33/ ZACH MUSGRAVE
Engineering Manager, Infrastructure Security - Yelp
In our 1st episode of the cloud sec series, Teri provided an expert’s broad view of what’s happening with security in the public cloud. In this episode, Yelp’s Zach Musgrave does the opposite: we go into the trenches to understand what it takes to protect a fully cloud native business on a daily basis.
While Yelp was born in ‘04, 2 years before Amazon launched its first AWS service, it started its cloud native journey in 2013. Their early transition makes the company one of the longest tenured organizations who have defended a cloud native business at scale. Zach shares the fundamentals of how they work, from security team org structure and success measurement to key relationships across the company. We dig into the 2 different but critical aspects of security: 1) protecting the infrastructure (people & systems) and 2) policing the Yelp ecosystem itself (defending business operations).
Zach explains how DevSecOps at Yelp was adopted not out of buzzword compliance but plain necessity: the need to safeguard 500+ microservices in production simply breaks a traditional security model. We explore some of the misconceptions with DevSecOps and the amount of care and feeding it takes to make it successful. We also cover Yelp’s tooling which centers on generous amounts of open source and their own projects including their current work on the Enhanced Berkeley Packet Filter (eBPF).
We wrap up with some strong feelings about multi-cloud and readiness for the zombie apocalypse (they’re related, trust us) alongside forecasting the future for security tech as the cloud native tsunami rolls on. Spoiler: there’s no reprieve for old school network security.
Zach Musgrave leads the Infrastructure Security and Security Platform teams at Yelp. These teams manage risk, conduct incident response, and build systems to improve security posture. Covered mandates include data security, AWS cloud security, automated scanning, intrusion detection, and internal access control.
Before switching to security, Zach spent time as an engineer doing performance optimization, devops, observability, and various flavors of data engineering. Throughout it all, he has come to have a deep appreciation for the intricate interplay between business needs and risk prioritization within a rapidly evolving organization.
Zach received an M.S. in Computer Science and Engineering from the University of Michigan. Back in the day, he was an English major.