What is Cyber Resilience in Cloud?


Episode Description

What Chris Hughes & Dr. Nikki Robinson discussed:

  • 00:00 Introduction
  • 05:25 Designing for Resiliency in Cloud
  • 09:23 On-Prem Vs Cloud – How Disaster Recovery & Business Continuity are different?
  • 11:13 Disaster Recovery for AWS
  • 15:47 Vulnerability Management in Cloud
  • 21:53 Maturing Vulnerability Management in Cloud
  • 23:54 AWS Certifications
  • 34:34 Maturity Scale for Cyber Resilience
  • 39:24 Using Cloud Native Services
  • 42:21 Patch Management in AWS
  • And much more…

THANKS, Chris & Dr. Nikki!

If you enjoyed this session with Chris Hughes & Dr. Nikki Robinson, let them know by clicking on the links below and sending them a quick shout-out on LinkedIn:

Click here to thank Chris Hughes at Linkedin!

Click here to thank Dr. Nikki Robinson at Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at [email protected].

Resources from This Episode:

  • Tools & services, discussed during the Interview

Transcript

Hello, hello, and welcome to another episode of Virtual Coffee with Ashish

I get excited about these episodes because I get to have friends over and they take over the podcast and I can just sit in the backstage and just listen to these amazing people talk. So today’s topic without further ado is what is cyber resiliency in cloud? And I’ve got a Resilient Cyber Podcast here.

So Dr. Nikki and Chris Hughes, welcome to the show and I’m so grateful that you accepted the invite. And I’m also excited that you’re going to educate the cloud security podcast audience about Cyber Resiliency.

But before we get into that, and before I just take my hands off the reins and give it over to you folks, can you tell us a bit about yourself?

Dr. Nikki Robinson: Okay. So I’m Dr. Nikki Robinson. I am a security architect by day and an adjunct professor by night. Got my doc in cybersecurity, specialize in vulnerability management, vulnerability chaining, risk management, all that good stuff.

And that’s.

Chris Hughes: And then Chris Hughes here about 20 years, roughly in cybersecurity. Mostly in cloud security last, like several years, I’d say six or seven years at this point, working in the public sector in the United States for [00:01:00] federal agencies, department of defense, as well as commercial industry.

I also teach as an adjunct at a couple of different universities in the United States and pretty passionate about all things cloud security, staying involved with groups like Cloud Security Alliance, Cloud Native Computing Foundation, and other groups.

Ashish Rajan: Awesome. And I think I should do, you should also mention that you’re our guest from season one as well.

So there’s an episode for that as well. So cyber resiliency and I am excited about this and I want you to get into this as well. So I’m going to go to the backstage and I will see all of you in a bit.

Chris Hughes: I just wanted to say thanks for having us on. You mentioned the podcast and being a guest. Part of my cloud learning journey, honestly, has been following the show and just the diverse guests that you’ve had on, the range of expertise and insights.

I’ve learned an incredible amount just by listening to the show. So I’m always honored to get the chance to come on, being a long-time listener and fan of the show myself.

Ashish Rajan: for sure. Thank you. All right.

Dr. Nikki Robinson: Okay. Thanks. Yeah. So I guess we’re going to kind of take it away. We’ve got a couple of different topics we’re going to talk about with cloud security.

Do you want to talk a little bit about the podcast first? We can talk a little bit about the resilient cyber podcast.

Chris Hughes: Ironically enough, again, somewhat inspired by Ashish, he had an episode with the [00:02:00] folks from Hacker Valley Studio. I feel like it was, another individual, I think his name is Chris.

Who’s a CISO as well. And they were throwing out the idea of like why others should look into starting a podcast. And that’s what got me thinking about it. And I knew Dr. Nikki, seeing some of her work and seeing her thoughts around some topics. And I was really interested in having a co-host, so I didn’t have to do this all by myself.

Like Ashish does. That was I’ll reach out to Dr. Nikki. And that’s where we kind of founded the idea of the cyber resilient cyber podcast. We’re coming up on like our last few episodes actually of season one. We have a 22 or 23 episodes live 22. I think it is a couple more to go. And yeah, it’s been an adventure and I’ve learned so much just listening and talking to folks and I don’t know about you, but it’s really been a great experience.

Dr. Nikki Robinson: Oh a hundred percent. Like I remember when he brought this idea to me and I was like, oh my gosh. Yes, this would be amazing. And just getting to talk about, like, we’re going to talk about cloud AWS security here today. But getting to talk about all kinds of topics and sort of bringing them into AWS security today.

I’m pretty excited about that too. So we wanted to hit you guys with a couple of different topics. So first we wanted to talk about resiliency. That’s sort of what we’re known for, what we talk a lot about on our podcast.

[00:03:00] So we wanted to talk about what that kind of means. In AWS security and in the cloud. So, Chris, what do you think some of the key considerations, some of the most important things that we kind of need to consider when we’re designing systems specifically for resiliency in the cloud?

Chris Hughes: Yeah, definitely.

And some of these aspects that I’m going to touch on are not necessarily cloud, right, AWS specific, but I am going to talk about how cloud is unique in the regard of building resilient systems, basically. But some of the core concepts that definitely keep in mind are going to be concepts such as RTO, RPO, and service level agreements.

So RTO is essentially the recovery time objective. That’s how much time a system can be inoperable, based on a disruption or some kind of incident of some sort, before you have to restore it and get it back functioning, and your business doesn’t suffer an irrecoverable incident, essentially. And then same thing on the RPO front is how much data can you afford to lose before an operation becomes inoperable or irrecoverable for your organization and starts to damage you to a point where you can’t recover from. And then service level agreements are something I throw out there because any organization is operating.

Whether you have internal stakeholders or external stakeholders, you [00:04:00] likely have some kind of service level agreements in place. How quickly you need to restore services essentially. And that’s something to keep in mind when you’re building on AWS. So as far as AWS in building resilient systems go, AWS essentially thinks of like RPO and RTO and disaster recovery as part of the broader concept of business continuity and business continuity planning, right.

Which is maintaining operations for your organization throughout disruptions or incidents that may occur. And they kind of think of it through their lens of four different frames. They have what’s called backup and restore, pilot light, warm standby, and then multi-site active-active.

And each of those different architectures of deployments are kind of dictated based on, like I said, your RPO, your RTO and your SLAs. So think of like backup and restore is just having a backup of your data, right. That you can restore from, and you don’t have any services running in a different region or availability zone.

And I definitely want to dive into that a bit because in AWS what’s different about this than on-premise infrastructures is AWS operates, yeah, their architecture in a sense that they have what’s called availability zones. It’s kind of a collection of data centers in a geographical region. And they call that an availability zone, but they may have us-east-1, for example. [00:05:00] Then they also have a broader concept, a bigger concept called regions.

So you have a collection of availability zones, essentially. And these all kind of form together to create like fault isolation zones and you can architect your services, your systems appropriately based on those concepts. But going on from the backup and restore point on from that, it would be the concept of a pilot light.

So instead of just like having data backed up and nothing running anywhere else, you may have some core services running in place in another availability zone, for example, or another region, but just your core services. It may take some time to bring things back up and get things back online.

And then moving on from that is what you would call like a warm standby. That’s where you have even more services. Your business critical services are running in a different region or different availability zone, for example. And you’re able to restore them much. And then ultimately at the, kind of, the peak maturity, if you have like the most intense RPO, RTO or service level agreements, you’d have like a multi-site active deployment.

So you have your services running in not just one region or availability zone, but multiple regions and availability zones, so that even if you have like some kind of geographical incident that takes out us-east-1, you can stay [00:06:00] stable, stay functioning. Maybe you have some degradation of service or something like that.

But you’re ultimately staying functioning for your customers. And that’s kind of the way to think about it, with SF, each of those come with their own costs, right? How quickly you want to be able to restore how resilient you want your system to be, is going to have a cost associated with it. So that’s all kind of key considerations for people to take into account as they approach resiliency on AWS.

Dr. Nikki Robinson: I think those are great points. And especially because when we talk about resiliency, now we talk about it a lot differently than we used to. When we talked about on-prem, we talked about like a warm site and the hot site and a cold site, things like that. Kind of in that on-premise versus cloud flavor, how do you think DR and business continuity are really different? I mean, we hit a couple of them, but different than.

Chris Hughes: Yeah, there’s definitely some significant differences. A couple, like I talked about, it’s just like that geographical redundancy that AWS offers their customers. Right? And this is all for the same for leading cloud service providers.

I do want to add not just AWS, but if I’m a small business, for example, and I needed to have geographical redundancy on both coasts of the United States, what would it cost me to have your data centers and those in those locations, fully functional with power, [00:07:00] utilities and everything needed to kind of restore operations or even have fully multi-site operations underway, right? It would be incredibly expensive. But if I’m using the cloud and using AWS, I can leverage those services for a much more affordable price. Cause they kind of have economies of scale in that regard that they do this for thousands and thousands of organizations, thousands of customers.

And you’re able to take advantage of that as a small business or any organization of any size, honestly. Some other aspects that are unique to the cloud is kind of evolution that we’ve seen with moving towards infrastructure as code. No longer do you have to have physical server racks where you’re standing up equipment, you’re plugging things in, running cables, in everything running in that, in that sense. You can have, essentially, a code repository of your architecture, of your systems, that can quickly be taken and restored and deployed into another event.

With an AWS or even if you’re using like a say using a vendor agnostic approach, like Terraform, for example, you could even take that and deploy into another cloud service provider entirely. If you needed to say AWS had some kind of major incident where they were fully inoperable and trying to take that infrastructure as code and deploy into another cloud service provider, even.

So that’s another major distinction and [00:08:00] difference between traditional on-premise techniques.

Dr. Nikki Robinson: Right. The ability to sort of lift and shift and move quickly. Yeah. So what are the kind of based on that when we’re talking about DR and recovery. What kind of recovery options are available when we’re talking about AWS?

Specifically for DR.

Chris Hughes: Yeah, that’s actually what I touched on earlier in regards to, I kind of jumped ahead of you there. That’s what I touched on earlier in regards to like the four tiers of maturity or different levels of restoration, right. From backup and restore, pilot light, warm standby, or multi-site deployments.

And that’s kind of the way that AWS views that resiliency or reliability aspect of their operations. And then something to highlight too, with regards to the cloud, that I wanted to mention before I forgot when you said what’s unique to the cloud versus on premise is cloud, you can’t ever have the conversation to cloud without discussing the shared responsibility model.

If you’re on premise, you’re kind of, unless you have like a data center scenario where you have like data center operations provided by a third party, in the cloud, you have the shared responsibility model. So AWS is ultimately responsible for that physical infrastructure, those facilities, the utilities, fire concerns, all those kinds of things that you traditionally would have to do yourself.

You have the shared risk shared [00:09:00] responsibility model. Now where the cloud service provider is responsible for a core set of these services. And then you, as well as a consumer, I should say, are responsible for some of those as well. So that’s something to keep in mind with cloud that’s different is, you know, in the case of an incident, in the case of interruption of some sort, what is the cloud service provider responsible for? What are they going to maintain and keep up and running, and where are service level agreements around that, going back to the SLAs again? And then me as a cloud service consumer, what am I responsible for?

And then what kind of requirements do I have based on my business requirements, internally or externally to customers and things of that nature, that I need to make sure I’m right.

Dr. Nikki Robinson: So what I’m kind of hearing is there are plenty of opportunities, plenty of options available, lots of different services and types of models that you can use when you’re kind of either building in AWS or any cloud, but a lot of considerations that you have to sort of understand, when you’re considering DR, business continuity, kind of what data is most important, what services and systems are most important, kind of when either moving to the cloud or you’re already in the cloud, but you still need to consider those things.

Chris Hughes: It’s kind of a multifaceted in the sense that that gets a [00:10:00] maturity scenario, where as you get more mature in your cloud adoption and migration and journey, you can start to kind of move up towards maybe having that multi-site deployment architecture kind of scenario, or maybe it’s dictated by your business requirements.

Like I said, some organizations, they can handle more downtime than others without it negatively impacting the organization, whether it’s financially, operationally. Think of like medical organizations, for example, critical financial industry type stuff.

That’s all going to be different for each organization. And then something else I wanted to touch on there is as you mature into your disaster recovery, your business continuity and moving towards resiliency is the concept of tabletop exercises or even more as we’re starting to hear about is chaos.

Going into your environment and intentionally causing disruption and causing things to go wrong, because you don’t want to run to a scenario where something happens and you’re like, oh, well, we thought we had this in place with what’s going on. Why are we not, we should be good.

Right? No, we’ve never tested it. We’ve never kind of tested the resiliency of our systems. And that’s where I think tabletop exercises. And then even beyond tabletop, just, obviously it’s hypothetical, chaos engineering is much more practical and hands-on where it’s going to go in [00:11:00] there and it’s going to disrupt some things and you want to yeah.

You want to make sure you have that sustain, resiliency, you wanna make sure you have a resilient system in place that can respond to these incidents, whether it’s known or unknown type things. I mean,

Dr. Nikki Robinson: Just quick note, when you mentioned chaos engineering. When I heard this term recently, like within the last few weeks, and I was like, what is this?

I need to investigate this because it was like, what a cool job. It’s sort of how we think about pen testers, right. That they’re in, they’re just sort of figure out what’s going to go wrong.

Chris Hughes: So yeah, to you and the audience to check out something called Chaos Monkey. I think it was open sourced by Netflix, if I’m not mistaken, that they created basically to do this kind of thing.

Imagine trying to provide services to millions of customers at scale. Like they do, you need to make sure, like you don’t have interruptions, like things stay functional and it’s really a new kind of unique space that’s emerging. I think it’s going to grow and grow with organizations as they start testing the resiliency of their systems.

Honestly. Yeah. So from there, let’s move on to our next section. And we had set up to discuss, which is vulnerability management in the cloud. I know vulnerability management is always a topic on top of mind for you. As we move to the cloud, I feel like we do talk about a lot of topics, like as I just talked about infrastructure as code and shared responsibility model and all these kinds [00:12:00] of things, but vulnerability management doesn’t get a lot of conversation.

I feel like as, quite as much as it used to. Why do you feel like we don’t talk about vulnerability management as much.

Dr. Nikki Robinson: This is great. This is something I really wanted to talk about when I knew that we would sort of be doing this takeover episode because vulnerability management, it’s not an exciting topic.

It’s not something super fun that people like love to talk about. Like they don’t want to talk about their hundreds of critical vulnerabilities. It’s just not something they want to do. I think the other part is there was this misconception, it was several years ago and maybe it still exists in some small pockets today, but that vulnerability management wasn’t really a concern when you moved to the cloud, that it was like, oh, well, we’re putting everything in the cloud.

It’s not a problem anymore. We don’t have to worry about patches and things like that. And I was like, oh no, no, no, that’s not what that means. It depends on your, your model, right? Like your service model that you choose. You may be responsible for some of that. If you’re using SaaS, probably not, but if you are using a platform as a service or infrastructure as a service, you need to understand kind of what you’re responsible for.

So you need to understand, is the OS level my responsibility? Is the application layer [00:13:00] my responsibility? Is it not? So that way you can sort of figure out, do I need a patch? How am I going to patch? What does my system look like in general? Right. So am I using VMs? Am I using containers?

How am I actually building my environment? So I think it’s not really talked about because people, it’s kind of an older terminology. And so people are kind of like, ah, it’s just patches. And as we talk about this a little bit more, it’s like, Nope, vulnerability management is not just patch management.

It’s secure configuration. It’s looking at settings and controls. Like going back to active directory days, like we’re talking about group policy, we’re talking about settings. Like we’re talking about real settings within the system. IAM. So it’s a huge bucket.

Chris Hughes: It’s actually something I was glad you highlighted is cause like a lot of folks think of vulnerability management through the lens of, of patching, like you said, and just to touch on a couple of things you brought up, there are the scenarios where you can take advantage of the cloud service offerings.

Like AWS has AWS Systems Manager Patch Manager, it’s called, and you can basically schedule routine updates to your AMIs or instances that you have in your environment and schedule patches to occur on a certain time interval that works for you as an organization, for example, or you can lean into PaaS and SaaS offerings and [00:14:00] basically alleviate some of that aspect of patch management, at least, to your organization as well, which is a great option for smaller organizations with our core competencies around patching and IT operations and things like.

Right, right. Definitely some things worth highlighting. And then you mentioned configurations and that’s like critical, cause moving to the cloud, it’s basically had been proven that the overwhelming number of cloud data breaches and data leaks are due to customer misconfigurations. So you need to make sure you have secure configurations in place, make sure you’re working with the right folks at your organization, whether you’re hiring them, upskilling the existing workforce, bringing in external advisers, whoever the case is, because if you don’t, you can definitely put your organization there.

Dr. Nikki Robinson: For sure. And you hit on like an important point there where we’re talking about secure configuration and it is consistently, security misconfiguration is in the top 10 and in the last version was number six in the OWASP Top 10. That it’s just, I mean, it’s secure misconfiguration across the board, but I’m sure we’ve heard our fair share of S3.

That maybe were misconfigured. So it can happen. And so it’s something to sort of be aware of and be conscious of, as part of the vulnerability [00:15:00] management.

Chris Hughes: Yeah, absolutely. The insecure buckets is definitely one. That’s gotten many of many of folks. And then that’s where I think that in the cloud paradigm, we’re seeing a lot, like a new focus on more modern tooling, like cloud security posture management.

I noticed something that Ashish actually, we had someone on that talked about recently is like CSPM, cloud security posture management, CWPP, cloud workload protection. Whatever. I forget all the acronyms, but there’s a lot more modern cloud native tooling in place around security vulnerabilities and things that need to be taken advantage of.

Dr. Nikki Robinson: I was just going to add on that, to that. Yeah. There are a lot of really great things that you can leverage if you’re moving to the cloud or if you are starting all of your systems, beginning your systems, cloud native, starting there then, then that’s great too.

There are a lot of things that are available. A lot of tools, a lot of configurations, it’s just about sort of being aware of them that they do exist and that you might have to learn how to configure them differently than you would with systems.

Chris Hughes: Yeah. And there’s, I mean, there’s a lot of unique things you can do in this regard.

Like, I talked about infrastructure as code in the beginning. I know Ashish had a sponsor named Bridgecrew. You can go out and you can leverage open source infrastructure as code from repositories that are out there to help you get things up and running [00:16:00] much more quicker, but there may be vulnerabilities in those that you’re not aware of.

And it’s like, oh, this is so much faster. Yes. But now you’ve just put yourself in a very. Situation. And that’s where tooling like Bridgecrew, for example, and others comes into play. Another thing I really am a fan of with regards to the cloud is creating things such as golden AMIs, golden images. We’ve all had golden images, but having those golden images it’s kind of around secured and up to snuff with your organization requirements, whether it’s like a CIS benchmark or whatever the case is, hardened.

So you can take it and deploy that on demand situation basis.

Dr. Nikki Robinson: A hundred percent. And when you’re doing security assessments or you’re doing continuous monitoring, things like that, you sort of have that configured baseline, these sort of controls that are supposed to be in place.

And it’s very similar to what you would be doing on prem that you would be in cloud is just basically making sure that those secure configurations are still there, that nothing changed. And that if something does need to change, it goes through the proper change controls to make sure that it gets put in place.

But that, that baseline is constantly updated to make sure that yes it is using whatever the latest version might be like patches, any of that good stuff that, that would all be [00:17:00] there in the baseline. And it makes it so much easier. Just for administrative overhead. Yeah,

Chris Hughes: I’d say that’s like definitely a more mature way of approaching vulnerability management and secure configurations and posture in the cloud.

I did want to ask one last question before we move on, if we didn’t touch on it already. But what are something you say that security professionals can do to mature their vulnerability management programs in the cloud context?

Dr. Nikki Robinson: for sure. Containers. I think containers are a really, really great step forward.

From virtualization, from VMs where you’re like having a VM template and you have a container now where you’re sort of virtualizing that OS layer, which is fantastic. I love that. So I think that there are a lot of benefits to using containers. You still have some security configurations and some settings that you need to make sure are in place.

But I would say logging and monitoring, if you can really get your alerting down, if you can really get your logging set up properly. It makes life so much easier. You have fewer alerts that you have to watch for when you’ve got those baselines, you have sort of a tailored out alerts that you don’t have to look at any more when you kind of know like, Hey, this is expected, kind of security and expected functionality.

And if something. Then I get like a real [00:18:00] alert. So I would say kind of making sure you’re focused on logging and continuous monitoring, and always being on the lookout for different types of security tooling within AWS, within there they’re constantly evolving and changing. And so I think keeping up to date with kind of what’s going on, in the cloud, whatever cloud deployment you may have just kind of keeping up to date with what they’re doing, because they’re constantly evolving and changing.

Chris Hughes: Yeah, I can’t emphasize that enough. Just to kind of add to what you said. There’s like leaning into some of those native services. Like obviously it’s not going to cover every situation, cover all your use case requirements, that kind of thing, but leaning into those native services, CloudWatch, CloudTrail, utilizing AWS security hub.

I love recommending folks to use security hub. Yeah, they have built-in benchmarks. You could run across environments for CIS benchmarks, for AWS security best practices, running those across your environments and seeing how you’re doing. And there’s also a lot of open source things out there such as Prowler, Cloud Custodian.

There’s some tons and tons of resources. And I know previous guests like Scott Piper and others as Ashish has had on have talked about that. So with that said, I know our last kind of discussion areas, AWS certification. You want to touch on that? Yeah.

Dr. Nikki Robinson: So [00:19:00] we wanted to sort of talk about certifications because, especially for AWS and a number of the other cloud providers as well, but for AWS, their certification sort of roadmap has sort of exploded in the last few years.

There are a number of different because it’s become so huge. There’s a number of different ways that you can sort of go. In AWS. So we sort of wanted to hit on this from a practical standpoint. If anybody’s interested in getting into AWS or learning more specifically from the security standpoint, where should they start, Chris?

What should they do?

Chris Hughes: I’d be open to sharing my journey. Right. When I first started off with AWS, didn’t have the cloud practitioner certification. I don’t think it didn’t exist yet, but AWS kind of constructs their certifications in different tiers. They have what’s the associate level, which has AWS solution architect associate, SysOps and then also developer certification as well.

And then below that they have AWS CCP, the cloud certified practitioner, that’s like the entry level cert. So definitely a great place to start if you’re not familiar with cloud. And AWS is that CCP certification. Then I’m going beyond that. They have their professional level certifications, which is DevOps professional and a solution architect [00:20:00] professional.

And then they also have specialty tracks. As you said, it kind of really brought the specialty track has really expanded quite a bit, things such as networking, security and machine learning. There’s so many different specialties. I don’t even know them all.

Dr. Nikki Robinson: It’s a networking specialty now, too.

Yeah. Yeah.

Chris Hughes: From my perspective, I have eight AWS certifications. I started off just like thinking, Hey, like I need to learn about cloud in AWS security. I’ll take the solution architect associate and then security and that’ll be it. But here I am, , eight certifications later. I was like, well, what about networking?

And what about developer? What about DevOps? What about solution architect pro? But I think a lot of people may be overwhelmed when they first look at it. Like, I can’t learn all of this. There’s so much. I’ll say several things on that front is like, don’t be discouraged to learn, kind of fail along the way. I failed the solution architect associate exam once.

I failed the solution architect professional exam once. I failed the networking exam once. I hold all those exams now. I’ve had things come up like throughout the process. That was incredibly stressful. I failed once and then went back to take the exam and I lost power at the facility.

I was testing at, halfway through the exam. So you’re stressed. Like, you just want to pass, you failed once already, the facility lost power. I’d leave it. Didn’t save my progress. I had to come back and [00:21:00] take the exam again for a third time. Oh, that’s fine. Yeah. So, but, and also throughout that process, like it all builds on each other.

Like, so the things I was learning, from the associate level, like built on know the professional level, built on that. And then things I was learning from the specialties, for example, contribute to things that I had to know for the professional level and vice versa. So don’t be hesitant to jump into that.

And one thing I’ll say is like, don’t also be hesitant to get hands on. It was something that you wanted to stress is getting hands on with your learning. You can read, you can read and read and read, but unless you get in those in virtual environments, create instances, play with the native security services, if you don’t have it, especially if you don’t have an opportunity.

And on the hand, on the job training and experience, get in those virtual lab environments and learning. No use those sites. There’s so many sites like A Cloud Guru, Pluralsight, Udemy, so many different sites that there were video courses, hands-on labs, so many ways you can learn.

So don’t hesitate to get out there and just get experienced like that.

Dr. Nikki Robinson: Yeah. A hundred percent. Have to echo that because I think it’s one of those things being in security in general. I think the more hands-on you can be with the actual environment that you’re securing, really understanding what those configuration [00:22:00] settings look like, what box you need to check, those types of things.

Like, I think those are so important because, from a security standpoint, I need to understand what I’m recommending. So if I’m telling you to check that box, I need to understand what that means, functionality and security. So I’m a big believer in that too. Just getting hands-on with the tooling, the products, understanding what they are, what they mean, the different levels that you can get, because a lot of the in-house sort of AWS security have different tiers.

So understanding what those different tiers mean, what you get at each tier, what’s manual, what’s automated, what support level you have, things like that. I think those are super crucial to understanding not just the certifications, but really how to use the technology and make sure that, when you’re making recommendations, because the last thing we want to do with security is say like, oh yeah, just check that box. That’s totally fine. And then they check the box and then everything breaks. That’s the last thing we want to do. So,

Chris Hughes: Yeah. I also wanted to throw a nod out to like, also be open to learning vendor-agnostic certifications. Like before I jumped into the AWS certifications that I’ve pursued, the first certification around cloud I ever got was a CCSP through [00:23:00] ISC squared, the Certified Cloud Security Professional exam. And that kind of laid the groundwork for me around shared responsibility, cloud computing, what is cloud computing, like what are some of the key security considerations in the cloud around like the encryption and key management, key ownership, all these different things that you want to look at from a security perspective. That exam really helped.

And then there’s also the CCSK, which is from the Cloud Security Alliance, which is another great one, kind of a vendor-agnostic baseline security certification. And then they also have one that’s very new that I’ve actually been reading about and studying a little bit myself and throwing around the idea of taking a test, but I don’t need any more tests, but I don’t know. What are you busy or something?

Yeah, I’ll probably end up, I mean, I know, but the CCAK, which is a certified cloud auditing knowledge or something like that, it stands for. Basically, it’s like to bring, cause auditors are a key part of like the security environment around compliance, third-party attestation, all that kind of thing.

Auditors need to be familiar with cloud and cloud computing too. So that’s definitely a certain certification I think they should look to.

Dr. Nikki Robinson: Yeah. And I’d love to, I want to echo what you’re saying because I certainly, from the academic standpoint, I think it is really important to understand sort of the [00:24:00] theoretical, that baseline knowledge, sort of understanding that sort of foundational terminology and concepts, because you can help apply those to whatever provider you may end up using. You might have different terminology you need to learn or different levels to sort of understand within there. But at least if you have that foundational knowledge you can sort of leverage that into whatever cloud environment you may end up in.

Chris Hughes: That’s spot on is like, definitely there’s nuance between Azure and AWS and Google Cloud, for example. But the fundamental concepts are the same. They tend to stay the same around the core services, and the things that you need to think of from a security perspective tend to stay the same across the various cloud providers.

So you’re definitely spot on in that, right.

Dr. Nikki Robinson: The one other piece of advice that I wanted to provide for anybody who’s considering going for either AWS certifications or anything like that: don’t be too scared to take it. Just go take it, because, so I failed the first time I took the cloud practitioner exam as well, because I was like, oh, I’ll, I only had two weeks to study and I had scheduled the test and then I went to take it and I think I missed it by like one question or something. And I was so bummed, [00:25:00] but don’t be afraid to just take it. That’s okay. Right. Like it’s okay to fail and then go back and take it again when you’re ready to take it again.

But

Chris Hughes: Yeah. I just wanted to agree with that because like I said, failed AWS exams, I think three times now between like the eight exams that I’ve taken. And like you build it up in your head about this huge deal. Like, I don’t want people to know I failed, like, suck, I can’t learn this, I’m not smart enough. Whatever you’re telling yourself, it’s nonsense. And I’ll say like, yeah. And not only that, but like having failed and then went back, like I know the material even better than I did the first time. I know it really well now because I had to go back and study more, work harder and do more labbing and things like that.

So don’t be afraid to fail. It’s all part of the journey.

Dr. Nikki Robinson: Yeah, for sure. A hundred percent. A hundred percent.

Chris Hughes: Yeah. So that takes us to our end of our interview and of our takeover of Ashish’s podcast. So definitely I just want to personally say thank you to Ashish and the audience, a huge thank you.

Yeah. Huge fan of the show. Yes.

Ashish Rajan: Well, I was having the conversation about how both of you became resilient by giving more certifications. No matter how many times you got failed, it opened me up to be open about my thing as well. Failed the AWS professional one the first time. Was so much in cloud for four years.

Yeah. [00:26:00] Four years of working in AWS. I got this like the first time where my walking in, like, I don’t even know why they’re asking me to do this. I just, I’m just gonna walk in and I’ll be walking. Yeah, those three hours was the worst hours of my life.

Chris Hughes: It’s super hard exam. You need to know like almost every AWS service that there is with that exam.

And then I also think it’s part of the society we live in. Like, we have a highlight reel with LinkedIn or whatever. We’re like, oh, another person passing another test. I feel like the story of us failing is definitely more common than you hear about. Cause like people aren’t comfortable sharing it. There shouldn’t be anything big or crazy about it. Just like if you fail it’s okay. Go back in there again. Yeah,

Dr. Nikki Robinson: exactly. Just try to

Chris Hughes: keep trying, right.

Ashish Rajan: Yep. I love how it kind of comes back to the theme of the conversation as well, because when you’re trying to build resilient systems, what have you been talking about? It is you’re preparing for failure. You’re not preparing for what a successful system would look like. We are preparing for what if shit goes down. What are you going to do? Are you going to be okay? Are you going to be resilient? I loved the conversation and I was following it along and I did, I personally had a couple of questions.

I love what you guys did with vulnerability management, where it was not [00:27:00] just about patching.

I’m so thankful that you said it’s not just about patching. Every time I talk about this to anyone else, like, oh, I got patching covered. I’m like, no, let’s talk about the next data breach. But the question is to both of you and whoever wants to answer, is, what’s the maturity scale that you would say for resiliency?

Like I’m considering myself to be, I guess we have people who are startups from based on different countries. We’ve got people who are mature organizations as well, and you guys touched on different topics. If I were to start today and go, okay, what should I go first? Like vulnerability management, blue-green, or what am I doing?

So I would give, cause I think based on knowledge by both of you has given so much, so I would love to give them some direction. We can this start today. And if they were to kind of start from startup to becoming like a big company, what would you both recommend? Whoever wants to.

Chris Hughes: This can be a lengthy conversation, but a couple of key, like, considerations and recommendations I would throw out is like, configurations is huge in the cloud. There’s so many different nuanced configurations you can make that really can come back to bite you.

So that’s why I mentioned like looking into things like a Security Hub and using CIS [00:28:00] benchmark, they’re scanned through Security Hub, AWS security foundation, scanning through Security Hub, using native services like Trusted Advisor is going to go out there and tell you some of these things that you have wrong, that you should definitely take a look at, around like your root account and just basic configuration things that can really come back to bite you.

And then also from the workload perspective, starting with like a secure baseline, you’re using a CIS benchmark or a DOD NIST for example, if you’re in the Department of Defense or a federal government in the United States, whatever kind of regulatory things you can lean into to have like a hardened baseline, start with that.

And you can even look to pull some of these things from the AWS Marketplace, for example. They have things out there that you can take advantage of to help harden and speed up your deployment processes. So that’s some of the key considerations out there.

Dr. Nikki Robinson: Yeah. And I would say, just to sort of add on there, I would highly recommend pulling up a chair for security at the beginning, at the very, very beginning. Have someone who’s a security SME, whether it’s a CISO or a consultant or somebody that you bring in to help you understand risk management as a whole, not necessarily just vulnerability management, but understanding your risk as a whole. And they can help sort of give you a [00:29:00] guideline, a maturity model that you can use to say, Hey, these are your assets. These are your most important assets. This is what resiliency means to you, because resiliency is really subjective, I think, to the organization. And especially if they’re doing application development, things like that, they’re going to have different objectives and goals than someone who might be using SaaS products.

So I would highly recommend bringing in a risk advisor.

Chris Hughes: Yeah. I mean, I can’t emphasize what she said enough is like, it’s a journey. It’s a different thing for each organization. Like you don’t just jump from being a startup to being like a Netflix and having Chaos Monkey going around breaking. It’s a process. It’s a spectrum. So start where you are, make sure you have the right folks involved to help you.

Ashish Rajan: I’m listening to all this and going, so ISO 27, sorry, SOC 2 Type 2 doesn’t mean I’m secure. Is that what you’re saying?

Chris Hughes: It’s a good thing to look to, right? It’s a great place to

Dr. Nikki Robinson: start.

It’s a great place to start.

Ashish Rajan: I think we’ve made a few friends over here as well. I’ve got Robert here who mentioned that he failed twice. Yeah. So CISSP was a tough journey, but I learned so much, eventually he passed and made some great connections along the way. That’s a good one.

Dr. Nikki Robinson: Oh yeah. I’m happy to raise my hand and say I failed the [00:30:00] CISSP the first time too. I thought I knew exactly what I was going into.

I walked in and got the questions and I was like, oh my God. I was not prepared. I was not prepared at all, but then I went in, took it the second time and I felt great, like felt great the second time, passed the second time. No problem. So, it happens. It

Ashish Rajan: certainly happens. Yeah, it definitely does.

And I’m so glad we could open up that conversation. I think Chris, what you mentioned with the LinkedIn thing. Yeah. I mean, you see people come in and they upgrade the status. Like I got certified in Azure or AWS has been everything else. It’s like hundreds of likes in there and I feel bad for like, whoever doesn’t have that certificate.

And probably is too young, I guess, to be affected by it. And then you go like, oh my God, I just feel full for those folks who are just going to sit through multiple attempts of these exams. But there is hope at the end of the day,

Chris Hughes: I was going to say, I think there’s also like a hunger out there for people to be honest.

I failed the Azure security exam before I passed that one as well. I made a LinkedIn article about what I learned by failing, like all the things I learned about Azure security while failing the exam. And I actually made it into like a Marco’s Sec List, his, [00:31:00] like his distribution that he has. It really picked up and resonated with people.

Like, just being honest about the process and,

Ashish Rajan: funny enough, right. As a society, we are definitely going into a part where it’s all about accolades. It’s all about how amazing we are at. Hey, this is what I learned from failing. So talk about talking about failing. It just reminded me of another thing that you guys touched on, which I found really fascinating as well, the RTO RPO conversation.

Right. Are there like AWS tools or can they be cloud native, I guess? Is it easier to design if it’s cloud native? If I want to say RTO five minutes, so design architecture around there, would that be easy enough? And then that can comply with my strategy as well.

Is that possible?

Chris Hughes: I think there’s definitely some native capabilities that like we couldn’t do on premise and legacy infrastructure and architecture is on premise, like leaning into like S3 cross-region replication, for example, or some of the DynamoDB replication capabilities that they have.

For example, that’s just stuff that you could just use. And click a couple of things on on-premise and now all of a sudden your data’s going to, across regions, across the continent kind of scenario. So there’s definitely some native services to lean into that I think can help there for sure.

Awesome.

Ashish Rajan: And what about vulnerability management then [00:32:00] as well? At least, I don’t know of any vulnerability scan

Dr. Nikki Robinson: Yeah. So Inspector, and there are, like I said, I’m pretty sure Inspector has different tiers as well. You can tailor your environment to kind of what you can kind of pay for and kind of what you’re expecting.

You can always use other tools. Let’s say you have, for example, Tenable already in your on-premise environment and you want to leverage it in your AWS deployment. You can as well, you can set up a scanner, go ahead and scan the environment and sort of start there. So you can use the tools you already have if you’re not quite ready to deploy new tools or use cloud native tools.

So there are a number of, of options.

Ashish Rajan: Awesome. Yeah. Cause I think there’s this forum that I’m part of the outreach regularly talk often talk about the fact that how some of the existing tools were designed for on-premise and when you try and move them into a cloud, there’s a bit of a challenge, I guess, a bit of a learning curve there as well.

I’m not going to open that Pandora’s box. I was going to say

Dr. Nikki Robinson: that would take us another hour.

Ashish Rajan: I’m going to hold off on this, but I really enjoyed this conversation and I’m pretty sure everyone else said as well. I’m pretty sure they’ll love to hear more about this. So where can they get to hear your [00:33:00] podcast? I’m assuming Apple, Spotify, but I’m going to let you guys talk about this. I do appreciate the time you’ve spent with us and I would love for them to know where they can hang out with you guys.

And where they can find your podcast.

Chris Hughes: Yeah, I would say in terms of the podcast, you can find us pretty much anywhere podcasts are available. Apple Podcasts, Spotify are the two big ones. Apple Podcasts seems to be where everyone listens for the most part. But it also distributes to other channels as well.

And then, where can you find me? LinkedIn. I’m always on LinkedIn talking to people. That’s how I met Ashish, that’s how I met Nikki. I love the community around cybersecurity on LinkedIn. So you can definitely find me there. Yep,

Dr. Nikki Robinson: Same here. I’m on LinkedIn. That is certainly my primary area that I’m at.

It’s Dr. Nikki Robinson at LinkedIn.

Ashish Rajan: That’s awesome. As you said that there was a delayed response from questions, whether there are a few questions coming in as well. Do you mind if I take a couple of minutes, say, Roxanne has a question. What is the best way to do patch management in AWS?

Chris Hughes: Best way, subjective. It honestly depends on your organization, your competencies, your skills, like what kind of things you already have in place around processes and things like that.

But with that said, I didn’t mention earlier the native service, AWS Systems Manager Patch Manager, that’s something you can lean into to [00:34:00] kind of get a governance and standardized way of patching, whether you have a schedule that works for your organization around disruptions, or maybe downtime, things like that.

So lean into that native service, check it out, see what it can do.

Ashish Rajan: Yep. And I think also it depends on the kind of compute you are using as well. Right. Having two containers on the golden AMI as well, so many different ways of approaching it. But I guess hopefully that answers your question Roxanne, but she’s a regular listener as well.

Thanks for. This episode is going to be live on the audio platform as the Apple Podcasts as well later tonight and before America wakes up, but next week is a new month and we starting with cloud native actually.

So that’s a perfect way to end this talking about cloud native. So thank you so much for going in, and I am looking forward to having more of these conversations. Awesome. Thank you so much. Thank you. All right, everyone. I’ll see you next time.