What is SaaS Security Posture Management (SSPM)?


Episode Description

What We Discuss with Chris Hughes:

  • 00:00 Intro
  • 03:07 Chris’s cybersecurity journey
  • 04:26 Why is SaaS Security suddenly becoming important to know?
  • 05:12 Common SaaS Applications
  • 06:27 What is SaaS Security Posture Management (SSPM)?
  • 08:00 Where does one start with SaaS Security?
  • 10:00 Is SSPM the new Third Party Risk Management?
  • 12:19 Vetting SaaS offerings?
  • 13:30 Supply Chain Risk and SaaS Security
  • 14:50 Who is responsible for SSPM?
  • 16:20 SaaS Security Review Benchmark/Standard
  • 17:31 Is there a Due Diligence Checklist for SSPM?
  • 18:59 Are SSPM and CSPM adding more complexity to the cloud security space?
  • 21:37 Advice to people thinking of dealing with SSPM
  • And much more…

THANKS, Chris Hughes!

If you enjoyed this session with Chris Hughes, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank Chris on LinkedIn!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

  • Tools & services discussed during the interview

Ashish Rajan: [00:00:00] Hey Chris! Welcome.

Chris Hughes: How’s it going?

Ashish Rajan: Thanks for coming in, man. I doubt people don’t know you, but for the one person that doesn’t know you on my stream, I would love for you to give a short intro about who you are and how you got into cybersecurity.

Chris Hughes: Yeah, definitely. I’ve been in the cybersecurity space almost 20 years at this point. I started off in the U.S. Air Force, and from there worked as a civilian government employee for the Navy doing cloud and cloud security. And then from there I worked at a federal agency that does FedRAMP, for those familiar with FedRAMP.

I was a part of the technical board doing FedRAMP for a bit of time and then spent some time in industry supporting various entities within the United States Department of Defense, and then pivoted to some commercial work, telecommunications and others. And then recently co-founded a company named Aquia where I’m focused on cloud security, cybersecurity, and DevSecOps in the public sector.

So things like federal government, Department of Defense and that kind of thing. I also teach as an adjunct at a couple of universities in their graduate cybersecurity programs, I’m involved with groups like Cloud Security Alliance, and, you know, due to being inspired by you, I actually started a podcast called Resilient Cyber as well. [00:01:00]

Ashish Rajan: That’s awesome, man. I think there’s so much more to it. I love the fact that there are so many aspects to you: you’re teaching, you have your own startup as well, and you’re doing the podcast as well. So it’s amazing. And I think that kind of is a good segue into another acronym from the cloud security space that Gartner has introduced us to.

And I keep hearing about this, and I’m sure a lot of people hear about this as well. I’m sure people are familiar with what SaaS is, but why do you think SaaS security is suddenly becoming the talk of the town?

Chris Hughes: I think we spent so much time, you know, as organizations started going through cloud migration and adoption, and then kind of maturing in that space around cloud and cloud migration.

Now we’ve started to look and see, like, you know, as organizations are using, say, two to three providers, AWS, GCP and Azure, for example, they’re using tens to hundreds of SaaS providers. Like some studies show, you know, SMBs, for example, may be using up to a hundred SaaS providers, where large enterprises could be using 280 or more SaaS providers.

So it’s an aspect of cloud security that never gets a lot of attention, and I think more and more people are [00:02:00] realizing that, wait, there’s actually like a lot of data. There’s a lot of things we have going on from a SaaS perspective around business continuity and critical functions within our organization.

And we’re not paying any attention to SaaS and SaaS security.

Ashish Rajan: That’s true, because now that I think about Office 365, G Suite, all those are SaaS services. Technically they’re not really actual, like we don’t really have an Exchange load anymore. We just go for Office.

Chris Hughes: Yep. Yeah. I mean, you know, you use these for so many things, whether it’s communications, collaboration, you know, Slack, Jira, Confluence, on and on and on, you know, Box, storage services.

It just keeps going. And we’re using them for so many different business functions. But from a security perspective, we don’t really think about it. And part of it’s, you know, obviously the age-old shared responsibility model, right? Especially in SaaS, you know, people tend to get lulled into thinking the cloud provider is doing everything.

And when you think about SaaS, they definitely think of the cloud provider doing everything, that they have no responsibility, but it’s still their data, their customers’ data. They still have access management responsibilities, incident response implications. There’s a lot of things that they’re still responsible for.

Ashish Rajan: That kind of [00:03:00] reminded me, cause I was having a talk with someone and they even mentioned that some SaaS services, like Salesforce as an example, have a lot of confidential data, like first name, last name, PII, you name it. And how often are people auditing the security posture of the Salesforce? I guess maybe that’s a good segue into this. So what is SaaS Security Posture Management?

Chris Hughes: Yeah. So it’s definitely, you know, a similar term, you know, for folks familiar with CSPM, your Cloud Security Posture Management. It’s the same concept, except for your SaaS footprint as an organization.

And I know you actually had a recent episode where you talked about, what was it? It was CSPM, you know, CNAPP.

Acronyms keep going and going. And I will say, like Gartner, they just released a report recently, and it talked about SSPM and how it’s like one of the four top things you need to have as part of your cloud migration journey. I think people are realizing, like, you know, there’s this whole SaaS footprint and the data exposure, controls, identities, etc., and people aren’t paying any attention to it.

So when you think of [00:04:00] SSPM tools, they can go out there and integrate with your existing SaaS utilization, you know, with Salesforce, Box, you know, Jira, Confluence, on and on, and look in those environments and see what kind of data you have. Who’s it exposed to? What kind of identities are there? How are the permissions? You know, what does your compliance posture look like for different frameworks that you might be adhering to, for example?

So it’s the same concept as thinking of CSPM for your posture management, but it’s in the context of SaaS, for example.

Ashish Rajan: For people who may be looking at this field and going, oh, maybe I should look at SaaS security as well.

Where does one start? There’s so many. You mentioned 200, like, cause you know, I feel like the cloud security problem with CSPM is a lot easier. How many clouds do you have? Maybe one of the three most popular, maybe all three, but 200 sounds like a large enough number.

Chris Hughes: That’s the thing. It really is a large number, you know, when you think about it from the security vendor perspective and the organizational perspective, where do you start? You know, when you talk about CSPM, the security vendor only needs to worry about how do I integrate with AWS, for example, how do I integrate with Azure?

And that can open up a whole massive opportunity for them from a business [00:05:00] perspective. And then from a security perspective, they only need to worry about like one to three, you know, platforms, for example. But when these SaaS security SSPM vendors, for example, are providing tooling and integrations and findings and telemetry for the SaaS offerings, there’s so many of them, you know. So I think what I’ve seen so far is like these SSPM vendors are starting with the big ones, like you’ve talked about Salesforce. They’re starting with some of the humongous ones that everyone’s using.

Everyone has a lot of activity on, a lot of data on, things like that. And they’re starting with those and building integrations with them via APIs and, you know, creating configuration best practices that align with like a CIS benchmark or vendor guidance, things of that nature, and starting to tackle them from that angle.

And the same thing from an organizational perspective, you know, obviously if you’re using 200 SaaS offerings, you’re just kind of like, where do I start? Well, which one do you have the most data in? Which one is the most sensitive to you? Which one’s the most critical from a business continuity perspective, where we have the biggest implication, you know, from a cyber incident, for example? And starting with that perspective is a good way to go about it.

Ashish Rajan: I’ve got a question here from Tom which says, would you say SSPM is a new [00:06:00] third-party risk management?

Chris Hughes: It could be, right? Cause all these SaaS, or any entity you’re using, you know, for business continuity or collaboration or anything you’re using it for, is essentially an extension of your enterprise footprint, you know, from an IT perspective right now. So you need to vet these, and that’s a critical part of SaaS security, you know, not necessarily SSPM, but think of like SaaS security and SaaS governance.

A big issue with SaaS also, you know, some of these studies are showing that, you know, only 25% of SaaS utilization is implemented by the IT or cybersecurity team, for example. A lot of it’s shadow IT. It’s like the new shadow IT, except anyone in the organization can quickly spin up SaaS and start putting your organization’s data, their identities from the organization, in there.

It is so easy for people to do. So thinking about, like, you know, say only a quarter of those 280 or a hundred SaaS apps the IT team even knows about. So a big problem is just getting a handle around it. You talked about asset management always being one of the critical CIS security controls, for example. Asset management from the perspective of your SaaS footprint is just getting an inventory of, like, what SaaS are we even consuming? And that can [00:07:00] be a problem. Depending on the organization, that could be a big problem, trying to track that down. You know, of course you can do manual methods like surveys and asking folks and trying to pull it from databases that might have that kind of information in place, but you’re hoping everyone can tell you, or even knows, or you ask the right people the right questions.

Another method to go about doing that is getting technical measures in place, like a CASB or something that you can kind of have as like a proxy and capture some of the information for you and tell you what’s being utilized. Before you can even implement SSPM, you need to know what are you even using?

What are we consuming? You know, where are we putting our data? What SaaS offerings are we even interacting with?

Ashish Rajan: And Tom is raising an interesting point, which made me think about a SaaS product that I came across recently. SaaS products generally have integrations across the board at a lot of places.

Some of them actually talk back into your organization. So in a way, this could be a supply chain risk as well. So not just from a third party, because you’re telling someone, an outsider, to come and make a change into your organization. I think the example that I’m thinking of.

Well, something like, [00:08:00] oh, Calendly is a great example. Calendly that people use. All of us use it. We use Gmail. It allows us to kind of book into our calendars. We don’t really ask, Hey, what else do they have access to? I don’t know. Like they probably can read my emails as well, if I give it the permission.


Chris Hughes: That’s part of vetting these SaaS offerings. Once you get a handle on what you’re using, you also need to have like an intake process in terms of, say you have a business unit or someone within the organization, a stakeholder, that comes to you and says, Hey, we want to use SaaS X.

Well, you might need to look at that and say, like, what certifications do they have? Do they have FedRAMP? Do they have SOC 2? Do they have ISO, etc., etc.? Do they have, you know, CCM from Cloud Security Alliance? Do they have any certifications? And then can we see, like, their internal policies around access control and incident response? How are they handling customer data?

How are they handling identity and access management? Because, like you’re saying, all these SaaS vendors, for example, could have integrations and access into your environment too. So not only can they be compromised and have your data in their environment, but they may have the ability to reach into your environment.

So they definitely pose a risk to you. And it’s part of the broader third-party risk management or supply chain security conversation. Yeah. [00:09:00]

Ashish Rajan: Especially these years, when supply chain is kind of becoming the talk of the town with all the hacks that are happening on your supply chain third parties.

And you don’t even find out until much later. So having some kind of agreement that, Hey, if they get hacked, they should probably notify you that they’ve actually experienced a security incident. And not just cause, like, I don’t know how many people actually do a security review of their third parties.

Chris Hughes: Yeah, it’s obviously getting more and more conversation. Like you said, supply chain security is the critical topic of the day. And understandably so, you know. And I think malicious actors are starting to see, like, if I compromise Ashish’s organization, I compromise one organization, but if I compromise say like a Box or, you know, Salesforce or some massive organization that reaches into thousands and thousands of enterprises, it has a cascading impact across the entire supply chain. And, you know, it’s a lot easier to go there and get a lot of reach into a lot of organizations rather than just targeting one organization.

Ashish Rajan: Thinking about this, maybe there’s a line there as well, where usually the CSPM has been a conversation for, say, the non-corporate security side, you know, because SaaS products are [00:10:00] usually being used by internal staff.

Say it’s not something which may be customer facing. So if you are, I don’t know, any bank out there, you have AWS and Azure that’s being faced by your customers, but these are services that are used by your internal staff. So is there like a difference in who they can be working with?

Because, you know, we talk about, Hey, we should work with DevOps teams, but there is no DevOps team in like a SaaS SSPM kind of world. So who do you see getting more involved in these conversations from the security side and from the corporate security side?

Chris Hughes: Yeah, I definitely think it’s a great question.

Like you said, if you’re using an IaaS environment, you’re likely doing some kind of application development and putting something public facing for customers to interact with. But the SaaS applications are often serving your internal business functions, as you mentioned. And then you look at the whole COVID-19 situation.

With the proliferation of the remote workforce, the SaaS offerings have become like a linchpin to your business continuity and keeping your organization going. But people never look at those and address, like from an incident response or business continuity perspective, [00:11:00] how do we need to update things? Like what if one of these SaaS apps has an outage or they get compromised?

Where does that have an impact on our organization? People don’t even look at that. So in terms of who gets involved, I think you should have your security team involved. Obviously the business units that are consuming them need to be involved and understand the risks associated with using them and their responsibilities in using them.

And then you definitely may want to get your legal team involved. You talked about service level agreements and things of that nature. You might need to get your legal team involved, your privacy team, depending on the nature of the data you’re putting in those environments. All of these teams need to be involved in that conversation.

Ashish Rajan: We’ve kind of given people a foundation for what SSPM is and why they should care about it, and maybe where they can even start as well. And I wonder if there is some work being done around best practices, cause it sounds like it’s fairly new as well. And I mean, I guess that’s why it’s one of the trending topics as well. But is there any guidance? Like, I know you mentioned CIS benchmarks earlier.

You mentioned CSA earlier. Where do people go for finding out what’s a good benchmark to, say, measure all these SaaS services?

Chris Hughes: Yeah, [00:12:00] there’s definitely some guidance out there, you know, from leading vendors in this space. You know, just throwing a few names out there, organizations like AppOmni, Netskope, Obsidian Security, you know, the SSPM vendors, things of that nature.

There’s also, you know, guidance from, like, if you look at ISC2 and some of the organizations that produce credentials, like CCSP, Certified Cloud Security Professional, a great vendor-neutral certification that addresses the risks associated with SaaS and best practices.

And then also Cloud Security Alliance. I’m actually involved in a working group there, a SaaS security best practices working group, and we’re putting together a white paper on this topic. We have about 15, almost 20 people at this point involved, you know, from all over the world, leveraging their expertise in different areas.

You know, whether it’s application security, business continuity, incident response, identity and access management, and they’re providing guidance on how to handle, you know, SaaS security best practices, basically. So we’re excited about getting that guidance out there to the industry.

Ashish Rajan: Oh yeah.

That’d be awesome. Cause I think it’s a perfect segue, because I’ve got a question. Hi, a first-time listener. Welcome. Welcome. For some reason I can’t see your name, I’ll have a look at LinkedIn, but welcome to the feed. Is there a due diligence checklist or [00:13:00] scorecard for the,

Chris Hughes: I don’t know. I want to say no, but there very well could be. I don’t know if there’s a great one that I can point to right away.

You know, for me personally, the way I’m approaching it, the organization I’m working with and some of the clients we’re working with, is that we kind of look at it across five domains: you know, identity and access management, data protection, application security, logging and incident response, and business continuity. Across those five pillars, and looking at those things.

And, you know, each of those has, you know, kind of critical things that you should look at within those domains. I’d be happy to dive into those or provide, you know, for the conversation, for folks that are interested, too.

Ashish Rajan: I find that, I’ve already got a CSPM, I’ve got SSPM as well. And this could be a general opinion as well. Do you find this is just adding more complexity to the cloud security space itself? Like, you almost feel like you’re starting to get some handle on the cloud security side with the CSPM or CWPP or CNAPP or whatever those new abbreviations are.

Now we’ve added one more onto it. Like, what’s your general opinion about the cloud security space and its complexity now?

Chris Hughes: No, I mean, dude, that’s a really good question, but the truth is, [00:14:00] like, it is an incredibly complex and dynamic ecosystem and landscape that we’re dealing with.

And as you mentioned, like, there’s CWPP, there’s CSPM, on and on and on and on, from toolings that we have to get used to. I think that it doesn’t add complexity. I think that the reality is, like, we’re using these service providers. They have access to our environment. We’re putting critical data in their environment.

We have identity and access management in their environment. We have very little visibility in terms of the implications for them from an incident response or business continuity perspective. The complexity is already there. The truth is we’re just starting to realize, like, Hey, this is something that we need to be addressing.

This is something we need to be paying attention to. We’re using it for a lot of critical business functions that can impact us both internally, and then also, if we’re using them for business functions and say we have an interruption or an incident, it could have external implications for our customers as well.

So the complexity is already there. And it is a complex problem, no doubt about it, but I think it’s something that we’re just starting to look at and just starting to address, you know. And the alternative is honestly burying our head in the sand and saying we’re using 100 or 200 SaaS apps, putting data there.

It may be sensitive, may have an impact on us, but we’re just not going to talk about [00:15:00] that. We’re just not going to address that. And I think the alternative is obviously much worse than starting to wrestle with the problem, and you can get some governance and, you know, rigor around it, but

Ashish Rajan: before it becomes too much out of control. It’s funny you kind of mentioned the fact that 200 doesn’t sound unrealistic, because every now and then you say, oh, you should use another SaaS service for this.

I noticed that. So it kind of slowly piles up, and you don’t even realize. Because I think one of the companies that I was working with kind of worked on something like a third-party onboarding checklist. It wasn’t like a proper security compliance checklist, but it was more for the fact that, Hey, if I were to use a new service, make sure you kind of just touch base, especially for deals with data that needs to be transferred over, because there’s a fine line.

There is that they could be SaaS providers you use to connect to something else, but you don’t necessarily store anything of your own, but there’s your identity that’s been, if they get compromised. I’m thinking of the Have I Been Pwned kind of website, where you kind of have your email address, cause you kind of say to people, Hey, use your actual work email to sign up for these third-party sites.

A lot more to go and kind of go in there, but [00:16:00] I’m grateful that you kinda came in here, man. I think what I’m going to do is, toward the end of the YouTube stream, I’m going to leave a few more for people who may be curious about CWPP and CNAPP. I’m going to leave a thing on the side somewhere for people to kind of check out those episodes. But any parting words for folks who may be listening to this and going, this is going to be really complex.

Thanks Chris and Ashish for introducing me to another layer of things that I have to work on. Any parting piece of advice for folks feeling overwhelmed by the new?

Chris Hughes: Yeah, definitely. A couple of things I wanted to say real quick. You did ask earlier about kind of a best practice checklist.

There is, you know, guidance from Cloud Security Alliance, like the CAIQ, I think is the acronym, and I may have butchered that, but it’s like a checklist. But it’s a massive amount of questions, and you can have a lot of fatigue between your team and vendors doing that over and over across hundreds of apps, for example. That is something you could use, but not necessarily the easiest thing to use.

Right. But in terms of where to start, I would definitely focus on those five critical domains, like I said: identity and access management, data protection, application security, logging and incident response, [00:17:00] and business continuity, you know. And then at a high level, just get a handle on what you’re using.

Right. Getting an inventory of what’s being used. How do we intake new requests to introduce new SaaS to the environment? Do we have a standardized process? Are there certain artifacts we ask for to help do an assessment of the level of risk from the vendor before starting to work with them and putting data in their environment? And then getting that out to the community within your organization that utilizes them. And then, you know, implementing, obviously, tooling like SSPM to start to take a look at your current footprint and see how secure are we, how much data do we have exposed?

You know, are we implementing configuration best practices? Are we aligning with things like CIS benchmarks? And then are we aligning with compliance frameworks that we may need to comply with?

Ashish Rajan: Yeah, I think that’s good. That’s good advice. And a good note to end the stream on as well.

Thanks everyone for joining, and thank you. Thanks Chris, for coming onto my hundredth episode, man, making it special. I appreciate that. And for everyone else, feel free to tune in on the weekend, where we talk about another trending topic on cloud security.

But until next time, we’ll see you soon. Thanks so much for tuning in. See you. Peace.
