Cloud Crunch

Episode · 1 year ago

S2E12: 5 Strategies to Maximize Your Cloud’s Value: Strategies 3 & 4 - Increase Your Cloud’s Security & Ensure Compliance

ABOUT THIS EPISODE

When thinking about ways to maximize the value of your cloud, two important factors to consider are security and compliance. These strategies go hand-in-hand but are vastly different. Security and compliance expert, Ken Weinreich, joins us today to discuss ways security and compliance can improve your cloud use.

Involve, solve, evolve. Welcome to Cloud Crunch, the podcast for any large enterprise planning on moving to, or in the midst of moving to, the cloud, hosted by the cloud computing experts from Second Watch: Ian Willoughby, chief architect, Cloud Solutions, and Skip Berry, executive director of Cloud Enablement. And now here are your hosts of Cloud Crunch.

Welcome back, everybody. If you've missed the last couple of episodes, we've been talking about strategies you can use to increase the value of being on the cloud. Last week we discussed accelerating application development with DevOps. This week we want to consider two strategies that go hand in hand and that people often think of as interchangeable, although they're not. But more to come on that later. And also: increasing your cloud's security and ensuring compliance. Today we're joined by Ken Weinreich, who is one of our colleagues. He's the galactic executive director of Managed Services. I say that because he is in charge of it not only worldwide, but much beyond that. Ken, welcome. Thank you. Hey, welcome. Yeah, Skip's good to be back. Yeah, Skip's here this week on this episode, and we work pretty extensively with Ken out there in the field. He touches many, many large enterprise customers that we have, and so he has tremendous experience with what's going on in the trends out there. But obviously security is paramount for everybody. As we're recording this in late December 2020, there's been a lot of news about breaches by foreign actors, and obviously other state actors as well out there, corporate espionage, who knows what else is going on. So the threats are real, they're not slowing down, and so we were hoping that everybody does take their security very seriously. So Ken, let's just dive right into it. I'm gonna start off with just one question for you, and this helps me, too, because I butcher this sometimes and I actually know better. But it will help us understand this. People often use the terms compliance and security interchangeably, but clearly there's a difference. Could you help our audience understand what the differences are, and frankly, me?

Sure. I mean, the way that I kind of always look at them to be different is compliance is really just a set of frameworks and standards and policies. It's how you're going to be secure and how you're going to prove that you're secure. And then security is obviously the controls and the mechanisms that you use to enforce those policies. Well, that was pretty straightforward. Yeah. Good luck getting me to really understand that? Just kidding, huh? It isn't that complex, right? At the end of the day, I think, you know, as we evolve, it's not really different in the cloud. Accurate statement, Ken? I think so. I mean, a lot of the things transfer, you know, from your on-premise systems, or even non-enterprise IT. But obviously there are some things that are, you know, pretty unique to the way that the cloud operates, you know, the ephemeral nature of resources and whatnot. You might have to approach things a little bit differently. So we did a survey recently. You know, for all of our enterprise customers, security is obviously top of mind for all the ones that we're dealing with, and I would imagine that holds true throughout enterprise. How do we tell executives and directors, vice presidents, all those that are concerned, you know, that the cloud environment is truly secure? Well, I mean, having a good plan is always a good place to start. I think it's kind of hard, uh, you know, in IT, I think a lot of us are used to building planes as they're flying, but that's not really what you want to do from a security perspective. You want to have a pretty good outline of what you want to do and how you're going to do it, and then execute upon it.
So, you know, if you've got a good plan, you've got milestones, and you've got, you know, different things that you can point back to, and, you know, that's a good step towards security. I don't think you're ever really done. But, you know, you do something, do it well, and then you find the next thing to kind of continue to overall harden your environment, systems, whatever it might be.

So, Ken, you know, often what we get involved with initially is we're asked by our clients to kind of come in and say, help me understand where we are. Those types of engagements usually look like, um, assessments. And what are some of the things that we can use in those assessments for our clients, or the people out there, so that they can really understand what's going on with the latest best practices, or vulnerabilities? Then how do you approach some of the remediation activities with that?

There are, you know, a number of different tools that you're able to take advantage of that, you know, will give you an overall picture or landscape of where your environment matches up to common vulnerabilities, things that you know they've seen executed in the wild, that are other vulnerabilities, that you know you're not following industry best practices and standards. Those tools do a great job of kind of giving you an assessment of where you're at. There's obviously a lot of coordination and work that goes into remediating the findings of those, and then also the refinement. You know, any of the security tools will give you a very broad sense of what you could be doing. Some of those are applicable, you know, some of them are not, so, you know, having some experts with you to help you understand, you know, what makes sense to implement and how to implement it is really important. And, you know, then once you have a good idea of where you are and you can address some of the obvious deficiencies you might have in your environment, then you can start going out and being proactive in doing things like threat hunting and, you know, looking for problems before they find you.

So Ken, you just mentioned threat hunting. Can you explain to us what that is? So sure, yeah, so threat hunting. I mean, there's a lot to it, but really, it's an activity in which you have security analysts looking at your environment, and they're out there and they're actively either looking for potential vulnerabilities and then trying to exploit them on your behalf, or following the lead of, you know, maybe some detections that maybe are found in your environment that may or may not have been legitimate, and kind of tracing those back to see if they were maybe a more targeted attack. And there's things that you can do from a higher level to broaden security of your environment, so that includes penetration testing as an example. Penetration testing is a part of it. But, I mean, we're talking about cloud security, right? You kind of forget about some of the non-cloud things. Obviously, there's no data center that, you know, the majority of our clients need to be worried about, because, you know, the cloud vendor kind of handles that for you, but there are others. You know, the social aspect of this that you need to worry about, you know, things like phishing and spear phishing, you know, people targeting your business from one way or another, that may not only be things that you could put technical pieces in place for. Like, some of this comes down to process and training, to make sure that, you know, the weakest link in anybody's security is really the people, so to make sure they understand what to look out for and how not to, you know, overexpose, you know, your client or your business. You know, we could spend a lot of time putting up different technical guardrails and safeguards to help protect your environment. But if you've got someone who has privileged access and they do something unwillingly or they're exploited, I mean, you can't put a lot of technical change around that. It's really constant training.

No, no, you cannot. We've all heard those stories, of course, as well, and it's unfortunate. I think, yeah, awareness is very critical to that. From the world of managed services, I know from a, you know, services engagement standpoint, we're usually on the leading edge of identifying, doing the assessment and what have you. What about ongoing, keeping our customers protected? What areas do you, how do you practice that from your perspective?

Yeah, we have some. From a security perspective and from a compliance perspective, we, you know, Second Watch does a lot for our clients there. A lot of clients like to have a separate entity doing their compliance, just from an auditing perspective, it makes it easier for them to say, you know, they bring in SOC, they're doing a SOC 2 assessment, and they want to point to another vendor and say, show me, you know, who accessed my environment, who you granted access to, why you granted them access. Show me the entire audit trail of how that's worked out. So one of the things we offer is that service where, you know, we could be that trusted third party, essentially, so that our clients can have that auditability. And we also have a number of, from a security perspective, we have a number of offerings that we employ for our customers, everything from the most simple, where we're looking at industry best practices on how you're rotating keys and passwords, and, you know, what you're putting in security groups and whether or not you're making buckets public, all the way up to, you know, management of web application firewalls and having, like, a more broad look at the border of the cloud and what's happening. You're looking at traffic that's happening over the network, what's going in, what's going out, and, you know, looking at that for various threats, sifting through that data. And again, that's sort of where the threat hunting starts to come in, is when you've got a whole bunch of data that maybe doesn't look like it has been exploited or there's a vulnerability, but to take that data and then kind of look further to see if maybe there's something that could be exploited.

Although that's different than security, compliance is there as well, and some would call that the natural twin, I guess, to security. But deploying and managing cloud infrastructure obviously requires some new skills and tooling and software management and all those types of things. But let's talk about what we see out there as far as skill enhancements that companies really need to implement. Anything you're seeing out there? Again, so, there's, from a compliance perspective,
we have partnered with some of our partners, and we've put some pieces in place as far as how you provision infrastructure in the cloud. I mean, one of the common patterns we see is with HashiCorp and Terraform, and using things like evolved to make sure that corporate policies are being applied to the cloud when things are being provisioned. Like, it's a lot easier to stop something from being deployed in a manner in which it's not safe, rather than detecting it as being vulnerable and remediating it after the fact. So from a compliance perspective, we like to look at that. That would be a new skill set, the idea of, like, linting prior to deployment. Linting. What's linting? Uh, you know, just as you could imagine a lint roller on your clothes, right, getting the lint off. It's kind of the same kind of analogy to when you're deploying things like code, or infrastructure as code in this case. You want to essentially apply policies against that code to make sure that the standards that have been defined are deployed, essentially guardrails, to keep bad code from making it into the world. So this is predominantly infrastructure as code. Yeah. You've mentioned HashiCorp, which we do work with as well, and a great platform for a lot of cloud activities, both security and compliance, of course, automation. What are some of the other automation things that you're seeing out there that are helpful to kind of reduce the level of effort in order to maintain compliance? Uh, I mean, CI/CD pipelines are a great way to maintain compliance in the cloud. Um, it kind of follows the same principles, but from a more continuous perspective. You know, deploying infrastructure that is ephemeral by nature is inherently a little bit more secure than having servers that are built and not touched and live around forever. And, you know, being able to quickly redeploy or make changes to that infrastructure, using something like a CI/CD pipeline, I think ultimately improves your cloud security, or your cloud health, from that perspective. Because, you know, if you did find some type of vulnerability, it's really easy to change it because everything is ephemeral. Yeah, it's the, you know, the DevSecOps kind of scenario, right? It's from the onset.

It's secure. So yeah, some, you know, bigger, I would say, managing methods, right? How do we maintain compliance going forward as the sprawl happens? And, you know, where we get into situations like, if you think of, like, you know, virtual machines for everybody, right? And people just widespread deployed and everything. How do we go about keeping compliance in a big environment that just keeps on growing and growing? Is it different than traditional on-prem? I mean, all of our clients are a little bit different. I don't know if it's inherently that different. You know, having someone who's responsible for keeping an eye on those things is very, very important, and, you know, continuing to do that. I think it's important to have someone be accountable and also to continue to hold them accountable, having regular check-ins, monthly, quarterly, where you're reviewing what has been done from a, you know, remediation perspective, what is being planned to be implemented, you know, to kind of be proactive in that nature, and, you know, regularly checking to make sure that your policies are making sense. One of the, you know, one of the leading causes, I think, of people deploying things, you know, shadow IT exists because policies were too strict, right? So, you know, I think it's important to take a look at those policies and those standards that you have, maybe not the policies, but the way in which you're implementing them in your environment, to make sure that they match your business needs. Because if you make it really hard, you know, for your engineers and builders to go and do what they need to do, they might find a way around it, and if they do that, then you kind of lose all of the strength that you have planning and building and putting those walls up. So reassessing is important, I think. Good point. So there's a lot of different ways that you can kind of ensure your compliance and security and all those types of things.

But from a compliance standpoint, for your cloud infrastructure, there's a lot of industry standards out there. Which ones are you seeing most frequently at this point? Sure, yeah, so Second Watch is a SOC 2 audited company. We just finished our yearly SOC audit, you know, so that we could make that report available to all of our clients and potential clients. And so we implement that framework, and a lot of our clients do as well. You know, we see CIS in a lot of our client environments. They implement a lot of those frameworks, whether it be gold images or various other, like, cloud platform hardening techniques. We assist our clients in implementing those, and then NIST and PCI are available and prevalent in a number of our clients as well. Interesting. Hopefully there's, uh, you know, not new legislation coming, but obviously it's continuous involvement and refinement around these, right, educating ourselves. How about customers getting educated? I know from, you know, professional services engagements, we traditionally don't educate our customers in these spaces, but where we do, again, that analysis around compliance or what have you. What about from the managed side of the business, you know, to find opportunities to help customers evolve, adapt to whatever new some of these are when they're changing? Yeah, so, my team, you know, the managed services team at Second Watch, I've got a number of CISSP certified, you know, individuals on my team, and, you know, they act as a liaison to our clients to help them to find some of these standards, and, I mean, right there is some education that we give them, like where it's, we're there to be collaborative. We work, as you know, with our partners, which are our clients. You know, we partner with them, but we've even, you know, offered and extended that CISSP training to a few of our clients as well.
I mean, they were interested when we were talking about it, and, you know, we find that getting them educated and kind of having them talk, you know, either on the same level as us or, you know, in the same ballpark really helps, because then they can turn around and champion that inside their own, you know, corporation, and it just kind of extends our reach to help them. I think that's key, being able to have the same vernacular and parlance, you know, to give that to the customers to be armed with, to go have their discussions, you know, laterally, upward, etcetera. That's a great, uh, and not just a value add for Second Watch as a shameless plug, but just anybody that's considering these spaces, to really understand what the jargon is and what the implications are. You know, you're doing yourself and your organization a real, a true service at that point. So good point.

Now, looking forward to the future, obviously, Ken, you're out there dealing with this all the time. What are some of the trends, or it could be tools or anything? What excites you about what's coming out around security and compliance, or areas that you've been dabbling in the most? Well, I mean, obviously it's a very busy time with the news as of late, right, with some of the tools that have been... Ah, yes, yeah. So, I mean, there are a number of tools that I think are really interesting. Sentinel on Azure is a very interesting kind of a framework and platform that a lot of our clients are really starting to dive into. There's been a number of new AWS services that came out around re:Invent that kind of focus in more on the security and on the network of the cloud, which is, you know, in a public cloud you're always a little bit removed from how much data you can see and how exposed the network is. But, you know, all the cloud providers are starting to peel that back a little bit more so that, you know, their clients are able to get a better understanding of what's happening, and you can feel better about putting safeguards in place there. So those are the things that I think are really interesting. I think we're starting to see the de-commoditization of the public cloud, and, you know, Amazon and Azure and Google, they're all starting to back up a little bit, and they're giving their clients the ability to use that infrastructure more like they're used to using it and less like a walled garden. I think that's gonna be good, because it allows you to, you know, make the changes as you think is best for you and not, you know, what the CSP, the cloud provider, gives you. Yeah. I mean, obviously, as a group, they're seeing so many threat activities going on that I think it's a great trend that they're starting to kind of lift up, let's see what's going on in there. So that's fantastic. Yes, it is.

Well, Ken, hey, I really want to thank you for your time. We know you're busy out there in the trenches dealing with, obviously, security, compliance, amongst other issues. But now it's interesting that we hear your perspective, so thanks for your time. Skip, always good to have you here. Likewise, Ian. Ken, thank you again. As well, thanks for having me. So next week we're gonna take a look at a fifth and final strategy to increasing your cloud's value: reducing spend while accelerating application deployment. So thanks again, everybody, for tuning in. If you have any questions, comments or suggestions, please email us at cloudcrunch@secondwatch.com. You've been listening to Cloud Crunch with Ian Willoughby and Skip Berry. For more information, check out the blog at secondwatch.com/company/blog, or reach out to Second Watch on Twitter.
