October 2, 2024 • 45 mins
In this episode we get to talk about Cloud Security. We will discuss the benefits of moving to the cloud, the different cloud providers, and how to secure resources in the cloud. Some of the key points discussed in the video include: The benefits of moving to the cloud, such as flexibility, scalability, and cost-effectiveness. The different cloud providers, such as AWS, Azure, and GCP. How to secure resources in the cloud, such as using multi-factor authentication, network segmentation, and encryption. The importance of having a cloud security posture management (CSPM) tool. The importance of being aware of the risks associated with using the cloud. Find some resources for learning more about cloud security, at the Cloud Security Alliance and SANS.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
We'll kick it off here.
(00:14):
Hope everyone's ready for Christmas and the holidays.
But good afternoon, everyone, or good morning if you're joining from the West Coast.
What is today, Andres?
It's Wednesday, December 13th and welcome to the latest episode of Security in 45.
We've got a great show for you today as we're going to talk about an introduction to securing
(00:37):
the cloud.
If you've been on the show before, no slides, just good conversation.
That's kind of the motto for the show.
Hope you all had a great Thanksgiving.
Christmas right around the corner.
Down in Miami, are you doing the traditional Thanksgiving?
Did you do the traditional Thanksgiving meal or how was it?
(00:57):
I actually did.
It was, I believe it was the second time I made, we made turkey.
I'm probably not going to take all the credit for that one.
It was good that night, but the next day it was terrible.
No good leftovers there.
Yeah, but no, Mike, this is nice.
(01:19):
Really I'm very excited for today.
We do have two great experts on cloud security.
We have Sudhir Desai and Edmund Nicholas from the security team of Cisco.
Two technical solution experts and this is going to be super exciting.
(01:39):
We're going to pretty much just talk about, you know, high level, how do we approach security
in the cloud.
And basically today is going to be part one of the two parts that we have on cloud security.
So today we're going to cover some basics.
We're going to go over a few pain points, things that we see in the cloud every day.
(02:03):
And then the next section, the next session, which is going to be next month, we're going
to talk about one of our own Cisco's product called multi-cloud defense.
We're going to touch a little bit on that today, but we're going to just leave it for
the next one.
So it's a great topic today.
Well, outstanding.
You know, in terms of cloud security as a topic, I think it's something that people
(02:28):
traditionally have less knowledge and awareness about compared to like a traditional on-premise
security stack, you know, in terms of vulnerabilities, how do we even approach that in terms of
security or do we even need to secure it?
So we're going to have a good conversation today.
Now like you mentioned, this is an introduction and we will follow up next session with more
(02:54):
detail.
Like you mentioned, Andre's multi-cloud defense.
Ed and Sudhir, we're so excited to have you guys.
Sudhir, I've known you a long time at Cisco.
You came in years ago with the Sourcefire for Firepower Acquisition and got to work
with you in TAC.
You're like a legend.
You've been working in the security field for over 25 years.
(03:14):
So this is going to be a great show.
Let's kick it off and we will get right to it.
Ed, first question we'll throw out to you.
Everybody's moving to the cloud.
Like what's with the trend of all these companies moving resources into the cloud?
Clearly there are benefits there.
Otherwise we wouldn't be do it.
(03:35):
I'll open that up to you.
Yeah, so first, thanks Mike, Andre's for having me and Sudhir here to talk about cloud security.
Really when I have these discussions around cloud security with folks, we really talk
about like, all right, what is the as a service model?
How do we consume this module?
(03:57):
Because that's really the difference here.
So at the very highest level, like the benefits of that as a service module is probably like
software as a service or SaaS as some people might say.
This is where you can just consume applications as needed.
We have things like Workday and SAP and Salesforce and there's thousands of billions of other
(04:17):
SaaS platforms out there, but you just consume them.
This is very beneficial because you don't have to deploy anything like that.
The second thing is what about like maybe platform as a service, like PaaS we call them.
So think of it this way.
Like database as a service.
That is a platform as a service.
So how do we consume that?
(04:39):
Think of something like a MongoDB.
That's a platform as a service.
They'll provide you the database and you can just go use the database any way you want.
Build your own tables, do all that type of thing, which is basically a platform and you
use it, you consume it as a service.
And then we're all familiar with infrastructure as a service.
(04:59):
And really what we think over here is like, we have virtual private clouds or VNets.
We have networks.
We have databases.
We have instances, that type of thing.
But we can spend these things out and down as we need them and consume them only as we
want them and be charged only as we need them.
So that's really the benefit of going to the cloud.
(05:23):
It's the service model that it provides.
That's really awesome.
Yeah, no.
It's interesting.
I mean, what I get to see about cloud is so many things combined, so many possibilities,
so many nice things and cool things that you can do.
(05:45):
So that always resonates with me because even though cloud has been around for a long time,
I don't know if it's probably 10 years, 15 years or something like that, but it's kind
of new for everybody, unless you're dedicated on working on cloud.
So that was really good.
(06:05):
Thank you for sharing that.
And one thing I think is interesting is how you just mentioned there's different ways
companies are using it.
You mentioned maybe just using a particular application as a service or doing that whole
platform as a service.
So I guess one of the benefits there I see is flexibility in terms of how your company
operates and you can truly get out of it what you want.
(06:28):
If you just want something as a service that's already made and you just get an account and
you can log in or do we want to kind of customize this with that platform as a service and get
that deployed?
Yeah, that's correct.
Awesome.
Well, Sudhir, I have the next question for you.
This one's going to be just a comparison.
(06:50):
Actually, we want you to go over, if you don't mind, the three main cloud providers that
we get to see and what are the differences if there's anything similar between them?
But if you can share your experience with us, that'll be awesome.
Yeah.
So in the US, at least the three major cloud providers I see are Google, Amazon and Microsoft
(07:16):
with Google Cloud Platform, AWS and Azure respectively.
By the US there are a couple, I know in East Asia, Alibaba or Alibaba is one of the major
ones.
And in Eastern Europe, we have Yandex.
So those are two others that are kind of to be aware of.
(07:37):
But definitely here in the US and between the three, I would say they are much more
similar than they are different because as we were talking about spinning up applications,
doing different things like that, all three of them give you the platform and say, hey,
give us your application, we'll host it.
(07:57):
Or they may have applications already existing from different vendors and all of them do
essentially the same thing.
But the main differences, and I think we'll chat about this a bit more further on in the
webinar, but a few of the main differences are that if you want something simple that
(08:17):
you can just spin up immediately without having to know a lot, definitely Azure could be a
way to go just because of how it's architected on the back end.
Or if you want something that's a bit more network control centric, or if you want something
that gives you more controls, Google Cloud is definitely one that does that.
(08:38):
Or like we have at Cisco with the majority of our applications being built first for
AWS just because we know how to do that and we know how to work with AWS.
And all three of them also provide the ability to do scaling and do load balancing across
(08:59):
instances such as Ed was working on a project earlier, I think it was with one of the Cisco
Lives where he presented on clustering within AWS with firewalls.
So you can just spin up a whole cluster and say, hey, give all these firewalls, you can
(09:19):
have much smaller firewalls so your cost is lower, but you have multiples of them.
And it round robins the traffic between those firewalls.
Or you can do load-based scaling.
So if you have the need to rapidly expand your firewalling capabilities, great.
You hit a button or you get an alarm coming in from the system saying, well, your load
(09:45):
is going above 80%.
Give me some more firewalls.
And so Terraform as the example for the automation side of it can go and spin up more firewalls
for you and then bring them back down once your load lowers.
So I think those are pretty much the benefits and then the little differences here and there.
(10:12):
It's interesting hearing like, yeah, it's a good point that I guess when you say they
are more similar as opposed to, I guess maybe that's the way I think of it is they're offering
the same basic service.
It's just how they're customizing it a little bit differently.
I mean, in terms of one offer has a bigger catalog of services and the other can have
their little unique parts about them.
(10:35):
Do you guys find that customers are using all three?
One customer, how common is it to be like, in my organization, I'm spreading out that
multi-cloud environment?
I mean, I see obviously in the larger enterprise, diversity is definitely good.
You don't want to have all your eggs in one basket.
(10:57):
And so a lot of my enterprise customers are saying, hey, we want to diversify in two,
three, maybe even four different public clouds or even private cloud.
So think of it that way.
So it's very normal for us to span across all.
That's why they have security to be able to reach into all three or four or five clouds
(11:20):
is very important, especially in the larger organizations.
And I was going to say, I've seen pretty much the same thing, especially after AWS East
went down a few months ago.
A couple of my customers said, well, we had everything in AWS that went very poorly for
(11:41):
us.
Let's diversify and get out into the other clouds.
I will say that the word multi-cloud started to make trends at that time.
What about cloud infrastructure?
I think it's confusing.
(12:05):
How do packets work in the cloud, for example?
If I'm real familiar with just the traditional IP based network, is that how the cloud works?
How's my data working there?
How do we talk about or learn about those differences?
Well, a little bit.
So IP is still IP and packets, datagrams are still packets and datagrams, but there is
(12:29):
a big difference.
And it's the way you want to consume it, especially when we're talking about securing the cloud,
but specifically what are you securing?
Because them constructs that you have in a traditional network, like you have your segments
and your VLANs, your route domains, you have your NAT, you have all this stuff that you're
used to having.
(12:50):
And we kind of have that all in public cloud as well, but it's different.
It's virtualized.
There's some things that you're not going to get, like there's no layer two in public
cloud.
So we have to take that into consideration.
But really, them boxes, them IP addresses, them VLANs, them static things that we're
used to configuring, they're not really there in the public cloud.
(13:15):
They're served a little bit differently.
So we serve services, right?
That segment, that segmentation inside a public cloud is a little bit different, right?
So in VPCs, like you think of a traditional network, right?
I have a segment, I have a VLAN, I have a subnet inside there, but you're not going
to be able to, you're not only going to be using them resources inside them VPCs, right?
(13:37):
You're going to be using resources that are extended way behind that.
Like we already talked about database as a service, right?
We have database, you're going to be using maybe some serverless functions.
You might be using like managed Kubernetes.
You may be using container services.
Like these are all things that we were able to spin up and spin down.
(13:59):
And obviously things that you can just build inside.
Like when I talk about the difference between what I get with AWS as compared to what I
get with Microsoft Azure is a lot of my services in Microsoft are going to be your standard
Microsoft services, right?
I'm going to get Exchange, I'm going to get AD inside the cloud and not have to worry
(14:20):
about it.
But in AWS, I might be more dev-centric, so more DevOps.
I might be using CI-CD code pipeline inside there.
Like these are things that we need to start to understand how to secure.
A lot of info on that one.
And it's, we get to see it.
(14:41):
We get to see a confusion.
I do remember when you mentioned the layer two piece, no ARP.
Yeah, it was interesting.
I know there's a few things in differences between the networking inside of Azure and
AWS, but that's interesting stuff to know.
(15:05):
And it's interesting, like, because as Ed, you were given that overview there, I was
kind of thinking about, yeah, you do hear about differences like with load balancing
with firewalls and certain caveats when you do that type of feature in the cloud in terms
of, yeah, like you said, there's no layer two network and you got to think about it
(15:27):
differently.
Definitely.
Yeah, well, think about it like I said, in every EC2 instance, there's more likely that
EC2 instance isn't just serving up one application.
That EC2 instance is probably doing multiple things, probably has containers built inside
of it.
You need to know how to secure that.
You need to know what's going on inside of that device.
So a firewall outside there or an IPS device outside is only going to give you north-south
(15:51):
visibility.
It's not going to give you what's going on east-west inside of the application itself.
Yeah, that's true.
Yes, people's moving to the cloud, but what about this?
And I don't know if everybody just asked the same question.
I think we do at some point, but we think is our data safe?
(16:13):
Can we assume that this thing going to be always available?
I know we mentioned some of the fails of multiple clouds and things like that, but what do you
think?
If you can share with us when somebody is thinking about that, what would you say?
(16:34):
I would say that there is no responsibility on the cloud vendor to keep it safe unless
you have entered into a specific contract with the cloud vendor to provide any sort
of security.
Going about this another way, I know in the federal space there are specific clouds, like
(16:58):
specific instances of AWS cloud or Azure that do provide a bit more security so that the
frameworks that those clouds have to meet, the security frameworks can be actually in
implemented.
So, there are additional pieces of security that are provided by the vendor in that case.
(17:19):
But for the most part, your data is your data.
You need to make sure that, again, utilizing the principle of least privilege, you need
to make sure that only the people, only the objects, only the other scripts that need
to have access to that specific data have access to that specific data.
(17:42):
And I think in the cloud, a lot of it, we just kind of think of like, yeah, we're just
tossing stuff to the cloud and it's accessible from anywhere.
But then we forget that the confidentiality, integrity, and availability of the data is
a big balancing game.
(18:03):
The most secure computer is in the Marianas trench encased in 10 feet of concrete.
But that's not feasible for availability of the data.
So you definitely need to make sure that when you put data into the cloud, that you're putting
acceptable industry recognized security around that.
(18:27):
We have a bunch of components here or products here at Cisco that can help with that.
I'm not going to get onto the Cisco piece.
But it's like whatever you do put the data, yeah, as I mentioned before, whatever you
put the data into the cloud, you have to make sure that you are taking responsibility for
that data and not just leaving it around.
(18:50):
Whether that's encryption, whether that's something like a web application firewall
front end in front of your applications, or if there are any data recovery sites you might
use, let's say, hey, I have three or four instances of this data.
We were talking about it before in terms of the multiple clouds where AWS may go down,
(19:15):
but do we have business continuity elsewhere in AWS with another region or Google Cloud
or Azure for the US market?
But yeah, it's definitely on you, the consumer, to ensure your data is protected at all times.
And I think it's important to know that there's a few, I don't want to say just procedures
(19:43):
or things, but just frameworks, like the one, the customer responsibility matrix and the
framework for cloud architecture.
So yeah, those are things that exist in the cloud world.
And I guess it's interesting and important to know them.
(20:06):
I just, before we get on to the next question briefly, I just think that's maybe the biggest
takeaway from today's conversation is, yeah, don't assume your data is safe in the cloud.
Like, and it's just further evidence of having your network and security teams working well
together.
Like it's one thing to make that data available, but like, man, don't make any assumptions
(20:27):
there.
Excellent.
Okay.
Since the cloud is not completely safe, how about some examples of recent attacks maybe
that some of us or some people on the call here today have maybe heard about, maybe on
the news, any that you'd want to touch on there?
(20:48):
And Mike, so there's a couple of things a couple of years ago.
I don't know if you guys remember, there's a big data breach at Facebook where they had
like 530 million user accounts compromised and nothing Facebook had to pay out $5 billion
in damages or something like that.
Something crazy.
And that was just exposed from a vulnerability within one of their applications.
(21:11):
Now, obviously vulnerability management is a big piece, but how do we tie that together
within the cloud itself?
Like taking another use case here, like a few years before that, inside that Alibaba
cloud, they got hacked for like a billion user accounts.
(21:32):
And that was done because of like their own misconfigured cloud resources had like no
authentication or authorization.
They just went in and took it.
And then obviously without the break any chops, but LinkedIn also leaked like 500 million
profiles, but that was from just like a bot on the web, just scraping data from it.
(21:55):
So the idea here is we really need to be able to secure the cloud itself, but like we also
need to secure what's in the cloud by using things like posture management.
So cloud security posture management is a big thing inside of cloud.
And what that does is allow you to see exactly what is exposed.
(22:17):
What's the attack surface of the cloud resources that you have out there?
And then also take it a step further, adding in the attack surface management as well.
So what's that blast radius within that cloud?
How far can an attacker actually get into your environment?
I always take a say, like, I mean, we talked about this the other day, but when you have
(22:41):
like an S3 bucket that's just exposed to the public, that's pretty easy to figure out.
So, you know, any cloud security posture management is going to say, yeah, don't do this.
This is bad.
Right.
But what happens if that S3 bucket is then attached to an EC2 instance that is attached
to a web front end that is exposing that, and there's some sort of vulnerability within
(23:03):
there that allows all the data in your S3 bucket to be exposed on that web front end.
Like, these are things that we need to map together in cloud security posture management,
attack surface management, and a whole bunch of other products and solutions that I'll
talk about maybe a little bit later will kind of give you more information around what's
(23:25):
going on around your application and your cloud.
Yeah.
I know we've talked internally at some point about those things, like, for example, and
we gave a really good example, but I've also seen a lot of S3 buckets being publicly available
(23:48):
just because they were misconfigured or there were some sloppy configurations that, you
know, were not finished, were not locked down in the ass.
And then we get to see a lot of data being exfiltrated from those customers.
And at that point, it's part of that message about the customer responsibility, right?
(24:12):
So it's a risk.
Definitely it's a risk.
And that number, like the Facebook one, like $5 billion, it's just incredible to think
about.
I mean, talk about saving money by being proactive with your security as opposed to paying after.
I mean, it's incredible.
Yeah.
Facebook's big, but $5 billion stings Facebook.
(24:34):
Yeah.
This is going to be a super open question, but what do we do?
What are the first things that we do?
We start thinking of when we start deploying these things, workloads to the cloud and things
like that.
How do we prevent attacks?
How do we secure resources that we have inside of the cloud?
(24:56):
What are options?
If we see that as an alternative.
Yeah.
So I can take that really quickly.
I would say utilize the tools in the cloud.
Each cloud provider has a set of security tools that are built for it.
(25:16):
And then if you have multiple clouds, or even if you have a single cloud provider, but you
want to normalize that your risk exposure across your entire infrastructure, you can
go with a product like Multi-Cloud Defense, which we'll talk about.
I think we have another session coming up on that, but something like Multi-Cloud Defense,
(25:40):
which gives you the ability to say, this is what our security posture needs to be.
We want that security posture to be, I guess I just gave a thumbs up somehow.
We want that security posture to be available across our entire environment, across each
one of our public cloud vendors that we're utilizing.
(26:03):
And so utilizing something like that as well to ensure that unified posture is a good thing.
Also multi-factor authentication is always good.
I know here at Cisco, it was a bit of a headache once we migrated to multi-factor with Duo,
but now that we've really gotten into, now that we've really seen how easy it is to use
(26:30):
multi-factor authentication once it has been set up, because I think that's the biggest
hurdle is actually getting everything set up.
Once you get a good workflow going, even through multi-factor authentication, it doesn't take
much longer than what it did before to actually get, to have that data available to you.
(26:51):
And again, as I said before, it's definitely about that balance between availability and
security or availability and confidentiality, where as long as you have access and you're
ensuring that access is controlled, that you're good to go.
I will also say that on the backend, it would also help something like multi-cloud defense
(27:15):
or any other log storage that you can have to go through and check your audit logs and
make sure that you have a product that will help you looking through audit logs and flagging
any anomalous behavior, such as a service account that you don't expect to change permissions
(27:36):
on a file as an example.
Well, what if it does change permissions on a file?
You may never know unless you have something on the backend saying, hey, we see this behavior,
we think it's bad, let's escalate an incident for it.
I think one thing that's coming around within Cisco at least that we can do it, that we
(27:58):
can help use is like FDR, where it can push events to the foreground that you may want
to say, you should look at this behavior, it doesn't look good to us, let's just make
sure it is actually good or it's bad, and then we can go forward and do more of a deep
(28:19):
dive investigation on it.
That's true.
I think we do have some interesting capabilities inside of FDR that can see that traffic, and
they can raise events or incidents and things like that, so that's a pretty cool interesting
plug on XDR.
(28:40):
I like that idea, Sudhir, that's like a good proactive approach.
Ed gave the example of Facebook having to pay all that money back, but to your point,
you were just bringing up something that's proactive.
Maybe it's just anomalous, it's an incident, or maybe it's an event, not a true incident,
but we're just being proactive about it.
(29:02):
The other thing that just came to my mind is with something like XDR, whether it's Cisco
XDR or not, but combining all our telemetry from the on-prem that we're familiar with,
but also with the cloud and those flow logs that we've been talking, so very cool.
(29:23):
I think we've been having a really interesting conversation, and if you want to learn more
about this type of thing, how did you guys get started, or where do you recommend someone
listening to this?
I want to learn a little bit more about the cloud, how it works, and securing it specifically.
Where's a good place to get started without getting bombarded with too many details?
(29:47):
Yeah, I always tell people to go to the Cloud Security Alliance homepage, so that's cloudsecurityalliance.org.
This will get you up and running as far as anything cloud, anything cloud-native.
It'll give you best practices, it'll go through cloud compliance, it'll give you top threats.
(30:08):
It'll give you all that type of stuff if you're taking a look and digging into, hey, what's
the cloud actually exposed to?
And then obviously the other ones is SANS, because SANS.org does a really good job of
bringing together some very detailed information around cloud security awareness, cloud security
(30:31):
awareness training, DevSecOps, AppSec, so application security.
The one thing that people, I think, get a little bit confused around is what's the difference
between DevOps, DevSecOps, and application security?
They're all really different things, but DevSecOps is really just part of DevOps, but it's got
(30:56):
its own little niche.
And then the other thing that I really want people to start to dive into, and I would
say the biggest thing, is cloud-native application protection.
So I talked a little bit earlier about cloud security posture management, attack surface
management.
(31:16):
Well, a lot of tools out there today are geared towards taking them, too, as well as workload
protection, container Kubernetes protection, API security, CI, CD security, repo security,
all this stuff, code security, application security, and rolling it in the one platform
(31:39):
so you can start pivoting through all these things into one interface.
So now, if I have an EC2 instance that's running Kubernetes master or is running a Kubernetes
stuff, and it has containers running on it, and it's got workloads running it, and then
workloads have APIs, and then APIs and code are running through a CI, CD pipeline, you
(32:01):
want to stitch this all together and give you one holistic view of all the security
in there.
And that's what CNAP, cloud-native application protection, is going to be able to give you.
So the first one you mentioned was cloudsecurityalliance.org, and then CNAP.
What does CNAP stand for one more time?
(32:24):
Cloud-native application protection platform.
Write this down because I'm going to check these out as well, so thank you.
We always get to learn so much when we do this.
I know.
I love these.
All right.
I guess we're going to move to the next one, and this is going to be pretty much a segue
(32:46):
into multi-cloud defenses that we're going to ponder off to our next episode or next
month.
But I know everybody on this call knows that Cisco came up recently with a new thing called
the Cloud Protection Suite.
(33:08):
This is if you can tell us a little bit about what...
And this is just going to be a point product inside of this suite of software for our customers.
But if you don't mind, Siddharth, if you can expand on the multi-cloud defense, what is
it?
(33:28):
We're going to expand more on it, but if you can give us a little teaser on that and add
if at the end you want to add something, feel free to add it.
Yeah, sure.
So multi-cloud defense, what I mentioned briefly before, Cisco, as you guys know, loves snapping
(33:48):
up companies that provide extra security for us.
I came from an acquisition 10 years ago now, 11 years ago now, and we're always trying
to innovate as well as purchase to innovate.
And so recently we purchased Valtix, which essentially is the same thing as multi-cloud
(34:11):
defense.
And their three main products were protecting Oracle Cloud, AWS, as well as Azure Cloud.
And that's kind of the background.
And I will say if you haven't heard of it or you're not familiar with it, and maybe
(34:33):
you're familiar with Tetration or Secure Workload, where we have agents that run inside of a
virtualization environment that dictate the firewall status and the firewall rules of
every single workload running within that environment, that's essentially what multi-cloud
(34:54):
defense, what Valtix is and what they do.
And so what we can do is we say, hey, actually, as I mentioned before regarding that single
security posture, normalizing your risk profile, it allows you to say, cool, we have a set
of APIs on the side.
We're going to go in.
We're going to set up some virtual private containers.
(35:17):
We're going to set up some networks inside of the cloud.
And we're going to pass all the data through, make sure that it is secure, make sure that
the firewalls in those pieces of software do what they need to do and make sure that
your data is safe.
That's kind of the 10,000 foot view of multi-cloud defense.
(35:41):
But yeah.
I always like to tell people the multi-cloud defense is take all them firewalls.
You can't take a physical firewall and stick it in the cloud.
It doesn't fit.
The idea is take a security appliance, put it into your cloud, cloud natively.
(36:01):
What that means is let's use cloud constructs to build it.
Let's not stick a firewall in there.
And then let's allow that to then inspect all the data as it's going through your VPCs
and between VPCs, ingress, egress, everything, and then apply things like traditional firewall
(36:22):
rules, but also web application firewall, IPS, AV, anti-malware, so on and so on.
This way you don't have to worry about stitching, routing stuff through a firewall anymore.
It just does it natively.
And then you have that one policy over all three different clouds.
So AWS, Azure, GCP, you have one policy.
(36:45):
And then you have all your dynamic rules and dynamic objects bubbled up into that one policy.
And then you're ready to go.
And you deploy the whole thing via automation.
Does that one, just to kind of round this up, does the one policy mean I don't have
to know about the details of each individual cloud?
(37:06):
Does that help with that?
Okay.
Yes, exactly.
Okay.
Well, that's going to be a great, great topic for next month, but a nice little overview
there.
Quick time check.
We're looking good, Andres.
I think we've got time for some dad jokes here if you guys are okay with this.
(37:26):
Now let's get right to it.
So really interesting question I was thinking about, because we're talking about data storage
in the cloud.
And I've heard people ask about this.
Is it true that if it's raining, that we need to be a little concerned about our data getting
wet and potentially corrupt?
(37:49):
Yeah, no, I think you definitely have to worry about that.
I don't know how to kind of explain how that happens, but if it rains, you're screwed.
So now that seems to me like we need a product for that, like some type of waterproof thing
(38:09):
that can go around our resources in the cloud.
Excellent.
Okay.
We already have it.
It's called Umbrella.
All right.
I hope I don't mess this one up, but here's a million dollar idea probably.
(38:31):
If anybody going to steal it, just let me know.
But is it a good idea or maybe a stupid idea?
But what about a security application, security app where if you cough on your computer, your
antivirus will tell you, will start running and tell you if you're sick or not.
What about that?
(38:53):
I think you're a little bit late to that one, man.
I think Apple already does it.
So you can cough on your phone and it'll be like, oh, you're contagious.
Stay away from others.
Yeah.
I think it's more like COVID one time.
That's a great idea, but we're going to think of something else if we want to retire early.
(39:13):
Yeah, I know.
Someone's already done that.
One thing, some people, it's been like a trend, a lot of people going vegan and even just
like vegetarian, but have you heard about that new technique people are doing when they
go to the grocery store so that they don't walk down the canned meat aisle and get tempted?
(39:37):
They have, it's called like a spam filter.
That's terrible.
Who doesn't like spam?
I know.
I mean, I think even vegetarians should like it.
Exactly.
It's fake.
Who doesn't eat that?
(39:57):
All right.
All right.
The next one is going to be fun, but have you guys heard about this cyber criminal that
was able to get into heaven?
Funny thing is that he apparently found the password to the gate that had not been changed
in about 2000 years.
Oh man.
(40:18):
You know, you would think they'd have better security than that.
Or at least like, or at least like an MFA, even with the bad password, if they have basic
MFA in heaven, they still wouldn't have been able to get in.
I got to go confession just from hearing that.
Right.
What do we got?
(40:41):
Time for two more, you think?
We started a little bit late.
What do you think, Andre?
Two more?
What would sting more?
If you were like, you know, paying ransomware because you did not have your security in
layers or having to peel actual layers of onions.
(41:05):
Onions.
Onions.
Onions.
Yeah.
Onions are the worst.
But what if it was Facebook for $5 billion?
I'll take 5 billion.
All right.
And I guess the last one, this one is very, very with the theme of this month, but does
(41:31):
Santa have any cybersecurity concerns?
I don't know.
I think maybe seeing as he is who he is, he may be worried about Talos shutting down his
botnet.
I don't know.
(41:56):
Well I know I have truly enjoyed this session.
I think one of the best sessions we've had.
Just a quick recap of today's topic.
So I thought it was interesting talking about the benefits of moving to the cloud.
We all know everyone's doing it, but why are they doing it?
But getting that as a service model that's just instantly available and then having the
(42:19):
redundancy and the availability is huge.
We talked about and compared AWS to Azure, GCP.
Sudhir you touched nicely on maybe thinking about them being kind of more similar than
they are different, but they each have their unique differences in terms of what they're
offering, how they work, and then in terms of offerings of each cloud.
(42:44):
And then Ed, nice example comparing kind of like quote unquote routing between an on-prem
network and then moving to the cloud where we've got APIs and we've got containerization
there.
And then the risks in the cloud.
I thought one of the main takeaways, I said this earlier, but just being aware of that
(43:04):
misconception that just because you drop something in the cloud doesn't mean it's secure.
So just being aware that safety and security do need to be layered in on top of whatever
you put there.
So just some takeaways for me.
Yeah.
And from my point of view, I think just thinking about those specific tech tags that we talked
(43:29):
about a few minutes ago, make sure that if you're implementing things to a cloud, make
sure you secure them.
If you don't know, if you're not sure what you need to secure, I guess there's an app
for that.
There's a few services for that, of course.
Then I know along the hand with that one, cloud security posture management, that's
(43:51):
another thing that be on the lookout for.
And the next few things, basics on securing the cloud, make sure that you go and we're
probably going to put it on the event on the communication community space that we have
for the cloud security alliance.
(44:11):
This is a really good recommendation.
Same thing for cloud native application protection.
There's more information there.
Again, same thing that I just mentioned, there's an app for that.
And the last part on multi-cloud defense.
There's actually three things that I do really like about multi-cloud defense, just to give
(44:35):
you some info for, to look for the next webinar, network visibility, routing and connectivity,
and then security automation.
Those are three key pillars of the actual multi-cloud defense piece.
So super, super nice, Mike.
I guess this has been another one that it's super, super informative and I've learned
(44:58):
a lot.
Don't forget to fill out the survey at the end, Aiden from Indiana State University won
our survey fill out challenge.
He's sporting some nice swag right now, but I do want to give a special thank you to Ed
and Sudhir, just amazing conversation.
Thank you both so much for, and not just for the show, but all you do in the industry to
(45:21):
help keep people around the world secure.
Our next call is going to be part two.
So January 17th, Cisco's cloud native security solution.
Again, it's called multi-cloud defense.
Again, please fill out the survey if you can so you can wear a hoodie or whatever you want.
We'll send out a gift card to the winner there.
I hope you all have enjoyed the session as much as I have.
(45:44):
Happy holidays, everyone.
We will see you in 2024.
Thanks guys.
We'll kick it off here.
(00:14):
Hope everyone's ready for Christmas and the holidays.
But good afternoon, everyone, or good morning if you're joining from the West Coast.
What is today, Andres?
It's Wednesday, December 13th and welcome to the latest episode of Security in 45.
We've got a great show for you today as we're going to talk about an introduction to securing
(00:37):
the cloud.
If you've been on the show before, no slides, just good conversation.
That's kind of the motto for the show.
Hope you all had a great Thanksgiving.
Christmas right around the corner.
Down in Miami, are you doing the traditional Thanksgiving?
Did you do the traditional Thanksgiving meal or how was it?
(00:57):
I actually did.
It was, I believe it was the second time I made, we made turkey.
I'm probably not going to take all the credit for that one.
It was good that night, but the next day it was terrible.
No good leftovers there.
Yeah, but no, Mike, this is nice.
(01:19):
Really I'm very excited for today.
We do have two great experts on cloud security.
We have Sudhir Desai and Edmund Nicholas from the security team of Cisco.
Two technical solution experts and this is going to be super exciting.
(01:39):
We're going to pretty much just talk about, you know, high level, how do we approach security
in the cloud.
And basically today is going to be part one of the two parts that we have on cloud security.
So today we're going to cover some basics.
We're going to go over a few pain points, things that we see in the cloud every day.
(02:03):
And then the next section, the next session, which is going to be next month, we're going
to talk about one of our own Cisco's product called multi-cloud defense.
We're going to touch a little bit on that today, but we're going to just leave it for
the next one.
So it's a great topic today.
Well, outstanding.
You know, in terms of cloud security as a topic, I think it's something that people
(02:28):
traditionally have less knowledge and awareness about compared to like a traditional on-premise
security stack, you know, in terms of vulnerabilities, how do we even approach that in terms of
security or do we even need to secure it?
So we're going to have a good conversation today.
Now like you mentioned, this is an introduction and we will follow up next session with more
(02:54):
detail.
Like you mentioned, Andre's multi-cloud defense.
Ed and Sudhir, we're so excited to have you guys.
Sudhir, I've known you a long time at Cisco.
You came in years ago with the Sourcefire for Firepower Acquisition and got to work
with you in TAC.
You're like a legend.
You've been working in the security field for over 25 years.
(03:14):
So this is going to be a great show.
Let's kick it off and we will get right to it.
Ed, first question we'll throw out to you.
Everybody's moving to the cloud.
Like what's with the trend of all these companies moving resources into the cloud?
Clearly there are benefits there.
Otherwise we wouldn't be do it.
(03:35):
I'll open that up to you.
Yeah, so first, thanks Mike, Andre's for having me and Sudhir here to talk about cloud security.
Really when I have these discussions around cloud security with folks, we really talk
about like, all right, what is the as a service model?
How do we consume this module?
(03:57):
Because that's really the difference here.
So at the very highest level, like the benefits of that as a service module is probably like
software as a service or SaaS as some people might say.
This is where you can just consume applications as needed.
We have things like Workday and SAP and Salesforce and there's thousands of billions of other
(04:17):
SaaS platforms out there, but you just consume them.
This is very beneficial because you don't have to deploy anything like that.
The second thing is what about like maybe platform as a service, like PaaS we call them.
So think of it this way.
Like database as a service.
That is a platform as a service.
So how do we consume that?
(04:39):
Think of something like a MongoDB.
That's a platform as a service.
They'll provide you the database and you can just go use the database any way you want.
Build your own tables, do all that type of thing, which is basically a platform and you
use it, you consume it as a service.
And then we're all familiar with infrastructure as a service.
(04:59):
And really what we think over here is like, we have virtual private clouds or VNets.
We have networks.
We have databases.
We have instances, that type of thing.
But we can spend these things out and down as we need them and consume them only as we
want them and be charged only as we need them.
So that's really the benefit of going to the cloud.
(05:23):
It's the service model that it provides.
That's really awesome.
Yeah, no.
It's interesting.
I mean, what I get to see about cloud is so many things combined, so many possibilities,
so many nice things and cool things that you can do.
(05:45):
So that always resonates with me because even though cloud has been around for a long time,
I don't know if it's probably 10 years, 15 years or something like that, but it's kind
of new for everybody, unless you're dedicated on working on cloud.
So that was really good.
(06:05):
Thank you for sharing that.
And one thing I think is interesting is how you just mentioned there's different ways
companies are using it.
You mentioned maybe just using a particular application as a service or doing that whole
platform as a service.
So I guess one of the benefits there I see is flexibility in terms of how your company
operates and you can truly get out of it what you want.
(06:28):
If you just want something as a service that's already made and you just get an account and
you can log in or do we want to kind of customize this with that platform as a service and get
that deployed?
Yeah, that's correct.
Awesome.
Well, Sudhir, I have the next question for you.
This one's going to be just a comparison.
(06:50):
Actually, we want you to go over, if you don't mind, the three main cloud providers that
we get to see and what are the differences if there's anything similar between them?
But if you can share your experience with us, that'll be awesome.
Yeah.
So in the US, at least the three major cloud providers I see are Google, Amazon and Microsoft
(07:16):
with Google Cloud Platform, AWS and Azure respectively.
By the US there are a couple, I know in East Asia, Alibaba or Alibaba is one of the major
ones.
And in Eastern Europe, we have Yandex.
So those are two others that are kind of to be aware of.
(07:37):
But definitely here in the US and between the three, I would say they are much more
similar than they are different because as we were talking about spinning up applications,
doing different things like that, all three of them give you the platform and say, hey,
give us your application, we'll host it.
(07:57):
Or they may have applications already existing from different vendors and all of them do
essentially the same thing.
But the main differences, and I think we'll chat about this a bit more further on in the
webinar, but a few of the main differences are that if you want something simple that
(08:17):
you can just spin up immediately without having to know a lot, definitely Azure could be a
way to go just because of how it's architected on the back end.
Or if you want something that's a bit more network control centric, or if you want something
that gives you more controls, Google Cloud is definitely one that does that.
(08:38):
Or like we have at Cisco with the majority of our applications being built first for
AWS just because we know how to do that and we know how to work with AWS.
And all three of them also provide the ability to do scaling and do load balancing across
(08:59):
instances such as Ed was working on a project earlier, I think it was with one of the Cisco
Lives where he presented on clustering within AWS with firewalls.
So you can just spin up a whole cluster and say, hey, give all these firewalls, you can
(09:19):
have much smaller firewalls so your cost is lower, but you have multiples of them.
And it round robins the traffic between those firewalls.
Or you can do load-based scaling.
So if you have the need to rapidly expand your firewalling capabilities, great.
You hit a button or you get an alarm coming in from the system saying, well, your load
(09:45):
is going above 80%.
Give me some more firewalls.
And so Terraform as the example for the automation side of it can go and spin up more firewalls
for you and then bring them back down once your load lowers.
So I think those are pretty much the benefits and then the little differences here and there.
(10:12):
It's interesting hearing like, yeah, it's a good point that I guess when you say they
are more similar as opposed to, I guess maybe that's the way I think of it is they're offering
the same basic service.
It's just how they're customizing it a little bit differently.
I mean, in terms of one offer has a bigger catalog of services and the other can have
their little unique parts about them.
(10:35):
Do you guys find that customers are using all three?
One customer, how common is it to be like, in my organization, I'm spreading out that
multi-cloud environment?
I mean, I see obviously in the larger enterprise, diversity is definitely good.
You don't want to have all your eggs in one basket.
(10:57):
And so a lot of my enterprise customers are saying, hey, we want to diversify in two,
three, maybe even four different public clouds or even private cloud.
So think of it that way.
So it's very normal for us to span across all.
That's why they have security to be able to reach into all three or four or five clouds
(11:20):
is very important, especially in the larger organizations.
And I was going to say, I've seen pretty much the same thing, especially after AWS East
went down a few months ago.
A couple of my customers said, well, we had everything in AWS that went very poorly for
(11:41):
us.
Let's diversify and get out into the other clouds.
I will say that the word multi-cloud started to make trends at that time.
What about cloud infrastructure?
I think it's confusing.
(12:05):
How do packets work in the cloud, for example?
If I'm real familiar with just the traditional IP based network, is that how the cloud works?
How's my data working there?
How do we talk about or learn about those differences?
Well, a little bit.
So IP is still IP and packets, datagrams are still packets and datagrams, but there is
(12:29):
a big difference.
And it's the way you want to consume it, especially when we're talking about securing the cloud,
but specifically what are you securing?
Because them constructs that you have in a traditional network, like you have your segments
and your VLANs, your route domains, you have your NAT, you have all this stuff that you're
used to having.
(12:50):
And we kind of have that all in public cloud as well, but it's different.
It's virtualized.
There's some things that you're not going to get, like there's no layer two in public
cloud.
So we have to take that into consideration.
But really, them boxes, them IP addresses, them VLANs, them static things that we're
used to configuring, they're not really there in the public cloud.
(13:15):
They're served a little bit differently.
So we serve services, right?
That segment, that segmentation inside a public cloud is a little bit different, right?
So in VPCs, like you think of a traditional network, right?
I have a segment, I have a VLAN, I have a subnet inside there, but you're not going
to be able to, you're not only going to be using them resources inside them VPCs, right?
(13:37):
You're going to be using resources that are extended way behind that.
Like we already talked about database as a service, right?
We have database, you're going to be using maybe some serverless functions.
You might be using like managed Kubernetes.
You may be using container services.
Like these are all things that we were able to spin up and spin down.
(13:59):
And obviously things that you can just build inside.
Like when I talk about the difference between what I get with AWS as compared to what I
get with Microsoft Azure is a lot of my services in Microsoft are going to be your standard
Microsoft services, right?
I'm going to get Exchange, I'm going to get AD inside the cloud and not have to worry
(14:20):
about it.
But in AWS, I might be more dev-centric, so more DevOps.
I might be using CI-CD code pipeline inside there.
Like these are things that we need to start to understand how to secure.
A lot of info on that one.
And it's, we get to see it.
(14:41):
We get to see a confusion.
I do remember when you mentioned the layer two piece, no ARP.
Yeah, it was interesting.
I know there's a few things in differences between the networking inside of Azure and
AWS, but that's interesting stuff to know.
(15:05):
And it's interesting, like, because as Ed, you were given that overview there, I was
kind of thinking about, yeah, you do hear about differences like with load balancing
with firewalls and certain caveats when you do that type of feature in the cloud in terms
of, yeah, like you said, there's no layer two network and you got to think about it
(15:27):
differently.
Definitely.
Yeah, well, think about it like I said, in every EC2 instance, there's more likely that
EC2 instance isn't just serving up one application.
That EC2 instance is probably doing multiple things, probably has containers built inside
of it.
You need to know how to secure that.
You need to know what's going on inside of that device.
So a firewall outside there or an IPS device outside is only going to give you north-south
(15:51):
visibility.
It's not going to give you what's going on east-west inside of the application itself.
Yeah, that's true.
Yes, people's moving to the cloud, but what about this?
And I don't know if everybody just asked the same question.
I think we do at some point, but we think is our data safe?
(16:13):
Can we assume that this thing going to be always available?
I know we mentioned some of the fails of multiple clouds and things like that, but what do you
think?
If you can share with us when somebody is thinking about that, what would you say?
(16:34):
I would say that there is no responsibility on the cloud vendor to keep it safe unless
you have entered into a specific contract with the cloud vendor to provide any sort
of security.
Going about this another way, I know in the federal space there are specific clouds, like
(16:58):
specific instances of AWS cloud or Azure that do provide a bit more security so that the
frameworks that those clouds have to meet, the security frameworks can be actually in
implemented.
So, there are additional pieces of security that are provided by the vendor in that case.
(17:19):
But for the most part, your data is your data.
You need to make sure that, again, utilizing the principle of least privilege, you need
to make sure that only the people, only the objects, only the other scripts that need
to have access to that specific data have access to that specific data.
(17:42):
And I think in the cloud, a lot of it, we just kind of think of like, yeah, we're just
tossing stuff to the cloud and it's accessible from anywhere.
But then we forget that the confidentiality, integrity, and availability of the data is
a big balancing game.
(18:03):
The most secure computer is in the Marianas trench encased in 10 feet of concrete.
But that's not feasible for availability of the data.
So you definitely need to make sure that when you put data into the cloud, that you're putting
acceptable industry recognized security around that.
(18:27):
We have a bunch of components here or products here at Cisco that can help with that.
I'm not going to get onto the Cisco piece.
But it's like whatever you do put the data, yeah, as I mentioned before, whatever you
put the data into the cloud, you have to make sure that you are taking responsibility for
that data and not just leaving it around.
(18:50):
Whether that's encryption, whether that's something like a web application firewall
front end in front of your applications, or if there are any data recovery sites you might
use, let's say, hey, I have three or four instances of this data.
We were talking about it before in terms of the multiple clouds where AWS may go down,
(19:15):
but do we have business continuity elsewhere in AWS with another region or Google Cloud
or Azure for the US market?
But yeah, it's definitely on you, the consumer, to ensure your data is protected at all times.
And I think it's important to know that there's a few, I don't want to say just procedures
(19:43):
or things, but just frameworks, like the one, the customer responsibility matrix and the
framework for cloud architecture.
So yeah, those are things that exist in the cloud world.
And I guess it's interesting and important to know them.
(20:06):
I just, before we get on to the next question briefly, I just think that's maybe the biggest
takeaway from today's conversation is, yeah, don't assume your data is safe in the cloud.
Like, and it's just further evidence of having your network and security teams working well
together.
Like it's one thing to make that data available, but like, man, don't make any assumptions
(20:27):
there.
Excellent.
Okay.
Since the cloud is not completely safe, how about some examples of recent attacks maybe
that some of us or some people on the call here today have maybe heard about, maybe on
the news, any that you'd want to touch on there?
(20:48):
And Mike, so there's a couple of things a couple of years ago.
I don't know if you guys remember, there's a big data breach at Facebook where they had
like 530 million user accounts compromised and nothing Facebook had to pay out $5 billion
in damages or something like that.
Something crazy.
And that was just exposed from a vulnerability within one of their applications.
(21:11):
Now, obviously vulnerability management is a big piece, but how do we tie that together
within the cloud itself?
Like taking another use case here, like a few years before that, inside that Alibaba
cloud, they got hacked for like a billion user accounts.
(21:32):
And that was done because of like their own misconfigured cloud resources had like no
authentication or authorization.
They just went in and took it.
And then obviously without the break any chops, but LinkedIn also leaked like 500 million
profiles, but that was from just like a bot on the web, just scraping data from it.
(21:55):
So the idea here is we really need to be able to secure the cloud itself, but like we also
need to secure what's in the cloud by using things like posture management.
So cloud security posture management is a big thing inside of cloud.
And what that does is allow you to see exactly what is exposed.
(22:17):
What's the attack surface of the cloud resources that you have out there?
And then also take it a step further, adding in the attack surface management as well.
So what's that blast radius within that cloud?
How far can an attacker actually get into your environment?
I always take a say, like, I mean, we talked about this the other day, but when you have
(22:41):
like an S3 bucket that's just exposed to the public, that's pretty easy to figure out.
So, you know, any cloud security posture management is going to say, yeah, don't do this.
This is bad.
Right.
But what happens if that S3 bucket is then attached to an EC2 instance that is attached
to a web front end that is exposing that, and there's some sort of vulnerability within
(23:03):
there that allows all the data in your S3 bucket to be exposed on that web front end.
Like, these are things that we need to map together in cloud security posture management,
attack surface management, and a whole bunch of other products and solutions that I'll
talk about maybe a little bit later will kind of give you more information around what's
(23:25):
going on around your application and your cloud.
Yeah.
I know we've talked internally at some point about those things, like, for example, and
we gave a really good example, but I've also seen a lot of S3 buckets being publicly available
(23:48):
just because they were misconfigured or there were some sloppy configurations that, you
know, were not finished, were not locked down in the ass.
And then we get to see a lot of data being exfiltrated from those customers.
And at that point, it's part of that message about the customer responsibility, right?
(24:12):
So it's a risk.
Definitely it's a risk.
And that number, like the Facebook one, like $5 billion, it's just incredible to think
about.
I mean, talk about saving money by being proactive with your security as opposed to paying after.
I mean, it's incredible.
Yeah.
Facebook's big, but $5 billion stings Facebook.
(24:34):
Yeah.
This is going to be a super open question, but what do we do?
What are the first things that we do?
We start thinking of when we start deploying these things, workloads to the cloud and things
like that.
How do we prevent attacks?
How do we secure resources that we have inside of the cloud?
(24:56):
What are options?
If we see that as an alternative.
Yeah.
So I can take that really quickly.
I would say utilize the tools in the cloud.
Each cloud provider has a set of security tools that are built for it.
(25:16):
And then if you have multiple clouds, or even if you have a single cloud provider, but you
want to normalize that your risk exposure across your entire infrastructure, you can
go with a product like Multi-Cloud Defense, which we'll talk about.
I think we have another session coming up on that, but something like Multi-Cloud Defense,
(25:40):
which gives you the ability to say, this is what our security posture needs to be.
We want that security posture to be, I guess I just gave a thumbs up somehow.
We want that security posture to be available across our entire environment, across each
one of our public cloud vendors that we're utilizing.
(26:03):
And so utilizing something like that as well to ensure that unified posture is a good thing.
Also multi-factor authentication is always good.
I know here at Cisco, it was a bit of a headache once we migrated to multi-factor with Duo,
but now that we've really gotten into, now that we've really seen how easy it is to use
(26:30):
multi-factor authentication once it has been set up, because I think that's the biggest
hurdle is actually getting everything set up.
Once you get a good workflow going, even through multi-factor authentication, it doesn't take
much longer than what it did before to actually get, to have that data available to you.
(26:51):
And again, as I said before, it's definitely about that balance between availability and
security or availability and confidentiality, where as long as you have access and you're
ensuring that access is controlled, that you're good to go.
I will also say that on the backend, it would also help something like multi-cloud defense
(27:15):
or any other log storage that you can have to go through and check your audit logs and
make sure that you have a product that will help you looking through audit logs and flagging
any anomalous behavior, such as a service account that you don't expect to change permissions
(27:36):
on a file as an example.
Well, what if it does change permissions on a file?
You may never know unless you have something on the backend saying, hey, we see this behavior,
we think it's bad, let's escalate an incident for it.
I think one thing that's coming around within Cisco at least that we can do it, that we
(27:58):
can help use is like FDR, where it can push events to the foreground that you may want
to say, you should look at this behavior, it doesn't look good to us, let's just make
sure it is actually good or it's bad, and then we can go forward and do more of a deep
(28:19):
dive investigation on it.
That's true.
I think we do have some interesting capabilities inside of FDR that can see that traffic, and
they can raise events or incidents and things like that, so that's a pretty cool interesting
plug on XDR.
(28:40):
I like that idea, Sudhir, that's like a good proactive approach.
Ed gave the example of Facebook having to pay all that money back, but to your point,
you were just bringing up something that's proactive.
Maybe it's just anomalous, it's an incident, or maybe it's an event, not a true incident,
but we're just being proactive about it.
(29:02):
The other thing that just came to my mind is with something like XDR, whether it's Cisco
XDR or not, but combining all our telemetry from the on-prem that we're familiar with,
but also with the cloud and those flow logs that we've been talking, so very cool.
(29:23):
I think we've been having a really interesting conversation, and if you want to learn more
about this type of thing, how did you guys get started, or where do you recommend someone
listening to this?
I want to learn a little bit more about the cloud, how it works, and securing it specifically.
Where's a good place to get started without getting bombarded with too many details?
(29:47):
Yeah, I always tell people to go to the Cloud Security Alliance homepage, so that's cloudsecurityalliance.org.
This will get you up and running as far as anything cloud, anything cloud-native.
It'll give you best practices, it'll go through cloud compliance, it'll give you top threats.
(30:08):
It'll give you all that type of stuff if you're taking a look and digging into, hey, what's
the cloud actually exposed to?
And then obviously the other ones is SANS, because SANS.org does a really good job of
bringing together some very detailed information around cloud security awareness, cloud security
(30:31):
awareness training, DevSecOps, AppSec, so application security.
The one thing that people, I think, get a little bit confused around is what's the difference
between DevOps, DevSecOps, and application security?
They're all really different things, but DevSecOps is really just part of DevOps, but it's got
(30:56):
its own little niche.
And then the other thing that I really want people to start to dive into, and I would
say the biggest thing, is cloud-native application protection.
So I talked a little bit earlier about cloud security posture management, attack surface
management.
(31:16):
Well, a lot of tools out there today are geared towards taking them, too, as well as workload
protection, container Kubernetes protection, API security, CI, CD security, repo security,
all this stuff, code security, application security, and rolling it in the one platform
(31:39):
so you can start pivoting through all these things into one interface.
So now, if I have an EC2 instance that's running Kubernetes master or is running a Kubernetes
stuff, and it has containers running on it, and it's got workloads running it, and then
workloads have APIs, and then APIs and code are running through a CI, CD pipeline, you
(32:01):
want to stitch this all together and give you one holistic view of all the security
in there.
And that's what CNAP, cloud-native application protection, is going to be able to give you.
So the first one you mentioned was cloudsecurityalliance.org, and then CNAP.
What does CNAP stand for one more time?
(32:24):
Cloud-native application protection platform.
Write this down because I'm going to check these out as well, so thank you.
We always get to learn so much when we do this.
I know.
I love these.
All right.
I guess we're going to move to the next one, and this is going to be pretty much a segue
(32:46):
into multi-cloud defenses that we're going to ponder off to our next episode or next
month.
But I know everybody on this call knows that Cisco came up recently with a new thing called
the Cloud Protection Suite.
(33:08):
This is if you can tell us a little bit about what...
And this is just going to be a point product inside of this suite of software for our customers.
But if you don't mind, Siddharth, if you can expand on the multi-cloud defense, what is
it?
(33:28):
We're going to expand more on it, but if you can give us a little teaser on that and add
if at the end you want to add something, feel free to add it.
Yeah, sure.
So multi-cloud defense, what I mentioned briefly before, Cisco, as you guys know, loves snapping
(33:48):
up companies that provide extra security for us.
I came from an acquisition 10 years ago now, 11 years ago now, and we're always trying
to innovate as well as purchase to innovate.
And so recently we purchased Valtix, which essentially is the same thing as multi-cloud
(34:11):
defense.
And their three main products were protecting Oracle Cloud, AWS, as well as Azure Cloud.
And that's kind of the background.
And I will say if you haven't heard of it or you're not familiar with it, and maybe
(34:33):
you're familiar with Tetration or Secure Workload, where we have agents that run inside of a
virtualization environment that dictate the firewall status and the firewall rules of
every single workload running within that environment, that's essentially what multi-cloud
(34:54):
defense, what Valtix is and what they do.
And so what we can do is we say, hey, actually, as I mentioned before regarding that single
security posture, normalizing your risk profile, it allows you to say, cool, we have a set
of APIs on the side.
We're going to go in.
We're going to set up some virtual private containers.
(35:17):
We're going to set up some networks inside of the cloud.
And we're going to pass all the data through, make sure that it is secure, make sure that
the firewalls in those pieces of software do what they need to do and make sure that
your data is safe.
That's kind of the 10,000 foot view of multi-cloud defense.
(35:41):
But yeah.
I always like to tell people the multi-cloud defense is take all them firewalls.
You can't take a physical firewall and stick it in the cloud.
It doesn't fit.
The idea is take a security appliance, put it into your cloud, cloud natively.
(36:01):
What that means is let's use cloud constructs to build it.
Let's not stick a firewall in there.
And then let's allow that to then inspect all the data as it's going through your VPCs
and between VPCs, ingress, egress, everything, and then apply things like traditional firewall
(36:22):
rules, but also web application firewall, IPS, AV, anti-malware, so on and so on.
This way you don't have to worry about stitching, routing stuff through a firewall anymore.
It just does it natively.
And then you have that one policy over all three different clouds.
So AWS, Azure, GCP, you have one policy.
(36:45):
And then you have all your dynamic rules and dynamic objects bubbled up into that one policy.
And then you're ready to go.
And you deploy the whole thing via automation.
Does that one, just to kind of round this up, does the one policy mean I don't have
to know about the details of each individual cloud?
(37:06):
Does that help with that?
Okay.
Yes, exactly.
Okay.
Well, that's going to be a great, great topic for next month, but a nice little overview
there.
Quick time check.
We're looking good, Andres.
I think we've got time for some dad jokes here if you guys are okay with this.
(37:26):
Now let's get right to it.
So really interesting question I was thinking about, because we're talking about data storage
in the cloud.
And I've heard people ask about this.
Is it true that if it's raining, that we need to be a little concerned about our data getting
wet and potentially corrupt?
(37:49):
Yeah, no, I think you definitely have to worry about that.
I don't know how to kind of explain how that happens, but if it rains, you're screwed.
So now that seems to me like we need a product for that, like some type of waterproof thing
(38:09):
that can go around our resources in the cloud.
Excellent.
Okay.
We already have it.
It's called Umbrella.
All right.
I hope I don't mess this one up, but here's a million dollar idea probably.
(38:31):
If anybody going to steal it, just let me know.
But is it a good idea or maybe a stupid idea?
But what about a security application, security app where if you cough on your computer, your
antivirus will tell you, will start running and tell you if you're sick or not.
What about that?
(38:53):
I think you're a little bit late to that one, man.
I think Apple already does it.
So you can cough on your phone and it'll be like, oh, you're contagious.
Stay away from others.
Yeah.
I think it's more like COVID one time.
That's a great idea, but we're going to think of something else if we want to retire early.
(39:13):
Yeah, I know.
Someone's already done that.
One thing, some people, it's been like a trend, a lot of people going vegan and even just
like vegetarian, but have you heard about that new technique people are doing when they
go to the grocery store so that they don't walk down the canned meat aisle and get tempted?
(39:37):
They have, it's called like a spam filter.
That's terrible.
Who doesn't like spam?
I know.
I mean, I think even vegetarians should like it.
Exactly.
It's fake.
Who doesn't eat that?
(39:57):
All right.
All right.
The next one is going to be fun, but have you guys heard about this cyber criminal that
was able to get into heaven?
Funny thing is that he apparently found the password to the gate that had not been changed
in about 2000 years.
Oh man.
(40:18):
You know, you would think they'd have better security than that.
Or at least like, or at least like an MFA, even with the bad password, if they have basic
MFA in heaven, they still wouldn't have been able to get in.
I got to go confession just from hearing that.
Right.
What do we got?
(40:41):
Time for two more, you think?
We started a little bit late.
What do you think, Andre?
Two more?
What would sting more?
If you were like, you know, paying ransomware because you did not have your security in
layers or having to peel actual layers of onions.
(41:05):
Onions.
Onions.
Onions.
Yeah.
Onions are the worst.
But what if it was Facebook for $5 billion?
I'll take 5 billion.
All right.
And I guess the last one, this one is very, very with the theme of this month, but does
(41:31):
Santa have any cybersecurity concerns?
I don't know.
I think maybe seeing as he is who he is, he may be worried about Talos shutting down his
botnet.
I don't know.
(41:56):
Well I know I have truly enjoyed this session.
I think one of the best sessions we've had.
Just a quick recap of today's topic.
So I thought it was interesting talking about the benefits of moving to the cloud.
We all know everyone's doing it, but why are they doing it?
But getting that as a service model that's just instantly available and then having the
(42:19):
redundancy and the availability is huge.
We talked about and compared AWS to Azure, GCP.
Sudhir you touched nicely on maybe thinking about them being kind of more similar than
they are different, but they each have their unique differences in terms of what they're
offering, how they work, and then in terms of offerings of each cloud.
(42:44):
And then Ed, nice example comparing kind of like quote unquote routing between an on-prem
network and then moving to the cloud where we've got APIs and we've got containerization
there.
And then the risks in the cloud.
I thought one of the main takeaways, I said this earlier, but just being aware of that
(43:04):
misconception that just because you drop something in the cloud doesn't mean it's secure.
So just being aware that safety and security do need to be layered in on top of whatever
you put there.
So just some takeaways for me.
Yeah.
And from my point of view, I think just thinking about those specific tech tags that we talked
(43:29):
about a few minutes ago, make sure that if you're implementing things to a cloud, make
sure you secure them.
If you don't know, if you're not sure what you need to secure, I guess there's an app
for that.
There's a few services for that, of course.
Then I know along the hand with that one, cloud security posture management, that's
(43:51):
another thing that be on the lookout for.
And the next few things, basics on securing the cloud, make sure that you go and we're
probably going to put it on the event on the communication community space that we have
for the cloud security alliance.
(44:11):
This is a really good recommendation.
Same thing for cloud native application protection.
There's more information there.
Again, same thing that I just mentioned, there's an app for that.
And the last part on multi-cloud defense.
There's actually three things that I do really like about multi-cloud defense, just to give
(44:35):
you some info for, to look for the next webinar, network visibility, routing and connectivity,
and then security automation.
Those are three key pillars of the actual multi-cloud defense piece.
So super, super nice, Mike.
I guess this has been another one that it's super, super informative and I've learned
(44:58):
a lot.
Don't forget to fill out the survey at the end, Aiden from Indiana State University won
our survey fill out challenge.
He's sporting some nice swag right now, but I do want to give a special thank you to Ed
and Sudhir, just amazing conversation.
Thank you both so much for, and not just for the show, but all you do in the industry to
(45:21):
help keep people around the world secure.
Our next call is going to be part two.
So January 17th, Cisco's cloud native security solution.
Again, it's called multi-cloud defense.
Again, please fill out the survey if you can so you can wear a hoodie or whatever you want.
We'll send out a gift card to the winner there.
I hope you all have enjoyed the session as much as I have.
(45:44):
Happy holidays, everyone.
We will see you in 2024.
Thanks guys.
Popular Podcasts
Are You A Charlotte?
In 1997, actress Kristin Davis’ life was forever changed when she took on the role of Charlotte York in Sex and the City. As we watched Carrie, Samantha, Miranda and Charlotte navigate relationships in NYC, the show helped push once unacceptable conversation topics out of the shadows and altered the narrative around women and sex. We all saw ourselves in them as they searched for fulfillment in life, sex and friendships. Now, Kristin Davis wants to connect with you, the fans, and share untold stories and all the behind the scenes. Together, with Kristin and special guests, what will begin with Sex and the City will evolve into talks about themes that are still so relevant today. "Are you a Charlotte?" is much more than just rewatching this beloved show, it brings the past and the present together as we talk with heart, humor and of course some optimism.
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com