Why Least Privilege Matters in Cloud Security?

What's the best way to navigate least privilege complexities in a multi cloud environment? And how is the role of identity management evolving? We spoke to Jeff Moncrief from Sonrai Security on why identity is the new network in the cloud-driven world. We speak about the challenges of implementing least privilege in cloud environments, the misconceptions surrounding identity roles, and the critical importance of segmenting access across public clouds just as rigorously as we did on-premises.

Questions asked

00:00 Introduction
01:59 A bit about Jeff
03:01 How is identity different in the Cloud?
05:40 Misconceptions about least privilege in the cloud
08:50 Cloud Native solutions for Permission Attack Surface Management
15:36 Common themes when addressing privilege in Cloud  
17:22 Starting point when dealing with identities
20:03 Frameworks when working through least privilege
23:21 Showing ROI on doing least privilege

Jeff Moncrief: [00:00:00] You've heard identity is the new perimeter, right? I don't agree with that. Identity is the new network. We must start saying that it is not about federated identity and multi factor authentication. That is just such a small piece of the puzzle. You've got to start thinking about from a cloud native perspective, that identity is the new network, nothing can live, breathe, or function in a cloud native environment without the identity fabric. It is the conduit with which everything breathes and communicates. We need to educate the market and the world that you've got to start thinking about segmenting the public cloud, the same way that you did on prem, but we don't segment at the network layer, we segment across the access fabric.

Ashish Rajan: This episode is for everyone who's been trying to solve least privilege in the cloud world. If you haven't tried doing least privilege, you may have tried it in on premise, you may have tried and making an attempt of it in cloud. But if you know what I'm talking about, least privilege is probably one of the hardest things to do for identity in the cloud.

Specifically in 2024, when we have multiple AWS accounts, multiple subscriptions for Azure, multiple Google cloud accounts, [00:01:00] and probably some other cloud provider out there as well, all either sharing identity or having their own set of identity that they're dealing with. But least privilege overall has been challenging for a lot of people.

And in this conversation, I had Jeff from Sonrai Security. And we were talking about the challenges of doing least privilege and how you can flip your approach to perhaps least privilege the other way instead of trying to go at it from hey I have resolved permission problems instead of looking at as a problem that I have to just go through all these identities and reduce your permission.

There's a better way to look at this, and that's what Jeff and I talk about in this episode. If you enjoy this episode and you're listening to us on Spotify or iTunes, I would really appreciate if you can drop us a review rating. If you're watching this on YouTube, feel free to like the video. So we know you want us to create more content like this.

Otherwise, I'll see you in the next episode of Cloud Security Podcast and enjoy this episode. And I'll talk to you soon.

Welcome to another episode of Cloud Security Podcast. Today, we're talking about least privilege. For this, I've got Jeff. Hey Jeff, thanks for coming on the show, man.

Jeff Moncrief: Hey, good to be here. Thanks for having me. Super excited.

Ashish Rajan: I'm excited as well. Maybe [00:02:00] to start off with, could you share a bit about yourself and what got you into the whole cybersecurity space, man?

Jeff Moncrief: Yeah, I've been in this space for, I feel old saying this, but 25 years, Ashish. I got started in this space back in 99 at what a lot of folks call the original internet security company in the world.

Internet Security Systems. As a lot of folks still refer to it because I'm here in Atlanta. It's out of Atlanta. So that's where I got my start was ISS, doing intrusion detection systems, end point protection, vulnerability assessment, all that stuff and supporting it. Like a lot of folks got their starts and careers in tech support.

I stayed in the field and I have done, in summary, some form of pre or post sales, either engineering or leadership role for all of those years leading up to, I've been here at Sonrai now for four years. Prior to that, I was at Cisco for five years and I've been focused just on securing public cloud workloads for about seven years now.

So I did some of that at Cisco from an infrastructure perspective in the public cloud, and I've been focused on platform for [00:03:00] the last four years since being here.

Ashish Rajan: And topic today, least privilege. I'll be honest. It's not the favourite topic for a lot of people. I think as someone who started his career in IAM, I probably would know this better than anyone else.

I want to leave it as soon as possible. Cause I, username, password, clearly people, but privilege, how would you define it and how would you say it's different for people from the on premise world into the cloud world? How is that different?

Jeff Moncrief: Yeah, it's so different from the on prem world. We focused on securing what all the time?

The network, right? We've got to put in our firewalls. We've got to worry about network and endpoint protection and APTs and insider threats. And it's because it was everything lived and breathed and functioned from an on premise perspective back in the colo and data center days across the network, right?

Fast forward to today, everything is flipped. I'm sure as many folks as you talk to, you're like a celebrity, right? In this space, you've heard identity is the new perimeter, right? I don't agree with that. Identity is the new network. We must start saying that it is not about federated identity and multi factor authentication.

That is just such a small piece of the puzzle. You've [00:04:00] got to start thinking about from a cloud native perspective, that identity is the new network. Nothing can live, breathe or function in a cloud native environment without the identity fabric. It is the conduit with which everything breathes and communicates.

So I think that's one of the biggest things that folks have to wrap their head around as it relates to the on premise environment versus the public cloud and on premise, we could, everything was contained like an active directory or maybe your secrets manager or your password management solution.

And as it related to non human identities, all we had to worry about was service accounts or windows, or daemons on Linux boxes. But now, we have identity proliferation in the public cloud because everything relies on identities to function. Even think about, folks worried about securing VMs in the public cloud.

They don't think about that fact that VM can't function without accessing a role or a service principal or managed identity without that it's dead in the water. So it's just a, it's a completely different mindset. And then I think another [00:05:00] thing Ashish is ingress egress back on prem days. We had just two ingress egress points, right?

Now there's thousands because every service opens the door to just more and more ingress egress points. And I think that's where, back in the on prem days, as we had to segment, that's where firewalls came into play. We segmented with our firewalls, we plug into a customer's environment and we illuminate it today. As it relates to segmentation, everything's flat and that's frightening because everything can talk to everything. And we need to educate the market and the world that you've got to start thinking about segmenting the public cloud, the same way that you did on prem.

But we don't segment at the network layer. We segment across the access fabric.

Ashish Rajan: Oh, I love that. And I also love the fact that to what you said, segmentation is not looked at the same way in cloud and maybe just cannot be because as much as yes, there's a network in cloud, but the important key element there is that if you don't have an identity, it doesn't really matter how many network segmentations you have, you can't access them anyways.

So I think it's basically almost a no [00:06:00] brainer, but that makes me also think, are there any misconceptions? So probably, what are some of the concerns companies have with least privilege? So the thing, and there's a specific reason for me to go down the least privilege path, because I feel like as an IAM concept, people generally think, Oh yeah, username, password, role based access control.

But specifically around least privilege, do you find there are any misconceptions or things people carry on from the on premise world that they probably should unlearn in the cloud world?

Jeff Moncrief: From a misconception perspective, I think that one of the biggest things that is an eye opener when I speak to folks is I talk about cyber litter and cyber garbage.

And if you think about role proliferation and identity proliferation in the cloud, they're not thinking about that. They're thinking that, Hey, Bob or Jenny, they deployed this application six months ago or three years ago, and they don't need it anymore or whatever. So they just turned down the workloads, right?

Yeah. What they left behind with those identities. They weren't thinking about that, right? Cause back in the day, what did we do? We just delete, we took the server. We unracked it, stuck it over in the corner and that was it. That was your risk landscape. Maybe close the hole in the firewall that was pointing to it.

Yeah. [00:07:00] But now you've got all this cyber litter and cyber garbage that's left behind across the access fabric roles. And like you said, IAM identities and things like that. And so I think that's the first thing that folks need to be aware of is that it's insane. The amount of leftovers, if you will, from projects past and teams, past and employees past that you need to be thinking about, because those are all identities with permissions to go do things that folks can assume, right? So I think that's the first thing. And then I think another thing is when it gets to, least privilege in the cloud, folks need a strategy. And because this is so foreign to so many folks still, they don't really know where to start. So they start playing whack a mole. And I think that's super, super important.

You need a strategy and you need to be able to really focus on the most egregious risk up front. I wouldn't say that you should start with applying least privilege policies to every single identity. That's whack a mole. You don't even know if these identities have access to anything. You need the ability to illuminate the environment, understand what can talk to what from a relationship perspective. But I think the most important thing is they're [00:08:00] not thinking about the fact that I can log into AWS or Azure, whatever right now, Ashish, and I can just start deploying things in different services.

I can start deploying things in different regions. That's what you guys are thinking about. And that's what I've learned over the years here is, we call it the permissions attack surface. Focusing on the unused part of that attack surface, right? That's where you've got to reduce the risk.

It's just this massive landscape, right? For the picking, especially if there's a new credential dump out in GitHub or something like that. And I can just log right into the dead center of your cloud right now.

Ashish Rajan: Yeah.

Jeff Moncrief: And that's where that segmentation gets into play. It's super, super important that folks start to think about, okay, there's this vast part of my cloud.

The moment I create these accounts, that's unused, get rid of that, get that part of the attack surface off the table. So it's not even a conversation. Then you can start to focus on least privilege on the running part of your cloud. So there's a method to the madness.

Ashish Rajan: And I think it's an interesting term, permission attack surface management as well.

Do you find other native services, I feel like what you've hit over there is an interesting one because I think these days most [00:09:00] people are multi cloud most people have not just one account or one subscription, they have multiple subscriptions, multiple tenancies, multiple AWS accounts as well. Attack surface seems pretty wide.

Is there anything natively available from the cloud provider to your point, exposing the permission attack surface management.

Jeff Moncrief: There is, and no, not a ding on the CSPs, right? Because they're doing their best to give customers and folks a stop gap, right? Some sort of capability there. But yeah, all three of the major cloud service providers, whether it's AWS, Azure or GCP, they've got some limited capabilities for least privilege built in.

In AWS, you have, IAM Access Analyzer. GCP has a more direct capability. It's just showing you used and unused permissions at a ratio right there on those individual identities. And then Azure has what I would say is the most mature set of tools as it relates to visibility into least privilege through, what's Entra ID now, which was Azure Active Directory.

So there is some native tooling there, but here's the thing. It's just showing you used and unused permissions on an individual identity. [00:10:00] Okay. So that's the first thing. It's just a visibility component. The second thing is it starts to get really weak as we talk to non human identities versus person or human identities.

Okay. So that's the second thing. But I think the biggest concern that I've learned over the years is that those tools lack context. They can't tell you if that identity is a dead end or if that identity is key to a crucial lateral movement chain, going from a workload through your entire cloud, straight into the crown jewels, right?

So that doesn't have that visibility there from a context perspective. And then a lot of the tools in this space, whether it's cloud native tools or third party Ashish, it's a visibility tool. It's not about action. It's just giving you more things that you have to then go research and fix because we're talking about deleting things.

We're talking about removing permissions when we talk about least privilege. I always talk about this, right? It, there's this fear, there's this paralyzation when you even bring up the phrase least privilege because folks are scared. They don't know if they can delete this [00:11:00] identity. It doesn't matter if it's a third party tool telling them it's not being used in 30, 60, 90 days or cloud native tool, right?

So there has to be a way to also address that fear. It doesn't matter which where you're getting your information from a visibility perspective. So that's one thing that, I'm super excited that Sonrai is innovating in that area.

Ashish Rajan: Would you say to your point about each one of those cloud providers have some kind of an offering in terms of, Hey, you can use native tool, but they only allow for visibility without the context. Do you find that going back to the challenge thing that we were talking about for people who are trying to solve this in their organization, least privilege, specifically talking multi cloud visibility, does that extend to other clouds as well, or is visibility primarily I'm AWS, I only care about AWS.

And again, to what you said, we're not trying to say anything bad about any CSP, not that I'm sure they're trying to do their best as well. It's a really complex environment to run data center, as a lot of us have tried this before. Do you find there is a, in the way they're approaching it, does it extend to other clouds as well?

Or is it just primarily for their own cloud [00:12:00] provider.

Jeff Moncrief: So the question is, like in AWS, does it give visibility into the other cloud providers as it relates to least privilege?

Ashish Rajan: Yeah.

Jeff Moncrief: So that's where the story definitely starts to crumble as it relates to the tools and they're how comprehensive they are.

And that's really where third party tooling comes into play. So AWS doesn't really have any ability to provide visibility beyond its own native identities, has now IAM Identity Center, which is fantastic for single sign on those kinds of things. But even that focused just on AWS. GCP is the same, right? So GCP is really focused on just showing you least privilege as it relates to their own native identities. And then Azure they have, to my knowledge, what I would say is the only ability really to do cross cloud into the other cloud service providers. But even then, you're going to find that they've invested very heavily on Azure, which is amazing.

It's fantastic. But they are very weak when it comes to the other cloud providers. I think another thing that we have to think about is that this isn't just about, hey, there's a bunch of excessive permissions in the cloud and we have to go delete them. Or there's a bunch of unused [00:13:00] identities and we have to go delete them.

You've got to be thinking about ongoing maintenance, ongoing governance. Okay. That's amazing that you've been able to delete these identities and I'm just left with what I need. But what if there's like a critical identity where permission changes or someone nefariously accesses a break glass account when they shouldn't have, you need the ability to set trip wires.

Around all of these things, you need context about whether or not this identity leads to a sensitive data container. Let me ask you this. How powerful would it be to tell the opposite side of the identity story, meaning not these identities can access this piece of data. Start with the data. That piece of data, did you realize it has 46 different identities that can access it across 16 different accounts or subscriptions?

The majority of those are non person identities and it changes every day. What if you had that level of visibility, right? That's what folks aren't thinking about.

Ashish Rajan: Yeah.

Jeff Moncrief: And that's where I'm talking about whack a mole. You've got to have the context to understand what these identities can do and touch.

And that's where seriously, all these cloud native tools, they don't offer that.

Ashish Rajan: Would you say, cause you mentioned single sign on as well. A lot of people may think, hey, I've got [00:14:00] single sign on. I think I know exactly what Ashish's privileges in Azure AD or Entra ID or whatever, does that take care of least privilege or is that a misconstrued assumption there?

Jeff Moncrief: It's not misconstrued. Okay, so let's start with I'm gonna be on the record. SSO is a good thing. Okay. I don't want you Ashish going and building an AWS cloud for me that has bunches and dozens or hundreds of IAM identities in it. I'm talking about a mess, right? All with like in line policies versus managed policies.

Just everything that goes against best practices. Single Sign On is super, super important because it removes that problem to go create 1200 identities for my 1200 employees that might be doing things in the cloud, what I can do is pare that down into a very specific finite set of roles.

Okay. Yeah. That role, they can all come in and assume that's the whole point in the role. And then you can give that role very specific permissions. What we have found though, over the years though, is that folks over provision that role from a permission standpoint. So these 1200 users that can come in and share a role, they have too many [00:15:00] permissions.

What we find is we watch the role and then over six months, maybe that role has 300 permissions, but all of those users, they really only use about 30. So you need the ability to pare that down. And the other thing is you need the ability to really understand who's coming in and who's doing what, right?

So you need the logging, you need the tracking. And that's where I think the beauty of Azure Active Directory and AWS IAM Identity Center, they come into place because they're giving visibility into who's coming in, who's actually leveraging that role, because maybe those 1200 people don't need access to it to begin with.

So it is beautiful, single sign on that is, but you've got to be still thinking about it from a least privilege, a visibility and a governance perspective.

Ashish Rajan: As you were saying this example, it hit me, the fact that actually single sign on and even least privilege for that matter has two layers to it as well.

One is the layer that, A, should Ashish even be able to access any of the cloud environments? That's another least privilege right there. And the other part is also, if Ashish is allowed to access the cloud and said cloud environment, what he or she should be able to do in that permission level. So there are almost two layers there as well.

Already adding to the [00:16:00] complexity of just this, I'm curious in the customer conversations you have, is there any common themes that come out in how people are addressing least privilege?

Jeff Moncrief: Yes. So common themes, I would say the biggest one is the scale of the problem. It's not an identity problem.

It's not an identity mess. The term I've used for years is that when we plug into the majority of mature cloud environments, it's an identity crisis. That's a big thing is that you have to understand that there's so many skeletons in the closet. There's so many admin level accounts. There's so many accounts.

They have things like IAM PassRole. They can just give themselves admin level accounts. So things like that, again, before you even get to least privilege, there's that massive unused attack surface. So it's just visibility into how big the problem was, obviously I'm not going to say who, but I've been on so many calls over the years where we light it up like a football stadium in the middle of the night.

Illuminate everything. We show all the skeletons and the cockroaches and what do they want to do? They want to shut the door, but you can't, right? You can't be naive at that point, right? So I think the scale of the problem, right? But then I think the other thing is the fear and the paralyzation. There's this fear of if I [00:17:00] delete something, it's going to break something and then I'm going to lose my job or I don't know if I can delete this identity because those folks are no longer here. That project was three years ago.

I have no idea why that's there, right? So you have to go on this research project. Imagine doing that at scale. It becomes honestly, and this is a bold statement. It becomes something that you cannot achieve. You can't achieve it. It becomes an impossible task with how time consuming it is, right?

Ashish Rajan: I think it almost makes me feel to what you said we've been talking about the cloud native option, giving you visibility in terms of even starting this, to your point about paralyzation, people might just be like, Oh.

Damn. Yes, that's great. How do I even start? What's the ground zero for anyone to even start doing it? Even if they were to go, at this point in time, I want to start with native tooling first and go down this path and see how far can I go. Is there a starting point when there is already an identity crisis?

Jeff Moncrief: Yes, there is a starting point. Okay. And that gets us back to not focusing on individual identities across all your accounts and getting them to least privilege and paring them down to a certain level of permissions. The first thing that you have to do is you have to have [00:18:00] visibility into the unused environment.

I'm going to keep going back to that unused. 92 percent of the permissions fabric we find on average here is available open online and not used as it relates to services, regions and identities that are not being used, but exist with grants and entitlements, but they're not used 92%. That's fascinating.

Yeah. Wow. Fascinating. Only 8 percent living and breathing and doing anything. There's a method to the madness. Number one, visibility and removing the unused attack surface. What you're left with is the running cloud. Okay. So that's what you need for your applications to live and breathe.

Now that you can focus on truly stripping out the reads and the writes of that identity is truly shouldn't have that. And then looking at things like lateral movement attack paths. Okay, now I need these, this is how it's architected to live and breathe. I've gotten rid of everything unused, but I actually have these insane, like privilege escalation, toxic combination scenarios that I don't want to tolerate that risk.

So maybe there's a way that [00:19:00] we could rearchitect that a little better. And then the things that have to be there. Ashish. Whether those are break glass accounts, admin level accounts, whatever that might be that you've deemed Oh. This has to function, put those little trip wires around it, be alerted to drift, be alerted if someone accesses something that they should never access, either if it was nefarious or just an admin being lazy, right? You need those alerts. So there's that governance component as well. But that's what we've learned over the years is that you can't just light it up and start saying that has too many permissions or we need to get that one to at least focus on everything that's unused, then governing what's left and removing those more advanced identity risk scenarios.

And, start where it matters with crown jewels, start in prod, start in sensitive. And that's the other thing is that folks light up everything and they're worried about all these least privilege problems in a sandbox. Who cares, right? Focus where it matters. Work your way out from there. Zero trust where it matters from mindset, zero trust mindset from a privilege perspective down to, focusing on just things that are just super, super egregious in those less important zones.

Ashish Rajan: [00:20:00] No, that's awesome. And any frameworks you recommend as well as the people cause you almost went through what you said about this as well.

If people were to choose the path of either getting a third party or doing it themselves, we have a starting point. Is there any known or maybe perhaps a framework you recommend people can use as a maturity thing as they go down the path of doing least privilege in their organization including some of the challenges they might face and some you've already called out.

Jeff Moncrief: Yes. And this isn't, we're not reinventing the wheel here. So as it relates to frameworks. It gives you a guide. It gives you a starting point for years and years. That led to the birth of the CSPM movement, we'll call it and cloud security posture management tools with just reporting on CIS benchmarks.

PCI, the CSA's framework is the CCM, I think. So think about those frameworks five years ago, right? They were just saying, Hey, you've got an exposed S3 bucket or you don't have logging enabled. They were very configuration. This is on, this is off kind of thing. As far as what they reported on.

Yeah. Over the years, those frameworks, those standards, those organizations have gotten with the program that identity matters, least privilege [00:21:00] matters, so they all have a component now for years. Now they've had a component for least privilege. I think that what matters is the tooling that you use to grade and score on that, because a lot of that kind of first gen or even all the cloud native CSPM stuff barely touches the surface of least privilege.

Yeah. Okay. So you're going to be getting a false sense of security if you're grading and scoring on something that's not really focused and purpose built on also illuminating the permissions attack surface. And that's where you're going to get in trouble. And that's something that for years and years, I've always said to people, if you're not factoring in toxic combinations, unused identities, least privilege, lateral movement scenarios into your scoring, then you have a false sense of security, right? And that's something that we've been doing around here for years is factoring all of that into PCI reports, CCM, all that stuff. It is what it is. I say, you get a better risk score. We're going to ding you a lot more,

Ashish Rajan: but it's going to tell you the truth.

I love what you mentioned about the framework, because some of them may not have matured with the time as well. Some of them are probably still stuck with misconfiguration. Some of them have matured to the point that you have a [00:22:00] sense of the fact that yes, probably I need to look at identity.

Cause at the end of the day, that's what matters. It's funny. I think when people start the conversation with identity is most important and then we go to misconfiguration, you're like, didn't we just say identity is most important? And we just switched the conversation to like misconfiguration.

Jeff Moncrief: Here's the thing, and this is something that we have to take into consideration, least privilege and visibility across the access fabric from a risk perspective.

For a lot of organizations over the years. It's been a nice to have not a need, the need to have that checkbox is my CIS benchmark, my PCI report, right? Even though they may understand that it matters, the business requires that they focus on basic report or whatever, just to, and again, those are great.

They're exposing risk, but it truly is a one piece of the puzzle. Now you cannot be secure by just doing CSPM reports anymore. You can, that is a part of a layer in defense strategy that you need to use, but you also need to be focusing on the permissions attack surface identity. IAM and how folks can just log straight into the middle of your cloud and have their [00:23:00] way.

They don't have to worry about the kill chain. They don't have to exploit workloads. They don't have to do any of that mess. They just log in. I've been saying that for years. They just log in from my laptop, right here, a dead center in your cloud with the AWS or Azure or GCP command line with a credential that I just grabbed out of the latest GitHub data exposure.

And it happens every week.

Ashish Rajan: And I think maybe one more question is around decision makers who are working on this to what he said, right? Most of the years, least privilege has always been looked at like a good to have yeah. We'd love to be RBAC. Yeah, up there. Definitely something which is important, but let's get to it after this feature is developed or let's get to this after this is done.

How would you see them talk about the ROI for this to the wider business or as in communicating back up the ladder in terms of why is it important or why it would be beneficial for them to spend time doing least privilege.

Jeff Moncrief: That's the challenge that I think has been just in front of my face and anyone that's trying to tackle this mess all these years.

It's so hard to show ROI with least [00:24:00] privilege because it's so hard to get there. It really is. And even when you get there, those 2000 identities that took you 10 months to secure, at that 10 month mark, you have to start over because there's 2000 more identities, right? So it's just a never ending almost the whole insanity thing, doing the same thing over and over again, expecting something different.

So that's again, what led us to create this Cloud Permissions Firewall, because you can remove 92 percent of that risk, that surface in a matter of days safely with the world's first permissions focused firewall. And I know that sounds salesy, but this is a way that you can actually go up the chain and you can show the execs, check out what we just did.

Watch that risk trend go straight down. And we did it safely without having to remove or delete anything, right? Because we've got this new capability in that's able to quarantine zombies, unused identities, that's able to disable unused services and parts of my cloud and just remove that entire part of the attack surface off the equation.

That's what I love is the ability, the fact that we're now going to be able to go up to those execs and say, [00:25:00] we're making big improvements. In days, instead of years.

Ashish Rajan: And where can people learn more about the entire space and Cloud Permissions Firewall, man, definitely plug that in there as well.

Jeff Moncrief: It's sonraisecurity.com. That's our website. Hit me up on LinkedIn. As you can tell from this conversation here with Ashish, I love talking about this stuff. It's what I've lived and breathed for the last four years is securing the identity fabric over here at Sonrai. Go to the website. We offer free trial. It's very easy, painless, hands off.

In a matter of days, you can start to get visibility into this permissions attack surface, that we call it.

Ashish Rajan: No, that's awesome, man. And I'll drop, definitely drop your LinkedIn as well as your link for Cloud Permissions Firewall as well. But this was a pretty awesome conversation, man. A, I was definitely impressed by the amount of experience you shared in terms of where you come from and how much time you spend in this specific problem, how people can show ROI as well.

So I appreciate you coming and sharing this with the audience as well, but thanks so much for coming on the show, man. I really appreciate this.

Jeff Moncrief: Oh, this is, it's been my pleasure. I really appreciate having me on buddy.

Ashish Rajan: Thank you for listening or watching this episode of Cloud Security Podcast. We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet.

And if there's a particular cloud [00:26:00] security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info at cloudsecuritypodcast.tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity.

How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT, and everything else continues. If you have any other suggestions, definitely drop them on info at CloudSecurityPodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily.

Otherwise, I will see you in the next episode. Peace.