
What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
The Internet Has Become Your Enterprise Network, And That Changes Everything
Interested in being a guest? Email us at admin@evankirstel.com
Cloud security is facing a fundamental paradigm shift that most organizations haven't fully recognized. According to Aviatrix CEO Doug Merritt, most organizations are overlooking 50-80% of their attack surface by failing to secure the communications between their cloud workloads.
The problem stems from three changes in how computing works today. First, the internet has effectively become the enterprise network: when an application calls an S3 bucket, that request goes to a public service endpoint over the internet, not over a controlled private network, unless the organization has deliberately routed it through a private endpoint such as an AWS VPC endpoint. Second, the traditional security perimeter hasn't disappeared; it has atomized from a handful of entry points into thousands or even hundreds of thousands of mini-perimeters. Every VPC, Kubernetes cluster and API endpoint now needs its own perimeter strategy. Third, modern workloads are largely ephemeral rather than long-lived, which makes controls designed around stable hosts and IP addresses hard to apply.
This challenge is compounded in multi-cloud environments, where policy, visibility and enforcement must follow workloads consistently across cloud boundaries. Meanwhile, generative AI creates both defensive opportunities and heightened risk, as attackers use the same tools to map enterprise environments and find entry points with unprecedented speed. As Merritt puts it, "Attackers think in graphs": they build a map of an organization's identities, endpoints and workloads and look for any insertion point and any path for lateral movement.
The response Aviatrix advocates is a "cloud native security fabric" built on zero trust principles for cloud workloads. It rests on four controls: egress control, so that every workload's outbound internet connections are visible and restricted to known destinations rather than free to reach a command-and-control server; east-west macro-segmentation, so that only workloads that are supposed to talk to each other can, which blocks lateral movement; micro-segmentation within those allowed paths for finer-grained control; and encryption of workload traffic, so that data stays protected even if the underlying network infrastructure is compromised.
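To make the first two controls concrete, here is an added example (it is not Aviatrix's product or any code from this page) that audits a few constructed AWS VPC flow log records against an egress allow-list and an east-west segmentation policy. The workload inventory, tier names, allowed paths and destination CIDRs are all hypothetical; the record layout is the default version-2 flow log format. It reports two kinds of gap: a workload reaching an internet destination it was never approved for (the egress problem) and a workload initiating a connection to a tier it has no business talking to (the lateral-movement problem).

```python
import ipaddress

# --- Constructed inventory and policy (hypothetical values, not from the page) ---
# Private IP of each workload -> its tier.
WORKLOADS = {
    "10.0.1.10": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
}
# East-west macro-segmentation: tier -> tiers it may initiate connections to.
ALLOWED_EAST_WEST = {"web": {"app"}, "app": {"db"}, "db": set()}
# Egress allow-list: tier -> internet networks it may reach (e.g. a SaaS API range).
EGRESS_ALLOW = {
    "web": [ipaddress.ip_network("203.0.113.0/24")],
    "app": [ipaddress.ip_network("203.0.113.0/24")],
    "db": [],  # databases get no internet egress at all
}
# Explicit RFC 1918 list: Python's ip_address.is_private also counts the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) as private, which
# would hide the very egress flows this audit is meant to find.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow_log(line):
    """Parse one AWS VPC flow log record in the default (version 2) format:
    version account-id interface-id srcaddr dstaddr srcport dstport protocol
    packets bytes start end action log-status. Returns None for rows that
    carry no flow (NODATA/SKIPDATA) or that are not in this format."""
    f = line.split()
    if len(f) != 14 or f[0] != "2" or f[13] != "OK":
        return None
    return {"src": f[3], "dst": f[4], "dport": int(f[6]), "proto": f[7], "action": f[12]}


def classify(rec):
    """Return (kind, detail) for a policy violation, or None if the flow is fine."""
    if rec["action"] != "ACCEPT":
        return None  # a REJECT was already stopped by a security group/NACL
    src_tier = WORKLOADS.get(rec["src"])
    if src_tier is None:
        return None  # inbound or unknown source; out of scope for this audit
    dst_tier = WORKLOADS.get(rec["dst"])
    if dst_tier is not None:
        # East-west: is this an allowed workload-to-workload path?
        if dst_tier not in ALLOWED_EAST_WEST[src_tier]:
            return ("lateral", f"{src_tier}->{dst_tier} on port {rec['dport']} is not an allowed path")
        return None
    dst = ipaddress.ip_address(rec["dst"])
    if any(dst in net for net in RFC1918):
        return None  # some other internal address not in our inventory; skip
    # Egress: internet destination must be on the tier's allow-list.
    if not any(dst in net for net in EGRESS_ALLOW[src_tier]):
        return ("egress", f"{src_tier} reached {dst}:{rec['dport']} outside its allow-list")
    return None


def audit(lines):
    """Run every record through classify() and collect the findings in order."""
    findings = []
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append({"kind": hit[0], "detail": hit[1], "record": rec})
    return findings


# Constructed sample records (account id, ENIs, timestamps are all made up).
SAMPLE_LOG = [
    "2 123456789012 eni-web01 10.0.1.10 10.0.2.20 51234 8080 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-app01 10.0.2.20 10.0.3.30 51235 5432 6 12 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-web01 10.0.1.10 203.0.113.25 51236 443 6 20 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-db01 10.0.3.30 198.51.100.7 51237 443 6 30 1200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-web01 10.0.1.10 10.0.3.30 51238 5432 6 3 300 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-app01 10.0.2.20 198.51.100.7 51239 4444 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-web01 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"[{finding['kind']}] {finding['detail']}")
```

Run against the sample, the audit flags the database host talking to 198.51.100.7 (no egress is approved for that tier, so it is worth treating as a possible command-and-control beacon) and the web tier connecting straight to the database on 5432 (a path the policy never allowed). The rejected 4444 connection is not reported because a control already stopped it; the point of the exercise is the accepted flows nobody was watching.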
Ready to rethink your cloud security approach? Discover how zero trust principles can be applied to your cloud workloads to close critical security gaps and protect your most valuable digital assets.
More at https://linktr.ee/EvanKirstel
Speaker 1:Hey everybody, fascinating chat today as we dive into the complex world of cloud security with a true innovator and expert in the field, from Aviatrix, Doug. How are you?
Speaker 2:Good. How are you, Evan?
Speaker 1:I'm doing well. Thanks so much for joining. Followed you guys for quite some time. Maybe start with the big picture introductions to yourself, and how do you describe Aviatrix these days?
Speaker 2:Yeah, we've gone through a few changes at Aviatrix since I joined, and certainly over the past nine months.
Speaker 2:The company Aviatrix at this point is focused on a problem that we are incredibly excited and passionate about, which is the zero trust cloud workload problem. From what we see through the hundreds of customers we have and the prospects we're working with, it turns out it's well over 50% of the potential attack surface for most organizations, and we are leveraging our networking and network security heritage as a company to evangelize a category that we're calling the cloud native security fabric.
Speaker 2:So it's a bit of an iteration. Aviatrix traditionally had been focused on ensuring that cloud networking, the way that organizations that move workloads to the cloud push packets around inside of that cloud, is done as efficiently as possible, with as much visibility, at the right cost structure, with the right set of capabilities, and the company had driven some success with that. We got to well over 60 million in ARR focusing on that area. But as we worked with our customers we saw that why they really used us was for cloud security, cloud network security, and that's the enhancement we've been making to the company. But I may have jumped the gun on a soft intro of who's Aviatrix and who's Doug Merritt by jumping right to the punch point.
Speaker 1:Well, let's get to it. I mean, the cloud marketplace is on fire. It's the way computing is done today, of course, and with all that innovation from the hyperscalers and others, the security model hasn't really kept pace. So you know what's fundamentally broken about cloud security, or the cloud security architecture, as it were, these days.
Speaker 2:I think that's the right founding initial question, Evan, which is the clouds have done so much work to ensure that the data centers that they've built are highly secure, and to make people confident in moving workloads to the cloud. They did the appropriate thing by jumping up and down and talking about how secure their data centers are, and I agree completely. I don't think there are many data centers in the world that are more secure than the data centers that Microsoft or Amazon or Google or others manage as the foundation for all the stuff that organizations are moving into the cloud. Where I think people miss the message is there are two elements that are happening simultaneously. One, there's a shared responsibility model. The data centers are incredibly secure, but everything you put inside the cloud and every service you use inside the cloud, like S3 buckets from Amazon, something that's unbelievably pervasive, is up to the organization to secure. So if the data center is breached, which I think is highly unlikely, it is one of the big hyperscalers' responsibility and they're fully culpable. But all the breaches we hear about are data or other important elements being exfiltrated from the assets that organizations put inside the cloud, and so I think there's some confusion among some of the technical teams at different organizations I talk to on that divide of responsibility, which I think then creates a little bit of laxness often, like what am I really responsible for and how important is it for me to pay attention to security within the cloud? But I think the more fundamental element is the way that security has been driven historically.
Speaker 2:If we really go back and are trying to be grounded in first principles based on how the cybersecurity world grew up: when you had your own data centers with no internet connection, let's go back to like 1989 or 1990 or 1992, security was all physical. I would inspect the equipment before it went in, I would badge people, I'd make sure that I had secure facilities that people couldn't get into, because as soon as things operated inside a data center, if I did those things, we had a very trusted relationship. The SAP app could talk to the Oracle database without any concerns. The cyber world grew up because we started plugging the Internet pipes into those data centers for good reasons, and most cybersecurity was very grounded on how do we protect the data centers from the Internet. What happened with the cloud is a few really fundamental elements that I think also people haven't really conceptualized. One, now, with your assets in the cloud, the internet is the enterprise network. When you make a call from an app to an S3 bucket, you're using the internet to actually get access to that data that you put into your Amazon service called S3. So the internet is now pretty much the enterprise backbone, and it wasn't architected for the level of security, going back to how cyber grew up in the first place, that people want.
Speaker 2:The second is that old castle-and-moat perimeter defense piece. That was very appropriate for a data center driven world. You had a digestible number of perimeters, maybe you had four data centers, or eight or 12 or 15, but you controlled them. You knew what they looked like and you could actually manage those perimeters and keep the assets inside safe from the internet.
Speaker 2:In the cloud, most organizations have thousands or tens of thousands or hundreds of thousands of mini perimeters. The perimeter didn't go away, it just atomized. Every virtual private cloud in an AWS instance or VNet within Azure, every Kubernetes cluster, every API endpoint, every MCP server. Going into the agentic world is typically internet addressable and needs a perimeter defense strategy. So now, instead of 10 perimeters, you've got thousands or tens of thousands, hundreds of thousands.
Speaker 2:And then the third is most of the workloads are ephemeral, they're not long-lived. The VMs are pretty long-lived, but most of the stuff that people are doing today is serverless, and the combination of those three radically changes how you even think through network security. And that's the task we've taken upon ourselves at Aviatrix: help make this clear to the world and help educate the CIOs and CISOs on, like, what does that mean? Why should I care about what you're saying, Doug? It means that you've got an attack surface, where probably 50 to 80 percent of all the interesting communications are happening, that is largely unguarded, and in a world of Gen AI it's this bad, period. In a world of Gen AI, it's really bad.
Speaker 1:So let's break that down, the three cloud security challenges: the multiplied perimeter, the internet becoming the network, new apps and app modernization taking place with Gen AI. When you talk to CISOs, what are they underestimating? What are the risks they're maybe ignoring or aren't aware of?
Speaker 2:When you mention education, the way that we're framing this, what we're trying to evangelize and bring to market, is a zero trust cloud workload addition to the zero trust landscape, and I think what most CISOs I've talked to are missing is an understanding of what it takes, what those workloads are and why bringing a zero trust framework to those workloads is important. And is it their responsibility or is it somebody else's responsibility? And I think that apart from the shared responsibility model we talked about with the hyperscalers, there's also a shared responsibility model with who actually deploys things into the cloud and who's accountable for security. And many CISOs are not responsible for the deployment. The CIO or the AppDev team or the DevOps team or the platform team is responsible for deployment, but they are fully accountable for the security. And trying to, excuse me, I semi-caught a cold with all my troubles this week, in fact, help educate CISOs on the culpability, what that landscape looks like and then the potential culpability they have, and then giving them an easier button to solve that problem, are the steps that we're going through right now. And there's logical confusion on, oh, we've got a zero trust initiative, like we're working with Zscaler or Cloudflare or CrowdStrike on zero trust, and they are, and those are really important zero trust initiatives.
Speaker 2:If I think about the three first-principle, foundational elements of what can actually stop an attack or prevent an attack, there are three elements that are fundamental. Identity: if I always know it's Evan and I always monitor what Evan's doing and it's not spoofed credentials, you really reduce the chance of an attack.
Speaker 2:Endpoint: if I know what Evan is using to communicate and I can control that device, I greatly increase my cyber effectiveness. And then network, because you've got you on a device talking to something, that is all the interactions that are happening, and the network is key for that. So what we are evangelizing is the zero trust network security elements inside the clouds. Once Evan is certified as being Evan and his device is understood to be effective and clean, and the packets, the requests, go into the cloud, now it's a workload-to-workload zero trust problem. I've got requests going from UI frameworks to app frameworks, to data frameworks, to Gen AI, MCP server frameworks, to third-party SaaS engines and back to Evan, and all of that communication that's happening, hundreds or thousands of packet pings within a cloud, within multiple clouds, and SaaS providers back to my on-prem data center. How do you ensure that those communications are safe and have zero trust? That's the problem that we are excited about attacking.
Speaker 1:So let's dive deeper. How do you actually help them uncover and address those blind spots, the visibility that they're lacking into their exposure? What's the approach on the product?
Speaker 2:There are a couple of key elements that we view as foundational to the effectiveness of the Zero Trust Cloud workload orientation. One, going back to the internet is the network. Most workloads, let's say a VPC or VNet or a Kubernetes cluster, by default are connected to the internet. The actual stance within Azure right now, and they're supposed to change that by September, is as soon as you instantiate a VNet it automatically connects to the Internet. It's automatically given an Internet address. So the first piece is, rather than just have a direct connection, which is silly, or just putting a network address translation gateway there to try and give you some of that IP utilization and disguising, you really need egress security. You want to make sure that for every single workload that is communicating across the internet you are able to see where it is going to and what it is doing when it's going out to something out there. Is it actually going to Salesforce.com or is it going to a spoofed address? Or is it just blatantly going to a known nefarious address because someone got inside your network and is now pointing that workload to a command and control framework with a nefarious website that can begin the communication path? So egress for us, we believe, is one of the most important elements, because when you do a true network security assessment within our prospects or our customers, they're often shocked at the number of workloads that have direct Internet access without any type of visibility or control. The second piece that's critical is, now let's assume that you've got a better handle on what's happening with Internet communications.
Speaker 2:There are still many paths for bad actors to get into your cloud environment. If you can stop command and control, that's the first piece. But assuming that there's some gateway somewhere, they then begin lateral movement. They generally do not come in to the most trusted assets. There's a whole multi-month or multi-year campaign for most of the bad actors to be super patient, inject their capability and begin command and control activities and then work their way east-west, laterally, from the less important assets that they don't care about to something much more important, to a key database that has customer information, or laterally to promote malware everywhere, so they can actually shut everything down and lock everything down, as we saw with MGM or we saw with UHG and Change Health.
Speaker 2:So the second component for us is how do you deal with macro-segmentation on an east-west basis? How do you make sure that object A, workload A, is supposed to talk to workload B? The movement that these bad actors are trying to make often will be from something that shouldn't ever have a communication channel to something else, and then they get credentials for that new thing. So that's absolutely critical, and the third phase for us becomes something more micro-segmentation oriented. Which is, you can stop SAP from talking to a bad website that it's not supposed to. But now, within those instances, assuming that they're talking to who they're supposed to talk to, bad things can still happen, and how do you take much more refined micro-segmentation to isolate activity there. And then the fourth element that we believe is really important is overall encryption, more software-based encryption. We've seen in the world at large
Speaker 2:there was an admission about five or six months ago by the US government that our very valued telecommunications infrastructure has actually been compromised by third-party actors. And unless you have encryption at a higher level, you have to assume that there's a decent chance that a lot of your information is being exfiltrated and interrogated. And so the combination of those four we think is a really important eventual deployment for a full cloud native security fabric capability within an organization. But where you start as an organization really depends on what your environment looks like and what you want to lock down first, and then second and then third, to give you higher confidence that your cyber risk is at a reasonable level.
Speaker 1:Got it Very exciting. Let's touch on AI. The whole industry is excited about intelligent agents and automation and its role in cloud security, both in detection and defense. What's your point of view or perspective at Aviatrix?
Speaker 2:important element here, and so, if I just finish that story, I was talking about the utilization of agentic AI and Gen AI by organizations, which most of us are in the process of really pushing, excuse me, as quickly and aggressively as possible. It just increases the number of workloads, the number of attack surfaces and the speed of change within most corporations' or organizations' environments. So Gen AI, just from a deployment basis, security for Gen AI and for AI within clouds is, I think, one of the propellants of why a cloud-native security fabric is so important, why a zero-trust cloud workloads framework is so important. That is a good tailwind for someone like Aviatrix and anyone that's trying to solve this problem.
Speaker 2:The urgency for organizations is twofold. Given that we're all trying to deploy agentic and Gen AI to help our organizations, how do you train your team and get them leaning forward on utilizing agentic and Gen AI to do a better job of defense? That is absolutely critical, and what you are doing to secure your AI and your other workloads is critical. But the other half that we've all been talking about that's super scary is that now most of the organized bad actors, well, Gen AI has been out for many years, but on a broad basis with ChatGPT 4.0 in 2022, for almost three years now, they've mastered it pretty effectively, and so the vigorousness and effectiveness of attacks that we're seeing from any type of organized group out there is continuing to rise, which I think makes the criticality of what we're evangelizing that much more urgent for folks.
Speaker 2:Attackers, whether it's Gen AI only, Gen AI assisted or non-Gen AI assisted, attackers think in graphs. They're trying to really understand the landscape of an organization and find any insertion point, any movement that they can have within that graph of all the objects, the individuals, the endpoints and then the workloads, cloud workloads and others that exist for organization A, B or C. And understanding that Gen AI just increases the rate at which they can develop these graphs, and it increases the vulnerability that you have for insertion points and lateral movement, which goes back to: you better lock down your egress, you better lock down your east-west and you better implement encryption everywhere that makes sense so that you can protect your estate.
Speaker 1:Got it and now multi-cloud has become sort of the de facto reality out there for many enterprises I'd say most enterprises. What additional risks are introduced with multiple clouds, whether it's compliance or other challenges that you're seeing in the field?
Speaker 2:Yeah, I'd say trying to manage cloud security effectively, even within a single cloud, is a bit problematic, because you really want universal, you want effective coverage of your policies and reactions across your entire estate, great solutions within each one of their clouds to provide both the pervasive coverage that you need and the easy operationalization and adaptability, given how change-filled clouds are. As soon as you get to multi-cloud, and almost none of us are left out at this point in time, we're both organically realizing, hey, I need this workload in GCP because they're excellent here, I need this in Azure, I need this in OCI and this in AWS. And then acquisitions only make that worse because you wind up acquiring companies that have made those cloud choices as well. As soon as you get to multi-cloud, it becomes really problematic because the policy and the visibility and the enforcement need to follow the workload. And workload, as I said, is hard enough within one cloud, given the diversity that happens within that cloud.
Speaker 2:But as soon as you've got the activity, consistent policy, consistent enforcement, consistent deep dive and diagnostics within those clouds, and so I think that the shift in cloud architecture that opens up this aperture, the Gen AI wave that's propelling more workloads, and multi-cloud are the three core factors that mandate that CISOs and CIOs need to start thinking about this problem and looking at companies like Aviatrix as potential solutions for them.
Speaker 1:Got it, and you've been out there furiously talking to customers and partners, press, media, everyone out there. What sort of dialogue are you hoping to spark with the security community as we get into next month, with DEF CON and Black Hat and on and on with great events? What's the feedback and what are you hoping to learn?
Speaker 2:We are in the early stages. If I go back to Splunk back in 2014, 15, 16, when we were jumping up and down about security being a data problem, that was not a cool thing. People were looking at different elements that they thought could help with security, and our orientation was there's a foundational layer, the data layer, that can serve all aspects of security and non-security to get the appropriate insight and awareness of what's happening in the security layer, with security overall. And finally, about 2018-19, when I was walking through RSA, I heard 80% of companies say, oh, security is a data problem. We've got that same journey, I think, with Aviatrix, which is helping to drive awareness of why a Zero Trust Cloud workload stance is so critical, why it is a missing piece on your Zero Trust journey. And there, when you look at CISA's framework, their Zero Trust maturity model, they actually call out how the elements that we're focused on, network, network overall, different visibility aspects, apply to all aspects of security and why it's important. But we are just, for any of you out there that go to our website, have been going to our website and really are looking at our blogging activity, our podcasting activity, the words that we're using on the website, we began this pivot in fall and, month over month, we're really trying to drive awareness and education and understanding of the problem and felt need on why this is something that people need to pay attention to. And ultimately we've got to convince CISOs and IT teams to look at the whiteboard that they have with all their projects and put this cloud native security fabric category and the zero trust cloud workload problem up on that whiteboard in one of the top five positions if we want to help the world lock down this huge attack surface that keeps me up at night.
Speaker 2:It's become a personal mission at Aviatrix. There's been a series of quarters of getting more emotionally attached to what we're doing, a lot like Splunk. I love data. I've been in the data space for a huge chunk of my life and that's what attracted me to Splunk. But it took me, quarter after quarter, to get much more passionate about where we could use data to solve key problems. As we really rotated to cyber, it became a life's mission and that's where I am now with Aviatrix. My number one mission is how do I make people aware of this? And then number two is, through that, how do we help Aviatrix? But whether you ever look at us or not, please just pay attention to this problem, because we're all citizens and I use all these services, and if I can't have confidence in my online life, our way of life looks really different than it does today. So there's a higher level mission and purpose to securing the world's digital fabric that we're super passionate about right now.
Speaker 1:Wonderful. Well, that's a mic drop moment there. You're an optimist, clearly. Where do you see this level of maturity landing in a couple of years? I assume you think we're going to get there, if not fully, then partially.
Speaker 2:Yeah, I don't think that we have a choice. I think humans react really well, for whatever reason. We wait until there's a crisis to truly pay attention, and when we do, we react extremely well. The Gen AI initiative, the continued modernization and migration of workloads to cloud, all those factors, as we're seeing, sadly, there's not a day that goes by that I don't see some high visibility breach happen. Now I think that we will react. I've got high confidence we'll react, and it's just how much pain are we going to endure before we up the game and level across many organizations? But I have strong confidence in the resilience and adaptability of humans, so we'll find a way.
Speaker 1:Well, wonderful sentiment. Thank you so much for joining and sharing the mission and vision and I appreciate your time onwards and upwards.
Speaker 2:Well, thank you, and I appreciate yours as well. Thank you for having me on, and I hope that the weather stays beautiful in Boston. You enjoy a great weekend.
Speaker 1:Thanks so much, and thanks everyone for listening and watching, and check out our new TV show at techimpacttv, now on Fox Business and Bloomberg. Take care everyone. Bye-bye.