Cloud Security Today

What (actually) Works In Cloud Security

September 21, 2021 Matthew Chiodi Season 1 Episode 7

Some of the most pertinent issues in cloud security are also very foundational. Questions like where to start, what works, and also what doesn’t work, can leave teams feeling frustrated and at a loss over how to proceed. Here to help us unpack these important questions is Jonathan Villa, the Cloud Security Practice director at GuidePoint Security.

Jonathan’s career wasn’t always in security: he has spent time as an application developer and as a pentester. All of this led him to build solutions in the cloud over a decade ago, which organically transitioned into cloud security. In our conversation with Jonathan, we discuss what he learned about cloud security throughout his career and what he has found to be effective, both in terms of technology and managing teams. We explore important issues like how security has struggled with automation and how to address it. Later we address the challenges facing talent development in security and how to address them, including having leadership take a more long-term view and training junior staff members. Jonathan also discusses the RACI model, why so many companies struggle to implement it correctly, and how best to be effective. Today’s episode offers key insight into cloud security, leadership, and the importance of teams, so make sure you tune in today!

Jonathan's LinkedIn profile

“I think that if security organizations really look to build more, they may attract more talent with development experience.” — Jonathan Villa [0:08:07]

“When you look at the average tenure of a CISO, I don't know what it is now, it's like two years or something like that. It's like, how do you build a long-term talent development model if the leaders themselves are gone every two years?” — Jonathan Villa [0:20:39]


**NOTE: Generated via ML. Expect crazy stuff to be translated that may have never actually been said by the host or guest :-) ***

[INTRODUCTION]


[00:00:30] MC: One of the hardest things about cloud security is sometimes just simply knowing where to start, what works, and what doesn't. And so, what we've attempted to do on today's episode is really dig in with an expert, who, interestingly enough, doesn't come from a traditional security background. Hopefully, what you'll pull from today's episode are just a couple things that work well, because we talk about not just the technology, but also the people side of cloud security. If we can ask one favor of you, can you rate the podcast saying that you just love it? Also, share that out on social media. Hope you enjoyed today's episode.


[INTERVIEW] 


[00:01:10] MC: All right. Thank you for joining us for this edition of the Cloud Security Today podcast. So today, we've got Jonathan Villa from GuidePoint Security who's joining us. Let's just jump right in. So, Jonathan, tell us a little bit about yourself, and what you do at GuidePoint?


[00:01:28] JV: Awesome. Well, first, Matt, thanks for inviting me on. I'm excited, definitely love to talk about all things cloud security. So, let me see. My career is about 22 years old. I've spent time as an application developer, an application pen tester, middleware admin, sysadmin, all kinds of other things in the consulting world. All that led me to building solutions in the cloud maybe over 12 years ago. I started pretty early with AWS. Definitely consider myself lucky to have found a career that also is my hobby.


At GuidePoint, I’m the cloud security practice director, where I manage a professional services team of some very talented architects and engineers across the country that are definitely passionate about cloud security themselves. I also spend time working with clients covering different areas from training to delivery, as well as working with a lot of our vendors. At GuidePoint we’re bringing their cloud services and solutions to us.


[00:02:25] MC: That's great. So, one thing I love to ask people, because there's always – we always talk about in our industry how there's this huge skills gap, and how do we address it. So, I know that there's a lot of people who, they want to get into cybersecurity. And I know that you – in one way, I was looking at your background on LinkedIn, and you just alluded to it that back in the day, you did a lot of LAMP and J2EE development. So, for somebody in security, that's actually really unique to have that background, right?


Most people I see in security come from audit, compliance, network security. I guess, without jumping too far ahead, but how has that background as a developer – now you're living in the world of security, cloud security – how's that changed how you approach things?


[00:03:12] JV: So, really good question. I would say you see all that right in my background. One thing that I don't have on my LinkedIn or my resume is how I specifically got into security. Coincidentally, I got into security at the same time I started doing application development. I have the entrepreneurial spirit and when I found out, or when I realized, I can make money building websites or web applications, I did. Actually, the first application I built was a full-on website for my cousin's rock band in Texas. Four brothers, they were doing well before they got married. They all went off and had families.


But anyway, so I built this application and I found I can repeat that. So, I started hosting. One day, I went to one of the sites that I was hosting, or one of the apps I was hosting, and I saw a foreign flag on there. It was like, there was just a little bit of hacktivism probably going on. So early on in my career, I kind of jumped into security as well, knowing that I no longer wanted to be up for 72 hours trying to figure out how that happened.


My mindset was always kind of around security, but I really loved building solutions, and it kind of just worked out for me. I started with doing PCI compliance when the standard came out. I kind of represented the app side because I had an application development background, and it all kind of just flowed that way. So, going back to one of my responses before, it's also been my hobby, where if you look at somebody who plays video games, you probably like playing a bunch of different ones. To me, network security, compliance, cloud, development, those are all just different games, and it's just fun.


[00:04:57] MC: That's awesome. I love that. I always love when I see – it’s not that often. But when you see someone who's in security that didn't kind of grow up, so to say, in security. I think it always gives them – quite frankly, I think it gives them an edge. I think it's an edge.


[00:05:11] JV: I would agree with that. I mean, we look at, for example, the AppSec world. When I talk to people that are there, I'm always curious, like, how did you get into AppSec, for example. Some folks are like, you know, I wanted to get into security. That's the area that I wanted to get into. That's one way. The other route is, I used to be an application developer. So now they know the core part of an application, or how they function, and then they got into security.


So, sometimes I think the practitioner moving into security, sometimes it brings a little bit more effectiveness in what they do, because they've walked the walk. Right?


[00:05:46] MC: That makes a ton of sense. So, I guess on the career side, what's the one thing that you wish you had known when you began your career? You can go back as far as you want or as recent as you want. But what's one of those things that you're just like, “Man, I wish I would have known that.”


[00:06:04] JV: Good question. So, I wish that I learned to build a team sooner than later. Not that I was – I mean, for a long time I was the, “I'll just do it guy”. But it wasn't from a control freak perspective. It was from a, “Hey, that's fun. I want to solve that problem.” Or just, I wanted to help. Whatever it was, I've always done it. But now, 21, 22 years later, as a manager, and building that team up, sometimes I wish I did this when I was like 28. I wish I enlisted the help of people and help them kind of get up to speed because, what do they say? More hands lessen the load or something like that? The amount of problems that I can solve, or we can solve as a team today, it's just awesome.


So long story short, I think what I would have done if I can go back is to really try to get people excited, and to build a team and say, “Hey, let's go do this together.”


[00:07:06] MC: It makes sense. That makes sense. So, one of the things that I think, in the security industry that is talked about a lot is just the whole reason, is the whole thing around just security and DevOps, security and developers that speak a different language. It's two different things. From your background, as a developer now being in security for a number of years, what do you typically see security doing wrong? Or how are they typically approaching that incorrectly when it comes to DevOps?


[00:07:36] JV: So, I’m thinking of something you just said about the kind of traditional path to security, right? In security, it's typically been the network engineer or the auditor. That's kind of where their path has been. So, kind of piggybacking on that conversation.


I think what security has challenges with is not fully embracing automation. I think what makes cloud fun is the building, is being able to build things and develop things, and not clicking buttons. So, I think that if security organizations really look to build more, they may attract more talent with development experience. Again, because that's part of the fun. Granted, you can't build everything, right? Obviously, maintaining custom-built solutions is challenging, but I always tell people, like, isn't that what the business is doing themselves? We're protecting them. But yet, that's what they're doing. They're building and they're building these business applications, but they're not always just doing that. They're still using third-party tools. They're bringing in Datadog and Sumo Logic and SageMaker to lessen their load. But at the end of the day, they're still building. It's fun. They’re solving problems. I think that security should kind of take that spirit and really encourage more of that builder mentality.


[00:08:56] MC: Yeah, I think that is something that's different. I think, kudos to the Netflixes and the Facebooks who have made that cool, where it's something that I've seen enterprises aspire to. They may not hit it directly. But that is something I think that – I can think of a number of customers I've spoken with just in the last few months, and everybody aspires to security automation. But I think where they struggle is just, where do I start? I know I've got a couple routes to this. I can use CSP native tooling, which may give me some level of automation, but I still need to stitch things together. I can go out and I can buy a third-party tool. Or, as option three, I can do something with open source, cobbling those things together. What's your take on those three paths? How do you usually handle that?


[00:09:47] JV: So, definitely a mix. I'm going to say this now and I'll come back to it: the term "at scale." So, at scale, that’s the ambition. We want to be able to do everything at scale.

So, that's a good thing, right? But then when you're building, so when you are building things yourself, that also becomes a challenge. How do you manage that? How do you maintain that at scale? I kind of go back to my early days, before I got into IT, I actually wanted to be a carpenter and use the right tool for the job. First job I did, I didn't have a saw, I had just a hand – circular saw, but I remodeled my mom's basement. This is why my experience went on. I bought the tools, not automated, but to make things work better.


So, when you're looking at cloud security, it's a mix of that. It's a mix of the cloud native tools, because cloud is evolving so quickly that even sometimes the third-party platforms still have to catch up. So, if you have the skill set on the security team to, let's say, develop a Lambda function to quickly respond to an event in cloud for a new service, but then you bring in a third-party tool that's more mature that can help you manage that at scale or in a multi-cloud environment. So, definitely a mix, I think, of some of those approaches.


I want to comment on something you said earlier. You mentioned some folks like Netflix and Facebook. We talked about security approaching DevOps and those things, I think that's the really cool thing that I've seen, and I've encountered are the people that have left Facebook or have left Capital One, or have left Netflix, and they've now gone on and taken other jobs, and they're bringing in that spirit, they're bringing in that leadership, that experience, and they're helping these organizations get to where they want to be. It's not always going to get a consulting firm. Sometimes it's growing your team with the right people. And yeah, that's actually been – I love talking to a client. And they're like, “This is so and so head of cloud strategy, and they came from Cap One.” I'm like, “This is going to be a fun project.”


[00:12:07] MC: That's awesome. That's great. I think, with every industry that's experiencing rapid growth, there's always myths that are out there. When you think of a common myth about cloud security, what's one that you would just love to debunk? Is there one that's just a favorite one for you?


[00:12:26] JV: So, if there are people from GuidePoint listening to this, they'll get a chuckle out of this one. But that is that cloud is hard. A few years ago, we had a well-known security journalist as a guest speaker at an all hands company meeting. And he was acknowledging just a lot of the challenges in the security industry. One of the things he mentioned was, “Cloud is hard.” For a lot of our clients, that's exactly how they feel, that cloud is hard. It's difficult. It's challenging. The security folks can't keep up with the cloud engineers and operators. But then again, talking to many people, I think that they definitely feel that way.


But going back to the idea of building things, everything is API driven today. Cloud is an API driven infrastructure. So, maybe I'm biased here. Maybe it's because I have development experience. But I was kind of finding it hard to believe that I can't write a Lambda function to respond, analyze and correct something. Maybe it's not purely a cloud native function. But I feel like I can – we can always write something, because again, it's an API that might pull an event or get triggered by a CSPM tool. Or just some sort of interaction between services, that's kind of what I'm always trying to march towards. I always look at it too, like, the business is doing these things for profit. They're building out serverless applications. Again, we talked about folks like Netflix and Cap One, they're building out things in the cloud. So why can't security do the same thing to protect the business?


Long story short, I think one myth is always that cloud is hard. I always say, no, I guess. You just get the right people involved and I think you'll get some good solutions.


[00:14:24] MC: Why do you think that is specifically like, when I say why do you think that is, but why do you think it's that because I hear that all the time as well. It's hard. It's too complex. It moves too quickly. And certainly, there's truth to those things. But why do you think it could be that security does find these things so hard? You're right, if I have a call and I'm speaking with a DevOps team, they don't think cloud’s hard. They don't think that automation is hard, but if I have that same call then with a compliance, audit, or just a security team, and identity team, I'm going to hear it's – I don't have the skills to automate it. It's hard. It's complex. Why do you think there's that dichotomy?


[00:15:04] JV: So, I think, and again, it kind of goes back to something you mentioned. A typical career path in security has been siloed. Network security folks, this is what they've done. They've been a Cisco admin for 25 years. They've been an Active Directory admin for X amount of years. So, I think that when you look at the kind of path that technology has taken, those folks that are in the traditional kind of world, whether they were managing their own data center, or they were now managing a couple cabinets in a co-located facility, they still kind of stayed right within their roles, their subject matter expertise. But all of a sudden, here comes cloud. It was kind of driven by those that were developing things. Again, API driven.


In 2007, I guess, I think it was, when AWS launched EC2, they didn't ship CDs out. They're like, “Here's an API.” So, the developers, those with that mindset, “Sure, give me credentials, I'm going to take that on.” So, they have that mentality that they can work and they can control that infrastructure, where I just think that those that have kind of remained in their same path, they know how to configure a Cisco Catalyst switch, but they've never really said, “Okay, maybe I don't have to do that anymore. Let me go just pick up this new way of thinking, I guess.” If that makes sense, I guess.


[00:16:33] MC: It does. I guess the question I would ask you then is you've done this – you’ve been through this process with probably hundreds of customers over the years, GuidePoint and then before. If someone's struggling with this, someone's listening to the podcast, and they're thinking, “I want automation. We're already in the cloud, maybe we've already invested in a CSPM tool. But I want to build this mentality within my team, within my security team.” Instead of thinking of paper-based checklists, but how do we automate those? Where do they start? I mean, what’s worked?


[00:17:08] JV: So, really, a good question. I feel like this is a topic I've actually been talking about a lot lately. So, what's worked. I think, recruiting cloud knowledgeable people into the core governance, risk, and compliance teams. I think that a lot of the challenges that some organizations have is, it started at the top with their governance teams, and risk, again, risk teams and things like that. Again, they know security. They know security well. But now they have to secure cloud, whether it's IaaS, PaaS or SaaS. And they may not know that ecosystem well. They know the patch management world. Again, they're kind of brick and mortar, but they sometimes struggle within themselves with these new concepts.


What I've seen work well, and again, I've been having this conversation recently, because people are asking us. We're looking at RACI models and things like that, and people are asking us, “What do we need to do? Do we need to grow our headcount and things like that? And if we do, with what type of person?” So, the story that I've been telling them is, go and find a cloud knowledgeable person, go and recruit them and they're out there. To be fairly honest, they're expensive, but they're out there. Because they have that compliance background, they have that governance background, but they also have that technical knowledge of cloud, and they're able to help these teams translate.


I'll give an example. Mapping to NIST. NIST 800-53. I can't count anymore how many times I've seen a client's NIST mappings to cloud and there's so many not applicables or they point to the CSP. I'm kind of like, “Yeah, I don't know.” If you're approaching the letter of the law, I get it. But if you're trying to approach the spirit of the control, you can get creative and find a way to satisfy that control in the cloud.


Anyway, back to your original question here is, what works well? I think what works well is finding those that are knowledgeable in cloud to help those in security, who understand security, understand the risks and the spirit of trying to satisfy a control and just bringing and wedding them together. Like two schools of thought coming together. That I would say, works well, and I've seen clients that impressed me when they've made those decisions.


[SPONSOR MESSAGE]


[00:19:34] MC: Prisma Cloud secures infrastructure, applications, data, and entitlements across the world's largest clouds, all from a single unified solution. With a combination of cloud service provider APIs and a unified agent framework, users gain unmatched visibility and protection. And for our federal customers, Prisma Cloud is now FedRAMP Moderate. To find out more, go to prismacloud.io.


[INTERVIEW CONTINUED]


[00:20:02] MC: I think that's a good idea, because it seems like in security, we always try to go to that same well for talent. I want the person who's – sometimes I read job descriptions and I'm like, “Man, there's like one of those in the entire world, or two of them, and they probably make a million dollars a year.” Is that in your budget? Do they want to leave?


So, I think you're right, and that a lot of this does come from just the background of the “classic security person”. Also, I think there's some short-sightedness on the part of security teams. And maybe this is because when you look at the average tenure of a CISO, I don't know what it is now, it's like two years or something like that. It's like, how do you build a long-term talent development model if the leadership themselves is gone every two years? So, I think this is not a technology problem at all. I think this is a people side, taking the longer view around, I need to develop talent and I can't go back to those same talent pools that I always go to. I might have to look outside of it. I might have to bring somebody in, for example. It may be somebody who's got three to five years of development experience who wants to come over to security, I mean, to bring them in as a junior person, train them in the ways of security, and then, right, and then I might have to develop something like that. Have you seen those types of approaches work?


[00:21:23] JV: Yeah. Actually, as you're talking, I was thinking about an engagement we just finished up, and I don't think he was the CISO, but he was a senior security kind of leader there. Just the way you described it, that's what they did. They went within the organization, they brought somebody up, but they knew that they were going to have to kind of train them up. It was a technical person. Actually, you kind of go back to something that one of the leaders on my team actually just said, because we're also growing, right? Again, yeah, finding that talent is a challenge. I'm really big on quality over quantity.


One of the leaders on my team said, “You know, we could probably go after some DevOps folks, just purely hands on, very engineering minded folks and train them up into security.” We have our methodologies or processes and stuff. So anyway, I have seen it work. I've seen some clients do that. I guess now, I'm putting myself in the same boat there. I think that's what we want to do, too. I mean, you're right. It's a people, it's an industry problem, how do we bring in the new guard and get them trained up to take the reins here, when – I guess I'm kind of middle aged. My birthday was yesterday. I'm 42.


So, I have folks that are older than me that I've known for a long time, and I have people that I've met that are younger, it's like ensuring that that security train keeps going. And with the technology changing the way it is, we have to make sure that they stay educated in security and, and technical enough to protect what's down the road.


[00:22:59] MC: I love that. I guess changing gears a little bit, as you know, one of the teams that I lead at Palo Alto Networks is the Unit 42 Cloud Threat Research Team. One of the things that we have consistently found in threat research is just the sheer number of misconfigurations in public cloud environments, especially compared to if you look at on-prem environments, it's not even comparable. So, in a recent threat report, I want to get your feedback on this. Researchers found that 60% of organizations that they surveyed in the cloud, this is globally, not just a specific industry, had some type of insecure network configuration in their public cloud platforms. That number, it sounds so crazy high. But I've seen this has been consistent for years in the data, and the number really has not changed very much. Maybe this is tied into the automation conversation. I'm not sure, but obviously, organizations are doing something wrong to have that number be so high. What are they doing wrong? What should they be doing about it? Because a lot of times when I talk to practitioners, executives, they see these numbers, they're scared, and they're like, how do I make sure that doesn't happen in my cloud environment?


[00:24:15] JV: So, it's definitely an alarming number, especially when you look at data is moved – all the data is moving to the cloud almost. So, that's a scary number. And thinking back on how I've found customer environments, when we go in and how we see them. It kind of makes me think about the shared responsibility model. I think that part of being responsible is, actually, I guess responding. I think a lot of folks understand the shared responsibility model, so they know that, okay, if I'm going to go into the cloud and I'm going to do this, keep it simple. They might make the right decision. They may go buy CSPM tool, so now they have that visibility. But security is people process and technology.


So, they go buy a CSPM tool, which is great. Now they've got the technology part of it covered. They have the awareness. But what about the process? Have they actually gone back and said, “We're going to do something with this information now.” I think that that is probably where I find a lot of clients is when we go in – I’ll give an example and not to show bias. But let's talk about Prisma Cloud. I haven't seen the console probably in over a year. But one of the questions that I would ask customers is, “Hey, so great, you're using Prisma Cloud? Is there a little red bubble there? Does it say like 999 plus?” And they'll say, “Yeah.” I'm like, “Okay, well, the plus part means that you have so many errors that Prisma is just like, you know what dude, you're in bad shape.”


But a lot of times we've found customers that are like – I mean, they make the right decisions in the procurement of technology, but they're not changing the processes within the organization. So, I guess that is an alarming number that Unit 42 has found. But it speaks back to, like you said earlier, it may be more of a people and process issue, not just the technology. So again, just going back and thinking of some of the things we talked about is, who manages that? Is that your kind of Cisco-minded, and I don't mean to pick on that, it’s just what I think of. It just goes on forever. Is it that person? Is it that team that's managing your cloud environment now? Or do you have a cloud-aware person who's managing it, and they make that decision to say, “You know what, I'm tired of this 999 plus, let's go in and put in some service control policies or Azure policies. Let's do something to fix this.”


So, it's alarming. That number is alarming. But I think the underlying problem is just organization is not putting the right process around of what they're doing.


[00:27:07] MC: You mentioned a couple times now, and I want to jump into it a little bit. You've mentioned the term RACI. So responsible, accountable, consulted and informed. I'm a huge believer in these things. From your perspective, when you go into an organization, you're contracted to do a security assessment on AWS or an Azure environment or whatever cloud environment. How often is it that you see an organization that's actually taken the time to do a RACI? I'm just curious, is there core – have you seen correlations between organizations that when you say, “Okay, tell me who's responsible for X in the cloud?” They go, “Oh, we have a RACI. Here it is.” I'm just curious, is there a correlation between organizations that have that down? And good hygiene or better hygiene versus one that just says, “I'm not really sure.” What does that look like?


[00:27:57] JV: Yeah, so that's interesting, because having a RACI model or a matrix, and then there's it actually being actionable.


[00:28:06] MC: Or they're following you, right?


[00:28:07] JV: Exactly. I've seen a lot of RACI matrices, and some of them are really impressive. This is awesome, you really thought of everything. But then going in, and then, you know, we'll do like a validation of the environment. So, we'll come in, and maybe we'll run a CSPM monitor or maybe we'll do something ourselves with some code that we have. But it's like, “Okay, this was your plan.” There's a song, the lyric is like, I'm just the soul whose intentions are good.


[00:28:35] MC: That's all.


[00:28:37] JV: I get it. Your heart is in the right place, but what's happening here is really not what you wanted. So again, a lot of folks have – I've seen, and I've been impressed by some RACIs that speak to cloud and they've covered a lot of really good areas. But unfortunately, I’m being honest here, unfortunately, I've not seen it realized, as well as it's been designed. I'm just kind of thinking off the top of my head here, I would say I probably seen more effective cloud security from organizations that are just adapting quickly, following that fail fast mentality. Their environments have been a lot more secure than those that have actually stepped and said, “You know, what we're going to put down again responsible, accountable, consulted and informed.” Whereas, again, those that are like, “We have a DevSecOps team, and they don't want to be woken up at two in the morning.” So, they've got SCPs going and all this stuff. I've seen that practical team a lot more secure than those that have put those both RACIs together.


[00:29:43] MC: So, someone can put the time into doing a RACI, and that's great. But if you don't have the processes in place to actually back it up, the automated processes, then you've wasted your time on the whole activity.


[00:29:56] JV: Yeah. I would agree with that. Actually, another thought that comes to mind there too, with those RACIs, they take time to put together. Three months down the line, AWS or Azure might change how something works. They may launch a new service. So, they've got to go back to the RACI and you have to update that. You have to, I guess, depending on how you've designed it.


But cloud is very fast. We've heard that a million times. So, I think that – I mean, it does go down to having some fundamental principles in place, because then you can kind of adapt. But it's hard to put that on paper when AWS, like tomorrow, says, “Hey, we're going to make something easier for you. Here's a new enhancement.” Which is cool. But yeah, it's hard to stay on top of that stuff in a written manner.


[00:30:44] MC: It is. There's a lot of different frameworks out there. You mentioned NIST, there's the ISO. Is there one framework? If someone's looking, they're like, “Look, we're just getting started on the cloud journey. We want to map to a framework. There's a lot of them, is there one that you tend to favor more than any other one? And what's the reason behind that?” 


[00:31:04] JV: Great question. I guess I would not say a framework, because we've done and seen some good mappings and bad mappings to HITRUST and to NIST and to – I mean, PCI is not a framework. But even to the controls there. The Cloud Security Alliance's Cloud Controls Matrix is great, because it's for cloud. But then even with that, I've seen people go through the CCM and come across the HR domain or the data center domain or the endpoint domain. All of a sudden, they get into this not applicable, not applicable, not applicable, which could truly be not applicable. They kind of fall into this loose interpretation of a lot of other things, like, "Well, that's the CSP's responsibility."


So, I wouldn't say that there's a framework I would choose. Again, it goes back to something I said earlier, where I think it's more about the attitude or the approach to any one of those. It's, look at it, and try to figure out again what the spirit of the control is. One example I bring up all the time, and I'll go back to NIST on it, is media protection, a control family. On paper, media protection, that's the CSP's responsibility. We don't have to worry about the hardware and data sanitization or anything like that. But we've done some stuff with some customers that are like, we want to do everything – we want to squeeze as much water out of the sponge as we can. So, we've said, media protection. This particular control here, it has to do with trying to protect hardware from moving out of the data center. But you can interpret this to also mean ensuring that your EBS snapshots, your RDS snapshots, your AMIs aren't shared out to another account.


I'll tell you a quick story about that one. It's about our threat attack simulation team. But we've had that in a control framework for a long time, probably going back five or six years: ensure that people aren't copying out these resources to accounts that don't belong to you. This was before, like, resource policies were available and all that stuff. So, it was more just find a way to do this. We had a lot of pushback with different customers. It's not going to happen or whatever.


But one time, our threat attack simulation team was on a cloud penetration test, and a really cool thing is, with the permissions they had, they were actually able to copy an AMI out to one of the GuidePoint accounts, crack it open, launch it, and the developers had hard-coded credentials to RDS, and they went right back. Now, they told the customer, "Hey, if we were the bad guys, we would exfiltrate data, but we're not."


So, for me, when they sent that message on Slack, I was like, “You just validated something I've been telling people for a long time. This is awesome.” So anyway, back to your question here. It's not so much a framework, I think it's more about the approach for me. Get as creative as possible to try to meet the spirit of that control, regardless of framework.


[00:34:06] MC: I love that. I love that. That's great. Well, Jonathan, you've been awesome to have on. You've, I think, dropped a lot of knowledge on the audience. So, one of the things I love to ask leaders, and just because I get this question both from other leaders, as well as those that are maybe more junior, how do you personally continue to learn in order to stay on top of things within your role? Because like you mentioned, I mean, AWS, Azure, Google, Ali Cloud. I mean, these guys are launching features daily. So, how do you stay on top of things in your role? What's your method?


[00:34:40] JV: Going back to one of your earlier questions, what would I have done differently in my career, is build a team. That is how I stay on top of things today, is my team. I'm very proud of the people that we've been able to recruit at GuidePoint, whether they are dedicated folks on my cloud team or they're folks in the outside world or somewhere else at GuidePoint. I've learned that not being the smartest person in the room is really, really cool. So, I think just surrounding myself with like-minded people and being able to go to them and ask about something. I could always go watch a YouTube video on it. I can always wait for re:Invent and go to every single session. So much information out there.


[00:35:29] MC: Yeah, it is.


[00:35:30] JV: I'll be honest, I know a fair amount of Azure, none of it is hands-on. All of it is only from the people that are the experts and asking them. I just want to drop here too, not necessarily about GuidePoint, but just cloud security consultants in general. For those that are listening, if you have a partnership with a vendor or your consulting firm, if they're a partner, just call them up and say, like what you and I are doing today, "Can we just jump on a phone for an hour? I'm bringing four of my buddies and we'll jump on. Let's just have a conversation and educate us." There's so much value in that, Matt. That's how. I just rely on smarter people that are around me.


[00:36:15] MC: So, don't try to know everything. Make sure you surround yourself with people that are even smarter.


[00:36:20] JV: Absolutely.


[00:36:20] MC: I love that advice. I love that advice. So, where can our listeners connect with you and GuidePoint? Where are you active? What's the best way if they want to connect with you?


[00:36:28] JV: So, there's definitely always our website, guidepointsecurity.com. I love to meet people too. So, you can always reach out to me on LinkedIn. I'm sure there'll be my name somewhere here.


[00:36:40] MC: Yeah, we'll put it in the show notes.


[00:36:42] JV: There you go. If you find my email address, feel free to send me an email. We have pretty good anti-spam protection and I just recently passed our phishing campaign.


[00:36:51] MC: Nice.


[00:36:51] JV: I think I'm okay with that. But yeah, I would say, check out our website. You can find me on LinkedIn. I'm always willing to talk to somebody. I would love to have conversations with people.


[00:37:01] MC: Awesome. Awesome. Well, Jonathan, enjoyed having you today. I'm sure a lot of people are going to walk away from this conversation, feeling like they've learned something. I appreciate you coming on. Thanks so much.


[00:37:11] JV: Thanks for the invite, Matt. Great talking to you again.


[00:37:13] MC: Great talking with you.


[END OF INTERVIEW]


[00:37:15] ANNOUNCER: Thank you for joining us for today's episode. To find out more, please visit us at cloudsecuritytoday.com.


[END]