Podcast Transcript
Introduction:
You're listening to the RSA Conference podcast, where the world talks security.
Britta Glade:
Hello listeners, and thanks for tuning in for this installment of our RSAC 365 podcast series. I'm really looking forward to today's discussion in and around trends in the cloud security space with the RSA Conference Program Committee leads for our Cloud Security and Cloud SecOps track, Shawn Harris and Rich Mogull. Before our guests introduce themselves, we'd like to share a short message from Deloitte, our podcast sponsor. Cyber and technology leaders, we need you. A role with Deloitte isn't just a career, it's a calling to help make the world more trustworthy, resilient, and secure. So if you are interested in joining a group of people who don't just want to fix what's broken, but want to build something better, apply for a role with Deloitte Cyber.
Britta Glade:
Here at RSAC, we host podcasts twice a month, and I encourage you to subscribe and review us on your preferred podcast app so you can be notified when new tracks are posted. And now without further ado, Shawn and Rich, thanks for being here. Can you please introduce yourselves to our listeners and we'll jump into today's discussion?
Shawn Harris:
Sure. My name is Shawn Harris and I am co-chair of the Cloud Security Alliance Cloud Controls Matrix Working Group. And my day job, I am Director of Strategy, Engagement and Architecture for the Cybersecurity Group at Starbucks Coffee Company.
Rich Mogull:
And this is Rich Mogull, and I am the CISO of DisruptOps, although we were just acquired by FireMon and I also have a role as Analyst and CEO at Securosis and someday I'll figure out how to get down to one job.
Britta Glade:
You guys have day jobs, night jobs, probably in the middle of the night jobs. And we're so grateful to both of you for leading the Cloud Security and Cloud SecOps track for RSA Conference. I know you've both just completed your review of all of the cloud-focused submissions we received through our call for speakers process, and you've identified the sessions that'll be part of this year's agenda. So Shawn, I'm going to start with you. In our conversation as we were reviewing those picks, you mentioned that you thought these were the strongest submissions you'd seen since you started working with the program committee three years ago. Any thoughts as to why?
Shawn Harris:
I see quite a few submissions in the threat modeling area for cloud, and as cloud matures and cloud security specifically matures, we're going to start to see a lot more companies start to adopt threat modeling for their cloud intake process. And we will start to see a lot more purposeful cloud implementations rather than more of that haphazard lift and shift methodology for cloud intake. Some of it is just kind of the natural evolution of... When we first started doing this, cloud was much less mature. There were far fewer people that had much of a knowledge base, and now we have people with skills and experiences and, you know, we're still on the early edge, but it keeps improving.
Britta Glade:
Definitely. Rich, it's funny I was thinking about a conversation we had, I think it was maybe four years ago. It was a great debate at the program committee where we were wondering, does cloud even belong as a separate track anymore? We were thinking, oh, cloud's just kind of everywhere anymore. This is kind of like BYOD it's a given that it's happening. And in fact, we landed at keeping it, you had some good arguments, you and your counterpart. And in fact, it's been one of the best scoring and best attended bodies of content that's delivered at RSA Conference. So yeah, that maturity that you're seeing, the changes in the language that's coming in, the changes even of the roles of who is presenting. What do you think if we look at just a 12 month block of time, what do you think are the most seismic shifts that have been reflected then in what we're seeing in the proposals and what we're seeing in deployments and enterprises?
Shawn Harris:
I think some of the biggest things that at least that I've seen both in terms of what we've seen in the real world, as well as what we saw in the proposals. Definitely a lot more use of containers in general, but Kubernetes specifically. That trend's been going on for years, but I think it's really becoming quite a bit larger, but also people don't fully understand the implications. So on the security side, there's a lot of questions and concerns about it. We also had more, I'd say legitimate talks on some of the novel cloud risk and threats and attacks that we've seen. So we have proposals around vulnerabilities discovered in cloud providers and in the early days, these were like really stupid obvious for anybody that does this stuff for a living. Some of the ones this year were definitely more interesting than we had previously seen and not a lot, but it doesn't take a lot to notice more of an increase, more of a trend.
Britta Glade:
Yeah. So Shawn, back to you. Within the program committee, we've sometimes jokingly referred to Starbucks as critical infrastructure, and I venture to guess that many in the listening audience did in fact rely on Starbucks infrastructure at least at one point, likely more, during this work from home state. So the cloud security focus considerations that you are part of at Starbucks are huge. What changes do you think are the most critical for the listeners to consider within their own deployments?
Shawn Harris:
So I think that one of the big changes that I'm seeing from a trend perspective in cloud security is the aggregation of security tools to centralization of those controls as opposed to bespoke implementations. So think of the CSPs managing your container security and a lot of it is going to CSPs, but there's also an aggregation of those control tools going into single larger companies that are starting to really execute on the aggregation of control implementations.
Britta Glade:
Interesting. What are the downstream implications of that?
Shawn Harris:
So the downstream implications are really whereby you may have a particular tool or vendor that you utilize for a control implementation, and that will become part of a larger packaged offering from a larger company, or the CSP themselves will start to add that as either an add-on to their cloud service offering, or they will actually have a separate team that will actually start to market and sell that as an implementation. I look at, for example, container security from, say, Twistlock, which is now with Palo Alto Prisma. AquaSec is a wonderful company and they have been engaged with Microsoft early on. And now Microsoft for Azure, in the Azure Security Center, is starting to do some container-based security and workload security monitoring and detective controls.
Britta Glade:
Interesting. So Rich, I'm going to go to you related to that and related to another conversation that we had had when we were looking through the picks that you guys have made, and a comment that stuck with me was that because of the state of maturation of these deployments and all of these supporting technologies, my takeaway is it's become now more possible for companies to change cloud providers. It used to be you started with one, you were kind of locked in with that one, movement from one to the other was difficult, but it seemed to be that that has changed now. What are the implications here and how do you see this further changing and perhaps further impacting the strategies that enterprises are taking with regards to these partnerships?
Rich Mogull:
Yeah, I mean, actually it's deceptive. I don't think that that statement is true. I think it is actually still extremely difficult to change cloud providers. So there's the myth that is kind of, well, you throw everything in containers and can bounce around, and yes, the containers themselves, that's the easy part to move around. If you throw yourself into a Docker container, you can just pop those up wherever you need to. But it's all the controls around that that are extremely difficult. I think on Twitter, I said once, "If you want to go multi-cloud, that's great. Just triple your security stack." And I truly believe that, because the technical differences at the low level are so extreme between every one of the major providers that your security controls don't carry across.
Rich Mogull:
Shawn and I talk all the time. I'm always picking his brain because he does so much more in Azure than I do. And I do so much more in Amazon. And even though we both are familiar with both platforms, the level of detail can get down to, well, did you use the SDK that establishes the API call with "session" versus "client", because that'll affect your ability to contain an attack and may or may not break your application. So, no, I think it is a really risky path organizations are taking to think the providers are equivalent and you can move things around. And the only people who really say that are people without hands-on experience in cloud.
Rich Mogull:
And I don't mean that in an offensive way. It's just if you really do this stuff at the level of truly getting the performance and the cost savings and the security out of the provider, you realize that it is still very, very, very difficult, and you can't treat these things the same. But on the surface you kind of think you can get away with it. It's only when you get down to the next level, which can be months after you start migrating something, that you realize, ooh, we have a problem here.
Britta Glade:
Oh-ho. What are we going to do now?
Shawn Harris:
And I would add to Rich that as we look at trends and what I see happening in... I look at a fairly short timeline of probably the next 18 to 24 months. And what I see is exactly what Rich was talking about. You can move containers from one CSP to another easy, right? But it's all of the other things you have to know and understand in order to run that container, even if it's a PaaS container host, so Platform as a Service. However, if and when the CSPs really, really start to adopt this idea, and that is that containers are leveraged at a SaaS level, so take the stack up and it basically is Software as a Service.
Shawn Harris:
This happens to be that the data that you are putting into this SaaS product is your container that will run. When we get to that point, then I see containers and container technology as being a potential for avoiding vendor lock-in or CSP lock-in, because I've got three SaaS providers and I can just run my code there, run my code there, and it's the same code. It's truly mobile. Right now, since we're utilizing either IaaS or PaaS, we have to go up the stack and actually run containers as the data that we load into a SaaS provider.
Britta Glade:
There's a lot of implications there for you from the enterprise perspective, long term with your planning. Thanks for that, Shawn. Rich, going back to a quick comment that you made about shift left and some of the additional submissions that you saw in and around that. We've seen that language discussed as we've looked at the DevSecOps track, and certainly a lot of proposals in and around that, both from how organizations are putting together their groups, how code's being written, how they're interacting with other groups within the organization. Talk to me about how this applies in cloud security. Why are we seeing this? What would you expect to see going forward also because of the shift left impact right now that you're seeing?
Rich Mogull:
Yeah. It changes a lot of dynamics, including how you can remediate security issues and where you have to. The example is, and look, as somebody who's been hands-on doing a lot of cloud security automation for years and years now, it's great that I can fix things in production, but if that gets overwritten by something in the CI/CD pipeline, I still have a problem. It was kind of interesting you asked, because I was having dinner with a friend last night who's big in the cloud security world, just on an outdoor patio. It was kind of fun actually, a rainstorm came out of nowhere, but we were under an umbrella. So it was all good.
Rich Mogull:
And when I was talking about some of the automation stuff that I'd been playing with and doing, his first comment was what I really needed to do is to submit a pull request so that gets fixed in the infrastructure as code pipeline. That's really a lot of the kind of the changing dynamic that we've seen that's really picked up, but I find it's also too [inaudible 00:13:44]. Everybody's asking about that, but they're not necessarily consistent in their pipelines and in making sure everything runs through it, and for larger enterprises, it's hilarious. I go into tons of them and having conversations and different things, or maybe just somebody showing up at a training class. And that's really what they're focused on. I go, "Great, what percentage of your apps go through the pipeline?" They're like, "Oh, it's all the new stuff. It's like 20%." And yet the other 80% has also moved into cloud. So it's an interesting dynamic, but I do think it forces the security teams to... Security can't just block and tackle on the outside anymore. I mean, that's really where we are.
Rich Mogull:
And that's been one of the early trends of cloud, and infrastructure as code in shifting left really emphasizes that point that we can't just put boxes around what's being deployed and that we actually are being forced to work more directly with application teams. Because unlike before, that infrastructure as code can define the fundamental infrastructure, it just doesn't define the code that's running the workload, and that's the biggest change. And it forces us to go ahead and have to work more with those teams and cross some of those organizational boundaries. And to be honest, this is a real struggle. I've been on multiple conversations over the last year in projects where that has really been where it's hard to get past those silos.
Rich Mogull:
So one of the things that I've noticed with several enterprises that I've talked to and colleagues is that the concept and idea of having a singular CI/CD pipeline is wonderful. In theory, it's perfect. In practice what happens is a company will have a CI/CD pipeline per application, or business capability area or team. And so you really have to start to... And it's all about engagement. So from the very early days, I've always considered that security is an engagement practice. It's all about the engagement and going and having the conversation and talking about the use of security tools going into the CI/CD pipeline, wherever that is. And what the engagement wing of security means is you have to meet your customer where your customer is. You can't just tell the customer where they have to go. So I see a lot of real distributed CI/CD pipelines in a lot of organizations. And the security team has to really have an understanding of where it is, what it is and get our security control tools into those CI/CD pipelines as well.
Britta Glade:
Awesome. I was writing that down, security is an engagement practice, meet your customer where they are. Which seems like if that was written and tattooed across all organizations, there's some different ways that they're behaving with one another. There's the different ways that groups are engaging. So related to that, Shawn, this year we changed the track name ever so slightly to Cloud Security and Cloud SecOps, because we were seeing changes in how the security operations is done, the technological, as well as the staffing that is done there. How do you expect Cloud SecOps to change in the coming year and foreseeable future?
Shawn Harris:
For cloud security operations, a lot more use of infrastructure as code, as Rich has already mentioned. The idea that a human being is logging into a cloud service provider control plane and point-and-click changing and/or spinning up new resources is really going to become a thing of the past. I know that there are several companies that are still doing that. There are several teams that are still doing that. However, the infrastructure as code, the pipeline of implementing your entire infrastructure as a matter of code so that you can redeploy an entire implementation in a matter of minutes versus days, is absolutely critical to being able to ensure that we have good security operations practices.
Shawn Harris:
The other aspect is we are seeing, from a security operations perspective, quite a few least privilege as code or zero trust submissions. So the utilization of zero trust for the idea of security operations in both the control plane and the data plane is really taking off as well in the industry.
Britta Glade:
Yeah. The zero trust implementations and seeing what people are actually doing and hearing the examples, that's definitely something that's helpful to our audience at RSA Conference. Rich, I'm going to shift a question to you, and this also goes back to, you know, the way back machine and looking at, as we've introduced tracks and such to RSA Conference. I remember the year, it was probably also about four years ago, when we introduced AI and ML as a half track. And at that time, most of the sessions that were submitted were squarely focused in the SIEM space. That's where people were focusing that discussion.
Britta Glade:
And at this point, thematically, it's really stretched across lots of things, almost like when we were looking at cloud four years ago. And, oh, is there just an assumption that automation, AI, machine learning is going to just be a part of anything any enterprise is doing? How do you see those themes, so AI, ML and automation, reflected in cloud? And how would you see it further changing? What's going to happen here in the years to come?
Rich Mogull:
Yeah, I mean, I think one way I could probably put this is, I think if we move forward like 20 years and look back at the road behind us, I think it will be paved by the dead bodies of AI and ML attempts to resolve these issues. Yeah. And I don't mean to be cynical, I'm not always the puppy rainbow guy, but I think there's a lot of over-promising. It is a much harder problem than a lot of us, and a lot of what you would see on the show floor, will care to admit, to actually get value out of the AI and ML. It is doable, it's very difficult. Even if you just take a look at, for example, Amazon has their automated reasoning team which does a lot of this. For really simple things, such as: is an S3 bucket public? That is literally something that they have to use their own internal AI, ML for.
Rich Mogull:
And they're very deliberate and slow in how they release those AI, ML products versus the AI, ML platform components of it. So I do think that there's a lot of... We're going to see a lot of over-promising on that, and it may be helpful, you know, even as somebody who has input into my own organization's tooling and in our own products, that's something that we're always keeping an eye on, but it's got to be the right use cases. And most of what I've seen really over-promises and under-delivers, and another angle of that is even once you get it nailed down, depending on what you're doing, we've seen a lot of very interesting adversarial research. How to break AI and ML by putting things in there that can actually trick the system into giving responses that are unexpected.
Rich Mogull:
So that's that one area, I'm not totally against it. I think that where it will be successful is in very discrete use cases. And I think we see a lot of it kind of like general pattern matching stuff, and that's where it always kind of falls down, at least with the current technologies. Now automation's a different game and that's obviously a thing I've been passionate about for a decade. I think I started 10 years ago writing my first cloud security automations, and that's not an exaggeration. And it's the other half of what Shawn talked about. So as much as we are trying to shift everything into the pipeline, there's still always going to be a need to also manage the operational side of what's up and running. And it's the combination of fix it in the pipeline and then fix it in prod that I think is really going to help us mature our cloud security operations.
Rich Mogull:
And it's really hard to do right now because of those silos and stuff that we talked about before. The technologies aren't fully there to be able to handle that in a good way. And when they're combined together, we've seen vendors do M&A and acquire things that can cover both sides of the stack. You have to make some sacrifices on each side, but I don't think that's going to be like that much longer. I don't know if it's going to mature in a year, I think it'll take a bit longer than that, just as somebody who's had to like write code for some of these things. But I do think that that combination and kind of linking in the automation to, well, you detected the operational problem, you fix it and then issue a pull request that also fixes it in the pipeline, but then you have to know what the pipeline is, and you got to know what the changes are and if it's going to break something else. But there are ways to do that. It's just they're tricky problems, but I think they're solvable problems.
Shawn Harris:
I would agree, Rich, that on the AI, ML front, I do think that one of the discrete use cases that you talk about is a discrete use case that is probably going to be the first real benefit in market. And that is cloud authorization checks. So if Rich and Shawn are both senior security engineers at a company, Shawn and Rich both have the same level of authorizations. Rich uses those authorizations, Shawn does not. And so there are already a few companies out there looking at ways to automatically decrease Shawn's authorizations to avoid, and actually to get in front of, the idea of continuing to do a bit of the old process of user attestation requests. So I think that there's definitely going to be a discrete use case that's really going to be utilized.
Rich Mogull:
Yeah, no, I totally agree. The permissions, tracking those over time we already see that in use. And what I like about it is it's that you don't need crazy advanced ML models. I mean, there's some really straightforward kinds of things that you can do. And to be honest, that identity and access management realm is the one that I think is still our biggest problem and will be for a while. And it's also where a whole lot of people, including my own organization is kind of honing in on that to figure out ways to resolve it. And I think there's some really interesting things that are both out there, but I think there's a lot more coming. I mean, I've said it on Twitter and at conferences, when you get down to it, all cloud security failures are IAM failures and all IAM failures are governance failures. So anything we can do to help with those issues is going to go a really long way.
Britta Glade:
I'm hearing for sure we need a cloud security track for the foreseeable future too, so that's good. We won't need that discussion in future program committee meetings. Shawn, I'm taking you back to your very first statement that you made in and around threat modeling and looking at vulnerabilities. What specific cloud vulnerabilities would you warn about in the future? I'm not going to say cloudy with the chance of, because I know how much you love that analogy, but what ominous clouds are out there in 2022 that organizations need to pay attention to?
Shawn Harris:
One of my close friends works on the Top Threats Working Group for the Cloud Security Alliance. And I've been having some conversations with him as of late. What I see as one of the big top threats to the enterprise as part of cloud, and this is mostly SaaS, but there's a little bit of big three CSP here, and that is security through obscurity has reared its ugly head in 2021, 2020 and the foreseeable future, if we as cloud security professionals don't step in and help some of these companies. By obscurity, what I mean is several organizations utilize the idea that if I get a URL, a randomly generated URL, that randomly generated URL will give me whatever data is at the other end of that URL for the foreseeable future, with no timeline on how long that URL will work.
Shawn Harris:
So you can find randomly generated URLs with this security through obscurity methodology in several cloud service providers, many SaaS providers, and as they go and they market to your enterprise, you find, well, the enterprise is like, well, okay, so I don't have to deal with all that authentication stuff. Okay. This is great. But in reality, you've got a brute-forcible URL, and many of them are less random than you think. So there's definitely quite a few risks with utilizing many of those services.
Rich Mogull:
Yeah. I've got a friend, his name is Chris Farris. He works in cloud security and is kind of well known within the community. And his favorite phrase is, "The cloud is dark and full of horrors." And we are a little bit more getting to that point. And part of this is, I'm just going to be really cautious in how I word this, and Shawn and others will understand why I'm wording it the way I am. Not all cloud providers are created equal, not all look at security the same way, and this is especially true once you start looking beyond just Infrastructure as a Service as well. Although it is even a problem with Infrastructure as a Service.
Rich Mogull:
And we're now starting to see researchers and others figuring out two things. One is inherent vulnerabilities in some of the platforms, and in many cases these are subtle, but if you consider the fact that we now have critical infrastructure running on cloud that is subject to nation state attacks, it's a different ball game. It's a different ball... And there's no question that there's nation state attacks against these platforms. It is very well documented. It's not like private secret information or anything else.
Rich Mogull:
The other side of it, and the one that I think that a lot of people haven't really come to terms with, is the easiest thing to do is just attack, like, developers and admins on their systems. Like old school malware, now the first thing it's trying to do is pivot into cloud. And we saw that with the SolarWinds attack where they're taking SAML tokens and going up into Azure AD. It wasn't necessarily, I mean, they were doing all sorts of on-premise stuff, but they're like, "You got Azure. Oh, cool. We're going there now as well." And so we're seeing a new emphasis on all the problems that we've had in security, that we've kind of always had on our systems, but are now letting somebody go into the cloud.
Rich Mogull:
And the key difference in cloud is the management plane for your entire data center is now potentially internet accessible. And if you don't understand that and you don't secure that, those attacks on your distributed employees can be much more traumatic and damaging than they were back in the days when everything was kind of limited to your data center and an attacker couldn't just use credentials from wherever they wanted.
Rich Mogull:
So two parts: we are being more focused on some of the fundamental things in cloud, and there's been a lot of disclosures and releases. There's now increasing pressure on cloud providers, for example, to release CVEs for the vulnerabilities discovered on their platforms so people can figure out how to protect themselves. And then the other side is the pivoting is much more of a focus for attackers. Like that's just the core stuff they're trying to do now. Hey, I got a laptop. Let's see if I can get into their Amazon, Azure or Google.
Britta Glade:
So lots of cloudy with chances of all kinds of challenges ahead of us. Parting question to both of you, Rich, I'm going to start with you and then Shawn, what's the single most important thing for enterprises to do in 2022 in and around their cloud security strategy? If you had to boil it to one, what would be your word of wisdom?
Rich Mogull:
Focus on IAM, like, that's it. I mean, I'm not kidding, all the big public cloud security failures are not these like subtle vulnerabilities that have been released over the past few weeks or anything else. It's just somebody screws up their IAM, which is their cloud configuration. The misconfigurations, you know, it's fine. If you mess up a security group rule and somebody can compromise an instance or VM running in your environment, that's like old school network attack stuff. We already know how to manage those things, but managing and securing identity and access management, that is a critical part of the management plane. Focus on that. Turn on your MFA, get down to least privilege, like pay attention to that. Don't give devs admin access to absolutely everything. I mean, there's just piles and piles of work there that will take many organizations years to work through because it is legitimately difficult.
Shawn Harris:
I would say implementation governance. The concept that has occurred in our industry for cloud is that organizations can get a cloud service account and grant developers full access to that cloud service account and wait for the wonderful implementation that is created with no oversight. So oversight and governance in 2022 is going to be big. You know, Rich mentioned identity governance, that is, it's huge. As he just mentioned, being able to have full unfettered access to the cloud service account and being able to make decisions on the fly that negatively affect the security of the enterprise is now a very real thing.
Britta Glade:
Well, this has been a very rich, dense conversation here. Thank you so much, Rich and Shawn, for this conversation, and I'm really looking forward to the cloud security track at RSA Conference. I know you guys have called out some really amazing sessions. And listeners, thank you so much for joining us as well. To find products and solutions related to cloud security, we invite you to visit rsaconference.com/marketplace, where you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep this conversation going on your social channels using #RSAC, and be sure to visit rsaconference.com for new content posted year round. Gentlemen, thanks for joining.