In many organizations, security exception management is a manual process, often treated as a simple compliance checkbox. While necessary, this approach can lead to unmonitored configurations that drift from their approved state, creating inconsistencies in an organization's security posture over time. How can teams evolve this process to support modern development without compromising on security?
In this episode, Ashish Rajan sits down with security expert Santosh Bompally, Cloud Security Engineering Team Lead at Humana, to discuss a practical framework for automating security exception management. Drawing on his journey from a young tech enthusiast to a security leader at Humana, Santosh explains how to transform the process from a manual task into a scalable, continuously monitored system that supports developer velocity.
Learn how to build a robust program from the ground up, starting with establishing a security baseline and leveraging policy-as-code, certified components, and continuous monitoring to create a consistent and secure cloud environment.
Questions asked:
00:00 Introduction
00:39 From Young Hacker to Cybersecurity Pro
02:14 The "Tick Box" Problem with Exception Management
03:17 Exposing Your Threat Landscape: The Risk of Not Automating
05:43 Where Do You Even Start? The First Steps
08:26 VMs vs Containers vs Serverless: Is It Different?
11:15 Building Your Program: Start with a Security Baseline
14:44 What Standard to Follow? (CIS, PCI, HIPAA)
17:20 The Lifecycle of a Control: When Should You Retire One?
19:42 The 3 Levels of Security Automation Maturity
23:25 Do You Need to Be a Coder for GRC Automation?
26:16 Fun Questions: Home Automation, Family & Food
Santosh Bompally: [00:00:00] start with something small. Yeah. I would say look at the problem statement, what you wanna solve. Come up with your security baseline. Either pick a service of your choice, ensure you clearly define those parameters in the security on what those compliance requirements are. So this is a GRC thing, right?
We make sure all security settings are mapped to the compliance requirements. Yes. The reasons why we are adhering to those things, right? That is step one. The step two is basically, okay, now we have it mapped. How are you monitoring it? So that becomes your monitoring portion of CSPM.
Ashish Rajan: On the podcast today, we're talking with Santosh about, let's just say, exception management, which is not something I would've thought I'd be talking about. So I'm excited for this conversation to get my own personal opinions challenged. But Santosh, welcome to the show, man. Thank you for coming. Thank you for having me.
Could you share a bit about yourself, what your professional journey has been like?
Santosh Bompally: Sure. I was pretty much curious about hacking since childhood, and that was pretty exciting to begin with, because the first time I figured out computer games, basically what I was doing was something I was not allowed to do.
So Oh fair. So basically what I did is I did a [00:01:00] BIOS crack at a very young age. Oh, you were BIOS hacking. Okay. Wow. So basically I did it with the battery, and it just works out. Yeah. So that was the kind of mindset I had growing up. Yeah. So my parents really helped me there.
Pretty much I was having like at early ages in my life, I had access to computers, networks, and all these things. Yeah. So these are basically becoming my projects. Oh, mini projects at home office and all of that. So eventually I had my bachelor's in computer science.
Ashish Rajan: Yeah.
Santosh Bompally: And I had a passion towards cybersecurity.
I came here, did my master's in cybersecurity.
Ashish Rajan: Yeah.
Santosh Bompally: I worked in threat hunting and all that. Wow. Which gave me insights into how exactly cybersecurity works. Yeah. From attacker perspective.
Ashish Rajan: Yeah.
Santosh Bompally: And also I got an opportunity to work in different kind of like roles within cybersecurity.
Like GRC, compliance, risk management, and all that.
Ashish Rajan: Yeah.
Santosh Bompally: And that really gave me another perspective of how everything is coming together. Yeah. So currently with all these experiences and mashup of everything, I really enjoyed my journey throughout in cybersecurity. Okay. [00:02:00] So currently I am working with Humana.
Ashish Rajan: Yeah.
Santosh Bompally: And that's a world class team again. Yeah. I got the team to be excited about a lot of the innovative work that we do. Yes. Yeah.
Ashish Rajan: So that is the exception management topic you're gonna be talking about today. Yes. Fair. And I think it's interesting you've gone through threat management talk in yourself and then the GRC what, maybe to set the context, why is exception management a thing in organizations?
Santosh Bompally: The first thing, what I see is exception management has always been a tick mark. Okay. In the compliance world. Yep. Yep. So the thing is, I got an exception, but is the exception really monitored? Is the risk still out there? So that is the first thing we basically look into, yeah, because what's gonna happen is, hey, you're granting an exception, and that exception is not monitored. What that would basically do is you're literally exposing your threat landscape, right? Yeah. So the attack surface is growing. If you're not monitoring it, you don't know what's gonna happen. Once you grant an exception, if it's not monitored properly, an attacker [00:03:00] can basically take leverage of it.
That, that was like a puzzle that we wanted to solve really as. Especially in the cloud space. Yeah. Okay. And that's the reason why, this really was intriguing yeah. Solving this problem. So yeah, that's pretty much we, what really got passionate was me basically to solve some of these things.
Ashish Rajan: It is funny. I think I almost, I. Almost feel, I don't know if you're one of many or you are many of one in this situation. 'cause a lot of people look at exception management as a human approval thing. I've done something, I want to get past this, especially security. I wanna get past security 'cause I somehow make this a low risk or a medium risk so I can get past this. That's in my, and at least in a lot of the work that I had done, exception manager is all about how do I get around security to just lower this, let's go higher than the security architect. Let's go higher than even that as well. Go, keep going higher until you you get to the exec level or whatever.
But you ended up taking this challenge as, Hey, I'm gonna automate this. Was there something specific that made you feel this? A why do you feel that was possible? 'cause as I was saying. [00:04:00] Traditionally, this has been looked as a human thing rather than, yeah. I can automate this.
Santosh Bompally: The first thing, what I was seeing is there is attacks out there, right?
Yeah. So if you're looking at Gartner Reports or any of the industry research out there, in the last couple of weeks there have been like good breaches out there from a security perspective. If you look into the configuration, why those are, yeah. Those are pointing back to the old school things. Basically storage accounts open to the world. S3 is open to the world. Yep. All of these configurations are pretty standard security checks. Yep. What happens is like there is a good, legitimate reason why that has to be that way. Yep. And that is not monitored, right?
It is. Again, one of those things, right? Hey, check mark, but is it monitoring? So I'll be monitoring it. And also the other aspect, what I feel is developers
Ashish Rajan: Yeah.
Santosh Bompally: As they move across the different tools. So there needs to be consistent experience that we basically do in infrastructure as code scanning.
Cloud native policy, CSPM, when you integrate all these tools together, and if they, if you go through the manual process you're gonna be having exceptions in all these different. Tools which [00:05:00] developers have to basically go in line to do to the, to do the deployment. Yeah.
But what's gonna happen here is if you automate all of that, you are basically increasing the productivity.
Hey, this is what we do it. But the other problem, what we wanted to solve is really come with the standard approach for certified components. Yeah. For example, hey, you wanna deploy A, B, C, and D.
Okay, these are three different services. Maybe you might want to deploy a storage account, key vault, or any of the cloud services. This is a certified component for that.
Ashish Rajan: Yeah.
Santosh Bompally: And certified components would be having all security checks in it. So just run with it. Use it, and if you have any exception that you want, we always see exceptions as if you're having firewalls or anything like that, you wanna deploy virtual machines. Okay. Are you just deploying the firewall? Are you just going beyond the scope of what approved?
Ashish Rajan: The other thing is also the, at least in my mind, the challenge for automation was that there is always a aspects to snowflake's the exception request.
Which is just a point in time. I only needed this today. I would not need this tomorrow. But someone forgets [00:06:00] and there's no I always, I mean that just obviously could be an exception scenario as well, for the exception that we're talking about. But there are so many moving parts. Yeah. And you almost, I. Have not just the, to your point about the S3 bucket, you want key cloak, there's not just the cloud components, but the other security components that kind of make the entire application secure. Yeah, the security part of the application, with that in mind is there, was there like a technical challenge you had as you were trying to start this journey?
'cause I don't, where would you even start? That's where my, the first time I heard you talk about, I'm like, okay, I don't know where would you even start? Because most of the conversations Yes. S3 bucket, is that, would that be a CSPM, CNAPP? I'm obviously trying to answer this question, but I would love to hear what your what you're thinking here is.
Santosh Bompally: So the first thing is at least the role, what I am in gave me an opportunity to look into what's in the cloud. Okay. We had multiple attempts in the cloud to make it secure. Okay. All period of like 10 years. Yeah, of course. Yeah.
Ashish Rajan: Long enough time for you to know what, good, bad, ugly.
Santosh Bompally: [00:07:00] Yes. If you remember the day the first cloud started, all communications would go through a public endpoint, right? Yep. Yep. So it was A and B Docs and public then comes the private connect.
Ashish Rajan: Yep.
Santosh Bompally: And then comes the lift and shift. Yep. Now it's like containers, right? Yep. So we have gone through all those scenarios and we did see risks.
So what we have seen is like when we are building this new capability called like 3.0. This is cloud 3.0 kind of thing. Yeah. Everything has to be as infrastructure as code. Yep. Makes sense. So that's exactly the reason why we also want to automate exceptions, so that all the certified components, whatever people wanna deploy, are just available within seconds.
If they want to basically deploy anything and at the same time those exceptions, whatever we grant we wanted to make sure they're monitored because we have learned a lot. We have gone through audits, we have learned a lot. Sometimes there is a deviation from what gets getting approved.
What's inside the architecture diagram is not necessarily reflecting what's out there and a lot of these things that we have seen. And with the historic [00:08:00] knowledge of all the breaches too. So we are a heavily regulated industry. And we wanna make sure all the things that we are willing to innovate.
Yep. We do it in a safer and more precise manner.
And we also wanna unlock developers, for example, to basically test out any capabilities. We wanted to make sure that whatever they're testing out in the sandbox environment with new capabilities is just locked out. Yep. They pull the concept, it moves through the certified components like journey and everything gets big there.
Ashish Rajan: Actually 'cause it's stressing that you've gone through the entire journey. 'cause then you have grown a li library of exceptions, for lack of a better word. At least you know what to start off with. Yes. I'm also curious with the container world that we're in, I'm gonna throw the AI pieces in there as well.
A lot of them are build on container workloads and all of that. Does the exception challenge become different between different kinds of compute? Like between a virtual machine versus a serverless function versus a container. And these days, if you go with Amazon, I think Amazon recommends you to have AI agents or whatever as a serverless component.
That's [00:09:00] what they promote. GCP has their own version. Azure has their own version, but predominantly most people are still containerized. Yes. So between these computes. Is the way exceptions being handled, is that different in terms of automation?
Santosh Bompally: It's pretty similar. Okay. Would, because all of the way we look at it is like all of these services do have some configuration settings baked inside them. Yeah. Any config. If you're deviating from secure configuration, then that's an exception. A solid example for that is for virtual machines. If you're trying to deploy a approved image, that's fine.
That's not an exception. But if you are going beyond the scope, maybe you, maybe we always see this with firewalls, right? There is specific vendor image that you'll have to pull. And that's gonna be an exception and we are gonna be automating it inside, all the life cycles. So that basically, whatever the exception that we grant, basically applied consistently across all the tools, which are in line.
Infrastructure as code scanning? Yeah. Cloud native policies. For example, Azure policies, Google org policies, AWS SCPs, [00:10:00] and from the monitoring side any kind of CSPM tools that we have.
Ashish Rajan: Oh, so it's multi-cloud as well? Yes. Wait, so if wait. Okay. Let's take a step back then. Is the automation part you're referring to, is that more using policy as code across multiple cloud providers for against compute, but based on your security policy.
Santosh Bompally: That's right. So the first thing that we did is again we did go through multi-cloud approach. Yep. Yep. And we had to basically come up with a standard security baseline. No matter what, this is gonna be our security baseline.
And this security baseline would really help us to drive compliance with industry best practices. Yep. Where we have to demonstrate all of these things. Yep. For compliance and legal requirements kind of stuff. Yeah. But at the same time, what we do is we take those, make it policy as code, deploy it so that it basically gets deployed across all the platforms.
And the only missing part was exceptions. Yeah. Yeah. Fair. And that really solved that problem with the automating exceptions in the cloud. And the way I look at, it's like [00:11:00] you can be pretty much scale it to any tool. Yeah. Because it's at the end you basically having an orchestration layer, which basically looks at all the events coming from these different platforms and basically, triggers a function just goes and applies an exception.
Ashish Rajan: Interesting. I'm fascinated by this, because of the possibility here. But at the same time, does that mean you had to create a library of policies and IaC, to what you were saying earlier, as well as a GRC team? Where does anyone even start? Because I imagine a lot of people in GRC, especially GRC, who are listening or watching this conversation again go, I don't know man, Santosh is already technical. He's come from SOC and threat detection. That's why he could do this. Do you need to have that background to be able to start building this yourself? 'Cause obviously you have had years of cloud presence, quote unquote, to build that library. But a lot of people would be listening, watching this, going, I'm gonna start this today because what Santosh said made sense. It says already APIs. Where does one, I guess [00:12:00] what's a good starting point, is what I'm trying to get to?
Santosh Bompally: Start with something small. Yeah. I would say look at the problem statement, what you wanna solve too. Yeah. So we the easiest thing is come up with your security baseline. Either pick a service of your choice. Ensure you clearly define those parameters in the security on what those compliance requirements are.
So this is a GRC thing, right? We make sure all security settings are mapped to the compliance requirements. Yes. The reasons why we are adhering to those things, right? So that is step one. The step two is basically, okay, now we have it mapped. How are you monitoring it? So that becomes your monitoring portion of CSPM?
Yep. Okay. To ensure like all the policies are linked properly in the CSPM
Ashish Rajan: Yep.
Santosh Bompally: Yep. To perform the monitoring. Now, once you have the monitoring, you have an understanding of, okay what is exactly the issue here, right? So you understand the compliance right portion of it. So once you know the issue, at that point of time, it becomes either a pattern.
For example, it's a developer thing, Hey, this is how it should look like. No. Or is it more Hey, this is an issue. We don't have a control for them. We need to solve it. That's exactly where you start [00:13:00] implementing infrastructure code scanning, cloud native policies and all these things together.
But once you start implementing more and more tools in your pipeline, those tools should also scale to some of the operational needs. So that's exactly another place where you can start like, the next approach to basically say, okay, now I have all these tools. I need to have centralized database or something.
Yep. I map all the policies which are in line from shift left to shift, right? Yep. And anytime when something changes from a configuration perspective right, or an exception perspective, I track them here and I automate it so that it at, it's at the end of the day, cloud gives you an opportunity to work with APIs and any tools out there come, pretty standard nowadays with those things.
Yeah. So it's basically utilizing them. And basically triggering an automation to basically go apply that exception. And the other portion of it is like continuous monitoring, because this is a key, right? Granting an exception is one portion of it. Continuous monitoring is a must.
Ashish Rajan: Yeah. Yeah.
Santosh Bompally: Because continuous monitoring will give you that visibility in saying, Hey, this is what you granted [00:14:00] for and this is exactly what it is.
Yeah. Because what we see here in GRC terminology is control self control self assessment. Okay. So that is done on a yearly or six months basis, right? Yeah. It's basically you're going to control asking just a checking mark Hey, these are things that we are solving. Yes. And okay, the best of your knowledge, this is how exactly the control works.
Yeah. But on this side, the flip side, this automation really ensures. Hey, continue. Some, there is someone watching you, right?
Yeah. Yeah. So it is just you are driving a car, you know the rules, you have like license and everything. You still have a cop sometimes who basically would check, Hey, you're still abiding the rules or how are you following it?
Yeah, that's exactly what I see. Like with compliance going on with this automation.
Ashish Rajan: That's pretty cool because. Actually, once you start building the database, what have you found as a good place to are we just storing the policies and GitHub and or GitLab or whatever your repository tool is?
Because I meant you mentioned the example of a storage account being open on the internet. I'm sure there are other [00:15:00] examples. Different regulatory standards may have different examples. And you had to mention you guys have regulatory standards as well. Sometimes it could be as simple as using your, it should be encrypted everywhere.
As a baseline. Yeah. Because I imagine a lot of people get stopped at the baseline part where, oh, that's the harder part. Like I don't know where to start, what standard to follow. Have you found any standards that were helpful apart from say, just going, I'm gonna go PCI, or I'm like, or would you recommend 'em to go straight to PCI or whatever the standard instead of using a CIS or something else?
Santosh Bompally: It depends on what you're trying to solve, right? Yeah. And which industry you're in. Yeah. Yeah. Every industry has its own pattern. For example, we have HIPAA, HITRUST and all those things that we'll have to comply to.
Ashish Rajan: Yeah.
Santosh Bompally: And the same thing if you have quick credit card or any of the transactions going through, PCI DSS again.
Yeah. So it's a combination of all those things. So the better piece to start is understand your compliance requirements needs from a regulatory perspective, and then, basically a lot of these things have, and one thing in common is the overlap on some of these things. [00:16:00] I see GRC tools coming up with some automation there, which will really help you to understand okay you know what exactly is the requirement.
Yeah. And those requirements would flow to an architecture blueprint.
Ashish Rajan: Oh, okay. Yeah.
Santosh Bompally: Hey, this is a service I want to provision. Hey, this is secure setting, how it looks like. Maybe a storage account you're using, ensure you're doing private connect. Yep. Ensure you're ensuring like, your identity and access management is secured.
Yeah. All of that. Yeah. So once you have all of those kind of standard practices defined in the blueprint. So now that's a derivative from the policy to basically say, Hey, from the enterprise policy, to basically say we need to follow blueprint so that we can start creating certified components from this blueprint.
So these are nothing but your set home templates? Yep. Or any of that. People can basically use it because those are certified components, so that at any time when enterprise would like to pull applications or deploy applications, they can basically deploy them by using certified components. Because A, you're enabling scale.
Yeah, because developers don't have to write IaC code. And two, those [00:17:00] sort of side templates are periodically reviewed every time and they run for the security kind of configuration in the pipeline to say, are they still valid? Or, do we have any additional checks coming in?
Ashish Rajan: Yep.
Santosh Bompally: And also that is gonna really help us understand, like, okay, if there's any deviation, we really have to fix the IaC so that developers can basically start consuming and using it.
Ashish Rajan: Makes me feel, what's the good metrics to measure this? Because to your point, people start working on it.
They'll get to a point where I have a baseline now. 'cause I was advised by Santosh that, hey great recommendation is to make sure you have a baseline, which kind of makes sense depending on the compliance standard you have. Now, I'll start building a policy library of some sort. I, you start applying that to, to exception management using policies like your cloud native policy management tools which are whatever the cloud provider may be.
Azure, AWS, GCP doesn't really matter. Now at a certain point there's always a, I don't know, ISO 27001 may change. Or there's another change coming to whatever policy because AI is here or whatever. Or we have a new compliance channel because of [00:18:00] AI. I imagine the journey is to start again from what's the common baseline to what you just mentioned, and then start from where the exceptions are and what can be automated in terms of retiring some of those exceptions.
How I get the point of, Hey, let's do a point in time self-control assessment where you've figured out, okay, every year I do one or every six months I do one. How does one know, what's a good time to retire a control? Because I imagine there's preventative controls is, you hear so much about it.
So what's your strategy for the lifecycle of this exception management?
Santosh Bompally: Yeah. I think when I look at retiring a control, right? It all drives by the business decision around what's the service and what's the business like impact?
Ashish Rajan: Yep.
Santosh Bompally: Yep. What's the business value?
We are driving through a service. So for example, you might be using certain services. Now I'm, I'm gonna give you an example. We use functions in the cloud. We use different web apps in the cloud. Yeah. Now, if you're moving towards a strategic approach saying you, I'm gonna use containers.
And everything is containerized, so then that becomes a point in time where you're saying, okay, now the [00:19:00] strategy is to really move to containers. Eventually at some point of time you can be retiring those controls. That's right. Yeah. So once those controls are retired, at least what I've seen in my professional journey so far is controls never get retired.
And just say that. Yes. Just add to the complexity. So I hear this all the time, we start like building cloud, we go left and right, start scaling left and right, and, it's gonna be sprawl. Yeah. It's soon and at the same time, there is always few services, which you really can't retire.
So at that point of time, that decision of like policy, retirement and all that that, that is something, I've not seen so far. Yeah. My journey. Yeah. Like in retired. And what I've seen more and more is like they're getting out of control.
Ashish Rajan: Which is the reality of the situation as well, because to your point we had this scenario where I think we wanted to shut down an application or whatever it was supposed to be retired.
But there was such a, what if we needed tomorrow? Yes. What if we needed like in six months time, let's just not completely switch it off, maybe reduce the resources on it. Yes. So it's not, it doesn't cost as [00:20:00] much. I, it's a pretty hard call. To make, especially if an organization has been in existence for a long time.
Yes. It's a hard call to make. Another thing with the exception handling then, what would you say is I. Different levels of maturity that people can use to measure. Obviously you've had years of doing this to build a library, build the baseline, all of that. For people who are trying to figure out, hey, what are different stages that I can think maturity can be, what's a good baseline that people should start with?
What can they move from? Hey, once you're here, this is the next stage, then you're really good. I'm sure there's an advanced stage as well. Yeah. How do you measure what's a good maturity to aim for people?
Santosh Bompally: Yeah. I think the first thing is understanding what you have. That comes with a CSPM, like an overall understanding of, hey, the cloud posture.
I've seen use cases where CSPM was not completely adopted to some of the isolated flows in the organization. Oh, okay. Okay. So just make sure that tool gets completely deployed and Oh, coverage is there. Yeah, coverage is a key aspect of it because that's [00:21:00] gonna help you to drive the approach.
Makes sense. So the first thing what I would start is cloud native policies are the key. So the cloud native policies, if you have them, they will start preventing misconfigurations moving forward. So at least that's the maturity level one we have to aim to at least moving forward, no more drifts.
If there are drifts, then probably existing drifts that, how do I need to fix it? Because runtime remediation is so expensive. Because I've seen use cases where we try to make changes. It's gonna be a downtime and things like that, ending up being in issues. So it's always good to have those issues fixed during the IaC time itself.
Yeah. So that we let them know, Hey, just fix this code. Yeah. Once you have this base level of maturity, now the next level is really coming up with certified components. Yep. So that you can basically scale across the enterprise. Hey, I need a service A, okay, this is a certified component for that, right?
Just go for that. Use it. And this is a blessed thing from security. You don't have to go through security again. The thing, the [00:22:00] goal really is to enablement, right? Yeah. Ensure developers move fast. Yeah. Break the thing is like you move fast, break fast, learn from it, right? Yeah. Yeah.
So that's the approach that we take and the more and more assessments that you'll have to go through from security perspective, it the more lead time, right? Yeah. With this kind of whole approach of certified components, we are pivoting away when you know, hey, these are the certified components.
These are already security architecture review, right? Yep. And you can just go and deploy. Just make sure the solution is just compliant with A, B, C, and D. Yeah. Which you're stating in your architecture.
Ashish Rajan: Yeah.
Santosh Bompally: So that's the game of cloud security with a combination of cloud native policies as like your phase one.
Ashish Rajan: Yeah.
Santosh Bompally: And eventually you're gonna be starting doing CSPM remediations once you're in that mature state. Yeah. To basically start remediating our existing resources. And also what I see, another gap here is. This only solves like 90, 90% of use case. You still have 10% of use case, whether it's a SaaS product Ah, or you have a [00:23:00] vendor to vendor integration.
Maybe you are doing a backups, maybe a backup vendor basically connects to your cloud. Yeah. You just like creates few things on behalf of them.
Ashish Rajan: Yeah.
Santosh Bompally: So their provisioning has also has to be compliant with your internal security standards. If not, it's gonna be failed. So having conversations around what's the requirements and how this has to be done, that's gonna really gonna raise a bar.
Ashish Rajan: Yeah.
Santosh Bompally: And that's really gonna help in the overall maturity.
Ashish Rajan: That's a yes. I think they didn't even think about SaaS components that are already plugged into your cloud environment okay.
Fair. Maybe the question then, now that we understand the maturity, where to start as well going back to the whole skillset of do people need to be engineering heavy or was there engineering at playing any role in this? 'cause I think as much as I would like to believe, 'cause you are technically yourself, so it's a bit different.
A lot of people would not be comfortable just to go, Hey, I don't know if my auditor would allow for this alter mid scope. What is this? What is this SEP thing that I'm looking at? You just show me the damn screenshot of what I need to look [00:24:00] at and it needs to be a screenshot from this week or today, or can you just point it where it is?
So how did you manage that? Or do you, are you finding that auditors are getting more mature, that they're okay to have a CSPM, CNAPP alert as, hey, yep. Okay. You're monitoring this. I can see that, and I have not seen an exception, so I'm happy that this is a good control that you're keeping.
Santosh Bompally: I think that's a happy medium, I would say.
Ashish Rajan: Alright. Okay. Happy medium. Fair.
Ashish Rajan: So it's a work in progress. It's a work in progress.
Santosh Bompally: It's a happy medium. And again, yes, people are comfortable looking at the evidence of what we have. Yeah. And at the same time we are able to satisfy some of the requirements too. So that's really key in terms of monitoring some of these capabilities.
And the other aspect, what I see is AI, a lot of these things are coming out. Yeah. Ensuring they're deployed in a proper format, both for unlocking business is really critical.
And even we have, we've seen being a cloud first company, and a lot of AI things are going around from, Hey what do we make?
How do we make [00:25:00] humanizing health insurance? And we usually try to make the experience like seamless, right? Yep. Yep. So one of the things that we try to do is okay. We try to innovate out of stuff. Yep. With security in mind. That's it. That's like a good thing. And again seen, I'm not seeing many organizations doing it, but at least a few are currently doing it.
So having security baked inside the product design, start with the threat model. Start your analysis there. Yeah. Understand what the threats are, start protecting it, and your AI just becomes part of a normal product. Yeah. It's not really... it's a product. Again, if you're looking at DevSecOps of these things 10 years back, yeah.
These were all the new products and tools, and that's how we see AI too. It's just like a kick to existing developers, just increasing productivity. Yeah. And just deploying it in a safe and secure manner, consistent with the guardrails that you put in. And your exception basically becomes like your overarching governance, which basically checks and validates every time when there's configuration drift.
Ashish Rajan: Yeah.
Santosh Bompally: What exactly it does. Is it something approved or not? If it's something not approved, then it's immediately gonna send [00:26:00] an alert. Yeah. If there is a deviation from what's approved, then that's really gonna help us in closing the loop with the people who are trying to deploy it and saying, Hey, what did this coin the first place?
Ashish Rajan: Yeah. Yeah. And I think you'll get, you're able to get to it before it becomes a runtime problem. Yes. Fair. Those are most of the technical questions I had. I've got a few fun questions for you as well, man. First one being, what do you spend most of your time on when you're not trying to solve exception handling with automation.
Ashish Rajan: Home automation, really? You just...
Santosh Bompally: Home automation. Walk in, lights turn on. Yes. I'm a big home automation guy. I use Home Assistant in combination with different tools out there. So I like playing around, spending my time with kids, and also just working around automation projects.
So that, that really keeps me passionate.
Ashish Rajan: Interesting. Wait, what I was gonna ask, what happens if you can't unlock your door, but I guess you don't have it in your door, you still use a manual? Yeah. Yeah. Like you were able to get in at your house to do the automation. Fair. Okay. Second question. What is something that you're proud of that is not on your social media?
Santosh Bompally: So I think the one thing that I would say is family, right? [00:27:00] Yeah. Family first. At the same time, having a happy medium for both work and family, innovating stock balance. Yeah. Balancing it out.
Ashish Rajan: Yeah, that's a key. That is a difficult one to keep mandating as well.
So definitely something to be proud of. Third and the final one, what's your favorite food? Also, what's your favorite cuisine or restaurant that you can share?
Santosh Bompally: I'm mostly into Indian food. Yeah. And sometimes a little bit of Mediterranean kind of style. Oh, what kind of Mediterranean? Kebabs. Kebabs.
Yeah. Oh, kebabs, salads. Oh, yeah.
Ashish Rajan: Fair. The Mediterranean salads are pretty amazing. Yeah. Favorite Indian food?
I eat everything Indian, yeah. Wait, what's, if I, if you only had one, one to pick, what would it be? Tandoori items. Really? Yeah. Oh, okay. Oh, you must, okay. That's a good one to pick for.
Yeah. Where can people find you on the internet? They wanted to connect with you and talk more about, I imagine, a lot of GRC. We were definitely curious about how are you doing this? Tell me your secret. Is there a Git repository somewhere that I can copy-paste? But where can people find you on the internet to connect?
Santosh Bompally: So I'm on LinkedIn. So you can hit me on LinkedIn. That's the most proactive I am in.
Ashish Rajan: Oh, awesome.
Santosh Bompally: And I do participate in Cloud Security [00:28:00] Alliance circles, ISACA circles and (ISC)² ones. If you ever see me, just say hi. Happy to discuss this further.
Ashish Rajan: Awesome. I'll leave your LinkedIn link as well. But thanks so much for coming in.
Santosh Bompally: Thank you for having me.
Ashish Rajan: Thank you, thanks everyone for watching, and we'll see you next time. Thank you so much for listening and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv
We are also publishing these episodes on social media as well, so you can definitely find these episodes there. Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in the description for you to check them out, and also for our weekly newsletter where we do in-depth analysis of different topics within cloud security, ranging from identity, endpoint, all the way up to what is CNAPP, or whatever new acronym comes out tomorrow. Thank you so much for supporting, listening and watching. I'll see you next time.