Episode Transcript
[00:00:00] Speaker A: Todd, what an absolute pleasure to have you on the show today. Thank you for joining.
[00:00:04] Speaker B: Thank you, Ari. I really appreciate the opportunity to be here.
[00:00:08] Speaker A: I'm going to jump right in. Over the last 20 to 30 years, the shift to the cloud has brought some pros and cons. And I'll quote a movie and say nobody really understands the cloud. So let's jump into that a little bit. And I want to look at this from a security perspective. What have we gained and lost in this transition to the cloud?
[00:00:31] Speaker B: Well, I think the most important thing we've gained is one leg of the security triad, which is really availability. There are certainly other benefits to the cloud, but I think from a security perspective, you know, you have confidentiality, integrity and availability.
You know, when you use AWS or Google Cloud computer, one of their basic guarantees is that if you spend enough money, we'll make sure your stuff is 100% available or, you know, five nines or whatever your SLA actually is. But it's usually much higher than you could get on your own. So I think that's been a huge advantage. I think certainly at the smaller end of the scale and the higher end of the scale, you have economies of scale that you didn't have when you ran your own data center for everything. But I think we've lost a couple of things. We've lost control of our security and privacy in a lot of ways. It's very much a black box. I would say that the one thing I would say remind everybody is that the cloud is not servers in the sky. You are renting somebody else's computers, their networks, their data center. And so at the end of the day, you are extending trust to them. But you don't have a right of inspection. For the most part, you take it on faith that they're doing the right things. And so there are certain things that you can't do in the cloud or that you have to do differently, which is why a lot of times the government has to use GovCloud instead of the commercial side of the house and things like that. And while you're starting to see a rise in products that focus on. And when I say client, in this case, I really mean, you know, the hyperscalers' customers, the cloud providers' customers, where the encryption and the data, some of the data processing is done by the customers before it's even shared with the cloud provider just to solve that problem. And then you have folks like 37signals that are kind of going in the other direction and saying, no, we're pulling all our stuff back in house. We're, we're going back to the data center model. So I think it's a net win for most people most of the time. But I think on the security front and on the, certainly on the understanding the pricing models trend, they're all very transparent about it.
But it's very difficult to calculate 12 dimensions of cost with any accuracy. So I think that's. We've lost that too.
[00:03:18] Speaker A: Yeah, there's a little bit of a bait and switch happening there. Right. Because when you're small and you have very little computing needs and very little, I would say, networking needs, that's a big cost driver. Then you're like, oh, this is great. My bill's $100. But then when you start growing, you're like, well, hold on, this would be cheaper if I would do it myself.
So you kind of lose that ability. I had a CTO that said that Lambda is the biggest scam because it's really their ability to lock you into their platform. You know, I'm not sure I agree with that argument, but it definitely is an aspect of it to a certain degree.
[00:03:52] Speaker B: Absolutely. But the bigger bait and switch, I think, is the idea that the cloud reduces the labor cost. And it does at certain scales. Right. If you don't have a big IT department, you know, running, you know, your security department can, can run some of the AWS tools, for example, to do logging and analytics and whatever. But past a certain point, I mean, you need people to run your EC2 compute instances and your logging infrastructure and to put the firewalls and load balancers in your cloud network. So you haven't done away with networking. You've just shifted who owns the actual physical network from who has to manage it. AWS dedicates several pages, for example, to their split responsibility model. But I don't think that that gets talked about a lot when people make this strategic decision. And maybe, maybe that's part of what's been lost too.
[00:04:56] Speaker A: Yeah, that's an incredibly important point. I want to come back to the split responsibility model because I think that's really important for executives to understand. But before that, a critical point is that when we just had our own IT, we were, we had, you know, millions of different methods of doing things. It was, it was a form of security through obscurity in some way. The problem is now we've consolidated it incredibly. So we have everything running on basically three large platforms.
[00:05:28] Speaker B: Yeah.
[00:05:29] Speaker A: What that means is that hacking those platforms, finding a vulnerability there, the payout is huge.
Is this something you think that you're, we're going to see in the future? People saying, okay look, I want to go away from this consolidated risk?
[00:05:45] Speaker B: I, you know, it's funny, I know what you're talking about. This argument has been around since Microsoft rose to prominence, and the idea of a monoculture, yes, I think is an important one. However, having said that, I still think that there's enough variation and complexity, especially when, when you, when you count not just the three, the big three, but, but you know, without intending any slight to them, I, I happen to like them, you know, but the second tier providers, DigitalOcean, Rackspace, Heroku, and some of those are actually running on, you know, AWS or Azure infrastructure too. And so, but, but at the end of the day they're, they're, they, there are enough layers and enough complexity. In the early days when, you know, AWS was EC2 and S3 and a handful of other services, I think that argument carried a lot more weight than now that it's 200 and some separate services.
And quite frankly, a lot of people who are using Compute instances are really still running data centers. They're just running it in the cloud. I don't know that that's the biggest risk to security. It's a risk, but I think it falls out of maybe the top five or ten biggest items of risk, which are I think a little bit more associated with the fact that you are renting other people's computers.
[00:07:20] Speaker A: That brings me to my follow up question. What should we be thinking about when it comes to the top risk elements? Right. How should we even look at the ecosystem or lay of the land?
[00:07:31] Speaker B: There's a pure security answer to that and then there's a business focused answer to that. And if you want to complicate matters further, there's a customer and privacy perspective to that as well. So there are a couple of lenses you can put on that. And I think that the traditional way that we have thought about security goes away in the cloud. The idea that there's a perimeter, the idea that you can control everybody who potentially has access to your systems isn't really true in the cloud, no matter, no matter what the cloud providers say. However, from the standpoint of the average company's ability to do a reasonable job with fewer dedicated resources and to address some of those core security concerns in some prepackaged ways, I think that's actually improved with cloud infrastructure. And I'm not necessarily defending that as the gold standard, but I'm saying that some of the things that you used to see all the time in the industry, you know, basically people not changing the default passwords on their routers and just really basic things like that, are less of a problem now because I think the cloud providers layer on identity management and multifactor authentication and things like that for at least the administrators of the accounts by default in most cases, which I don't think necessarily always is top of mind when you're doing it in house.
[00:09:15] Speaker A: That's a really important point because it's true that we're consolidating risk, but we're also consolidating protection efforts. When you think about it, you know, there is, there are very few private companies that will pay a million dollars to pen testers to succeed to penetrate their environment. Right. Like nobody's doing that except for the big three. And, you know, nobody has the size of the security teams that are rolling out mandatory policies to make sure that you're secure. The chances that you will be vulnerable just by making a mistake is huge if you're running your own infrastructure. But that brings me back to this idea of the shared accountability, right?
[00:09:52] Speaker B: Yes.
[00:09:52] Speaker A: On the one hand, you know, I'm managing the configuration of my system. I might, you know, and I apologize for name dropping some AWS techniques, but, you know, I might not have GuardDuty turned on. I might not have, you know, Inspector turned on. I might not have all these things or be paying attention to them. So how does that basically balance out what I'm doing versus what Amazon's doing? I mean, the patching of my servers at the end of the day is my responsibility.
[00:10:18] Speaker B: Yes. And this is kind of the modern question, right? This is the 21st century problem that we're all looking at, which is that at the end of the day, a lot of the things that we are outsourcing from a business perspective is risk. Right. There are three things you can do with risk. You can mitigate it, you can accept it, or you can transfer it. And to some extent, I think businesses believe, whether or not it's true, they believe they are transferring most of these risks to the cloud. And to some extent the cloud providers, yes, if you know where to look, they're very clear about what is really being transferred and what is not. But they are also selling mitigations, right? Hey, your stuff gets, you know, somebody hacks into your system and steals your data or defaces your website or whatever, and you've paid for Amazon Glacier or other things. You've got recovery options. And again, these are things that would just be another cost center in house. And so it doesn't do away with those business continuity risks and those security risks, but it opens the door, at least to, on some level, prepackaging the solutions as well. The reason I'm not cheering that more though is that the underlying issue of security being seen purely as a cost center is no better and possibly no worse under the modern cloud paradigm than it was before. But it's definitely not something that I think most companies are really thinking about. They're thinking about compliance when they outsource this stuff. And AWS, and I keep saying AWS because they're the top of mind, right? They're the 800 pound gorilla. But Azure, Google Cloud, all of the others, they are essentially selling compliance. And if you look at their compliance pages, they have dozens of certifications. We comply with this, we comply with it, we're HIPAA compliant, we're PCI compliant, we're of these things. Right. But compliance is not security.
[00:12:39] Speaker A: And hold on, let's, let's back into that for a second.
[00:12:43] Speaker B: Sure.
[00:12:44] Speaker A: That was a non trivial understanding that I had when I went through my first ISO 27001 working with the consultant. I would argue that compliance sometimes is security, but sometimes it's, it's not at all. So break this down for us, you know.
[00:13:01] Speaker B: Sure.
[00:13:01] Speaker A: When is compliance security? What are the, what are the risks of just being compliant with really not improving your security posture?
[00:13:10] Speaker B: Well, you know, arguing by allegory and similes is always a little risky. But there's a great meme on the Internet and anybody who takes five minutes can find it. There was, there's a picture, there's a closeup picture of a gate with a lock on it and underneath it says compliant. And then it pans back and you see that the gate is standing in the middle of a field and there's no fence and they're like, no security because. Right. I mean, a lot of times compliance is a checklist. You either do it or you don't do it. And a lot of the compliance items are related to security. Right. If you're doing these things, you have met some security objective. So I don't want to imply that every security framework or compliance framework is worthless, just that it's insufficient by itself. It's a piece of what makes us secure. And so when companies think just in terms of compliance and some things are more security oriented than others.
Great case in point being SOC audits, which aren't even. They're really reports. Right. But people treat them like they're the gold standard of security auditing. And from a business perspective, you have to have them, but they don't actually guarantee anything other than the fact that in, you know, third party says that management is doing what management says they're doing.
[00:14:53] Speaker A: That's incredibly important. Really what these audits are, ISO, SOC and others, is say what you're going to do and then do it, right? There is no measurement of the level to which you're doing it properly. In fact, in the audit processes, what they're going to do is they're going to say, okay, just show me evidence that you're doing what you said you were doing. That's it. So my argument is compliance is really level zero. It's a language for us to talk about in terms of, you know, what are the different buckets that we need to think about.
[00:15:27] Speaker B: Yes.
[00:15:28] Speaker A: And then from there, the maturity of your security posture. I don't know that there is a great way for us to measure that today.
[00:15:36] Speaker B: Well, you know, you just hit on something that is kind of a soapbox of mine, which is that we don't measure process maturity. I'm not saying practitioners don't, I'm not saying experts don't. I'm not even saying that there aren't businesses that don't do that. I'm saying culturally, the business culture is not focusing on process maturity around security. They're looking at it as have we met the minimum so that we don't get shut down.
[00:16:15] Speaker A: Or get sued and.
[00:16:17] Speaker B: Be liable or sued or whatever. Listen, we had the, you know, the credit agencies, you know, there were 145 million people who had their Social Security numbers exposed a couple years ago. The penalties were literally barely a slap on the wrist.
So when people talk about threat modeling in a business setting, faces will go blank. Like, what do you mean, threat modeling? We just want to know that we're compliant and we can do business. But some of that threat modeling is about those costs, not even just financial or regulatory, but damage to the brand, damage to public trust, damage to the individual customers that, you know, companies are serving.
And so when we ignore that and just talk about are we compliant? It's not really taking that broader picture into mind. It's just taking the short term business objective in mind. And I don't want to make that sound like that's always the fault of the business leaders. I think to some extent we have just a massive disconnect in our society about the importance of security and privacy.
What that takes, why it matters, and the fact that it's not always about a technology solution. And I don't want to bang too hard on this point, but I'll just say one more thing and kind of let it go at that. In my experience, the process maturity and the ability to think about what is it we're really trying to defend against and why, not only is a better solution in the long run, not only is it a cheaper option for the business, but at the end of the day it shifts the conversation from, well, look, we don't want to spend half a million dollars remediating this old piece of equipment that we rely on, to why are we doing things this way when we could be standing out from our competitors in a positive way by showing that we care about customer privacy and security and all of these things that the compliance frameworks are supposed to measure, but they do through proxy metrics.
[00:18:53] Speaker A: Yeah, I think that's a great, a great point. There's a huge opportunity here for just, you know, showcasing your business that you're going way beyond compliance. And I would argue that the way that the industry should reposition compliance is that it's level zero and there's a level one, two, three beyond compliance. I think that's a really important point. If we don't at least acknowledge our gaps, then we won't be able to address them.
[00:19:20] Speaker B: Absolutely, Absolutely. I couldn't agree more.
[00:19:23] Speaker A: Todd, let me ask you this. I want to do a sharp shift, with your permission, into identity.
I look at spam and I think about this massive amount of spam that would just go away if we identified who is the, know your customer when it comes to buying domains, when it comes to buying hosting, when it comes to buying email service and Outlook. I mean, to me, Microsoft, GoDaddy, and there are hundreds more, you know, players in this industry, they're making money off spam to a certain degree. And I mean, if they had know your customer requirements, wouldn't a big portion of that go away? I'll make my argument even stronger. Snapchat, right? Huge pedophilia issues with Snapchat. Know your customer also, like that would completely change the picture. Why aren't we doing more when it comes to identity management and verification?
[00:20:18] Speaker B: I think there are pros and cons to doing that. And let me start by saying that some of the problems that we talk about when we talk about things like spam are legacy problems. Very few people today, you know, again, if you're an older business person, you know what a fax machine is. If you're new to the workforce, you don't, you've never seen one, or it's been in a museum. Email was never designed for the level of security that we really ultimately expect from it. And one of the reasons we have problems is largely because of the monoculture that's been created with email. And I can talk about that in more detail if you think it's interesting. But there is a monoculture. The email protocols have been around for so long, they were never designed for this. There have been many, many efforts over the past 40 years to design better communications protocols, more secure, but at the end of the day, email can't. Email can't be fixed. It is the nature of the protocol and the platform to be easy to hijack using technology that people didn't have 40 years ago.
But even back then, people had problems. It was just more manageable because there were fewer email systems, smaller volumes, less automation of the spam. But your question is really about identity. But email is a good use case because unless you start bolting on additional security measures that quite frankly most people find complicated and burdensome, you actually can't authenticate most emails that the average consumer is dealing with. Now, again, business to business, you know, within government and other specialized industries, that's, that's a little bit different. But for the average person, there is no meaningful way for them to authenticate an email. And I would argue that many efforts and many businesses have been built around that idea. I mean, listen, I love Proton. And before it turned out that they actually had a whole lot less security than they told everybody, Hushmail used to have a great reputation because it was built by the PGP people. You know, they lost a little luster along the way, but people have been trying to fix that for a long time and I don't think that's salvageable. The question of identity, though, goes to privacy, right? Because at a certain point it's one thing, if you're saying, hey, you're getting emails from PayPal, why can't we authenticate those? Well, why can't the emails from your bank be properly authenticated or things like that? But if we take a more global view, I mean, we have countries where freedom of the press, freedom of speech are a lot less protected than they are here in the United States. Do we want to create an ecosystem where only essentially government approved services, communications, really anything tied to the domain infrastructure? I mean, we do have that today. It's not obvious to most people, but the US really still fundamentally owns the entire domain naming system and much of the infrastructure.
The DNS roots, for example, there's so much power that's really centralized in what was supposed to be a decentralized communication system that what you do is you look at whistleblowers are a great example. If you can't get an email account without showing three forms of id, can you blow the whistle? And I think that that's something that we have to think about when we talk about that.
Is the cure worse than the disease?
[00:24:40] Speaker A: I mean, I would say that if we went down this path that would create a black market for sure. There's a need here and, you know, black markets tend to fill needs when there's over government regulation. So I would agree with that. But on the other hand there, you know, when we're not looking at, you know, organized crime, we're not looking at malicious attacks by, you know, countries, when it's just your run-of-the-mill, you know, criminal doing something wrong, abusing systems that are so easy to abuse and be anonymous. It asks, begs the question, are we doing enough? And we're not going to answer that today, but I think it is. Talking about it is valuable.
[00:25:19] Speaker B: But I will tell you just on a philosophical level, I think that the argument that because there are bad people in the world that good people should pay the price to, I think it's just, it's not a sustainable argument. And I think that's been the crux of the privacy and security debate for as long as I've been in the business. I don't think it's going to go away. I think, and it does evolve with the technology. But at the end of the day I fall on the side of saying I think the price we pay for freedom is sometimes the inconvenience of dealing with the fact that there are bad actors in the world and we can't necessarily prevent everything that they might do.
[00:26:08] Speaker A: That's incredibly insightful. There is a dynamic trade off between, you know, our fundamentals of freedom, freedom of speech and you know, the ability for other people to abuse those freedoms. I appreciate it. Todd. We have only one scripted question in this interview and it's a difficult one at that. If you had to go back to 20 something year old Todd, what would you advise him?
[00:26:32] Speaker B: 20 year old Todd had a lot of, a lot of experience with very rigorous cybersecurity. And it was a security-first approach to many things. Right. Technology was the solution. Technology could fix anything. And you know, just like the question about what, you know, what can solve the spam problem? Right. The assumption was if you apply the right technical controls, you could fix it. I have some shaggy dog stories about some of the, some of the early anti-spam tools that were available, the Bayesian filters and proof of work headers in emails and things like that, that a lot of us struggled with, and you know, because we were looking for that technical solution. What 20 year old Todd didn't know though is that one, almost every problem is a people problem. And two, that from a career perspective, business has to come first. And if you want to succeed in security, you don't do it by telling people what a scary world it is out there and all the things that can go wrong, because they know that, but they're tired of hearing it.
What 20 year old Todd needed to know was that your best friend in security isn't the IT guys or the finance people or the auditors, it's the salespeople, it's the marketing people. And that at the end of the day, if you're, if you define your, their risks, which in turn, if they're doing their jobs, reflect their clients and customers risks.
[00:28:21] Speaker A: Right.
[00:28:22] Speaker B: You are serving the public good, but you are also taking an approach that is scalable, much more achievable and in the long run just more effective.
If you don't mind, I have one shaggy dog story that I think illustrates this really well.
[00:28:41] Speaker A: Go ahead.
[00:28:42] Speaker B: I did some work for a pharmaceutical company many years ago and, you know, as happens in any heavily regulated industry, they, you know, they had some security problems and the regulatory oversight body had sent them a "you've been naughty" letter and they had to do something about it. And so this was at a time when the particular systems in question didn't have any technical countermeasures. I mean there really were no, there was nothing you could buy off the shelf that would solve their problem.
So they hired a whole lot of people for a whole lot of money before they came to me. And I went in and I took a look at the problem and I quickly realized that this, this was not solvable the way they would like to solve it. And I realized, what's their goal? Their goal is to keep selling pharmaceuticals, to be able to keep making them. So how can we do that? Well, what I did was I went off and I spent a couple of weeks putting together a new process. And it was very, it was an administrative control. It was, it was about yay thick, right? I mean it was a, it was a hefty tome. But, but when you got right down to it, it was just a manual process of checking that things were the way they were supposed to be and being able to produce the right evidence to the auditors. And I went to them with this and they said, the regulatory agency will never ever accept something that simple.
I mean, it was again, there was a lot of how to do it, but I mean it boiled down to a handful of checklist items, wouldn't even fill half a page in terms of what we were really trying to accomplish. And I said, listen, I know this seems too easy, but it meets the goal, it meets your business goal, it meets the regulatory goal. Give it a try. What do you have to lose at this point? They did. Not only did they close their findings with stellar success, it was so easy and so obvious in hindsight.
They actually rolled it out to not just to that manufacturing plant, but to the entire company. And to the best of my knowledge, they're still using it today. Now, 20 year old Todd wouldn't have known how to do that. And 20 year old Todd couldn't have sold it because he couldn't have convinced them to try it his way. But I think that the valuable lesson here is that the solutions that people want aren't always the solutions that they ask for. Sometimes what people do, if you've ever heard it called an XY problem, you have problem X and you've decided that solution Y is the way to fix it. You see, you spend all your time chasing after solution Y, but you're not really solving for X anymore. You're just, you've gone down this other rabbit hole.
And so to me it's all about going back to those root causes. And if I can borrow from the agile movement what is the simplest thing that could possibly work?
And that's usually the right answer from a cybersecurity perspective.
[00:32:10] Speaker A: I couldn't agree more. The famous saying is, right, I don't have the time to write a one-page letter, so I'm writing you seven pages. I can't remember who the politician is that is acclaimed for saying that.
[00:32:20] Speaker B: I like that though.
[00:32:22] Speaker A: Todd, thank you so much for your time today. This has been an absolute pleasure. I appreciate you.
[00:32:27] Speaker B: Thank you, Ari. It's been absolutely my pleasure and look forward to talking to you again.