This blog comments on a variety of technology news, trends, and products and how they connect. I'm in Red Hat's cloud product strategy group in my day job although I cover a broader set of topics here. This is a personal blog; the opinions are mine alone.
Ellen Newlands shares new IdM and cryptography features in Red Hat Enterprise Linux--including the new RHEL 7 beta--while Matt Smith talks about some trends that he's seeing at the customers he speaks with such as the desire to extend enterprise identity into public clouds.
Haff: You're listening to the Cloudy Chat podcast with Gordon Haff.
Hi, everyone. This is Gordon Haff, cloud evangelist with Red Hat, and today I've
got two guests here with me. I've got Ellen Newlands, who runs product
management for our identity and security products, and I've got Matt Smith,
who's a solution architect in the Northeast region with Red Hat. Matt's going
to have some great insights about some of the conversations he's having with
customers around security and identity.
Haff: I'd like to start off first with you, Ellen. What's new?
Newlands: Well, I have to say, Gordon, especially with Red Hat
Enterprise Linux 7.0 going into beta ‑‑ as you know, we just went into beta
with 7.0 at the beginning of this month, December ‑‑ there's a lot that's new
in identity management. Many of you may remember that we've included identity
management as a feature set in RHEL, which means that it is free with the RHEL
subscription. In 7.0, we are bringing out some new functionality that we think
is particularly useful.
A lot of customers have Active Directory as what we call their authoritative
source for identity in a Windows environment, and yet they'll very often have a
very, very large Red Hat Linux deployment, particularly in development or in
test. One of their questions is always, "How do I best manage my Linux
identities but maintain my capabilities to have Active Directory as the
authoritative source for regulatory and compliance purposes?"
In RHEL 7.0, we're shipping something we're calling cross-realm Kerberos trust.
What does that mean? What that actually means is that we have put together a
very secure scheme for setting up a trust between Active Directory and what we
call the IPA ‑‑ or identity, policy, and audit server, the server piece of
identity management in RHEL ‑‑ so that your users in a Windows environment can
use their Active Directory credentials and have them passed to an identity
server for Linux and then securely and safely reach Linux resources without
having to, for example, change one authoritative source for another. In other
words, keep your Active Directory, set up a trust with identity management in
Linux, and enable your Windows users to access the Linux resources that they
would want. We are beginning beta on this now, and we have already had some
very good feedback on this functionality.
I did want to mention that, in addition to this, there are customers who do not
wish to have any kind of a second domain in Linux, so we have functionality
that we call SSSD, which is client functionality that will allow you to connect
your individual Linux resources or hosts directly into Active Directory should
you prefer. We believe that this gives us a wider reach in today's
heterogeneous environment for identity management.
Haff: We're going to talk a little bit about crypto in a couple minutes, at the risk
of having people's heads explode, but for right now, Matt, maybe you can tell
us a little bit about what you're seeing out in the field. You spend a lot of
time talking to customers, and I'm sure you've got a lot of good insights about
what they're seeing out there.
Smith: Sure, absolutely. Thank you, Gordon.
What we're seeing come forward with the RHEL 7 beta here, with the new features
and functionality in IdM, really addresses some of the calls we're seeing
in the field. Customers have a huge investment in Active Directory ‑‑ in the
infrastructure they've deployed, in the processes they've developed. As Ellen
already described, being able to bring forward a solution that allows the Linux
environments to interact with an Active Directory but still have the features
and functionality that Red Hat IdM provides is what they are asking for. Beyond
just the authentication, IdM also has the management of the access control
within that Linux environment, and it gives the Linux admins the ability to
interact very, very easily with that IdM environment. Being able to have that
integration with an established Active Directory meets a very, very high demand
from our customers.
Haff: You've been doing this for a while. What are some of the trends that you
see out there? What's different today than if I was asking you this question
maybe a couple years ago?
Smith: That's a great question. Really, the newest trend that we're seeing, and
really, it's been developing over the past few years ‑‑ how do I extend my
enterprise identity into the cloud? As software‑as‑a‑service options are
becoming more and more attractive, as platform-as-a-service and infrastructure-as-a-service
offerings out in the public cloud become more available, more cost‑effective,
and more feasible for many of our customers, they look at that credential set
that today might live inside of an Active Directory or inside of a Red Hat IdM,
and they question whether they should extend that to those outside public
services, whether they should be creating new IDs and passwords out there in
that public space, if there's a way that doesn't violate network security
principles to tie those systems back into credentials inside their data center.
Of course, here, we are very aware of the other authentication activities in the
world, whether this is SAML in the federated authorization space or OpenID and
OAuth, and we're developing those strategies around how to leverage those
technologies to be able to extend enterprise identity into those cloud
Haff: Ellen, let's talk a little bit about crypto specifically. I know we've
got some new features out there, so maybe if you could explain it without
having people's heads explode too much, I think that'd be interesting.
Newlands: I did want to start by saying I have worked with what we call the crypto
geeks for about half of my working life, and I will tell you, you can always
spot them in a crowd.
Having said that, all crypto is essentially mathematically based. One of the best
protections for any of the cryptographic algorithms that keep your
communications and your data safe and locked up is that it takes so long, using
computers, to crack the code. As computer power has increased, the algorithms
that were in common use are more easily cracked. It takes less time. Cracking
an algorithm is all about the compute time it takes to crack it. With the
expansion of compute power and the high demand for security, the National
Institute of Standards and Technology ‑‑ known lovingly as NIST ‑‑ recently
set out standards and recommendations for what we would call higher‑order
cryptographic algorithms, which they call Suite B.
Red Hat Enterprise Linux 5.10 and 6.5, which just recently went GA, and
7.0, which is in beta now, have all included some new cryptography in addition
to the original algorithms that they had in Suite B. One of the more
interesting pieces of cryptography that has been included is something called
elliptic-curve cryptography. The reason that this is interesting is, for less
processing power and less compute power, it offers stronger crypto than had
previously been available.
I think the basic point here is that the crypto in Red Hat Enterprise Linux has
been updated, which ensures safer communication, safer data at rest and in
motion. As the standards change, I just want it on record that RHEL and the
feature set in RHEL keep up with the changes and recommendations.
Haff: Matt, out in the field, how are you seeing use of crypto out there? Is it
increasing? Are people being more aware of the technical details? What are the
trends that you see there?
Smith: Absolutely. Crypto becomes more important every day, but at the same
time, the assumption is generally that it is just there. At this point, being
able to see that HTTPS in your URL bar in your favorite browser is just an
assumed technology ‑‑ "Oh, it's HTTPS, therefore it is secure." Of
course, as customers look to move data out, again, into the cloud, or they
start expanding where their data lives ‑‑ it's no longer just within the four
walls of their existing data center ‑‑ really being able to encrypt that data,
in flight or at rest, becomes more and more critical and more and more of an
assumption on our customers' part.
Haff: Are there changes in the way they're doing key management these days?
Encryption is easy. It's the key management that's the hard part.
Smith: Absolutely. There are a number of vendor products out there for key
management, as well as when we look at certificate‑based management, our own
certificate management capabilities within Red Hat IdM and within Red Hat
Certificate Server. We provide those capabilities, but again, as customers are
looking to distribute the geography of their data, this is a challenge in a
space where, really, there's still a lot of room left to find proper solutions.
Haff: Ellen, maybe we can start to wrap up here. Anything else that you'd like
Newlands: I would like to say that if customers are interested in any of the new
capabilities for identity management in Red Hat Enterprise Linux 7.0, we have
instituted a high-touch beta program specifically for those who are interested
in the identity functionality, and customers are still welcome to join that
beta program because it runs from now until the middle of March. There's plenty
of time to get a look at the new features and, if time permits and resources
allow, to give them a test run.
I'm in the cloud product strategy group at Red Hat. Prior to Red Hat, I wrote hundreds of research notes, was frequently quoted in publications like The New York Times on a wide range of IT topics, and advised clients on product and marketing strategies. Earlier in my career, I was responsible for bringing a wide range of computer systems, from minicomputers to large UNIX servers, to market while at Data General. Among other hobbies, I do a lot of photography and enjoy the outdoors.