100% SIGNAL PODCAST

There are great stories in the security industry that aren’t being told. Fascinating people who fly below the radar and aren’t being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Every time we think “I wish I had recorded that conversation so that everyone could hear it…” Our goal with Security Voices is to provide a place for clear-headed dialogue with great people that’s unencumbered by the hyperbole and shouting that’s far too common in security circles. We don’t have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise, so we don’t have either. We’re aiming for 100% clear signal.

Got feedback? Drop us an email: info@securityvoices.org


34/ RICH MOGULL

Rich Mogull- CEO/Securosis, CISO/DisruptOps

Our conversation with Rich Mogull was intended to provide an analyst’s viewpoint on public cloud security. While Rich certainly delivered on this promise, the episode turned into something more important: therapy.


If you find yourself wondering whether you’re burnt out from cyber security and life in general, this is for you. Our conversation with Rich starts with the work he does in disaster response, focusing on his recent time responding to the COVID-19 pandemic as a paramedic. He explains how key concepts of anti-fragility from responder culture such as “trench foot” and “changing your socks” also apply to the rough and tumble world of cyber security, especially in assessing yourself for burnout.


If you find yourself drowning in work and straining to catch up to the rest of the organization’s push to the public cloud, this is for you. We discuss how this happens quite naturally in most places, resulting in a dysfunctional norm of security teams inadvertently being left behind but still responsible for protecting the public cloud. Rich lays out a recipe for getting back on track, starting with making sure it simply isn’t time to throw in the towel and find a better gig.


If multi-cloud seems impossible to defend with the skills and resources you have, you’re probably right. Rich takes us through the mind-boggling complexity of what it takes to stay on top of a single public cloud environment, let alone several. He doesn’t mince words in his unflattering assessment of the challenges with all 3 major cloud service providers: Amazon, Google & Microsoft.

We wrap up with a hopeful look at what lies ahead for protecting the public cloud. Rich and Dave share examples of how long-standing problems such as re-architecting are now solvable and how operational challenges can truly be simplified when mantras like “shift left” move from buzzword bingo to new reality.


About Rich

Rich is the CEO of Securosis, a security research and analysis firm, and the CISO of DisruptOps, a cloud security automation platform based on his research. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having started working hands-on in cloud nearly 10 years ago. He is also the principal course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. He is also an active disaster response paramedic.


33/ ZACH MUSGRAVE

Engineering Manager, Infrastructure Security - Yelp

In our first episode of the cloud sec series, Teri provided an expert’s broad view of what’s happening with security in the public cloud. In this episode, Yelp’s Zach Musgrave does the opposite: we go into the trenches to understand what it takes to protect a fully cloud native business on a daily basis.


While Yelp was born in ’04, 2 years before Amazon launched its first AWS service, it started its cloud native journey in 2013. Their early transition makes the company one of the longest-tenured organizations that have defended a cloud native business at scale. Zach shares the fundamentals of how they work, from security team org structure and success measurement to key relationships across the company. We dig into the 2 different but critical aspects of security: 1) protecting the infrastructure (people & systems) and 2) policing the Yelp ecosystem itself (defending business operations).


Zach explains how DevSecOps at Yelp was adopted not out of buzzword compliance but plain necessity: the need to safeguard 500+ microservices in production simply breaks a traditional security model. We explore some of the misconceptions about DevSecOps and the amount of care and feeding it takes to make it successful. We also cover Yelp’s tooling, which centers on generous amounts of open source and their own projects, including their current work on the Enhanced Berkeley Packet Filter (eBPF).


We wrap up with some strong feelings about multi-cloud and readiness for the zombie apocalypse (they’re related, trust us) alongside forecasting the future for security tech as the cloud native tsunami rolls on. Spoiler: there’s no reprieve for old school network security.


About Zach

Zach Musgrave leads the Infrastructure Security and Security Platform teams at Yelp. These teams manage risk, conduct incident response, and build systems to improve security posture. Covered mandates include data security, AWS cloud security, automated scanning, intrusion detection, and internal access control.


Before switching to security, Zach spent time as an engineer doing performance optimization, devops, observability, and various flavors of data engineering. Throughout it all, he has come to have a deep appreciation for the intricate interplay between business needs and risk prioritization within a rapidly evolving organization.


Zach received an M.S. in Computer Science and Engineering from the University of Michigan. Back in the day, he was an English major.


32/ TERI RADICHEL

Chief Executive Officer, 2nd Sight Lab

Initially led by software as a service (SaaS), the transition to the public cloud is one of the most important changes we’ve witnessed in information technology to date. From the early days of SaaS to the current stage, where adoption of infrastructure, platform and function as a service (IaaS, PaaS, FaaS) is catching on like wildfire, there’s an increasing awareness that at the end state of this shift few aspects of how we do our jobs will be unchanged. This Security Voices episode is the first of five where we dig into the details of how the public cloud is transforming cybersecurity.


Teri Radichel joins us to explain key concepts in public cloud technology, the differences from on-premises, migration options and more. If you’ve ever wondered what is meant by “lift and shift” or “cloud native”, this is for you. Teri’s background as a trainer, author and researcher shines through: she describes broad concepts in easily understood terms, but she also doesn’t spare the details for those who are already cloud savvy.


Beyond the core concepts, Teri compares and contrasts the security models across Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). As she walks us through the differences between the three platforms, you get a sense of the complexity faced by those straddling an on-premises environment as well as the public cloud, not to mention several clouds at once. From networking to identity and access management models, no cloud service provider is quite like the other. Moreover, the fierce competition between Google, Microsoft and Amazon is driving such rapid changes in their platforms that any grip you have on exactly how things are is a slippery one at best.


In spite of the challenges, Teri explains her belief that one can achieve better security in the cloud than on-premises. Doing so requires thinking differently, however, such as Teri’s advice to handle data as we would handle money. We hope this episode lays the groundwork for understanding the current state of public cloud security, as in the next show we dive into the trenches with a cloud security practitioner at Yelp.

About Teri

Teri Radichel has helped thousands of companies with cloud security through consulting, writing, research, and training. Teri is the founding organizer of the Seattle AWS Architects and Engineers Meetup, which has nearly 3000 members. She helped Capital One move production workloads to AWS. At another company, Teri led a team of 30 people in two counties and architected a SaaS IoT solution for firewalls connecting to the cloud. Her team implemented a secure CI/CD pipeline based on her whitepaper on event-driven security. She then moved into security research, writing articles for publications such as Light Reading and Infosecurity Magazine, and reverse engineering malware.

Teri is the CEO of 2nd Sight Lab and has helped companies from startups to Fortune 100 with cloud security assessments, pentests, audits, and training. Teri presents on cloud security at conferences such as RSA, AWS re:Invent, AWS re:Inforce, IANS Security Forums, Countermeasure, SANS Networking, SANS Cloud Summit, and BSides. She received the SANS Difference Makers Award for cloud security innovation. She writes a blog called Cloud Security and has written a book, Cybersecurity for Executives. You can follow her on Twitter @teriradichel.


© 2019 Security Voices.org