Qlik is a business intelligence company. They rely on AWS to keep pace with the speed of business and accelerate adoption of Kubernetes. When it comes to the shared responsibility model, customer data is the primary concern. To secure container-based workloads, Prisma Cloud - the industry’s most comprehensive Cloud Native Security Platform - provides the runtime protection and static container scanning that is required to protect Qlik’s customer data.
Transcript:
My name is Richard Gerard. I've been working here at Qlik for two years. My role is SRE Security, but the rest of the industry still calls it DevSecOps.
Qlik is a business intelligence company. Our mission is to accelerate business value through data, and we have a global initiative to promote data literacy, that's the ability to read or work with data.
Four years ago at Qlik, we started our cloud journey and we started hosting some of our applications in the cloud with AWS. Two years ago, when I came onboard, we started looking for a security partner to help secure those workloads. Specifically, the containers that we were hosting in Kubernetes.
Qlik has been around for years and years and years now and always on prem, so when we migrated to the cloud, we wanted to take a cloud first approach, but there were some pieces, like our legacy engine, that just couldn't be done. So those workloads had to be ported. Everything else we tried to take a cloud first approach, and sometimes it took us two times to get it right, but that's where we are now.
We chose AWS because they provided the infrastructure that we could build on and there were enough companies out there that had gone before us that we could learn from them and stand on their shoulders, so to speak, so we could get it right.
Primarily we use EC2 and S3 for our hosting, but we're starting now to adopt more Lambda functions for serverless. I'm starting to use Security Hub, which is a lot of fun. And there was one more. Oh, right. And in addition to those two, we're using CloudFront to do more of our hosting for our static CDNs.
When it comes to AWS's shared responsibility model, customer data is primarily my concern. AWS will not secure that. That's my job. So in order to secure workloads in our containers, Prisma Cloud gave us both runtime protection and the static container scanning that we were looking for.
Prisma Cloud is my runtime tool for monitoring abnormalities in my environment. It's also my static container scanning tool, which I incorporate in both my production environments and my CI process.
When I started in this role two years ago, we'd had 37 different container workloads running in AWS in Kubernetes, and the first scan when we deployed Twistlock was awful. We joked that the radar chart was bathed in blood. Everything was bright crimson with highs and criticals in every single one of our images. Now, two years later, we have over 100 different bespoke, I guess, images running in our production environment. And as of early December, we were down to just seven unpatched critical vulnerabilities.
This was a tough one because we didn't really have a before. This was the first compliance tool that we wanted to introduce into our cloud environment. We knew exactly what we wanted it to do and we were just extremely happy with the results when we first put it in place, because we had that visualization now of what was wrong.
The after now is I use it every single day to look at all of my environments. I have staging and production environments in three different regions around the globe.
I have a fun story in this regard. There's an on-premise version of our tool that we provide and sale, and customers are able to deploy that in their own Kubernetes environment rather than use our cloud hosting solution. When people download those images and scan them with their own static image scanning tools, they provide us with a list of the CVEs that they find. And it turns out that our intelligence is more correct and more complete, and that just helps us know that we've chosen the right tool.
For anyone who's looking for an image scanning tool and runtime protection in one, Prisma Cloud has been the best solution for us. The results are the most accurate, the most correct. And when it comes to product features, every single request I've made of the product team has turned into a feature, and I can't say enough about the product team for their help in that regard.
For our customers, they can know that our images are as correct as they can possibly be, that our CVEs are patched regularly, and that we have runtime protection. Speaking to that point, we're really proud of our SOC 2 and our SOC 3 compliance. And one of the compensating controls that we mention quite frequently is that we use Twistlock with Prisma Cloud in our production environments to secure our environments and to know what's happening.
For the things that are holding me back in my cloud native container strategy. Well, this week in particular, there was an open SSL vulnerability that was... Well, it didn't make the boat for the latest Alpine release and my metrics jumped to have 27 new unpatched vulnerabilities in my environment. So I would like it if open source could move maybe as fast as I imagine it could. That's one of my challenges.
The other is upgrading major Kubernetes versions is extremely painful for us, so we're hoping that shifting our workloads to AWS as EKS service will help us in that regard.
Perfect. At Qlik, we have a global DevOps team primarily based here in Ottawa, but also with an office in the United States and in India. Our dev team here in my Ottawa office outnumbers the SRE by about team 10 to one, and if you take in the global team, it's way, way worse than that.
Our development process and pipeline is your standard agile development with local development, to staging environment, to a production environment pipeline, with checks along the way, including production approval scans, linters, integration checks, integration tests, system tests, and time-travel to make it all work faster.
Our challenges with shift left were speed related, honestly. Our developers will typically work on one component and move on to another one, leaving the maintenance for another team to pick up, and if we don't address the security issues with the development process early on with the first team, it's very hard to convince the maintainers to make massive changes to their Docker images that we deploy into the cloud.
For a shift left, we were able to take advantage of the Twistlock CI Orb that they provide, introduce that into our Circle CI scans at the organization level, and provide a context that any repo anywhere in our organization can pick up and use to scan their images as part of their CI builds.
This goes against my nature. I like to talk. In terms of compliance regulations, I'm personally bound by ISO 27,001. I'm not directly reporting into our IT Operations Team, but I do provide an operations role for our cloud infrastructure. We're also bound by our SOC 2 and our SOC 3 compliance, which is very important for the cloud.
If I had my way, my own internal compliance rules would be far more strict. I'd like to introduce a few more checks on our images, but just knowing about the problems that are out there with Prisma Cloud is helping me make that journey. And I have friends in the compliance department, so I'll win those battles.
Before we used Prisma Cloud, we didn't have a compliance tool. We had looked at a few others and we had looked at some other image scanning tools as well in the marketplace, but nothing provided the same balance of runtime protection and image scanning capabilities that we needed to put into production.
Today, Prisma Cloud is not my only compliance tool, but it is my favorite one. It gives me a live look at six of my different production workloads scattered throughout the world. It shows me at a glance which are red, or as I call them, bathed in blood, because they're failing compliance, and shows me which of my lost sheep I need to go look after on any given day.
Because our customer data is our primary asset and our biggest responsibility is taking care of that, looking for a compliance and image scanning tool that provided a runtime protection in our cloud environments, as well as image scanning to make sure that what we're putting out there wasn't vulnerable, was a high priority for us in our cloud journey.
We've never had a reason to question our decision to choose Twistlock, at the time, now Prisma Cloud. Prisma Cloud gives me a radar view into all of my different regions that shows me which images are out of compliance every morning, and also cardinality metrics to help me chase down which components might need a little bit more education and a meeting with our security office.