Getting Infrastructure as Code (IaC) Security Culture right!


Episode Description

What We Discuss with Yoni Leitersdorf:

  • What is digital transformation and why do we need it?
  • Infrastructure as Code and Infrastructure as Code Security
  • What drives digital transformation?
  • Who owns infrastructure as code in organisations?
  • Do security folks need to know how to code?
  • How to do configuration hardening well?
  • How to sell or drive infrastructure as code security to your organisation?
  • How to measure if IaC is being properly implemented in your organisation?
  • The future of Infrastructure as Code
  • And much more…

THANKS, Yoni Leitersdorf!

If you enjoyed this session with Yoni Leitersdorf, let him know by clicking on the link below and sending him a quick shout out on Twitter:

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

  • Tools & services discussed during the interview

Ashish Rajan: Thanks for coming to the show.

So for people who may not know of you, I guess, how did you get to your current role? And tell us a bit about yourself.

Yoni Leitersdorf: Sure. So my name is Yoni. I’m originally from Israel, although I live in the US now, in California. And my background is in software development. So I got into coding at a very young age.

And in Israel you do military service. So most people, guys and gals, go and do military service. So I did one for five years in the IDF, the Israel Defense Forces, specifically around cybersecurity. So that was my foray into cybersecurity; until then I was more of a developer.

But then, you know, age 19 to 24 was my time in cybersecurity. That’s generally my background.

Ashish Rajan: Wow. Okay. And that’s how you got into cybersecurity.

Yoni Leitersdorf: Yeah. Yeah. So I got into it through the military. And then I started working at a company called Check Point.

They’re a firewall vendor that is used by a lot of enterprises today, all over the world. And after a couple of [00:01:00] years there I decided I wanted to start my own company. And that’s Indeni and Cloudrail, which we’re going to talk a bit about today.

Ashish Rajan: Sweet. Yeah.

Awesome. So my first question, usually, because it is the Cloud Security Podcast, is: what does cloud security mean for you? It seems to have very different definitions for everyone. So what do you believe cloud security is?

Yoni Leitersdorf: Yeah. So to me it’s a necessity. So, especially now with COVID, but even before,

we’re seeing a lot of organizations going through digital transformation and spinning up a lot of new services and applications. You know, a lot of things. For example, I order things; there was a delivery guy here about an hour ago. I ordered some stuff online and it just shows up, and all of that is new applications and new services that didn’t exist before. Now, for the application teams that build those services,

it’s a lot easier to go into the cloud because everything is very elastic and agile there. So it’s easy to spin up a new service and new application: compute, storage, all that stuff is very easy to do in the cloud. And therefore a lot of [00:02:00] them go into the cloud. The problem is that if they don’t do it securely, then I as a consumer am impacted.

So, you know, what I just ordered is stored in the cloud. Somebody could go and hack that. And then that could be a problem for me because maybe somebody knows what I ordered, or they know my address, or they know my credit card number, all kinds of other things. So to me, cloud security is a necessity for our way of life and our future as well.

So the more we do this, the more we use the cloud, we have to have security in there so that both the consumers, like myself or yourself and everyone else here, and the companies themselves are secure and we’re not exposed to bad things.

Ashish Rajan: We definitely don’t want to be exposed to bad things, for sure.

I got a comment back from Vineet: “Everyone, a very impressive journey.” There you go, you’re already impressing people over here. Since you defined cloud security, and we definitely don’t want bad things to happen to anyone, something else you and I were talking about earlier, and for me [00:03:00] personally, I feel this is where the infrastructure

as code conversation kind of came into the whole digital transformation. Yep. And a lot of people have a different definition of it. So maybe you can start with what digital transformation is, why it was required and what a successful one looks like. I’d like to cover the end-to-end gamut, if you don’t mind.

And if it’s a totally long answer, I’m happy to wait.

Yoni Leitersdorf: Yeah. So I’ll give you a great example. One of the things that people all over the world hate to do is go to the DMV, the Department of Motor Vehicles, where you get your license and your car’s license and all that. Because you know that if you go there, you’re going to waste an entire day and you’re going to come out frustrated because whatever you wanted to do maybe didn’t work out the way that you wanted it.

It’s a global thing. Every single country I’ve ever been to, going to the DMV is the worst. All of a sudden COVID came in, and COVID has a lot of bad things to it, of course, health and people, et cetera. But one of the things that it caused is it forced the DMV to think differently, because the DMV [00:04:00] now couldn’t have anyone come in, but you still need licenses and you still need cars moving around, and motorcycles, et cetera.

So for example, here in California, it forced the DMV to completely digitize. And now you can do everything you wanted to do with the DMV online. Now you can fill out a form, you can email them, things like that. And it may look very obvious in 2021 and 2020, but it was not obvious in the California DMV up until a few months ago, when they were forced to do it, and now everything is digital.

And I got two new licenses for cars and changed the address on my license. And I did all of that without visiting the DMV. That is digital transformation when it works.

Ashish Rajan: Oh my God. Yes. Oh my God. I think we definitely went down that path and I a hundred percent agree, no matter which part of the world you go to, for some reason there is always a department

you just do not want to go to. And, you know, for sure you might as well write off your entire day. Yeah, I’ve got a story with my license as well, but I’m not going to go into it. But [00:05:00] a successful digital transformation, to your point, is addressing something which is, I guess, physical in the world, primarily paper driven or some other way, which sounds like a really slow process, and moving it to a more digital world where anyone can access the information from anywhere.

And cloud is something that enabled it. I don’t pretend to be dumb over here.

Yoni Leitersdorf: So yeah, cloud is what enables it, because if you think about it, and I was obviously not in the DMV’s process myself, but if I look at it from the outside, I see that they built new applications and I see that those applications are running on a cloud provider.

You can actually look at the code and see, you know, which one they’re using, and we’ll get into that here. But you can see that they actually built those applications using a cloud provider because they knew that they needed to do this rapidly. You know, people come and go to the DMV. We have to solve the problem quickly.

Let’s figure out how to do it really, really fast and spinning up infrastructure in a normal sense in kind of on-prem type infrastructure [00:06:00] can take months easily in a data center. But if you go to the cloud, it’s very, very fast and therefore they chose the cloud. Similarly, by the way, here in California, they rolled out the vaccination program.

And when you look at it, if you go to myturn.ca.gov, you see again they’re using cloud. So it’s very clear that they are using it because it’s a lot faster and it gets them to their goal a lot faster. And, you know, I’m all for that. I think that’s a great thing.

Ashish Rajan: Awesome. So let’s talk about infrastructure as code

and infrastructure as code security. So infrastructure as code: why do you need it, I guess, in a digital transformation? Why does it matter? And let’s start with the whole cultural aspect of it, in terms of what you believe is required to kind of start off the whole journey of infrastructure as code security.

Yoni Leitersdorf: Yeah. Sure. So let’s talk a moment about what infrastructure as code is. So before infrastructure as code, basically what you have is servers and storage in a data center, and [00:07:00] basically IT engineers who would make configuration changes to the infrastructure. For example, they would maybe

rack a new appliance and turn it on and connect it to the network. Or they’d go in using SSH and make a change or something like that. So before infrastructure as code, people were basically making modifications all the time to adapt the infrastructure to the business needs. Now that creates a huge mess because nobody knows what’s going on.

It’s very hard to track what is being changed and by whom and when, and if you want to roll back a change, that’s very hard to do. So managing infrastructure historically has been a huge challenge. And, you know, a lot of tools were built to try to deal with that. But now with infrastructure as code, things are different, because instead of going and making changes to a live environment yourself, you know, as an engineer you can actually define what the environment you want is in a file.

You can just build a file and say, this is what I need, this is what I want it to look like. And then you have a tool. It could be [00:08:00] Terraform, could be Ansible, it could be Chef, could be a whole bunch of different things. But they take that file and they build it for you. That allows you to fully understand what you’re building and how you’re building it.

And when you’re making changes to it, it’s in a much more controlled manner. So infrastructure as code is really a huge solution for how we’ve been doing infrastructure for years, and now, you know, it makes that a lot better. With it, it’s opening a great opportunity around security. And maybe I’ll give an example from a bit of a different world.

So imagine you have a house, you’re building a home. Okay. And you’ve got a contractor who is building the home for you. And when the contractor is done building the home, they’re completed, everything’s done. Then you go and walk around the home and then you realize that the window is too low or the wall is not where it should be.

Or, you know, the door is not where it should be. And you go to the contractor and say, okay, I need you to move these two walls, move this window, close this window, move the door over there. And by the way, the roof is in the wrong [00:09:00] direction. The contractor is going to look at you and say, okay, that’s very expensive. You want to do that?

And that’s how people have been running infrastructure for years and doing security for infrastructure. They’ve been looking at the production environment after it was built and saying, oh, I need to make all these changes. Now with infrastructure as code, you have an opportunity to look at the plan.

So imagine the home that you were building. You look at the floor plan before the home is built. You look at the floor plan and you can see the windows, the doors, the walls, the rooms, everything, and you can change the floor plan when it’s still a plan and before everything is built and therefore it’s a lot cheaper to make those changes.

So similarly, in the world of security for infrastructure as code, now you can do security before you’ve built anything. And it’s a lot easier to fix something then than it is after everything’s built. So again, to me, it’s a huge opportunity.

Ashish Rajan: That’s a great example. I love the plan analogy as well. So I’m definitely going to steal that one day.

I’ve got a question here from Vineet: is digital transformation happening [00:10:00] due to unforeseen circumstances or the company’s innovation culture? Curious to know your opinion.

Yoni Leitersdorf: It depends. I think some companies had the innovation culture before going into COVID. You know, I can say I’ve been a consumer of many companies who were looking ahead and solving a lot of problems before COVID and digitizing everything.

I think parts of the airline industry, for example, are a great example of that. So United Airlines, which I use often, they had moved into a more digital experience before COVID; I was using their mobile app and their website, and, you know, everything was smooth before. So a lot of companies were doing that before COVID, but I think what COVID did

was it forced a lot of other companies who were laggards, who were kind of like, ah, we don’t have to do this, you know, maybe some government entities that were not as inclined to do something like this, and forced everyone down that funnel of we have to digitize. So some companies are this and some are that.

Ashish Rajan: Awesome.

Great question as well, [00:11:00] Vineet. So now we spoke about infrastructure as code. We spoke about infrastructure as code security. Sounds interesting. I mean, you’ve got me, you’ve sold the idea to me, but who’s going to run this in my organization? Like, am I going to be the cloud security engineer or security engineer, or maybe just an enthusiast who’s on the DevOps side, looking into this with the DevOps team, or SRE? Like, who’s going to own this?

Yoni Leitersdorf: That’s a great question. So who cares about security? Security people. The people on the IT security side of the house, they’re the people who care about security. Developers, and I feel free to say this because I’m a software developer by origin, developers, yeah, don’t really want to spend time on security.

They care about it. They understand that it’s important. I think the developer out there understands that security is important, but I have never met a single developer in my life that wakes up in the morning and says, I want to do security today. They never do that. They wake up and they say, okay, I got a ticket.

[00:12:00] I got to get it done. Or, wow, I have an amazing architecture or design for a feature we’ve been talking about. You know, they get excited about code. They get excited about building things. They don’t get excited about security. So I don’t think you’re going to find a lot of developers who are going to want to be the security person, you know. But

with that said, there’s been an interesting dynamic over the past 10, 15 years. And that dynamic is slightly changing, but the dynamic was: developers build an application, and then at the end of their process, security comes in, kind of like a hawk. They come down at them and they say, oh, I’m going to review everything that you’ve built.

And you know, this is not according to our controls. This is not according to policy. This is not according to HIPAA and PCI DSS and all of that. So security comes at the end of it, and they tell the developer and the development team everything that they did wrong. And so developers don’t like that.

And naturally developers started not being big fans of security. But I think that we now have the opportunity [00:13:00] to change that. So forward-thinking organizations are starting to say, you know, how about we actually build a partnership between developers and security? We get them closer. So how about we teach security

what the experience of developing code is, and how about we teach developers more about security? So there’s this kind of cross-embedding between companies. And I’ve seen this recently, by the way: Twilio, for example, posted a blog post a couple of weeks ago about the concept of embedding security in software development and vice versa.

So as these teams are getting closer, we’re seeing a lot more cooperation between them. And then that goes back to your question of who should own IaC security. My opinion is that SRE teams and DevOps teams can now own IaC security, because what is happening is security is telling them, these are the controls and the requirements that we have of our cloud, but we’ll let you pick whatever tool you want.

And then the SRE and DevOps team can pick whatever tool works for them in IaC [00:14:00] security. And then both sides are happy, because developers are using the tool that works for them, and security knows that the developers are following the security requirements. So both sides are happy.

Ashish Rajan: That’s an interesting way to put it. So do you reckon, is there like a staged process to this, or is it day one, I come in and, hey, Mr. SRE, Ms. SRE, you’re responsible for IaC security? Yeah. You go over the document.

Yoni Leitersdorf: No, there’s this saying, which I don’t even know if it’s true, but there’s a saying about how do you cook a frog?

You put it in cold water and you slowly warm it. And I don’t know, I’ve never cooked a frog. Yeah,

Ashish Rajan: I’m going to Google that later, but

Yoni Leitersdorf: I don’t know if it’s true or not, but, you know, sometimes there are things that if you go all out immediately, there’s a really strong rejection to it.

But if you go slowly into the process, then there’s more acceptance. So if you’re kind of coming from the perspective of let’s work closer together, DevOps and security or [00:15:00] SRE and security, let’s work closer together. Let’s set a couple of early goals that we want to focus on,

and go and pursue those goals, and then, you know, kind of do it in a staged or staggered approach. I think that would work a lot better, but it’s clear to me that DevOps and SREs are the ones who are going to own it, I mean, today. So, you know, obviously we have the Cloudrail tool in IaC security.

Yeah, our users today are largely SRE and DevOps people. There are some cloud security engineers, but they seem to be a lot more coming from DevOps and SRE because of the dynamic I just described.

Ashish Rajan: Oh, right. That’s an interesting one. I love the fact that you’re kind of going there, so are there any examples that you can share?

Like, for example, I’m listening to this, I’m inspired by what Yoni said. I’m like, oh my God, Yoni mentioned I can do this slowly. So what’s a good spot to start, especially if they’ve already been doing cloud for some time? They’ve already done transformation. I’ve heard it for the first time. I’m inspired. Where do I [00:16:00] start?

Yoni Leitersdorf: Okay. So infrastructure as code security generally gets deployed within CI.

So I know you had Barak from Bridgecrew a couple of weeks ago. So Checkov gets deployed in CI. Cloudrail, our tool, gets deployed in CI. And then there are others as well. So generally these tools get deployed in CI, right? So everybody kind of goes into there. But I think when you look at it from a tool perspective, and we can talk about people and process in a few minutes, but if you look at it from a tool perspective, you need to start at a very low level with that tool.

So don’t stop the CI/CD pipeline yet using the infrastructure as code tool; start with just kind of a learning mode. Cloudrail does that, and you can do that actually with Checkov as well, you know, in some way. But basically you just start from getting visibility. You start from seeing what is happening in your pipeline,

what code is being passed through, what security issues that code has. You start from there. And once you start getting visibility and you [00:17:00] understand, okay, these are the mistakes we’re making, these are the security issues we have, then you start inching things up. Then you start saying, okay, I’m going to fix, you know, I’ve got maybe 20 things that it found, I’ll fix three.

Or maybe I’ll set the tool to enforce some of the checks that I want to have, you know, the first three or the first five, but you always start from not interrupting the CI pipeline and then slowly go and increase enforcement. You don’t go all out on day one, because then you’re going to get kicked out.

Ashish Rajan: That’s really interesting. Would you say then security has to learn how to code? You know how you were saying earlier that the development side is something security needs to familiarize themselves with? Now, I think some people will have different approaches to where they might go, I want to automate, or else. But do you find that security has to kind of become almost, because where I’m coming from is this:

a lot of security people have come from a sysadmin background or network security background; not everyone comes from a development background unless you’re in application security and you kind of [00:18:00] picked that up through pen testing or whatever. So I always get this from other people. So I’m curious to know your opinion on this.

Does that mean they have to learn Java, Python and whatever, like become coders, for this to be successful?

Yoni Leitersdorf: So first of all, I think they need to understand the concepts. There’s a lot of security people that I spoke with over the years where I mentioned DevOps or Python to them, and they knew the term, but they didn’t know what it meant.

So for example, if you ask them, you know, what is DevOps, what does it look like? And they’re like, well, it’s a process that our developers use to, you know, make sure your stuff doesn’t break. I’m like, okay. You know, maybe you could have a deeper understanding. Or I remember one of our customers actually that I spoke with about another one; we have two products.

So on the other product, he said that he really wanted to learn Python because it’s an exciting language, but he didn’t know how it worked inside. And I think security needs to learn these concepts. Maybe they don’t need to become the best Python developer out there. [00:19:00] I can tell you I’m not the best Python developer out there, by far.

But they need to understand what DevOps is and what it looks like and what the stages look like, and, you know, peek into Jenkins or CircleCI or whatever CI platform you’re using. They need to look in and understand what the jobs are, the stages and how it works. And what does it mean when it’s successful, and what does it mean when it failed?

And then also look a bit at how Python works and how your developers work on a daily basis. So I think understanding those concepts is important, and understanding those concepts is just a matter of doing a couple of online courses and, you know, investing maybe 80 hours of your time to get to know those concepts.

So I think that’s what security should do. If they want, you know, bonus points, or, how do they call them, brownie points here in the US: write code. Yeah.

Ashish Rajan: Good answer, my friend. So we’ve spoken about the job that security needs to do, who needs to own this. I’m curious in terms of challenges in an [00:20:00] organization, whether it’s small or big, what kind of challenges are you seeing people face adopting this culture, I guess? Well,

Yoni Leitersdorf: so if you think about it, to a solution there are always three elements: the tools, the people and the processes. Right? So we talked a bit about the tools. We talked a bit about the people themselves, security and developers needing to know one another. Now it’s time for processes. So processes are often dictated from the top down.

There is somebody that is, you know, maybe the business owner or a VP of something. They come and they say, I want to build a certain process. I want us to have a process where development and security are integrated together, or security checks are included as part of our pipeline, or there’s a weekly review of software developers and security representatives working together.

Or, you know, we’re doing it over Slack or whatever, right. But processes have to be in there so that they will end up working together. So I can take an example from our company. We have our developers, of course. And we [00:21:00] have the security side within Indeni. And when we wanted to do cloud security, then initially it was the security side using a cloud security posture management tool that listed a hundred different issues in our cloud environment.

And what they did is they opened Jira tickets for the developers and they told the developers, here are Jira tickets for you, fix them. And then the developers said, no, we’re not; it’s going to take us two weeks to close a single Jira ticket, and it’s not the main focus of what we need to do. And, you know, if you have a problem, talk to my boss, right.

That’s a bad process, that is a process that failed, right. Throwing Jira tickets at developers is not a process. It’s, you know, maybe you being lazy when you do that. So the right process, which is what we built after that, was to say, okay, we have certain requirements on the cloud security side, let’s find a tool,

an infrastructure as code tool, that can implement those requirements. Okay. Now we ended up building our own, Cloudrail, [00:22:00] because, you know, we looked at all this, but we ended up building our own. And now that we have that tool in place, now let’s define the process so that when the tool finds issues, developers have to fix it as part of the CI pipeline.

But we will only prioritize certain issues. So, you know, once you build a process differently, in a way that actually fits the different teams and the culture, now things can start working. So we’ve been doing that, for example, for a year now, and that has drastically improved our cloud security posture.

Our cloud security looks a lot better today than it did a year ago, but that’s because we understood what was failing. And yes, we replaced the tool, but we also built the right process around it and people understood the importance of doing it. So then it became successful.

Ashish Rajan: Great question.

And a good segue into a question that came in from Mr. Tamar. So Tamar has a question: when it comes to configuration hardening, how can we achieve this without blowing things up? That’s an interesting one.

[00:23:00] Yoni Leitersdorf: That’s a great question. So if you’re doing configuration hardening after something is in production, then that is really hard. It’s like, you know, in those movies where there’s a bomb and you’re trying to figure out which wire to cut, and, you know, the guy’s sweaty and the clock is going back.

So it’s kind of similar to that. You know, you’re sitting there: I hope we don’t screw up production. It is a challenge. And I think that’s why we barely see people fixing things in production. However, if you can build the right processes and you can do security analysis early in the process, then configuration hardening is a lot less of an issue, because you’re fixing the configuration during design and then you’re testing it.

So if you have a test environment, or a staging or user acceptance testing environment, whatever you have, you’re doing the hardening there already. And if something blows up, it blows up before it goes into production. So essentially doing the fixes early is what will solve that problem.

Ashish Rajan: Cool. And have you seen examples of something that’s like, if the bomb’s already there and you’re in a situation of whether it’s the red or the white [00:24:00] wire, have you seen something work in that situation?

Yoni Leitersdorf: Well, so you take precautions in that case. So first of all, you do it on a Sunday or Saturday, you know, depending on your business needs and your business ebbs and flows and load. So obviously you do it during a, you know, a more relaxed time. And again, you involve developers and SRE and security in the process.

You don’t leave any of the teams out, because, you know, you need to work together to solve the problem. Yeah, I’ve seen it work, but it’s a lot harder to do.

Ashish Rajan: Yeah. Maybe another thing that I’ve had experienced personally, and some of the other guests kind of shared as well. Maybe I can add that to it.

And maybe I’d love to hear your opinion on this as well, some of the approaches that people came up with. The way they went about this was: every business has mission-critical applications, right? Everyone’s on board with it. No one wants to touch it. No one wants to screw with it. So, and this may come across like an anti-pattern, where you try and find what that most critical thing is and identify what’s [00:25:00] wrong with it.

If, from a security perspective, you find something’s wrong with it, pointing that out will definitely get people working on it. So this is one approach that someone tried, where things are that critical that, irrespective, it doesn’t matter, IaC automation or whatever, I just want this to be super secure, because this is why my business is running.

And then there is another conversation that I came across, which was around the option, for people listening in to this, of a security champions program, but not from a, I guess, software analysis or static code analysis angle. You could be doing a static analysis of infrastructure as code, but you’re basically trying to identify people who are naturally inclined towards security.

So they could be your Trojan horses, and that sounds wrong, but they’re technically your friends as well, because they want the same thing as you do. They want to do security the right way, because they’re really proud of the code that they’ve written and they want to make sure there are no chinks in their armor.

So if you tell them, hey, [00:26:00] you may want to change this a little bit. And I personally found those two options have worked in organizations, but to your point, organizations still come back and say, no, do not care, want to proceed with my feature number one-one-five. So.

Yoni Leitersdorf: Well, it’s not that they don’t care.

It’s more a matter of priority. They say, listen, yeah, we care, but it’s going to take two weeks or a month to solve. Is that the best use of our time? Or would you rather we do other things? And we see it all the time, but, you know, that’s one of the advantages of having executives. So, you know, to your first option, if something is a severe problem, you go to a VP or a CXO and you tell them, listen, this is a severe problem.

And if we don’t fix it, you’re going to be in the news. Yep. No one wants to be in the news for things like this. So the executive will come down and say, can we fix this? So that is also a way to do it.

Ashish Rajan: Yeah. And I think the first option is more in terms of I guess going where, like, to what matters for the organization, instead of like, as a [00:27:00] security people, I feel like we’ve actually gone into a state where sometimes we just like, well, my CIS benchmarks says, blah, blah, blah.

It doesn't apply. So, I mean, I'm obviously going with extreme examples. I'm sure there are better examples out there of people who have found better options. I'd love to hear from other people as well what they have experienced working in their organization.

'Cause I definitely feel the culture piece is so difficult and so unique to an organization. Like, option one would totally fail in a very developer-driven world, no matter how high the stakes; option two would really work in a developer-driven world. So yeah, I'll be keen to know from other people as well if someone has to drop it, and hopefully, Mr.

Tomorrow, I didn't screw up your first name, and I'll be answering your question as well. Cool. All right. So the next question: we have obviously spoken about challenges in terms of a smaller organization, a bigger organization, and kind of how to find, basically, a middle ground where everyone can work together when it comes to senior management.

[00:28:00] And this is maybe for enterprise. What have you seen work well in terms of selling the idea of infrastructure as code security?

Yoni Leitersdorf: Hmm, that depends on the senior management. So if you think about senior management, and a lot of management, but usually in senior management it's more expressed: they think about what they're measured on very often.

So, you know, what if I'm measured on uptime, or what if I'm measured on delivery of applications, or what if I'm measured on, you know, security of the applications and whether we have security issues? So, yeah, a lot of times senior management think about what they're being measured on. And then they also think about what is important for the organization, and they try to align the two and make their decisions based on that.

Right. So if your senior manager is measured on applications being delivered as fast as possible, then when you want to sell them on IAC security, you need to sell them on: this is going to make us run faster. [00:29:00] Why? Because without IAC security, the security team is going to come at the end of the process, right before we go to production, and tell us about all the problems we have, and then we're going to need to go back and fix them.

And you're going to miss your goals. Right. So that is a way of selling IAC security. Or another way, if it's an executive that cares about security a lot, then you sell them on: this is going to help us build a more secure environment and meet our cloud security requirements. So I think you need to understand how the executive thinks and what moves them.

A couple of days ago, I was talking to a CTO at a big financial organization. And he said he cares about regulation because, as finance, there are a lot of regulations. And the biggest thing for him is not violating any of them, because he knows that's going to really hurt the business.

So anything that makes sure that they're following regulation and they're not gonna fail an audit, he cares about, and therefore IAC security is relevant for him. [00:30:00] Yeah, it depends on what motivates the executive.

Ashish Rajan: So what kind of support can we expect from senior management to make it successful?

No, I guess that kind of answers the why, that's why they do it, 'cause obviously they're aligning it to what they're measured against and, in some way, to what the business is going towards as well. What kind of support can they provide, maybe, because we have a few senior management in the crowd as well.

So how can they support this in their organization, or drive this in the organization?

Yoni Leitersdorf: So I would start with the people. I would start with working with the developers, security, SRE. I would work with the people and help them see the need, and help them see why it's important for the organization and why it's important for their roles to do this and to be part of this.

So that's the first thing I would handle. The second thing, I would help them select a tool and provide budget for that tool, because good tools cost money, and therefore you need to make sure that they have the money to buy it. Because if you tell them, go check out a tool, [00:31:00] and then the tool comes back with, I don't know, a $15,000 price tag,

and they say, Oh, I can't do that. Then you have to make sure they have the budget. So it's the people, then the tool. And then once the tool is selected, you help them think about the processes, and you help identify an individual responsible for building the process together. So I think as executives, you start with why:

helping people understand why this is important, giving them the resources they need to choose a tool, and then helping them think about the process, or at least, you know, finding an individual that can help them do that. And that way they will be successful with it.

Ashish Rajan: Awesome. Great answer. So we've kind of covered a lot of the spectrum in infrastructure as code security from a people and process perspective. Keen to know, how do you measure that you're doing well in implementing this in your, I guess, organization?

Yoni Leitersdorf: First of all, I can tell you I'm big on measurement. And you mentioned senior management; senior management generally is also big on measurement. And in well-functioning organizations, [00:32:00] senior management, CXOs, VPs, you know, executives,

they're big on measurement. They want to understand how this is now better. You know, if the score before was 10 and now it's 90, you know, that's good. You want to do this, right? So you want that to go up. Executives, they like graphs. It needs to go like this, right? So they're big into measurement. So when we looked at IAC security and measuring IAC security, what we did was we said, okay, let's look at how many cloud security issues we see in our live cloud environment.

Okay. And then let's see, out of those, how many actually get solved and how much work it was to solve those issues. Right. And usually when you're solving a problem in your live cloud environment, it's a lot of hours, a lot of days to solve a problem. Okay, so you start with that, and then you go and say, okay, I'm going to implement IAC security.

And what I want to measure is how many issues are found by my IAC security tool, and then how they are resolved over time. [00:33:00] So let's say it started with, you know, it ran 150 different checks, and out of the 150 different checks, 17 were violated, you had an issue. Okay. How long does it take me to resolve those 17?

And how many of them were resolved? Is it all 17, or maybe just 12? And then I look at that over time. So I want to see how infrastructure as code, or my infrastructure, how it improves over time. And that's the way that we measured it, and it showed a lot of success for us.

And we actually see that the vast majority of cloud security issues that we solve are within IAC security, and not in public cloud security or the analysis of our production environment. So we see that in the data, and I think everybody's going to see similar results in the coming years.

Ashish Rajan: That is awesome. I think that's a good segue into a question that came from Anika, who's an avid listener as well. Any recommendations on embedding compliance standards like HIPAA and PCI into the development team? We create JIRA tickets, but like you said, we get pushback from the dev, and [00:34:00] can CloudTrail help?

Yoni Leitersdorf: Yeah. Yeah. And by the way, the CloudTrail, Cloudrail thing that happened to you now happens sometimes. So people

Ashish Rajan: say like, Oh,

Yoni Leitersdorf: well, we called it Cloudrail because it's guardrails for cloud. It's really up our alley, right? Yeah. But it can sometimes confuse. I know I've made that mistake a couple of times.

Ashish Rajan: No, it definitely makes it easy to remember the.

Yoni Leitersdorf: Yeah. So, to answer the question, you need to, first of all, sit with the development team and understand what technologies they use. So are they using infrastructure as code? Are they using Terraform or Ansible or Chef or Puppet or anything like that?

And what environment is this in? Is it, like, you know, AWS and Azure and GCP, or is it a different environment? But first understand how they look at the world. Okay. Understand what their DevOps processes look like and how they're building their environment. You know, DevOps is CI and CD. So how does the continuous integration work, and how are they merging code together?

And then also [00:35:00] look at how they're deploying the code. So first, understand them. That's the first thing I think you need to do. Once you have that, then you can start talking about tooling. So Cloudrail, yes, can help with something like that. And we help teams actually enforce compliance standards by

taking our tool Cloudrail and injecting it into the CI pipeline. So what it does is it looks at something like Terraform. So let's say we have a Terraform plan. It goes into Cloudrail, Cloudrail checks to see that it's secure and meeting all of your compliance standards.

And if all is good to go, then it can continue through. If not, it gives a thumbs down, stops the CI pipeline, and the developer is notified of what the issue was and what they need to do to fix it. So definitely we can help with that. But before you even look at a tool, I would recommend going to the development team, understanding how they see the world, understanding their tooling, their technologies, their processes, and then looking at, okay, what are my options for helping here?

And I think they will also respect your recommendation a lot more when you understand their world.

[00:36:00] Ashish Rajan: Learn the game, learn the game. Yep. That's pretty much it. Hopefully that answers your question, Anika. I've got one more question. Where do you feel this is going with infrastructure as code security?

You know, we kind of touched on CSPM earlier as well. It's almost like a few generations have already happened in the cloud security world. Out of curiosity, where do you see this going? And I guess, is this something that we should be talking about, that we haven't started talking about yet?

Yoni Leitersdorf: I've been in the industry for many years, over two decades at this point, and, you know, we've seen technologies change. We've seen servers go into virtualization. We've seen security become, you know, more advanced, from non-stateful security to stateful inspection.

We've seen all kinds of improvements over the years, but I think infrastructure as code as a concept, and security for infrastructure as code, is a huge leap that we haven't had in many years, a huge leap forward in our ability to do things right. So I think it's going to change the future.

I think that [00:37:00] anything that we do today around cloud, and even non-cloud environments, everything is going to change, because now everything is described in code, and it's a huge jump forward that, again, I haven't seen in many, many years. What I think is going to happen five years from now is that really almost everything is going to be in code.

So even organizations that are not using IAC today, they're going to use it in five years, because there's no other way. I mean, there's nothing else that makes sense. I'm a logical person, and most people here, I think, are probably logical, and there's no other logical conclusion other than having everything in code: infrastructure as code, policy as code, all the as-code acronyms and those things.

It's just, it's the only way that makes sense. And I think that's what we're going to see. Everything is going to be in code in the coming years, and it's going to be to our benefit. Awesome.

Ashish Rajan: That's a great answer as well. As you mentioned it, I just imagined in my head how the AI machine learning world has started talking about no code, and now they have algorithms that pick up and you don't need to create code anymore.

[00:38:00] I'm like, Oh, that's like... But I never heard that and felt, is that even real? Like, how will you do something without coding something? But you're coding somewhere to get to a no-code place. But, you know, I'm not going to be the judge for them, but I love what you said. I definitely believe the future is going to be primarily in code.

So tools like this, in terms of static analysis of the code, whether it's your infrastructure as code or something else that you're doing as policy, they definitely have a real chance of surviving in the future. I do appreciate this, man. I would love for people to kind of have a follow-up conversation with you.

If they’re keen, where can they find you on social media to reach out to you? So

Yoni Leitersdorf: I'm on Twitter. I've got YonadavL, Y O N A D A V L. And I'm very... anyone here who's not on the Cloud Security Slack channel that you and I are on, and many others are on, if you're not on it and you're in cloud security,

get on it. And if you need an invite, [00:39:00] you can reach out to Ashish or myself and get on there. I'm really active there. So you can reach out to me, just DM me on that Slack.

Ashish Rajan: This is the greatest one. So we've had a few more comments come in, but I think they're all relevant as well.

I think Payal came in with a comment: the biggest challenge in big organizations is making dev teams adopt the best security practices well before tools highlight issues. Most of the time it is rework, redeployment, and it gets delayed because of that. So, very well said.

I love the fact that everyone I've brought in as a guest on the podcast so far are people I want to bring back. So I'm looking forward to having you back again soon, my friend. But for the moment,

I will see everyone else next week, and hopefully I'll get you back on this sooner as well. But I hope you have an awesome rest of the day, man. Enjoy, celebrate the beginning of Passover.

Yoni Leitersdorf: Thank you. Thank you very much. And thank you for having me here and for the time. I really enjoyed it.

Hopefully.

Ashish Rajan: Yeah, man. I enjoyed the conversation as well. All right, I'll catch you soon then.
