From YouTube: CNCF SIG-Security Meeting - 2018-06-08
CyberArk and Sysdig/Falco
A: So I have someone that was slated from about a month ago, lined up for today, but Geri hasn't been on the last couple weeks and I haven't received a confirmation from her. So, you know, if she, if she shows, it's her slot, but if not here, then we would, yeah. Then yeah. The fact that you're, you're enthusiastic to get it in today is really fantastic, because it is, it.
C: So when you said this is priority, Hillary.

A: Is priorities used on the schedule? Michael asked if, you know, it would be possible to present today, and, you know, I said that we, you know, have maybe 20 minutes, so, and, and Geri. You know, one of the reasons why I'm managing expectations so much is I'm in Prague and my Wi-Fi has been really poor, and the last session that I was facilitating I was dropping a lot, so Sarah is gonna be facilitating today.
A: Doug Davis of IBM, in, so if there's check-ins in for the SIGs and working groups, and I did ask Doug if he would, you know, share a bit of context from the TOC meeting. Oh great.

A: If Doug's not here, and since we have, you know, a full docket, I think we should probably go ahead and get started. I can, I can fill in a little bit of my interpretation of that, what happened, so I, you know, a couple things were having, so that the, the CloudEvents project is, CloudEvents is graduating out of the serverless working group, and, you know, one of the discussion points that was highlighted was that, you know, that project, that, that working group elevating itself to having code was seen.
C: CloudEvents graduating from being a project of the working group to being, it's only, its own sandbox project. Okay, Dan was saying that it was because it had code and I was saying that I, I think it, like, it was to my mind the first thing that had become a sandbox project that didn't have code, but maybe Doug, you can speak a little bit too, yeah.
E: We want a whole implementation, we're gone, no, no, actually, no, you're right. It does not have code as of today, but the closest I've heard about us having code is we heard some discussions around possibly some shared libraries or shared coding efforts around some shared libraries and stuff, whether that would actually become part of our working group, or we just have pointers to a common open-source project simply and talk to that party. I, I did.
A: So, you know, that was the, there was that discussion, and then there was interesting discussion around projects that are only, you know, associated with, with Kubernetes and whether they would be appropriate in the CNCF, and there's a fair amount of debate there. You know, it was, it was fun for me, since Node.js, the Node.js Foundation was referenced a lot, since we in the foundation did choose not to integrate and support userland projects inside of Node, and that was just scale and scope.
A: You know, the scope of supporting and integrating, and, you know, choosing which are the blessed userland projects that we choose to support inside of the Node.js Foundation, was created to sustain the, the Node.js, you know, project, was, you know, something that we could not sustain with, within the structure of the Node.js Foundation as it is, so that, that's, you know, tangential to, to SAFE, but, you know, was generally interesting. Yeah, I thought the first half of, you know, this week's TOC meeting was, was quite interesting.
D: So the first case that I wanted to talk about is our integration with Cloud Foundry. Both of these integrations were customer driven, or we had requests from some of our enterprise customers to make it easier for them to use our product on these platforms, and the first customer request we got was for Cloud Foundry integration. So that's the one I'll talk about first, and as we started to investigate what that integration would look like, very early on we discovered the concept of a service broker. So what is a service broker? Most of the time...
D: I look for services on there, so it's a, it's a great way to make sure that your service is visible and easy to use for developers. So the service broker is just basically an application that you also deploy to Cloud Foundry, and it has a handful of API endpoints that list the service offerings that are available, that, like, provision an instance of your service, whatever that means for your service, and that deliver credentials to access your service to the application.
D: So, on the last slide was sort of, I guess, I would like to just show a little graphic of how this works. So you have your external service. You have your Cloud Foundry installation. You deploy the service broker application to its own org and space, to seal it off, because nobody, you haven't, need to access it directly. You create an org and space for your application to be deployed in, and in that org and space you would create a service instance, and creating that service instance...
D: So, even though Kubernetes officially supports the use of service brokers, it's still in pretty early stages, and if you actually look at their code in GitHub, it hasn't actually had a stable release yet, so it's probably not something that is worth trying to use in production at this time. So, instead of doing the same kind of model that we did in Cloud Foundry, we decided on a completely different tack.
D: What happens is the Authenticator container that's deployed with the application starts out by submitting a certificate signing request to Conjur with this, that the ID, where the pod information is contained, and Conjur responds by injecting a time-limited certificate into the pod using the Kubernetes API, using that pod information that was included in the cert request, then the...
D: It authenticates with the certificate, and that authentication process results in a time-limited token being placed into this shared memory. So now that application has access to a time-limited access token in this shared memory, and it can use that token to retrieve whatever information it needs from the external service and initiate that connection to the external service.
D: So I'm hopeful that this kind of a model might be something that other services also find useful, or the way that we've implemented that means that external services would actually be able to use the application identity we provide in Kubernetes to authenticate Kubernetes-deployed applications themselves, so curious to see where this will go. Right now it's only available for enterprise customers, because it is...
D: We might be able to modify our existing Cloud Foundry integration to work in a similar way, to have an Authenticator. A buildpack is probably how it would work, that would take on that role of communicating with the custom Cloud Foundry Authenticator to inject a time-limited access token into the application memory. So where is it now? It's not SPIFFE compliant. I expect that they may be working on that and that may change, and they're working on improving the specs on the workload for accessing the certificates and validating them against the certificate authority.
D: And this was sort of, I didn't try to plan something very in-depth or low-level. If there are things that come out of this that people would like more information about, or would like me to dig deeper into another time, I'd be happy to, to consider doing that. I don't know if people have a way to get in touch with me, but I'm on GitHub, so the information is there, I think.
D: A PDF of these slides in the minutes, so that if people wanted to go back and refer to them, they could. In particular, I have this note here that, if you're curious about looking at the code for what we did for our Kubernetes integration or for the Cloud Foundry service broker or buildpack, it's all publicly available, or will be by the end of the month. We'll announce the Kubernetes one on our website, hunter network. So that would be a good place to watch out for it. Great, also.
D: See that, actually, I just yesterday finally got my legal department to approve me as a contributor, so I have a canard and place in that project that I need to go back and review now that they finally explained, months, it's just a very long time to prove it. So I will be doing that, probably the next two days.
D: We do, for example, we have a custom Authenticator for IAM, and then we have a workflow that we call host factory that people use if they're deploying, like, VMs to AWS. I don't know that an implementation as specific as one of these would be required for most other workflows. It's one of those things where, when it comes up, we'll know it and we'll have to deal with it, but it's not come up right now. A lot of our general tooling has been workable for a lot of different systems.
A: The reason why I asked is just, you know, I think that's a great perspective, knowing those use cases where folks have things that go outside of the, you know, the cloud native workflows, and, you know, being able to validate, you know, the approaches that we have in that non-, so the cloud native blessed cases, is I think interesting to, to our work.
D: I know that Vault has a service broker. I don't know how much they're doing with that or how it's being used. I do like that our solution also has the buildpack, which makes it easy to inject the secret values into the application at runtime, because it installs Summon, which is our tool to do that. So I do think that's an advantage for what we've done, but in terms of, you know, having a service broker, sure, it's very similar, but...
B: Thanks, sorry, my wife just asked me if my son can do piano and he's right above me, so I could tell her no. Let me just share my screen.
B: We specifically have focused on container-based systems, although it will work for any Linux-based system, and it is Linux only right now, and this is kinda where the market is starting to kind of define this term, runtime security. So we're definitely not the only ones in this space of runtime security. There's other tools out there, such as Twistlock and Aqua. Threat Stack's also done some things around this as well, and there's one other, I think StackRox.
B: So this is starting to kind of become this more burgeoning space around runtime security. We're the only ones that offer an open source solution to runtime security, and we also offer a proprietary version of Falco as well that gives you a lot of features out of the box. So what this anomaly detection can do is detect things like shells or processes on, inside of a container, unexpected outbound connections. So all of a sudden, your database container starts making outbound connections to the Internet.
B: So the cloud native paradigm really gives you a lot of choices. It pushes down to the development teams, right? Developer, developers can package up their application inside of a container, and, let's just say, you don't always know what's inside of that container that development packaged and what to deploy to your production environment. Image scanning is seen more as a point in time.
B: The resource isolation paradigm of containers is much different than VMs, and we see this as a need in the market. When you see things like gVisor and containers as well, that have come around as well, that seek to provide that more VM-like isolation for containers. And so what Falco can detect is vulnerabilities and things like container isolation, exploited applications, things like exposed dashboards or exposed API ports, Burrell's, and images start getting launched that we don't expect, which the last one, exposed dashboards and API port, is kind of a common thing.
B: ...is to certain functions inside of the kernel. It uses something called tracepoints inside of the kernel, and then we have an alpha, an early alpha version of an eBPF probe that can be loaded up as well. It has limitations, of course. You need to be running a newer version of a kernel in order to take advantage of that, and it needs to have eBPF support built into it as well.
B: So for those of the people who aren't necessarily comfortable with the kernel module level integration, then we can do it with the eBPF as well. Then this, basically, this stream of system calls will come into the processing libraries in the event engine. That is, then, rules are applied to that, minute.
B: If we could hit or push to something like a messaging system like NATS, or something like that, natively inside of Falco as well, so that we can kind of be this rules engine, and then from a modularity, cloud native perspective, we can have other event streams that are actually sending us data that were processed.
B: A little bit about the project and growth of the project. We're actually seeing lots of usage, at least from a downloads perspective and Docker Hub pulls as well, so we're well over three quarters of a million Docker Hub pulls for our images, about 34,000 downloads of the actual RPMs themselves. And, of course, everyone loves GitHub stars, or about 805 GitHub stars as well.
B: Users of note, so Lyft has used us for a while and we're in the process of trying to document that story from them. But another great one is cloud.gov, so cloud.gov, and by the way, this presentation is linked in the, the issue that I opened to do the presentation, which is in the notes for this meeting.
B: But this right here is actually cloud.gov documentation. It actually talks about how they have this behavioral monitoring in an experimental mode right now in their cloud, our, Cloud Foundry environment for cloud.gov, and then they've also given a presentation at the Cloud Foundry Summit as well about detecting tainted apps using Falco inside of Cloud Foundry as well. So it's not just something that can work with Kubernetes. It is something that can work with Cloud Foundry as well, and so, oh, kind of, let you look at the, the rest of the presentation on your own. Is there?
B: Neat, it's also a good presentation which I can drop in the document or in the meeting minutes as well. There's a good presentation around runtime security that Google gave at KubeCon EU just a few weeks ago. It kind of lays out what are the areas of security that you need to worry about, and kind of defining what the space of runtime security is and what runtime security means and how it is different from supply chain security or infrastructure.
B: All right, so what we have here is, I have a bar in my way, so in this environment I've got a couple different things up and running. So the main thing is, is that we have Falco up and running here. This is deployed as a DaemonSet. We provide a DaemonSet for users to actually quickly deploy this. All of the configuration for Falco is stored in a ConfigMap, and this DaemonSet will then pull down that configuration.
B: So all of your rules and things like that would be stored in a ConfigMap, and then those rules are pulled down when the container launches or the pod launches. The other thing that we have in this environment is NATS as well, and so NATS is, is acting as our messaging platform, and what Falco will do in this demo is...
B: It will push an alert over to NATS, and then we have Kubeless running as well, and what Kubeless is set up to do is it's set up to listen to a particular topic or subject in NATS, and when it detects a critical alert, it will actually go and take action. Let me show you what the rules actually look like, so in the...
B: The rules use a pretty simple language. It's the same language that we use for Sysdig, and what this looks like is you basically just have the field and then some value, and then you can string it together with other values as well. There's lots of different boolean logic that you can do inside of the rules as well. The other thing that you can do is you can key off of Kubernetes metadata as well, so Falco will connect to the Kubernetes API server and pull that information back.
B: Rule: crypto miners running inside of Kubernetes. So we take the node front-end application, and if I spawn a process and I'm in a container, so basically I'm not running on the host system, and my command line contains stratum+tcp, which is a common protocol that's used for miners, then I want to throw this alert. Another example is you can list out all, like, common miner ports in this case, and if I see a front-end application making an outbound connection to a miner port, then I want to throw a critical alert as well.
B: So you can see the rule language is actually pretty flexible, it's also fairly simple as well, and then also what we have is, over in the Kubeless side of things, we have a very simple function. It basically says if I see a critical alert and I'm not running, I'm running inside of a container, then I want to actually take action on that, and what this will actually do is that, if I detect a critical alert running inside of a pod in Kubernetes, it will actually go and delete that particular pod.
B: Of course, when you jump to the demo, nothing starts working, right? I need to specify my namespace, and there we go. So you see right away that I've opened a terminal and I get an alert right here over in this Falco pod, where I'm tailing the logs, and you can see that I've opened a shell. So a shell was spawned inside of a container with an attached terminal, so somebody's went interactive inside of this container, so what I can do now is I can run something that will actually trigger the alert.
B: So let me actually go over here and see if I can get this to work. It wasn't working earlier via the remote exploit. Let me see if I can get it, and so this is actually sending a profile cookie. This profile cookie is actually encoded, and this application doesn't actually sanitize the inputs from the cookie, and there's a way that you can actually exploit JavaScript by doing, it's essentially a form of just-in-time execution, you can inject functions inside.
B: If I did a touch, then hello, I, I get an alert right there that I've modified or I've created that new file. If I did something like move /bin/ls to ls.old, I get an alert right there as well that I'm modifying things in the binary directory as well. And these are all kind of common things that you would expect somebody who's getting into a system to do as they're trying to compromise a system. So with that, I'll ask if there's any other questions for anyone.
B: I would, I would throw out there that it may not necessarily take care of the access perspectives of things and the authentication perspective of things. I was actually under the oppression, the impression that the working group was more focused on cloud native security in general and how you solved that problem with native security in general, and if I'm wrong, then I wasted everyone, well.
C: Actually, I am, I think we're also working to tighten up our charter so that it's clear to newcomers, so, but I, I, what I wanted to ask is kind of related to this. What we're really seeking to do is kind of figure out, is there a common, or maybe a few common, secure architectures, right? What are the things that, if you are coming to setting up a cloud native deployment, what do you need?
C: Are there some things that you are seeing in patterns that have made it easier for you to build something that works in multiple environments in the cloud, and are there areas where you've had to kind of fill in gaps and do things that are substantially different in different environments, where you kind of wish there was a little more commonality? Yeah.
B: I think that where the challenges are going to come in from the different clouds, and what we've seen, is that it's important to provide context in these security events that we're throwing, and so in this case we're only integrating in with Kubernetes. We can also integrate in with Mesos or Marathon, and we can't pull any metadata right now back from something like Cloud Foundry. So when these security events happen, we want to be able to access the API and give people information about, it's this particular application, or it's this particular pod, or it's this particular deployment.
B: That's actually, that's causing problems. The other thing is, is that we need API access, and getting that API access and authentication to those different platforms can sometimes be challenging, and then the other thing is, is that if you're going to take action inside of that, how can you limit these functions that are taking action, especially if you're using something like functions as a service or serverless functions? How can you give them the right level of access to just do that?
B: But it is definitely a challenge that we see, I think, more broadly, and this isn't necessarily a knock against the CNCF, but if you look at the CNCF landscape, security is one area overall, whether if it's authentication or runtime security or infrastructure security, that's not anywhere on the landscape whatsoever.
B: And we've, I've opened up an issue on the landscape to say, like, we're, tough it, where there's, our commercial product fit, and so it's still TBD to figure that out, as I've talked to some members of the TOC, they're like, well, we're not security experts. So it's hard for them to kind of digest some of this information, yeah.
C: And I think that, that's kind of, that's part of what we are trying to, like, trying to help with, right, is that it's also hard to put, just be, I don't know, I, mixed feelings, like, there are things you need for security, like authorization, like identity. There are these different things that you need that are kind of in their own security world, but, but everything needs security.
C: So, so how do we actually sketch out that landscape? I can't, think it's one of the questions of this working group, and, and so we're not there yet. All of these use case presentations are a way for us to get common language and to understand the problems that people are trying to solve. So, so I found this to be really helpful and interesting. Yeah.
C: It would be really good, maybe you can find the person who's thinking about, like, how do you, like, issues of trusting services and, and dishing out access, and whether the open service broker has all the controls it wants to have, or whether, you know, they're, like, the, the people implementing it are asking for things that maybe need to come from the platforms? Maybe there's somebody who has been focused in developing that area but kind of talked to how it uses the services, and I think particularly key management is kind of a big deal, so.
E: I can talk to some of that, but I think I probably need a little more information before I can identify the right person for the rest of this stuff. So what I can do is, it's something that, future call, and, of course, I don't know when because I'm at DockerCon next week, and that's, that I'm traveling in Asia for weeks, but the next I'm, I'm on, I could talk about the various data that flows back and forth, how the open service broker gets, or does it start, relative to credentials, and then from that?
C: Great, and I think we have a couple of presentations already lined up, so whenever you're, you're back and the frame would be fabulous. Okay, sounds good, so I want to be respectful of everybody's time, it's, I'm, 12:01. So thank you so much Geri and Michael for your presentations, and please feel free to review the notes, and if we got anything wrong or you want to add color or links, I tried to add some links into the slide, into the notes, but please, they're editable anyway. Parisa easy.