Cloud Crunch

Episode · 6 months ago

S2E12: 5 Strategies to Maximize Your Cloud’s Value: Strategies 3 & 4 - Increase Your Cloud’s Security & Ensure Compliance

ABOUT THIS EPISODE

When thinking about ways to maximize the value of your cloud, two important factors to consider are security and compliance. These strategies go hand-in-hand but are vastly different. Security and compliance expert, Ken Weinreich, joins us today to discuss ways security and compliance can improve your cloud use.

...Evolve. Solve. Evolve. Welcome to Cloud Crunch, the podcast for any large enterprise planning on moving to, or in the midst of moving to, the cloud, hosted by the cloud computing experts from Second Watch: Ian Willoughby, Chief Architect, Cloud Solutions, and Skip Berry, Executive Director of Cloud Enablement. And now, here are your hosts of Cloud Crunch.

Welcome back, everybody. If you've missed the last couple of episodes, we've been talking about strategies you can use to increase the value of being on the cloud. Last week we discussed accelerating application development with DevOps. This week we want to consider two strategies that go hand in hand and that people often think of as interchangeable, although they're not. But more to come on that later. And also increasing your cloud's security and ensuring compliance. Today we're joined by Ken Weinreich, who is one of our colleagues. He's the galactic Executive Director of Managed Services. I say that because he is in charge of it not only worldwide, but much beyond that. Ken, welcome.

Thank you. Hey, welcome.

Yeah, Skip's good to be back. Yeah, Skip's here too this week on this episode, and we work pretty extensively with Ken out there in the field. He touches many, many large enterprise customers that we have, and so he has tremendous experience with what's going on in the trends out there. But obviously security is paramount for everybody. As we're recording this in late December 2020, there's been a lot of news about breaches by foreign actors, and obviously other state actors as well out there, corporate espionage, who knows what else is going on. So the threats are real, they're not slowing down. And so we were hoping that everybody does take their security very seriously. So Ken, let's just dive right into it. I'm gonna start off with just one question for you, and this helps me too, because I butcher this sometimes and I actually know better. But it will help us understand this. People often use the terms compliance and security interchangeably, but clearly there's a difference. Could you help our audience understand what the differences are, and frankly, me?

Sure. I mean, the way that I kind of always look at them to be different is compliance is really just a set of frameworks and standards and policies. It's how you're going to be secure and how you're going to prove that you're secure. And then security is obviously the controls and the mechanisms that you use to enforce those policies.

Well, that was pretty straightforward. Yeah. Good luck getting me to really understand that? Just kidding, huh? It's not. It isn't that complex, right? At the end of the day, I think, you know, as we evolve. And it's not really different in the cloud. Accurate statement?

I think so. I mean, a lot of the things transfer, you know, from your on-premise systems, or even not even enterprise IT. But obviously there are some things that are, you know, pretty unique to the way that the cloud operates. You know, the ephemeral nature of resources and whatnot. You might have to approach things a little bit differently.

So we did a survey recently. You know, for all of our enterprise customers, security is obviously top of mind for all the ones that we're dealing with. And I would imagine that holds true throughout enterprise. How do we tell executives and directors, vice presidents, all those that are concerned, you know, the cloud environment is truly secure?

Well, I mean, having a good plan is always a good place to start. I think it's kind of hard, uh, you know, in IT. I think a lot of us are used to building planes as they're flying, but that's not really what you want to do from a security perspective. You want to have a pretty good outline of what you want to do and how you're going to do it, and then execute upon it. So, you know, if you've got a good plan, you've got milestones, and you've got, you know, different things that you can point back to, and, you know, that's a good step towards security. I don't think you're ever really done. But, you know, you do something, do it well, and then you find the next thing to kind of continue to overall harden your environment, systems, whatever it might be.

So, Ken, you know, often what we get involved with initially is we're asked by our clients to kind of come in and say, help me understand where we are. Those types of engagements usually look like, um, an assessment. And what are some of the things that we can use in those assessments for our clients, or the people out there, so that they can really understand what's going on with the latest best practices or vulnerabilities? Then how do you approach some of the remediation activities with that?

There are, you know, a number of different tools that you're able to take advantage of that, you know, will give you an overall picture or landscape of where your environment matches up to common vulnerabilities, things that, you know, they've seen executed in the wild, or other vulnerabilities where, you know, you're not following industry best practices and standards. Those tools do a great job of kind of giving you an assessment of where you're at. There's obviously a lot of coordination and work that goes into remediating the findings of those, and then also the refinement. You know, any of the security tools will give you a very broad sense of what you could be doing. Some of those are applicable, you know, some of them are not. So, you know, having some experts with you to help you understand, you know, what makes sense to implement and how to implement it is really important. And, you know, then once you have a good idea of where you are and you can address some of the obvious deficiencies you might have in your environment, then you can start going out and being proactive in doing things like threat hunting and, you know, looking for problems before they find you.

So Ken, you just mentioned threat hunting. Can you explain to us what that is?

So sure, yeah. So threat hunting. I mean, there's a lot to it, but really, it's just an activity in which you have security analysts looking at your environment, and they're out there and they're actively either looking for potential vulnerabilities and then trying to exploit them on your behalf, or following the lead of, you know, maybe some detections that maybe are found in your environment that may or may not have been legitimate, and kind of tracing those back to see if they were maybe a more targeted attack. And there's things that you can do from a higher level to broaden security of your environment, so that includes penetration testing as an example. Penetration testing is a part of it. But, I mean, we're talking about cloud security, right? You kind of forget about some of the non-cloud things. Obviously, there's no data center that, you know, the majority of our clients need to be worried about, because, you know, the cloud vendor kind of handles that for you. But there are other, you know, the social aspect of this that you need to worry about, you know, things like phishing and spear phishing. You know, people targeting your business from one way or another that may not only be things that you could put technical pieces in place for. Like, some of this comes down to process and training, to make sure that, you know, the weakest link in anybody's security is really the people, so to make sure they understand what to look out for and how not to, you know, overexpose, you know, your client or your business. You know, we could spend a lot of time putting up different technical guardrails and safeguards to help protect your environment. But if you've got someone who has privileged access and they do something unwillingly or they're exploited, I mean, you can't put a lot of technical change around that. It's really consistent training.

No, no, you cannot. We've all heard those stories, of course, as well. And it's unfortunate. I think, yeah, awareness is very critical to that. From the world of managed, I know from a, you know, services engagement-wise, you know, we're usually on the leading edge of identifying, doing the assessment and what have you. What about ongoing, keeping our customers protected? What areas do you, how do you practice that from your perspective?

Yeah, we have some, from a security perspective and from a compliance perspective, we, you know, Second Watch does a lot for our clients there. A lot of clients like to have a separate entity doing their compliance, just from an auditing perspective. It makes it easier for them to say, you know, they bring in SOC, they're doing a SOC 2 assessment, and they want to point to another vendor and say, show me, you know, who accessed my environment, who you granted access to, why you granted them access. Show me the entire audit trail of how that's worked out. So one of the things we offer is we offer that service where, you know, we could be that trusted third party, essentially, so that our clients can have that auditability. And we also have a number of, from a security perspective, we have a number of offerings that we employ for our customers, everything from the most simple, where we're looking at industry best practices on how you're rotating keys and passwords, and, you know, what you're putting in security groups and whether or not you're making buckets public, all the way up to, you know, management of web application firewalls and having, like, a more broad look at the border of the cloud and what's happening. You're looking at traffic that's happening over the network, what's going in, what's going out, and, you know, looking at that for various threats, sifting through that data. And again, that's sort of where the threat hunt starts to come in, is when you've got a whole bunch of data that maybe doesn't look like it has been exploited or there's a vulnerability, but to take that data and then kind of look further to see if maybe there's something that could be exploited.

Although that's different than security, compliance is there as well. And some would call that the natural twin, I guess, of security. But deploying and managing cloud infrastructure obviously requires some new skills and tooling and software management and all those types of things. But let's talk about what we see out there as far as skill enhancements that companies really need to implement. Anything you're seeing out there again?

So there's, from a compliance perspective, we have partnered with some of our partners, and we've put some pieces in place as far as how you provision infrastructure in the cloud. I mean, one of the common patterns we see is with HashiCorp and Terraform, and using things like evolved to make sure that corporate policies are being applied to the cloud when things are being provisioned. Like, it's a lot easier to stop something from being deployed in a manner in which it's not safe, rather than detecting it as being vulnerable and remediating it after the fact. So from a compliance perspective, we like to look at that. That would be a new skill set, the idea of, like, linting prior to deployment.

Linting? What's linting?

Uh, you know, just as you could imagine a lint roller on your clothes, right, getting the lint off. It's kind of the same kind of analogy to when you're deploying things like code or infrastructure as code. In this case, you want to essentially apply policies against that code to make sure that the standards that have been defined are deployed, essentially guardrails keeping bad code from making it into the world.

So this is predominantly infrastructure as code. Yeah, you've mentioned HashiCorp, which we do work with as well, and a great platform for a lot of cloud activities, both security and compliance, of course, automation. What are some of the other automation things that you're seeing out there that are helpful to kind of reduce the level of effort in order to maintain compliance?

Uh, I mean, CI/CD pipelines are a great way to maintain compliance in the cloud. Um, kind of follows the same principles, but from a more continuous perspective. You know, deploying infrastructure that is ephemeral by nature is inherently a little bit more secure than having servers that are built and not touched and live around forever. And, you know, by being able to quickly redeploy or make changes to that infrastructure using something like a CI/CD pipeline, I think ultimately improves your cloud security, or your cloud health perspective. Because, you know, if you did find some type of vulnerability, it's really easy to change it, because everything is ephemeral.

Yeah, it's the, you know, the DevSecOps kind of scenario, right? From the onset, it's secure. So yeah, some, you know, bigger, I would say, managing methods, right? How do we maintain compliance going forward as the sprawl happens? And, you know, where we get into situations like, if you think of, like, you know, virtual machines for everybody, right? And people just widespread deploy them and everything. How do we go about keeping compliance in a big environment that just keeps on growing and growing? Is it different from traditional on-prem?

I mean, all of our clients are a little bit different. I don't know if it's inherently that different. You know, having someone who's responsible for keeping an eye on those things is very, very important, and, you know, continuing to do that. I think it's important to have someone be accountable and also to continue to hold them accountable, having regular check-ins, monthly, quarterly, where you're reviewing what has been done from a, you know, remediation perspective, what is being planned to be implemented, you know, to kind of be proactive in that nature, and, you know, regularly checking to make sure that your policies are making sense. One of the, you know, one of the leading causes, I think, of people deploying things, you know, shadow IT exists because policies were too strict, right? So, you know, I think it's important to take a look at those policies and those standards that you have, maybe not the policies, but the way in which you're implementing them in your environment, to make sure that they match your business needs. Because if you make it really hard, you know, for your engineers and builders to go and do what they need to do, they might find a way around it, and if they do that, then you kind of lose all of the strength that you have planning and building and putting those walls up. So reassessing is important, I think.

Good point. So there's a lot of different ways that you can kind of ensure your compliance and security and all those types of things. But from a compliance standpoint, for your cloud infrastructure, there's a lot of industry standards out there. Which ones are you seeing most frequently at this point?

Sure, yeah. So Second Watch is a SOC 2 audited company. We just finished our yearly SOC audit, you know, so that we could make that report available to all of our clients and potential clients. And so we implement that framework, and a lot of our clients do as well. You know, we see CIS in a lot of our client environments. They implement a lot of those frameworks, whether it be gold images or various other, like, cloud platform hardening techniques. We assist our clients in implementing those. And then NIST and PCI are available and prevalent in a number of our clients as well.

Interesting. Hopefully there's, uh, you know, not new legislation coming, but obviously it's continuous evolvement and refinement around these, right, educating ourselves. How about customers getting educated? I know from, you know, professional services engagements, we traditionally don't educate our customers in these spaces, but where we do, again, that analysis around compliance or what have you. What about from the managed side of the business, you know, to find opportunities to help customers evolve, adapt to whatever new, some of these are, when they're changing?

Yeah, we, so my team, you know, the managed services team at Second Watch, I've got a number of CISSP certified, you know, individuals on my team, and, you know, they act as a liaison to our clients to help them define some of these standards. And I mean, right, there is some education that we give them, like, we're there to be collaborative. We work, as you know, with our partners, which are our clients. You know, we partner with them, but we've even, you know, offered and extended that CISSP training to a few of our clients as well. I mean, they were interested in it when we were talking about it, and, you know, we find that getting them educated and kind of having them talk, you know, either on the same level as us or, you know, in the same ballpark really helps, because then they could turn around and champion that inside their own, you know, corporation, and it just kind of extends our reach to people to help them.

I think that's key, being able to have the same vernacular and parlance, you know, to give that to the customers to be armed with, to go have their discussions, you know, laterally, upward, et cetera. That's a great, uh, and not just a value add for Second Watch, a shameless plug, but just anybody that's considering these spaces, if you really understand what the jargon is and what the implications are, you know, you're doing yourself and your organization a real, a true service at that point. So good point. Now, looking forward to the future, obviously, Ken, you're out there dealing with this all the time. What are some of the trends, or it could be tools or anything? What excites you about what's coming out around security and compliance, or areas that you've been dabbling in the most?

Well, I mean, obviously it's a very busy time with the news as of late, right, with some of the tools that have been... Ah, yes. Yeah, so, I mean, there are a number of tools that I think are really interesting. Sentinel on Azure is a very interesting kind of a framework and platform that a lot of our clients are really starting to dive into. There's been a number of new AWS services that came out around re:Invent that kind of focus in more on the security and on the network of the cloud, which is, you know, in a public cloud you're always a little bit removed from how much data you can see and how exposed the network is. But, you know, all the cloud providers are starting to peel that back a little bit more, so that, you know, their clients are able to get a better understanding of what's happening, and you can feel better about putting safeguards in place there. So those are the things that I think are really interesting. I think we're starting to see the de-commoditization of the public cloud, and, you know, Amazon and Azure and Google, they're all starting to back up a little bit, and they're giving their clients the ability to use that infrastructure more like they're used to using, and less like a walled garden. I think that's gonna be good, because it allows you to, you know, make the changes as you think is best for you, and not, you know, what the CSP, as they call it, provides you.

Yeah. I mean, obviously, as a group, they're seeing so many threat activities going on that, I think, it's a great trend that they're starting to kind of lift up, let's see what's going on in there. So that's fantastic.

Yes, it is. Well, Ken, hey, I really want to thank you for your time. We know you're busy out there in the trenches dealing with obviously security, compliance, amongst other issues. But it's interesting to hear your perspective, so thanks for your time. Skip, always good to have you here. Likewise. Ian, Ken, thank you again as well. Thanks for having me.

So next week we're gonna take a look at a fifth and final strategy to increasing your cloud's value: reducing spend while accelerating application deployment. So thanks again, everybody, for tuning in. If you have any questions, comments or suggestions, please email us at cloudcrunch at second watch dot com. You've been listening to Cloud Crunch with Ian Willoughby and Skip Berry. For more information, check out the blog, second watch dot com slash company slash blog, or reach out to Second Watch on Twitter.
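The pre-deployment policy gate described in the episode (apply corporate policy to Terraform before anything is provisioned, rather than detect and remediate afterwards), as an added example that is not code from the episode, Second Watch or HashiCorp. It reimplements the idea in plain Python over the JSON that `terraform show -json` emits for a plan, rather than in a HashiCorp policy language, and checks two of the controls the guest mentions (public buckets, security group ingress); the policy values, port list and sample resources are constructed assumptions.

```python
import json, sys

# Hypothetical corporate policy values; assumptions made for this example.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}

def check_s3_bucket(address, after):
    """Policy 1: a bucket may not be created or updated with a public canned ACL."""
    if after.get("acl") in PUBLIC_ACLS:
        return [f"{address}: public ACL '{after['acl']}' is not allowed"]
    return []

def check_security_group(address, after):
    """Policy 2: no ingress rule may expose admin ports (or all traffic) to the internet."""
    findings = []
    for rule in after.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        open_to = sorted(cidrs & ANYWHERE)
        if not open_to:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if rule.get("protocol") == "-1":  # "-1" in the AWS provider means every protocol and port
            exposed = "all"
        if exposed:
            findings.append(f"{address}: ingress from {open_to} exposes ports {exposed}")
    return findings

POLICIES = {"aws_s3_bucket": check_s3_bucket, "aws_security_group": check_security_group}

def evaluate_plan(plan):
    """Return policy violations for every resource the plan would create or update."""
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # deletes and no-ops add no exposure ('after' is null on delete)
        check = POLICIES.get(rc.get("type"))
        if check:
            violations.extend(check(rc["address"], change.get("after") or {}))
    return violations

# Constructed sample in the shape `terraform show -json plan.out` emits; not a real environment.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "corp-logs", "acl": "public-read"}}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "corp-data", "acl": "private"}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"], "after": {"ingress": [
         {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
         {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_instance.old", "type": "aws_instance",
     "change": {"actions": ["delete"], "after": None}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    denials = evaluate_plan(plan)
    print("\n".join("DENY " + d for d in denials) or "PASS")
    sys.exit(1 if denials else 0)  # a non-zero exit blocks the pipeline stage
```

Run with a real plan file as the argument (`terraform plan -out plan.out && terraform show -json plan.out > plan.json`) to use it as a pipeline step; the sample plan produces two denials, the public bucket and the port 22 rule, while the HTTPS rule passes.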
