain and myself will be walking through the ever fun topic with lots of stories and updates when we did a year ago around disaster recovery, business continuity. Thank you all so much for joining us. Hope you all have a great rest of the month. Thanks all. Thank you, Nick.
59:13
Thank you, Andrew. Thank you, everybody. Have a great day.

Andrew Miller

Lead Principal Technologist, Pure Storage

Nick Psaki

Principal Systems Engineer, Pure Storage

Who knew that the best coffee break conversations would end up happening online? Each month, Pure’s Coffee Break series invites experts in technology and business to chat about the themes driving today’s IT agenda - much more ‘podcast’ than ‘webinar’. This is no training session—it’s a freewheeling conversation that’s as fun as it is informative and the perfect way to break up your day. While we’ll wander into Pure technology, our goal is to educate rather than sell.

This month, host Andrew Miller will invite Nick Psaki to the virtual break room to discuss all things security! Our 45-minute chat will cover:

  • The Larger Security Landscape including items such as… (exploring these based on Nick’s extensive government & military IT security background)
    • What’s Old is New - history doesn’t repeat but it definitely rhymes.
    • Security Certification Acronyms Galore!
    • Statutory vs. Regulatory Compliance - why it matters.
    • Data Security vs. System Security
  • Pure’s Security Smorgasbord
    • Embracing a philosophy of Simplicity AND Security
    • Encryption done right.
    • Immutability & Impermeability.
    • Bonus Item: Ransomware Protections
    • DevSecOps
    • Accelerating Security & Analytics Platforms