
Don't fall asleep at the wheel … in Cloud

BSides Tampa · 2021
Duration: 42:34
Published 2021-04
Speaker: Brent Keator
Category: Technical
Style: Talk
About this talk
Brent Keator: Don’t fall asleep at the wheel … in Cloud
• Tooling is great — but that alone does not keep you secure and agile
• Keep yourself honest with your technology solutions
• SaaS/PaaS is great for support — but there are still knobs to turn
• Immutable Infra, Zero Trust, what happens when we move to a single Shared K8s cluster (like Google)
• Support like you protect your own home.

WEB: https://www.bsidestampa.net
DISCORD: https://discord.gg/FhdkSNa24P
TWITTER: https://twitter.com/bsidestampa
MERCH: https://bsides-tampa.launchcart.store/

About BSides Tampa: B-Sides Tampa is an Information Technology Security Conference hosted by the Tampa Bay Chapter of (ISC)², a registered 501(c)3 non-profit organization. The purpose of B-Sides Tampa is to provide an open platform for Information Security industry professionals to collaborate, exchange ideas and develop long-standing relationships with others in the community. The B-Sides Tampa IT Security Conference took place virtually on March 27th, 2021.
Transcript [en]

I know Chris is having a little bit of issues with his mic, so Chris, are you available to do the introduction? Hey Karen, yes I am, just had to unmute the double mute. Oh, the dreaded double mute. So thank you Karen, and good afternoon and welcome back to BSides Tampa 2021 and our second talk in the cloud track. We sincerely appreciate your support and attendance in making this online conference a success, in partnership with the Cloud Security Alliance. It looks like he is having some technical issues, so I'll go ahead and do the introduction. Really, give me just a second. So Brent Keator, he works at NielsenIQ and he is part of our cloud

security, our cloud operations team, and he is focused on protecting our cloud environments along with identity, making sure we have proper guardrails across all of the different cloud providers that we support. Brent is a key contributor and leader in this space, and I'm definitely looking forward to his presentation. As part of our CSA Tampa Bay chapter, in partnership with the BSides group, we have put together this cloud track, and this presentation is "Don't fall asleep at the wheel." So Brent, let me hand it off to you. Thanks Karen. I'm assuming you guys can hear me. So yeah, my focus is really on cloud, where I am at Nielsen,

so I run, like Karen was saying, around the cloud division. I focus on identity, working on aspects of our portal to support our end-user applications, but ultimately support our cloud platform, where all of our product production infrastructure coexists. As a company, Nielsen, we recently have kind of split off; I'm on our CPG retailer side of the business, where I used to be on the media side that I came in through an acquisition. From a cloud perspective, I've touched all the major ones: I've been involved with AWS for years, Azure for the last few years, and I've had experience with GCP, but I've also embraced other clouds

around, like Packet and other bare metal clouds like Internap, and also data centers; people forget that clouds run in data centers as well. Before this I spent about 10 years in the fintech arena, and it was before cloud was really a thing, and so we spent a lot of time in data centers, and we were just tapping into and realizing the potential in cloud. Obviously there are more guardrails around security and privacy of the data, but we started building out our own separate data centers or colos where we would do calculation grids during periodic points of the day, and starting to think of things more in a cloud

manner when I was there: commoditized hardware, allowing servers to be replaced instead of troubleshooting every issue, and thinking of everything as more transient, as immutable infrastructure. So my focus here is to make the point that security needs to be embedded into all of the decisions that we make, and it needs to be across different teams as well. The aspects that I think are important are some of the tooling and other areas that I'll talk more about as well. So, giving you a brief rundown: I've been in New York about 20 years, and I've

been in the large enterprises and startups, and I've touched many of the clouds, but I do find it very important that security should be in what we do on a day-to-day basis, and the basis for all the architectural and support decisions that are made, and not just from a side view at a static point in time; more dynamic, and a part at the table, table stakes more or less. So I talked about why cloud; these are the areas I really want to focus on for this particular presentation. Tooling: what we bring to cloud and what we use there. Just having it doesn't necessarily solve all the problems,

and neither does having the automation, which might actually be cumbersome or hard to manage, or if people leave it's tough to maintain, so I just want to touch a bit on that. Trust: I think the last presentation and previous ones talked about the least privilege methodology, and just when we enter into projects or platforms or clouds, we think of it in that lens to make sure that we're building the RACI accordingly. Architecture: like I mentioned, I find that the historical pattern is that a lot of architect teams have maybe a three or four, maybe a two out of ten,

when they think security, and then they build their platform and then they bring it to security to get approved. It should be built in; the idea is for security to be involved as part of a council or a guild, or even embedded. As these kids are coming out of college, these are the thought processes on how they're working into more of their self-service and automation, and then how they want to make sure that their environment is trusted, especially as we get more into containers and Kubernetes and shared clusters and the complexities there. We need to make sure that our security realm evolves in the same direction, making sure

that we're staying in lockstep in those directions. I put optics because I want to make sure that there are gated processes, I want to make sure that we understand them and know why they're there, and then maybe there are things that we can do as a community to help improve them, and just general questions that people are faced with. We could develop a solution today and things could change, but security teams have already approved it; you want to make sure: what's the path to making sure that we feel comfortable, that we sleep at night

knowing that our environment is protected? And cost: I think this weighs into a lot of decisions. You look at business requirements; we can call out a breach concern from a CVE, and there are lengthy lead times to getting it resolved, and leadership will probably be more focused, in a lot of cases, on the client that's complaining the loudest as opposed to plugging that hole, even though a potential breach would have more of a cost than losing that particular client. So I think being proactive but understanding the cost, and also thinking from a security perspective in that lens: what does it mean when we think of a 10x

perspective, what does it mean whenever we're looking at it from an egress perspective? I think egress is a good thing to call out, and we'll talk about that a little bit later. It wouldn't be a presentation without a good quote. I feel like I miss going to the re:Invents, and I think the last one I went to was like 40,000 people, and so I'm hoping we get back to these conferences, although that one's too big. I think KubeCon is probably more it, or even the BSides ones; I missed it last year, but I'm hoping to get back into these.

I feel like the end-user community talking is the biggest asset that comes a lot from these, and the stimulation of ideas. But I brought this quote in because obviously he's a big icon in the cloud space and people listen to what he has to say, and he talks about the top priority being security, and businesses shouldn't be on the internet. We need to make sure of what we're planning for and building for, and it's the same thing with the cloud: the cloud providers are recognizing that they need all these tools to keep

it protected. But the thing they call out there is that there is parity between a lot of the cloud providers, there's a lag time, some of them even use the same names for the services; I've seen things in Alibaba Cloud that have the same name as in AWS, or vice versa. I think it's just important to call out that they can provide the services, but if we don't leverage them and tune them to what our needs are, it doesn't necessarily make our application secure. We also need to be involved in the feature roadmap. I've seen examples where people have moved from appliance firewalls that were built more for

on-prem, and then moved into cloud and said, hey, there's a firewall service that's being announced, let's take advantage of this and we don't have to support these licenses on these cores for these firewalls, and then they embrace it, but there are still things that are potentially gaps in the future roadmap, like IPS and IDS. Everybody's a quarter ahead, a quarter ahead, and these things are coming, but just make sure that, as somebody that's an influencer or dealing with cloud, you can influence these feature roadmaps: make votes, make suggestions, make them a part of what makes it the successful security platform so you can sleep at night. So I

try to be proactive in that area, and the same thing around support. But I think the point is that cloud providers can offer these services, and they need to, but we need to tune them and make the best use of them for our platforms. We need to make sure that whatever automation we're using, we actually think of it in the lens of how our application operates and the costs that are associated with it. Tooling: I sometimes consider myself a tooling guy; I look for the best tool for the job. My first bullet here is "set it and forget it is not for the faint

of heart," and the idea here is that I try, and I encourage it, to look at what we select for tooling and make sure that we are thinking future with it. I try to make sure that we look at things on an annual basis; whether we sign a one-year, three-year or five-year contract, I'm looking for the thing that can replace it on an annual basis. It's mainly to keep our solutions honest, to help provide feedback for the tool that we have; maybe there are things that they can add, and they know that potentially there are other tools that we could jump to. I think that

it's important to know what the industry is saying and what the ecosystem has around those particular tools. The other aspect of "set it and forget it" is that I've seen us bring in, and companies bring in, tools, and they have that answer whenever somebody asks. Like, if you're running a Kubernetes cluster and you want a registry scan solution, you bring in Aqua or Twistlock: yes, you can scan the registries, and everybody asks, from an RFP or a CSA, and you have it. But are you getting compliance? Are you getting a hundred percent on your audit-to-success ratio? Do you have the automation to enforce it, so

that when people are pushing releases, those builds are breaking? So I think that just having the tool doesn't necessarily solve the problems, and I think we know that, but it's really hard to anticipate, based on their cost models, what we need day one. So looking for a true-up model is super useful, but actually trying to enforce it with automation, and if you can't get a fixed model for your early years as an adopter, try to make sure you budget and accommodate for whatever is coming through where possible. Selecting annually, looking at it on an annual basis, is super important. I've been with tools that I've looked at

for five years and I still have the same one, but at least I feel comfortable that this is the direction; without looking at a quadrant square of what the best one is, this one fits us and this one works. I just want to take a step back, right: so I spent some time in the fintech area for 10 years, and then I went to the startup area. I joined an ad tech startup, but before I got there I would go to a lot of meetup groups and learn about all the different startups that

were out, and a lot of times there's free dinner and drinks, so there's a little bit of a bonus to it, but you learn about all these different tools. So I stayed close to that community, even now, about the different tools and things that are being funded and the VC action that's going on. So I just want to call out a few things in the security realm that I thought were kind of neat. One was that we came across this; it's essentially access controls for databases: take a database proxy that you can control, where you're managing your users and the lifecycle

policies of those users on it. The solution was strongDM, and they've embraced more of SSH and RDP in controlling access there. They called out, because we were essentially building our own solution: we basically built our own Slack bot where, when developers needed access to a database, we would have an audit trail for it and a time box, and provide them keys, and it would expire, and it worked and it was fine. We'd had some stability issues as they'd run more queries, but it was a central database that we had high transactional throughput on, so we couldn't, as it was massive in size, we just couldn't necessarily

maintain our dev and parity, and then a lot of development needed access to understand if there were issues or different configurations, and so we didn't want to blindly allow them access. The other thing is I see a lot of sprawl on databases; essentially, whenever people ask for temporary access, you find that nothing in the tech world is temporary. Even an environment: oh, we only need this for a few months; it's up there three years later and it's used for three different purposes. So I think having the controls at a proxy level is interesting, especially as we've even seen use of it from an SSH side, where we'd have large server farms where

we need to provide temporary access to help us troubleshoot an issue from the engineering side, and we try to isolate it only to our production support to have access to all of our hundreds of web servers. Now this would allow you to have a full transcript of what was written on it, and an audit, and actually see that it's time-boxed access, and it's easy to push through something like a Slack channel as an integration. So a lot of these tools that are pre-built don't require my team's access at the time. The other one that's interesting is an agentless runtime scanner, and I called this one out because this is a recent one. This

one is Wiz, is the solution, but basically, when I talked about Twistlock container scans of the registry: if it doesn't have a vulnerability at the time, CVEs evolve; you could run your scan of the registry and then all of a sudden there's a vulnerability found, but it's already in production, and if you don't change it, it'll sit there for a year (assuming you probably change it regularly). So it would break in the build, the runtime, or the CI process, but you should be aware that you could potentially have a CVE active in your environment that you're not

scanning in your container. And so this one actually had an interesting solution for doing cloud controls and scanning, where it actually takes the services they're running and scans them, using their engine to actually look in the volumes to see what's running on there, to see if there are any vulnerabilities, on whatever interval you configure. So these are just a couple of them. I find that if we would have stuck with the existing ones, maybe we wouldn't catch some of these issues in a more real-time way, and they could easily become a breach or an issue of concern. So I think staying ahead of what tools are out

there, and they may not always fit, they may not always be cost effective, but just knowing that, and these will probably be the way you'll see other ones evolve, and even the cloud providers will offer services, or you might even be able to help curate the roadmap of the features for these clouds by saying these things. So I think it's super important as a community to help with pushing these ideas. Spoiler: like I said, meeting with these, I see a lot of abstraction on abstraction. I've seen abstracted Terraform for IT users, so being able to make it easier to work in cloud using another tool on top of Terraform, and

some of it, I'm looking for the value in it, and I think it depends on the maturity of the team, but I think also we just have to be wary of who's in control and the custom protections that are around it. Giving IT access, or people that maybe are not as cloud savvy, is good because it helps with the support side, but we just have to make sure that the controls are curated to what they can do and what they should be doing. Next one, zero trust: I think there's a bit of a debate on some of

the zero trust stuff. I think that it's easier for greenfield, and brownfield can be really hard, so my only advice is to start to look at it. I haven't seen too many people going down this path yet, at least in the circles that I'm in, but I think layer seven and thinking more in a zero trust way is going to be the way forward. As we see more shared clusters supporting certain applications, and we've gone through the pendulum shift of going from huge accounts to micro accounts or subscriptions, and now, if you're running your AKS

cluster, now we're looking at doing our own kind of shared clusters with divided namespaces, and so knowing where our micro-segmentations are, and depending more on access as opposed to a firewall being our protective guardrails for it, I think is important. We need to look at it also from, I'll talk about it later in the deck, the cloud connect; we have to think about, from our DMZ perspective, what that means if we're connecting into cloud: what the accesses are, the overhead on management of the firewalls whenever we have applications accessing, because wherever you allow the potential bad

actor in, then you've kind of allowed it everywhere at that point. Cloud native: I talked a little bit about the appliances on-prem versus making sure that what you're running in cloud is the best fit for cloud. Like I said, we moved to the cloud native firewalls, and I think it gave us more agility and velocity on our subscription model, and the ability to create more automation in order to accelerate, especially around different things around firewall rules, and in areas where we have NSGs and different firewall groups and things like that.

And just a recommendation: starting a new job, starting to look at your cloud, or just starting your company, maintain a RACI on your least privilege around different groups. You can have a leak of access pretty easily, just because of a demand or what becomes important, and I think that maintaining this as a reference model will keep teams honest, and where you allow your privileges, if you keep it to the least model, you'll know exactly where to look. Architecting from the back door, I think, is my concept, just in general from my

experiences in cloud. I find that the cloud was pretty much created because, when I look at it working in a data center, if you wanted a server you had to budget for it a year in advance, and you had to actually allow probably eight weeks to get whatever servers you wanted. In the time working in that space, we've reduced it: you start to commoditize it, you start to make it a sample, like a single size, and maybe we pre-build. But I think that in general what cloud has taught us is that people want things faster, the way they want it,

and so they'll game the system, they'll think around it. If I needed a server and it takes me eight weeks and the budget ahead, I'm going to order 100 servers, 100 servers with everything I need, all the firewalls and the memory, and try to get it through, because I don't know where my things are; things are dynamic, things aren't static in January. We have to think in an agile fashion instead of waterfall, and they might evolve, and so might my performance needs. So I call that out because I think that we have to look at cloud and security in the fashion that things will change from what people have

access to. Once somebody's in cloud, they can use whatever tech innovation or services; if you have hundreds of thousands of new services that are released from the cloud provider and they have an account there, they essentially can run those. In the old data center world, it was a lengthy paperwork process and an MSA, you get success criteria, a sales cycle, people bugging you whether you want it or not. Thinking cloud, it helps with the agility to get there, but also we need to be mindful that people are making decisions, and think about how to handle it best. Having security in the mindset, or at the table, whenever

these discussions are made, or even just in tune so they're aware of the audit trail, the services that are running in cloud, the access points. The other thing is the marketplace: the cloud marketplace option, private or public, and a lot of times they can curtail the actual legal paperwork or security reviews because it's just a click of a button and they're live with their services. So I've seen one where, like, Atlas didn't have the right level of access controls from their SaaS platform, the integration into being able to control those at an abstracted level, and so security was able to catch that, and then wait till these matured out, and then we could actually,

once it was offered as an integration for federated access controls, then things could move forward. But in general you could have people running these on their own, so you just have to be mindful. I recommend having audits, being in touch with the services that are being released, and knowing your environment, knowing your developers, but also developers, all the teams, SRE, anybody that you have, however you're structured, with the potential coolest buzz team name: make sure that security is part of what they're thinking. Optics or illusions: I put this in here because these are kind of general questions that I think come up and we

kind of talk about them, and I think that they stimulate debate. But like, from Kubernetes, and I say K8s: what's your strategy? I go to KubeCon, I've sent people there; in general, like, how are we managing our namespaces and the IP space around it, and are we thinking that way whenever we're looking at our cloud footprint? Like you have AKS, ACS, all these different container services; we just need to know, are we doing a shared model, are we doing a distributed model, and how are you managing your certs and your secrets for that matter?

There are things like HashiCorp and others that can help with dynamic secrets, but we just have to make sure that, however it is, this is part of the cycle. As people, we do application reviews of our applications, right, and so you can have an actual certified app; people are aware of it, the architecture diagram, the services. It might not change, the application might not change its functionality, but the infrastructure might change, and this might not always trigger some new security review around it because everything is kind of staying the same. So it's just super important to understand, from an infrastructure perspective, what it looks like and what we're evolving to,

and we'll see more, from a Kubernetes perspective, in my opinion, of where more applications are turning to the cost advantages and the ability to scale, and their potential reduction in support resources in time, I think, are what will catch the eye as more production workloads make their way into K8s. Immutable infrastructure: I don't know how far people are along on their journey, or if it's even in consideration. I think there's always that transient or ephemeral approach, or immutable, and who has controls to it, and do you really need admins if you're just going to shut it down? I think there's just some thought that

goes into it, and it goes back to kind of gaming the system that will come, especially with transient infrastructure. I've seen workloads where security tools are expensive but you pay per instance that's running, and it may take up resources, so if you have an AV scanner that needs to run and somebody's running t1.micros in AWS, they might complain if you have to put additional CPU contention, possibly resources, on it, and if they only even have access. So I think it's just a shift in mentality of how they're managing your infrastructure, but be at the table and understand what the approach is and figure out what it means for admin access into this infrastructure

and how we're able to control it. And in the maturation of observability and monitoring: can you have everything through logging, can you have everything through your tracing, and if you have APM installed, if you're leveraging that, do you have all the insights so that you don't actually need to have anyone physically log in? You're protecting yourself a bit more; shotgunning it versus having multiple people on it trying to troubleshoot is a much better approach; you can scale it out, self-heal it, things like that. RFPs, ISOs: I've gone to roundtables around different compliance certs; I've been involved in trying to build out an ISO for a company.

I think there are a couple of things to call out there. One is that, being involved in a lot of RFPs for clients that come in, a lot of times it's commercial teams that come to tech teams with this and they say, here's your CSA questionnaire, here's the company, this is kind of the answers we want to see in order to get the business. But a lot of times the things we lean on, they work, but it might not be for the right reasons. So if they ask if you have an ISO or SOC, you're like, well, we run most of our infrastructure in AWS or Azure, yeah sure we do, here's a copy of it.

Now, is it hybrid? Do you have some on-prem? Do you have it for your data center provider? Is your application, at the application level, your platform, completely certified? The questions, without doing those kinds of questionnaires, and I've done them, people need to look through it and understand the security model and the thought process that goes into it. I'd recommend, I wish, for any job I started, now realizing it, that I basically started that in the process, because at least ask if there's one present and read through it and see if it's static, see if it's updated, because

a lot of these questions will come up, especially in the particular role that I've had of managing a cloud platform, and also in a startup realm. If you're doing a startup, it's much easier to do it day one, quote-unquote greenfield, as opposed to going back and retrofitting policies just for the sake of having policies, just so you can pass a SOC. I think it's good to embed those and think of it in that light and see what makes sense. So I wonder, in time, if some of these will evolve. I've seen some RFPs where, in the contract or even the MSA, they try to put in penalties for

unresolved CVEs versus annual pen tests. Now, how many times have companies come back and actually used the pen test, in my experience, and said, hey, we need it annually or we're cutting our business? Not often. I think it's a nice out if they're not happy with the services, but maybe these things could evolve; maybe this is kind of a call out to new startups to think of a way they could do it in a less cumbersome process, or a way to scan it or build it and start to make it easier for

developers. I've seen somebody build an open source tool where you can do a lot of the policy curating in a certain format, which is kind of neat. But I think there are just general questions that come up: is it just these, as more of, like, RFEs, and some of these certifications? People can say, yes, I have all these tools, check; it doesn't really mean I'm more secure, and it may make the client feel more secure, but are you using them right? It's kind of like if you said that on your local desktop you're running stuff, you have AV,

you have all the security software to protect it, but you give the user local admin rights; they can change it. So it just depends. I would say that you should look at these policies from the start and make sure that you understand where the potential gaps are, and then work towards it as your company is growing. Security costs: I mentioned egress earlier, so I'll call that out now. That's where a lot of the cost is driven, just in cloud in general. I look at all the services, and the services will change in price; I've seen AWS S3 drop in price, I've seen

RI levers to be able to reduce your cost, I'm even seeing tools do arbitrage on marketplace RIs, and it helps you. But from a network perspective, you're bound by the carriers that these run on, and I haven't seen any price changes that I recall. So a lot of the security tools that I see, whether it's firewall, API, WAF, it's all based on the amount of traffic, so if you have a high throughput of traffic, sometimes these tools are not cost effective in what you're trying to do, and so you just have to think of it; be mindful of what those could be as

you're presenting these ideas to protect it with cloud native solutions, but also look out there, because you can't be facing the same problem by yourself; there are others who will be looking at it, and you have to understand the cost. A lot of times there are opportunities for additional enterprise discounts, EDPs, things that can be negotiated depending on your volume. In my opinion, I think that in general you will see more of a GitOps model in the future, more self-service, people thinking about it, but the more they're driving towards self-service, to actually push for the ability to

commit and deploy instantaneously and this goes back to the latency you know people don't want to wait for things and if they do then they're going to find potentially find a way around it i mean if there's any type of loophole or they'll ask for more they can they figure out what works so i think enabling self-service will be a general direction we'll see more of more of in the future and just be mindful of the egress stuff and latency sensitive workloads you know we're using kafka or other messenger solutions meant bus solutions versus high volume and i've worked in a median inside of it where you know that's what we needed to do everything was real time

and super sensitive and also in a high volume on the kind of cbg retailer and so you're delivering on a weekly basis massive data sets globally and i think just making sure that your platform is secure but you're also mindful of the amount of data and building making sure that whenever architects are involved in looking at solutions that waff has to be considered i mean you have to consider how you're delivering files the tools that go in place is beyond just you know a simple architect team just trying to to cover a particular functionality it has to be secure the tls version that's just going in i mean these are all things that sometimes they

feel like are missed and it just should be you know you know at the table from the start multi-cloud as well obviously it picks up steam i think it's you build agnostic and think multi-cloud but just be mindful if we're talking sim wife firewall all these egress models are you are you maintaining your own sim and all that egress traffic do you you know what's that look like what's that look like if you you know your business grows and so i i think you know the cost i i called it out in the beginning is i think that you know leadership makes calls a lot on cost but don't ever be shy about the security lever to be

able to say you know there's a potential and this is the potential for the risk that we have here if we don't plug this hole or if we don't have this solution i think it's important to bring it up at the start and try to build it in or figure out what costs you know you can cut to make room for it i think that making it more secure and building it in a future-proof way is the best i think that you know certs dns all these things that you know maybe had a traditional way in a path i think in cloud they're more centralized and sometimes cloud native and then and enables access for the developers as

opposed to a centralized team to manage these things and so you just need to make sure that whenever you're building your guardrails so i we've i've been a part of projects where we've had guardrails in gcp azure and aws and it was it's like a full-time job to maintain you know what new services are coming out what we want to throw protections in for and some of it might be beyond security and just cost or stability we don't want them using a certain service it needs to be proved out and so the guardrails are great i mean it depends on the methodology i mean you don't want to confuse your end users um or your user consumers at cloud but

you also want to build it as fast as possible so they can get access to their kind of sub subscription or their sandbox and i always recommend thinking in a a whitelist blacklist model so your production whitelist um and then potentially uh from a developer environment blacklistings that you don't want them particularly testing um so just to recap uh you know go whenever you start new job or whenever you're building a new company or whatever where you are on your journey i think it's important to kind of go through those compliance certs understand what people put in for those answers understand what the stance is it's the same thing with rto rpo bcp strategy but i think

security sometimes you need to make sure that you are aware and you can answer these questions and as you learn maybe there's things that you can make a better process or improved so you have you understand the posture in the stance there i think think of the 10x model i think this goes across everything and that 10x is important you need to think about you know what if you get 10x number of clients 10x number of traffic 10x everything related to your the platform that's existing or the apple 10x number of applications what's the implications there in security and is that considered whenever you're growing and draw kpis around it whenever you are growing and it's a good thing it's a good

problem to have but just make sure if egress is too cost prohibitive at the moment and there's a chance that things could grow at that at that direction at least you have alerts in place be able to start thinking of a new solution start start thinking of it in that manner and be at the table and be present whenever the platform's being developed but also embedded into those architects minds it's part whether it's council guild be there think agnostically think from a a open source or maybe not open source but think of in a way that you need you need to be portable tech agnostic maybe not a cloud agnostic because you know you don't

a lot of the services you can you essentially you know whether it's a functional one it's a it's a lambda in the other but the underlying code can easily be ported over for serverless stuff but make sure that whenever you're building you're building it away from lock-in so you have the capability to think from a guardrails perspective around protecting these services that are running you can build it and make it more abstracted away and you can actually enforce these as guardrails on your cloud environment um i i talked about this earlier is you know assume annual assume that assess all the tools that you have on an annual basis and assume whether it's a light

assessment a big assessment you might find that you found that you could save 50 of money and it's more secure maybe maybe you know looking at it gives you some competitive advantage with your existing tool that you have you could go back and forth and continue to create some sort of competitive pricing annually and get the same services or more i think it's just important to understand the ecosystem and just be aware because you could also stay in the same solution forever um revolutions start with latency and this is where i begin with the the cloud that's where i believe cloud started was somebody sitting there waiting for to get access to a server and didn't

want to wait eight weeks or a year and this enabled it was a gateway that you could run up 100 servers and didn't have to tell people your exact budget and all of a sudden you know you're running in cloud you don't have to you have your own you know external access you're not managing your own internal software repo with guardrails and so you're able to maintain you're able to you know let the developer do what he wants to do but i think we we under the security umbrella need to make sure make sure that we have the guardrails in place that doesn't happen but this is just one step in the the revolution i think that

the more latency that is injected along the way people are going to find other solutions around it like the marketplace using new technologies are out there that may not be already offered in the start i think that you know same thing with firewalls i think you know moving to more of a self-service or get-offs model to changing you know whether it's your your policies to allow access your firewall rules you know i think we'll get people from you know leveraging what ports potentially open or how they're thinking about their their arcades cluster and their name spaces and where they're running our applications where there's already access and i think maybe most importantly is it i think that it's more than just a frame

of mind when we think of security especially in cloud because these accesses are available it needs to be at every level we need to think of it for all the teams whether it's sre devops no ops get ops whatever the coolest name is it's coming out these days um they just need to they need to make sure that it's a part of the process and what they're thinking and making sure that the environment is you know as secure as possible and they're thinking of it as the arc architect whenever they're looking at the solution and calling out anything in question and thinking about the tools to build with how to integrate as new things come out there

and i think if you do all those things i think you're a pretty good place for a cloud and managing it from a security perspective assuming you have the guardrails we we've gone down a path of like a vending machine style where we're still working on some of the automation around you know ipam or ddi to be able to auto allocate blocks and and be able to get people there sandbox subscriptions i've seen companies that essentially whenever you start you get your own sandbox aws account limited budget but at least you can experiment so i don't think we should slow down developers but i think we should make sure that we have all the things in place and

we're thinking maybe one step ahead of them in order to kind of protect and embed the security so they're not in you know going too fast and we're playing catch-up and so yeah so thanks if there's any questions feel free to reach out to me um i you know i do some of these presentations i try to incorporate because the kids are home um so this is them sleeping i think this is like the week before pandemic shut down and then i added like marvel because they're really into marble so i had a ghost about the deck just as uh something that kept them entertained as i was working on it i hope you guys noticed but um cool well

thank you hey brent we do have a question let me know if you guys have any questions feel free i think there's anything in uh chat i'll take a look at now um we don't have structures adequate for storage forensically sound data under legal how can you be assured that data hasn't changed required important um that's very good question i mean i think that it depends on how you structure your immutable infrastructure and how the data is getting there it depends on your pipeline and the type of data that's there a lot of times when i'm looking at pipelines we're not we're you're using your s3 buckets or your data lake as a repository for the data so your raw

data is stored in a central place and this is a place that can be archived encrypted however we're going to store it at rest and then whenever it's being processed and they're transformed then this is where you you know it's beyond you have your still raw data that came in and so you can protect that under a particular legal hold um for the i mean immutable i mean if you're sending it right to a server i mean it has to be looked at from an application perspective i think if it's immutable and you know there's malicious stuff going on there's storage that's isolated there has to be some level of admin access to it if this is the only

place that the the entry point is in um but so i think there has to be some thought around it based on the application structure but i think what i've seen in different patterns is you have you know potentially a data lake or um and then you're using emr or some spark process or or you know kafka you have you can control what controls there and have replicas and you're maintaining um your playback there it just depends on your structure and figure out what you know what the implications would be um so we'd have to you know look at if you have i'm happy to kind of take a look at it whatever the structure is if this is

more of a specialized question or if it's more generic

Any more questions or thoughts?

I wanted to call out that, just as a reminder, we are doing some rewards for questions, and that is in reference to our giving out coffee. So that will be a raffle that will be selected, and we'll reach out to you to get some information on how to send the coffee. With that said, it's really to encourage you guys to be part of this and ask questions. So, one last call for any questions before we close out this session.

All right, I don't hear any other questions or see any other questions. So, Brent, thank you so much for participating. I really appreciate it as part of the CSA and, excuse me, the Tampa Bay B-Sides event. We definitely thank you for your time.

Excellent, no, I appreciate it. Thanks for the invite to be here. I'm welcome in the future for future opportunities and always game for questions and good security and tech talk, so feel free to reach out, anybody.

Awesome, thank you so much.
