With the wave of changes spurred by advancements in artificial intelligence and quantum computing, and more disruption on the horizon, securing the cloud against attacks is more important than ever.

“Software supply chain security is actually driving a lot of the zero-trust conversations that are now coming to the forefront,” said Emily Fox (pictured), software engineering lead of emerging technologies for security at Red Hat Inc., and former co-chair of KubeCon + CloudNativeCon North America. “It’s not necessarily about just signing and verification; it’s actually understanding what went into the build and whether or not you can make decisions about that information.

Fox spoke with theCUBE industry analysts Savannah Peterson and Rob Strechay at KubeCon + CloudNativeCon NA, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the impact of AI on cloud-native security and the need for more contributors in the cloud space. (* Disclosure below.)

Securing the cloud

As chair of Cloud Native Computing Foundation’s Technical Oversight Committee, Fox looks to integrate open-source technologies into new security solutions. With security breaches such as Log4Shell and SolarWinds haunting the security space, educating companies and consumers is vital.

“[Software bill of materials] are not a silver bullet,” she said. “A lot of organizations are starting to produce them, but they don’t necessarily understand how they should be using them.” 

If implemented thoughtfully, advancements such as the Sigstore, an open-source project for improving software supply chain security, could prevent attacks like Log4Shell in the future, according to Fox. The new era of AI further complicates cloud-native security because of the potential for models to produce “hallucinations,” or false results.

“With large language models, there’s an integrity mechanism that needs to be verified so that you know that the data that went into the model to train it is producing … the expected results that you’re looking for and having the ability to independently verify that,” Fox said. “AI is really just another workload with special needs that we need to design cloud-native technologies to accommodate.”

Growing the contributor base

Moving forward, the most crucial element of cloud security is a body of contributors to keep up with the demand for cloud-native technologies, such as Kubernetes, according to Fox.

“The entire ecosystem needs more contributors,” she said. “When you’re an adopting organization and you have demands or wants and features of Kubernetes — or any of the cloud-native projects — what the concern then comes in is, we don’t have enough people to do it.”

Opening up space for underrepresented people in tech, particularly women, requires acknowledging and thanking them for their contributions, according to Fox, who maintains that one of the biggest strengths of CNCF is its “diverse contributor base.”

“We don’t do enough thank-yous in technology. We don’t do enough embracing,” she said.

As the world of cloud-native technologies continues to evolve and expand, communication between contributors, consumers and developers will be key.

“Cloud-native is an international community, which means we have all sorts of different cultures and perspectives and everybody has their own job … cloud-native is just yet another hat that they wear,” Fox said.

Now in a new position at Red Hat, the path to better security solutions looks complex but promising to Fox. “There’s so much more in software supply chain security that needs to happen,” she said.

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of KubeCon + CloudNativeCon NA:

(* Disclosure: TheCUBE is a paid media partner for KubeCon + CloudNativeCon NA. Neither Red Hat Inc. and CNCF, the main sponsors of theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE