Cloud Infrastructure Security at Scale


Episode Description

What We Discuss with Srinath Kuruvadi:

  • 00:00 Intro
  • 02:35 Srinath Professional Background
  • 05:25 What is Cloud Security?
  • 07:24 Large Cloud Environment Challenges
  • 11:54 Is Security Skillset a challenge at scale?
  • 13:33 Security Challenge for Various Compute at scale?
  • 16:30 Threat Detection at Scale?
  • 21:45 Non Cloud Security Challenges in Cloud?
  • 27:08 Challenge of Keeping up with the Cloud Provider
  • 29:29 Does Compliance need to change first? – Audience Question
  • 33:47 Cloud Security Challenge with Open Source for Scale
  • 38:05 Scaling security in multi-cloud? Who is responsible for Infra?
  • 41:51 Does Automation make transition to another CSP Easier?
  • 42:39 GCP Privilege Escalation Talk – BlackHat
  • 43:50 First 90 days if starting Cloud Security Today
  • 47:06 Example of a mature benchmark of Cloud security
  • 51:56 Why do people go for multi-cloud?
  • 55:35 CSP Interoperability
  • 57:05 Fun Section – Get to know Srinath
  • And much more…


Ashish Rajan: Hey.

Srinath K: Hey, how are you doing?

Ashish Rajan: Good to have you on the show, man. I think it’s, I’m really excited about this. Thank you for coming in.

Srinath K: Absolutely, big fan of the show.

Ashish Rajan: You and I have been talking for some time and we have been talking about interesting things outside of this as well, but for people who may not know who Srinath is, what was your path to your current role? Like if you can tell us a bit about yourself.

Srinath K: Yeah, absolutely. So I would say growing up in India, I was not one of those kids who had a computer hidden in a basement where I get to tinker around and learn basic Fortran by video games. And that kind of got me into computer security or computer science and then computer security.

So it’s a different path. In fact, it’s a funny story. I was on my way to become a heart surgeon.

Ashish Rajan: Oh man. I would not believe it. Okay.

Srinath K: Life and that kind of stuff. But then as fate would have it in the last minute, they ended up changing and then picking computer science. It was an interesting switch. Again, one more funny story. I got into computer science and the first two years learned a couple of programming languages.

Then frankly, I couldn’t think of doing this for the rest of my life. Like [00:01:00] writing code, yeah,

Ashish Rajan: from a surgeon. Do you like I would write code. Okay. Go on. Keep going.

Srinath K: Yeah. So I think that’s when we learned C and Java in school, and so, you know how programming languages don’t change much.

They’re pretty constant. Of course, to different environments. And then there’s like, that’s where the challenges come in and scale is switch systems, all those things like going out there just to pick up along the way. But it ended up being I was on the lookout for a field that has constant learning.

And security is that field in my mind, it was always a cat and mouse. Learning that happens between in the field of security, does new attacks that are the defenders keep getting better at the attacks getting sophisticated. So in that way that the constant learning is what I was craving for.

And that’s how I got interested. I started a voluntary group called NSF, Network Security Forum, in my third year undergrad. And that cannot be a pretty successful group where people come together for security awareness, learning and all that. From there I picked up my Master’s in the US with a thesis on intrusion and anomaly detection.

And then that landed me a [00:02:00] job at Google. That was my first job, on the Information Security Engineering team. And since then the career has progressed, mostly getting deeper and deeper into various areas of security: Google, Facebook, Lyft, Mapbox, and now with Netflix. Yeah, I guess security is the only thing I know. I’ve almost forgotten coding.

Ashish Rajan: No, nothing wrong with that, though. I’m sure a cloud keeps you on your toes as well for a bit. So that makes me question. So what does cloud security mean for you?

Srinath K: It’s different for different people. The way I think about it is it’s protecting your assets. When I say assets, it could be like applications, infrastructure. It could be data that are hosted in the cloud from all kinds of threats. And when I say cloud, I’m talking about, it could be like a public cloud, like AWS or Azure or Google Cloud.

Or it could be a private cloud, like mostly what it was at Facebook. Facebook was mostly hosted in private cloud, at least last time I was there from 2014, 2015. And now it’s more complex. I’m going to say predicting I think in the cloud security also means how do you protect? So you use a bunch of tools and techniques to make [00:03:00] sure you apply a bunch of like policies and controls.

And when I say policy and controls in the cloud terminology, it means like identity and access management, or it could be like configuration management and use some of these techniques to apply certain policies and controls to secure your data as an infrastructure. That’s how I think about cloud for example.

Ashish Rajan: So to your point, and we’re talking about large scale and worthwhile calling our cloud, there is a complex environment out there so it’s not just one AWS account or one Azure account or one Google cloud account.

A lot of people have kind of moved way beyond that over the years. And in talking about like a lost land. What are some of the obvious challenges that you see when you’re looking at a large environment of any cloud provider, whether it’s AWS, Azure or Google, like what, some of the challenges that you think that people would face.

Srinath K: The way I think about it is cloud itself brings a bunch of unique challenges. When I say unique challenges, it could be like you might be in an environment where the environment is very complex. It could be like two public clouds talking to each other, or it could be one [00:04:00] public cloud and on-prem infrastructure, or it could be one private cloud and one public cloud.

So, and I have examples of these two, and that itself could be unique in the cloud. The increased attack surface, if you have some ingress port that is not secured in the cloud, and hackers are out there looking to find these misconfigurations and exploit them.

So in that way, the attack surface becomes pretty large when you host something in the cloud. There are always like a whole bunch of workloads. So it’s like workloads keep coming constantly and getting provisioned and de-provisioned constantly. So that’s another challenge in the cloud, which kind of brings us on sort of unique challenges as far as security is concerned.

And as you all know, cloud misconfiguration is very easy. It’s almost like it’s one of those, you make a small mistake and the stakes are very high. So that’s why it’s very important to pay attention to misconfigurations in the cloud. And so these are all some of the many unique challenges.

And compliance is another one. So there’s like a whole bunch of things that it’s two the unique challenges in the cloud. And now when you add the scale, like you asked, scale just amplifies each of [00:05:00] these. Like scale makes it harder to operate in a complex environment.

It makes it harder for when you have a dynamic workload setup that’s going on. Scale also brings in a whole bunch of like limitations in the cloud, like the API quotas and limits that you have to constantly battle. I also see the current open-source tools and, if I see things like vendor solutions,

Yeah, I’m yet to see some really scalable solutions out there. They work fine with 50,000 workloads, a hundred thousand workloads. But when you’re talking about million workloads, constantly provisioning and deprovisioning, that’s the kind of environment where some of these tools fall apart, like fall flat on the ground.

And there is also one more thing that we might want to think about here. So I would say native solutions, like cloud native solutions, for example, like AWS Config, Macie, GuardDuty, Chronicle, Google’s DLP. This is all the native solutions provided by the cloud provider themselves.

And these scale well. I would say they are new and yet to be battle tested. I would say like, I mean, I would say in the past two, four years is when you have seen some of these [00:06:00] mutual solutions that have come up, but they’re yet to be tested against the threats.

They are fairly expensive, if even you operate, when you’re especially operating at scale. And one of the patterns that I’ve seen, again, this is one of the many patterns, is you tend to bifurcate your environment: oh, this is a risky, smaller environment where I can deploy these expensive solutions.

And while the rest of it, I will keep it on an automated autopilot wall where I can put in all kinds of controls and closely watch it, so you end up deploying different set of solutions into different worlds based on the risks that you have. And in that way you manage your risks and budget and all that at scale.

Ashish Rajan: That adds complexity because to your point, you’re almost training your staff to have two different kinds of skillsets. One is the cloud native skill set. Hey, we need to be able to use, I dunno, AWS Security Hub or AWS Config better and in a most cost optimized way because clearly cost optimization is a thing in AWS or, I mean in cloud, in general.

So then the other half is about, [00:07:00] Hey, if you use open-source so. Then there is a limit size limitation. So then if scale is a challenge there. Yeah. So even defined a skillset becomes a challenge as well then.

Srinath K: Yeah. I would say it worked. So, and I think, but it’s not so different. Because at the end of the day we are at the threats.

And that could be things like a cloud asset being misconfigured, or it could be like a least privilege or a most privileged IAM role being exploited for some reason. When you think about it from that angle, I do feel like if you put on your security engineering hat, I do feel like it’s not so much different.

In terms of, from a skillset perspective, of course, there’s all this research that goes in in the first three months or six months of deploying the solution, you’re going to tweak it, tune it, and reduce false positives and all that. And I hope when, you know, some of these are going to converge at one layer.

So for example, maybe it could be the response layer or maybe you put the alerting layer. So everything contributes to this alerting layer. And from there, you’ll get the mind what we want to do with the output or with the outcomes of these tools that are being deployed.

And so that gives you kind of like a single pane of glass. [00:08:00] But in a way that it scales, it’s not expensive and it can be also manageable.

Ashish Rajan: I love the whole single pane of glass conversation as well, because sometimes it feels unrealistic because you have such complex infrastructure as well.

Like if you think about it, you have compute, then you have container compute as well. Then you have serverless as well. And from a security perspective, you need to look at all of them, but there is no single vendor that does all of them, but if they do, they don’t do it at scale. Like, I’m sure there are challenges from that perspective as well.

Srinath K: Yes. Absolutely. Yeah. So this is again, one of the unique challenges of the cloud. I think the cloud providers keep launching services left and right, every year we sit and stay in competitive and also frankly, meeting the demand of all kinds of unique applications that people want to launch.

As a part of this there are technology, like what you mentioned, like compute heavy, serverless, containers. And in general things like what’s the latest one, like Akron, or what’s the latest one that AWS, this laundry things like that keep coming all the time. So I would say I’m always, I like going back to the fundamentals,

so let’s go back to the fundamentals. What are my [00:09:00] threats? What is it I’m trying to protect are the bad guys are going to come after my, and my data on my end when I’m in my infrastructure, my apps. And if you take a risk based approach to such threats, then that is going to inform like, okay, how am I gonna say.

So in that way you are going, you’re starting somewhere and then expanding based on the plants you have. And this essentially would give you a list of a must have checklist and a nice to have checklist. So talking about containers, I would say one of the must have things would be like, just in time credentials for containers.

In my mind that’s must have, because I mean, computers run in different clouds and that they come and go. And we would like to secure it as much as possible. So in that way, the just-in-time credentials fits the must have bucket, like the rest of the thing, as I said, SSH access to a container, maybe it’s a nice to have.

So depending of course, depending on the effects. So if you’re worried about insiders, maybe it’s not. So I think that gives you a bunch of checklist and then you go after that in a way to do it, to reduce the Risk based on the Threats that do that.

Ashish Rajan: Oh, I love it, man. This is already [00:10:00] taking a very interesting turn from my perspective, because, I’m glad you went into the compute side of things.

I also, I’m glad that you spoke about the scale side of things. How does the detection look like in a scale? I’m just trying to think in terms of where there’s a cloud native approach and that is the vendor based approach, but now we have the split brain situation where we have a one side being looked after by this vendor, because your point they’re more risky as they need more eyeballs.

What’s the challenge with threat detection at scale?

Srinath K: Yeah. So, and I think when you say talking about detection. I also think we should not leave the prevention out of the picture. So let’s focus on the native detection part that you started the conversation?

Yeah. So let’s take an example of VPC flow logs. So VPC flow logs are pretty voluminous. There’s network flow logs happening, in like every packet that goes on in network, there’s a log for that. So each of that at scale, it’s going to be like literally trillions of logs coming in an environment like again, like Netflix or Facebook or Google.

And that’s what I’m keeping in mind when I say scale. How do you pick out that needle in a haystack? [00:11:00] So in a way that it’s not, you’re not swimming in an ocean of false positives. And in that way, I think it’s a very hard problem to get to do the detection of scale.

So that’s where I’ve seen various approaches. In fact, we built one at Facebook where you take a layered approach. So kind of look for like broad strokes detection that happens across the board. And then look for suspicious events, again, when you say you, I’m talking about automated workload strive, which are essentially looking for these things.

And then you gradually go up the pyramid trying to reduce the noise along the way. And in that way, you get to the step of the pyramid, which is going to give you like a small set of alerts that humans need to look at with a lot of context, with a lot of enrichment on top of it, and then maybe there is room to escalate that, to do an incident, if you’re sure that it’s an attack on you, for sure that it’s, that it needs to be remediated.

So if I were to build from scratch, I would build something like that because it works well at scale because there are multiple layers and you can have checks and [00:12:00] balances based on the scale that you can handle in a cloud native world. I feel like I would still recommend when starting with threats and by doing a risk analysis and understanding.

This is the Threat I’m worried about, and that is, and currently I don’t have a solution for it. So when you understand that, I would say, okay, now let me go look at what is that cloud native offering for that solution, maybe it exists. Maybe it doesn’t. Sometimes cloud native solutions could be a black box.

So there’s lots of data that happens once that is done. I would say, do a quick Build versus Buy analysis. So it was like, okay, should I build this something to address this gap? Or should I buy some vendor solutions that might work at that scale? And so then you look at your business, but on the backend and budget and things like that.

And then see if you can go buy their solution or go build a solution, depending on the resources and engineering, and security engineering talent you have on the team. So that’s how I would approach detection at scale. And again, you can go into the detection, prevention conversation.

Ashish Rajan: I’m glad you called out both Threat detection and prevention. Although they bring their own challenges, they can be unique based on whether you go for a cloud native solution was at the vendor.

Basically. [00:13:00] I think for me personally, the whole at least what I find is an interesting piece of a conversation as well, is that when you’re trying to just catch up on the Threat detection, not just from your AWS or a cloud provider, but also from the tools maybe you may be using as well across the board.

Like you, I don’t know, you may have a particular version of Windows or particular version of, and you’re like, there’s a critical patch that comes out. Great. Alright. So forget about that. Let’s just do this. And the sheer complexity at scale for me always made it fascinating. And I always find apart from what you just mentioned, it’s another layer of you want the development environment to be running at scale, not restricted by the kind of programs that they should be.

Oh, you can only use Python and not anything else, even though TypeScript is the language of choice and makes it even better. But what that does for people like us is that, oh, now I have, I need a tool or something for TypeScript I needed to, or something for my containers. [00:14:00] bring that all back to like one single layer, cause assets in cloud, also dynamic, you know, you’ve detected a threat, but by the time you got to it, the resource doesn’t even exist because I’m scaling.

And to your point, if you’re doing this through across like a million workload, what are some of the things that come to your mind with that kind of a challenge, I’m not even adding multiple clouds, this is like one cloud.

Srinath K: Yeah. So, that’s a good question. And this is something that we battle pretty often.

It’s not like one, you make a decision once and it’s like, it’s a done deal. Yeah. And it’s totally on top of our mind. I mean, look at the number of vendors we have in the space, like huge, like a lot of them. I mean, frankly, as I said earlier, I’m yet to see a scalable tool that gives you a single pane of glass across all cloud environments.

And that gives me visibility into all kinds of assets that care about. And this is, maybe somebody is going to put something out there. We tried something at Netflix. We built a tool called Security Monkey, and that was a crossbar. Yeah. But that it’s so good still for our needs.

And we had to deprecate and we are building something now for [00:15:00] AWS specific. And then you get an extended multi-cloud and go forward. But this time we learned a whole bunch of lessons and that is going to help us do it better and things scale early on. So there are, there is promise.

We also built a similar tool at Snap called Panopticon and that tool worked really well for Google Cloud. But then the company started moving a lot of stuff into AWS and wanted to go truly into a multi-cloud fashion. And then it quickly started becoming, the scale started becoming a problem.

I don’t know how it works now. This is my information from 2016, but I do think that this is a problem that definitely plagues the industry. And frankly one school of thought here Ashish I feel maybe you don’t need to know all assets. You only had to go after the risky ones.

If you have a pulse on the risks that your business faces, only go narrowly after those assets that you carry. For example, let me give you an example. Let’s say if you’re worried about internet facing assets. So only go collect inventory, [00:16:00] like really everything that is internet facing.

And have a good set of policies, single pane of glass for internet facing assets. There are some asset inventory solutions out there who tried to get all S3 object data. And it could be literally billions and billions of them. Why do you need that?

Maybe you just need bucket level access if your buckets are homogenous. In that way, you might have some knobs, you can also go for shorter retention. You don’t have to keep it for all six months or all 12 months. Or you might have to not go for real time assets. You can do go non real time.

If you were to collect. And scale, it becomes a problem, but there’s also on the flip side, if that is that one incident that hits your company and you needed that one piece of information from six months ago, that does not exist, then you’re in trouble. And so you are essentially taking a risk based on the threats you have.

And it’s a risk management problem. So I find, obviously these conversations come up with, I think security is, is it Risk Management?

Ashish Rajan: Yeah, it is. To your point about the internet facing assets as well. I want to give an exercise for people who are listening in.

Just to identify the number of internet facing assets at any given point in time. [00:17:00] It’s not easy. Like, you know, it sounds easy. Yeah. I just want to know, how many assets are internet facing and you go into this layer deep conversation of, are you talking about API gateways? Are you talking about servers?

Are you talking about EC2 instances or man, even that simple thing is so complex sometimes.

Srinath K: Yeah. Public buckets, you have static assets being served out of public buckets. That could be public. And, yeah, you’re about that. And, thankfully at least at scale that I’ve seen in recent past, that’s manageable.

So in a way, if you’re narrowly focused on that particular problem, you can write tools are the tools that exist out there where you can at least go after that and get, some amount of ideas. Maybe you get to 80% or 90%.

Ashish Rajan: And I kind of like the approach as well that it went to identify at least that that’s a great point to come and go. Okay. So at least I know what my internet facing ones are. And then for applications that are hosted on the internet, I may have another approach. But to your point, at least you don’t feeling that it’s this mammoth of a thing that you have to take over and you know, spend, like, I don’t know. Cause I think to your point, I don’t know if I believe this, but I truly believe, but [00:18:00] you can spend hours.

Maybe even months and years trying to catch up, but by then, your cloud provider has already started creating new softwares or was obsolete. You’re on a version three or something, which is on version 10 now. I mean the scale is a challenge from a pace of even the pace at which you are trying to keep up with the cloud provider.

Srinath K: Yeah, that is very, very true. So, so this is where I, I’m a big, big fan of, of simplicity, especially when you’re faced at scale, go with really simple solutions that is going to give you the biggest bang for buck, as opposed to getting into a conglomerate, sort of a big set of tools that you would like to operate and try to go after casting a wider net to take care of all the threats, all the risks.

So that is going to help a lot. The other thing is I typically see vendor solutions, or open-source tools fall into two buckets. One is functionality. I think the, like recently I looked at a demo of a tool called Orca Security. So it looks very promising for multi-cloud.

It’s truly a single pane of glass [00:19:00] for all three major clouds. You can drill down into two instances from there. You can go to containers from there. You can go to the vulnerable instances. And from there you can map it to CVE, and then it essentially shows you everything in your area. So functionality wise is there, but I work at scale because they are going to run into, they use this thing called side scanning.

They are going to probably run into API limits and kernels and things like that. So probably might not work for the Netflixes of the world or the Facebooks of the world. For scale, there was another group of companies where they only operate at scale, but the functionality is not there yet in terms of going after the sophisticated threats and attacks we face today.

So this is where, I think we typically see at scale company, it means building solutions that is ready, customized and keeping it as a secret sauce. Thankfully Netflix has taken away a transparent approach. And we try to put out as much as possible on all the learnings.

Even recently we open sourced a tool called ConsoleMe that we’ve been working on for the past three years and we’ve gotten a lot of community engagement.

Ashish Rajan: Kudos to everyone who gets involved in doing the open sourcing as well. [00:20:00] Sounds like I need to bring someone from Orca to talk about what they do.

I’ve got a comment here from Darpan, an interesting part as well. Oftentimes, it’s the compliance framework that defines those inventory and retention policies. So is it about time that we should try and change the compliance framework first?

Srinath K: Yeah. Governance and compliance is again one of the unique aspects of the cloud, because there’s the shared responsibility model, you need to understand who’s responsible for what aspect of the compliance. So to answer Darpan’s question here specifically,

I feel, if you’re doing security engineering, if you’re worried about the risks and threats, compliance should come along with you. So you should already, so for example, this one. Retention policy, let’s take that as an example, because the retention policy is 30 days for anything.

Like, let’s say the CloudTrail logs or something like that, that you have a compliance framework. But for incident response, if you have 90 days, because that gives you a bigger one, but so you already met your compliance obligation, but your requirements is more stringent than what the compliance framework.

So I hope we prioritize security and, more security and privacy way more than compliance. [00:21:00] And of course compliance is an obligation. I don’t, I’m not indicating in any way we should ignore it. You might get into trouble. But I would say if you put security first, then I think compliance should come along because it’s how I recorded it.

Ashish Rajan: Yep. No, fair enough. And I think it’s worthwhile, it’s pretty well known in the industry that just being compliant doesn’t really mean you’re secure. It just means you’re compliant. That’s pretty much what that really means.

Keeping that whole scale conversation in mind as well. Risk and compliance, anyone listening to this, if they have kind of made that separate group of, Hey, these are my high-risk kind of assets that I need to absolutely be on the ball for.

Maybe there could be a way to approach that compliance and framework as well. So I think in some of the past examples what we used to do for PCI compliance, it’s probably one of the hardest ones I, I truly believe to, to get past we

FedRAMP, or are

they go those ones as well? So what doing was basically we would just like isolate those, that those environments completely from everything else is like absolutely separate AWS organization, separate everything.

It just means billing is complex for us, but that doesn’t matter [00:22:00] because you kind of have that separated and it’s like, that body of asset is that’s just how it’s going to be. But everything else can stay, go at scale without being best because these have to be PCI compliant.

Doesn’t mean everything has to be compliant and do code go through this rigorous process. So I definitely find a personal attachment to for that kind of conversation. I was going to ask with say what we spoke about compliance, as well. We spoke about maintaining visibility of asset, in dumps of approaching this as a new person.

So some people listening might be coming from a perspective that sounds like at scale would be a lot more challenging. They might just be at a much smaller scale. They may not have millions of assets that they might be looking at. You kind of touched on the layered approach earlier and outside of that.

Is there anything you’d recommend for like, should they, obviously budget is a thing before going for a vendor, but what are some of the challenges? Why for the open source side of things you mentioned, I mean, Netflix does it themselves. You guys I’ve been releasing tools for a while, Security Monkey, the whole, the [00:23:00] Simian Army.

The whole Simian Army tool set that’s been released by Netflix is definitely great to check out. I would recommend people to do that. What are some of the other things that you look at from that perspective? Like from an open-source perspective?

Srinath K: Yeah. So, frankly there are too many tools, so I have a spreadsheet, like, you know, layman’s way, where I keep track of all the tools that are coming that is specific to my area, like cloud infrastructure security. And believe it or not, that list is 80.

8 engineers. We cannot evaluate anything and everything that gets put out there. In fact there was a hack project that I did recently, and I tried to go ahead and evaluate this tool. And it was like full of bugs and just didn’t work.

It didn’t work. The basic thing that it comments, forget scale and things like that. So the barrier for putting a tool out there is pretty low today. I’m saying like, Memphis is not perfect to where rightly, essentially put out about post-abortion and then keep continuing improving around it.

And that community participation makes it better and better as we call them. So that aspect, so I would say keeping your ear to the ground on what is becoming popular in terms of scale and [00:24:00] threats and maintainability. Like, is it fresh? So are people doing bug fixes and then visit?

Is it, there’s this still a Python 2.7? Or is it like 3.8? So that kind of thing would be very helpful. And earlier, if you remember, I mentioned you have this, your risky environment where there are a lot of unknowns. And there’s this huge environment where most of your business runs.

So I would say try these tools that you are not as popular, like your top five or top three that you have been hearing constantly about from a value add perspective in this environment. See the value already are going to get out of it. If it makes sense, continue expanding that until you hit a scale.

So in that way I think you are trying to take value out of everything that’s coming out of the open source community, but at the same time, you’re not just turning off your turning off yours towards something that is, that might be really good. And a fantastic outlet. Like Parliament is one idea, one example.

Yeah. So we looked at it and we use it. . So that kind of stuff would be very helpful to to see so that we don’t have to recreate stuff that if something [00:25:00] already exists. And so that’s the biggest advantage

Ashish Rajan: here. Yeah. And I think to your point, what, like calling out as well, when I think when people do release, open-source, they’re volunteering their time.

It’s not like they’re paid to do that. So I think, I definitely feel it’s what while giving it that respect that, Hey, someone just volunteered their hours, but they could’ve been doing anything. Watching Netflix, actually watching Netflix instead of working like mostly on like open source solution for it.

They put out time for this. So it’s worthwhile contributing back as well, if you can, in any way. Cause, and to your point, everyone’s trying to I guess grow the community because everyone realizes that there is a challenge and one individual or one team cannot solve this problem by themselves. So they kind of have to like almost get the community behind them.

And I’m sure we’ve only spoken about compliance status, scale, and compute, but there’s so many more challenges to go through this justice, one single conversation.

I’m going to shift gears a bit cause I’ve got a couple of questions that came from the audiences. I want to definitely, I mean, I want to tackle them as well which were, they could make it so they would send me the questions [00:26:00] across.

Vineet is one of our regulars, he said hi cause he’s giving an exam, like good luck with the exam. I’ve got Magno Logan’s question regarding scaling cloud security. How do you scale security when you’re doing multicloud? That’s the first question, followed by also with infra as code, who should be responsible for the security of that code and the infra that is created with it?

Srinath K: Let’s tackle the multicloud question first. So I think there are I’ve seen this done a few times now. I feel like untrained staff is one big problem.

So typically what happens is, oh, you are really good at one cloud. And then everybody in the leadership decides, oh, we are going to go add a second cloud. Are we gonna add a third cloud? And the staff remains the same, the number of security engineers, developers, everybody remains the same. And now we have this 50% more capabilities.

Or you need to pick up. And, and frankly public clouds are, have similar constructs and controls, but when it comes to the implementation, it’s very different. Like IAM in GCP is way different from IAM in AWS here to give you an example. Yeah. And I also think [00:27:00] tools today don’t work seamlessly across multiple.

We built a tool like that, Snapchat and, and we kind of it worked very well for Google cloud, but then when we decided to go into AWS too. It’s not that we are going to get up to the cloud, but it’s going to still there. And then we can add it up this on top of it. We had to figure out like a, do a one-to-one mapping.

Oh, this here means this and that here means that. And let’s see how our developers are not going to get confused when they act, when they request access to cloud resources. So it turned out to be a big exercise, like a three month long exercise and still while the business is running at its own pace.

Wow. Yeah. And, and so that kind of challenges always comes in when you come into multi-cloud, you also have the problem of identity management. So there is like, if you have one workload running in one place, what identity are you going to use to make the same workload run in the other cloud?

Do you have, do you trust one cloud more than the other? You do more, you keep your identities in one and then move the workloads on the other side, in a seamless way. With all the auditing and continuous compliance and everything being in place. So it’s, it’s frankly can [00:28:00] get quickly, very messy when we are going down the multi-cloud route.

So I highly recommend doing a more thoughtful approach going after your well established well-drawn workloads, move those first, and then you can continue the unknown ones in a very staged fashion. So that’s how I would recommend. There’s also the danger of duplication of controls.

Like let’s say if you were to do threat detection and remediation at scale. You do it in one cloud, then you go ahead and then try to do the same thing. The other clouds we have seen in both the clouds. Are you going to do remediation in both the places? Are you going to do it in one place that single pane of glass is lost?

Ashish Rajan: Does automation solve this? What you were saying earlier, your automation, one set of automation for AWS, and one set of automation for GCP, one set of automation for Azure.

I’m thinking about people who may be listening in. Well I’m only on one at the moment and I haven’t done automation. Now, if I add another one, it’s not as smooth, but it’s an easier transition if you’ve done some kind of automation in at least one of your clouds?

Srinath K: So that’s a good question. Again, I always go back to your threats and risks, threats, [00:29:00] and risks, the same in both the clouds. If it is then maybe what you’re saying might make sense. Or if you have figured out automation in one, maybe that is going to give you a baseline to start somewhere to do it in the other cloud, but the other cloud itself might bring its own set of challenges.

To give you an example, privilege escalation is very different in GCP versus the versus AWS, the way you look for privilege escalation in AWS is very different, privilege escalation scenarios in GCP. There’s a nice BlackHat talk on this topic of privilege escalation in GCP that I would highly recommend your listeners to take a look.

Ashish Rajan: Yup. Yup. I think that Dylan gave the talk and Alison, we actually had them talk about this. If people haven’t heard the episode, we actually had a whole episode on privilege escalation in Google cloud last month. Hundred percent check the talk out.

Srinath K: Yeah. And I think you cannot take automation in one and plug it into the other one? Of course the same framework, like Lambdas and remediation like integration with Slack and those kinds of things you can borrow, and make it work.

Some of the frameworks, you can actually make it work, but that’s itself is very different and you might want to go a little bit deeper than what [00:30:00] then. Lifting and shifting and shifting and lifting,

Ashish Rajan: Let’s say if someone’s starting today and they’re listening to this and they may not have done automation or they might have done some automation, but they’re trying to figure out the, the security of it.

Like, what are some, the building blocks that they can start with? Like maybe identify assets active, which are risky, not risky than do a threat analysis. Like, what’s your thought on those? Like where does one start?

Srinath K: Yeah. It’s like the first 90 days of a CISO. So you got to like, what are you, where are you gonna spend your time on?

So I would say assets is, is the first thing. Like, you need to map out your attack surface. What are your, what is your attack surface? What is your exposure? And once you figured that out, then you need to determine everything that is behind it. Let’s say that you have, you have a hundred internet facing apps.

So there is maybe a billions and trillions of cloud assets that support this a hundred internet facing apps. So this is like the first order and second order and third order. So you’re essentially in a way mapping out, coming up with a graph based relationship of cloud assets. And of course, a lot of tools for that too.

And after that you ask questions. You ask questions, things like, okay, this app, doesn’t talk to this [00:31:00] app. But if I were to go and poke around, can they really talk? Are the security groups open between the two?

So this kind of, when you start asking these questions, then you start poking your environment and then saying, wait, that doesn’t make sense. Why, why is this set of apps stopping? That’s what I’ve asked. Maybe we should add a security group and block that and separate them because that’s our, for each, each of these classes of apps are different.

So in that, you’re kind of going deeper and deeper, almost like threat hunting, but at the configuration level. So in that way you go over like peeling the layers of an onion and harden your environment based on your asset visibility that you have. And again, I would say if you are a health care company, you got to like prioritize data security.

If you are like a FinTech, of course, you got to like prioritize compliance and PCI and those kinds of frameworks. So and that’s where I think the threat and risk come into picture. And based on that, you go hard. And what makes sense based on your assets that you have?

Ashish Rajan: I love this conversation, I love where it’s going as well. Is there an example that you think of, if you were to benchmark what does a [00:32:00] mature cloud environment look in your mind from a security perspective?

You can go as specific as you want, I’m curious in terms of one or two elements that like we could be identity access management, or could be as many asset management, whatever it may be. I’m just curious from your perspective, pick any don’t do not, I know it’s a super broad question.

Srinath K: I would say first of all, you got to align with your culture of the company. So once you align with the culture of the company, then you determine, what are the things that you are most worried about, from a, from a business point of view?

So from a mature environment perspective, I’m going to, if I were to come into an environment, we just that scale. And I want to like try to do my best in securing the everything possible. Based on threats, I would say first step into prevention. Like try to put guard rails where obvious things are out of the way.

For example, if you have a connection between your company and under wonder where PII data is flowing, and nobody knows what’s going on. You’ve got to stop the bleeding there. You got to like put some controls and guard rails in there so that you should be [00:33:00] able to get some visibility into what is actually going on.

And that is, that is where the prevention angle comes in. This is where I think Memphis has talked about guard rails up quite a bit in the previous talks and things. So once you have those in place, I would say I wouldn’t lean heavily into detection. So, because detection has like a ton of benefits.

So you can operate with limited staff. It’s hugely, you can rely a lot on automation. It’s low friction for developers. You have to, let’s see our developers move much faster and you can literally adapt to new threats much easily. If you were to, let’s say there’s a new threat concert tomorrow, and you have to change a workflow that developers are used to unlock.

That takes like maybe months and months of conversation. And so instead, if you had a detection and you have like a quick way to get visibility into, if that were to happen, this alert on just go ahead and close the hole, if you have that perception set up. So that, that is one example of a maturity in your environment, but you should align with your company’s culture.

So that is where the contract comes in. If your environment is all about But he controlling, like, let’s say [00:34:00] so it’s a FinTech, highly regulated environment. Detection is not going to help. We are going to get into trouble with compliance and governance, but if it’s an environment like like freedom and responsibility, like what we have at Netflix.

The problem for the, for a large part, we trust our developers. And we and we share information pretty transparently across, across the company. In that way you can lean more into, into detection. Of course we got to tap into prevention as much as possible, but you don’t have to go all the way, creating friction for your developers, but then somebody, you have to draw the line in.

And that’s where they both operate hand in hand towards a mature and alignment. Like what, you’re, what you’re suggesting. And one last thing I also want to mention, I mentioned is incident detection and response is basics. So one way I would measure the maturity of a program is how ready are you for your, for an incident.

Let’s say if you do all a red team exercise and you figure out you’re scrambling for logs, it’s so easy to own your environment, the credentials are all over the place. The source code are in the repository. If you run into these kinds of problems, then it’s not a mature [00:35:00] environment. That kind of is, this is a light bulb should go on.

And it’s like, okay, I have a lot of work to do. And I got to maybe start somewhere and slowly start chipping away at maturing my program. So one last thought on that is maturity is a range. It’s a sliding scale, you can essentially, you’re comfortable where you’re at or if you’re not, you got to keep moving.

That’s how I think it.

Ashish Rajan: A friend of mine said this very rightly, and I love the scale conversation as well, because what you mentioned with the fact that, you know there’s always like 40,000 things to do, even if you do one of them this week, you’re still much better than what you were yesterday.

So it’s not about doing all the 40,000 things in one day. So it’s weighing one step at a time. Like I think someone that I used to report to is I go, they asked me a question was how do you eat an elephant as the answer is one bite at a time. So that that’s for me has been always like, oh yeah, you grow, you don’t get to mature, like super mature tomorrow.

It’s like, there’s a scale to it. I’ve got a question here. And it’s probably the last one for the interview, Zinet, in your opinion, what are the main [00:36:00] reasons my organizations go for multicloud studies. Great discussion thought by the way. So why do you think people go for multicloud?

Srinath K: So I’ve got, I’ll get the obvious out of the way. Obvious cost reasons sometimes want to pit one cloud against the other. And then get discounts from one or the other end. They might want to just try to say, Hey, if you, this month, if you give me more, a higher, a heavier discount, I’m going to move my, all my containers here are, if you’re not going to give me, I’m going to move there.

So you might want to get a knob. So you get to have a good control on the cost. So that, that could be one big reason why people might move to cloud. Multi-cloud. The other thing that I’ve seen is a lack of services. For example, when I was at Lyft, we had this problem where, the, the ML stuff on GCP was much better than it.

This was way back in 2018. I don’t know what it is now. That was a reason why Lyft wanted to spin up stuffing in Google cloud, for example. So, and that was slowly, the data started leaving AWS and going to, and then the feature extraction and ML models started running in GCP.

So that, that kind of was taking [00:37:00] off in that way. There were some services like Spanner, which was on GCP that was not available on AWS. So that the lack of services might be a reason why some people might prefer, moving more towards multi-cloud. Frankly I feel public clouds should invest time on interoperability.

So I, I very much love to see a day where cloud providers are working well with each other. They are working on standards, like open IDC. For, for identities across clouds. Open, adopt, open standards. Cross cloud workloads, much easy cross cloud data center, data passports, much easier without saturating the pipe.

So that kind of stuff would be really cool. But there are a bunch of these reasons which I’ve seen people might want to put them

Ashish Rajan: Awesome. The reason I was smiling as well, I was hoping you would mention it, but you haven’t solved. I’ll call it out.

It’s also because a lot of people have egos in it and everyone wants like, Hey, this is my car is because then your car kind of a conversation as well. I’m not going to call out names, but I think it’s an interesting human dynamics that play a role in this as well, too.

Srinath you’ve mentioned [00:38:00] excellent points about the services and the machine learning part, by the way. I think my understanding is Google’s are leading the way with ML. What I’ve found in a lot of times, even though that there was no reasoning for services, it was usually someone’s ego that got to the point like, Hey, I’ve got a credit card, I’m going to swipe it because that literally, that’s what it takes for you to start using Google cloud, even though you’ve been like 90% AWS.

So that was one more reason that happens as well. So there’s a human layer to that as well Zinet. I dunno if you’ve seen that yourself Srinath.

Srinath K: Yes, I have. I have, actually, this is, this reminds me off of a bittersweet memories from one of my past jobs

Ashish Rajan: where it is. It’s like, it’s not only my thing.

And, so Zinet agrees as well, she agrees on the ego part and thank you. But I also would love to see the interpretability of the, oh yeah. A hundred percent. Interpretability among the major CSPs, but unfortunately it’ll take a long time. I imagine for Google to work and for them to share data that in itself that’d be third world war.

I think that would be hard.

Srinath K: I think each of the cloud providers have done a great job in, in, they have made a [00:39:00] lot of our pain points go away and such less costs cost. I think the world is much better. This, the past decade over the decade before that it used to be all locked up in, in Google cloud data center or Google’s data centers or Facebook’s data center and Amazon data centers.

Now it’s available for the world. I think we are making a lot of progress, but they’re all businesses they’re in it to make money. And we all understand that, of that being the primary reason. And, but I think if the industry demands multi-cloud interoperability, then I think the cloud providers are going to work on it.

Because the customers, I doubt some come from the company.

Ashish Rajan: Yeah. Cause I think the whole cloud native approach with CNCF and Kubernetes and all that that’s come through as well. That’s an attempt at doing the whole interoperability as well. I mean, instead of the cloud providers themselves come up with it and we don’t have to have this separate set of things that we can.

Srinath K: That’s it? That is true. Yes, that’s, yeah.

Ashish Rajan: So by the way, I can keep talking to you for hours, man. I’m just going to love your time as well. So I’ve got what I switch gears so switching gears to our fun section, this is just a three questions, nothing technical, just to get to know you a bit more as well. [00:40:00] And they are not super personal as well. You can totally answer this. So the first one, what do you spend most time on when you’re not working on cloud or technical?

Srinath K: Oh, how, how far back can I go or does it hurt?

Ashish Rajan: Well, however you want to go, it just something that you enjoy doing, but outside of your clotting, maybe cooking something recently.

Srinath K: Yeah. Yeah. So five years ago she had asked me what you’ve seen in the back of the wall. That’s what I used to do.

I used to travel a lot. So this is of the world and we used to be like sending postcards to ourselves from each of the countries we visited and then it turned them against the wall. So we are, we I took off like a year and a half break and visited about 30, 35 countries. And that was like a, a big I would highly recommend if you can, if you can, but it was a, a good Good way to take your mind off of security, Charlene and photography on the two things that I do outside work that I really enjoy, but the past year has been more I’m a new dad.

So more like parenthood, and security that are definitely a lot operations, but compared to food insecurity, a lot of empathy for your customers, [00:41:00] for your engineers, for your, for your developers. And that’s, that’s sort of parenthood. A lot of turnover has been for me at least.

Ashish Rajan: So congratulations on becoming a father.

That’s awesome. And so, yeah, I’m sure now all three of you can send postcards now. Cool. The second question, what is something that you’re proud of, but it’s not on your social media.

Are you, are you someone who will post a lot on social media?

Srinath K: I used to work at Facebook

Ashish Rajan: now, basically everything that you’re doing, you’re proud of, but it’s not on social media.

Srinath K: It isn’t social media, but it’s in more a one-on-one conversations and smaller groups and, but broadcast mode is I have dialed down a lot. So, but I mean, your question is, is, is interesting. I would say

what I value more these days is more relationships. So I, I think I used to be a big believer, like two decades ago. And then I got into like computer science and security and all that. I was always fighting for the smartest solution, smartest tool. I gotta be better than the attacker side.

So that’s how I used to think. But I think over the past decade, it has taught me that security leadership is all about relationship building. If you were to take a practical [00:42:00] approach to security, then you have to invest heavily into people’s side of things, because people are the biggest part of the, of the ecosystem that we are trying to secure.

It’s not just competing. So I, I think I do spend quite a bit of time and that I don’t post in, on social media and others in relationship building, networking and, and, and things like that. So I mean, a call for your business. If you’re interested in connecting with me for a bigger reach out on LinkedIn, I’m always interested to hear stories, mentoring apprenticeship all those things are a great way to

Ashish Rajan: awesome.

Awesome. And I think that answered does, you know, discussion as well. Cause she was asking me, how do we connect with you? So I get you, so feel free to recharge me, not on on LinkedIn as well. And emus loves your idea on sending postcards. I love it as well. Cause I’m like, I’m going to try doing that in a way it’s, COVID safe to a good start traveling again.

I love the idea.

Srinath K: Well, so I want to add to the postcard idea. We also write what we liked about that country in that postcard. So like 10 years from now slip and see, oh, that’s what reminds me about that country. Maybe they were great at some drinks or maybe they are great at some [00:43:00] hospitality or maybe they are great at some like like taking advantage of tourists.

For example, in Turkey for me. And so we used to write such highlights that kind of brings back old

Ashish Rajan: memories. Wow. Wow. That’s a great idea. And I’m definitely going to see that as well. Similar to Ms. I want to learn one last question for you before we wrap up what’s your favorite cuisine or restaurant that you can

Srinath K: share?

Oh, this is one thing that keeps changing, I would say now it used to be Italian. But now it’s more like new American. I would say that that’s been a thing because we are live here in bay area and there’s a whole bunch of new restaurants that are popping up. So

Ashish Rajan: that that’s our bug or what what’s, what’s considered like a new American.


Srinath K: It’s, it’s almost like the fusion. Fusion from the south and combined with some, some European, for example. And so our, it could be our, let’s say if you were to think about a burger, but a flavor of a few European, or maybe if you’d like to add some with vegan twist on, on an existing, popular meat dish.

So that could be like, like another one. So it’s almost like, when you hear a name, [00:44:00] it doesn’t ring a bell, but when your food shows up, it’s full of surprises. So that’s how that’s.

Ashish Rajan: Yeah. Fair enough. Cool. I feel like once this we’re going to start clouding. I love to try the new American wave of food that awesome.

Dan, thank you so much for taking the time out. I really appreciate it. And I think I personally feel, I got a lot of value folks who heard this and left the comments and are still listening are definitely, I feel they have value as well. So you mentioned they can connect with you on LinkedIn. So I’ll definitely encourage people to do that.

But I totally enjoyed this and I can’t wait to have you again, Matt. I think this is going to be, I feel like I can talk to you for hours, so, but I’m going to give you back your back your Saturday evening. So you can go back and spend your time with your, with the little one. But thanks social coming in, man.

I really appreciate this.

Srinath K: It was a lot of fun and we should definitely.

Ashish Rajan: Awesome. And so for everyone else I’ve got my background music going. So again, just, but thanks so much for coming in and we will see you next weekend with another episode of cloud security podcast. Thanks everyone. See ya.

Srinath K: Bye.
