May 14, 2025 47 mins

When most people think about cybersecurity careers, they envision ethical hackers or security analysts huddled behind screens of scrolling code. But as our guest Brian Eidelman, VP of Cloud Engineering at Oracle, reveals, the reality is far more diverse and fascinating.

Security careers exist in what Brian describes as a three-dimensional landscape. Across one axis, you have different job functions ranging from compliance specialization and policy development to threat research, forensics, and security tool development. Along another dimension are organizational environments—government, financial services, healthcare, technology companies—each with unique security challenges. The third dimension encompasses technical specializations like network security, encryption, identity management, and increasingly, cloud security.

Identity management emerges as a critical focal point in our discussion. Having been one of the original developers of SiteMinder (a single sign-on solution), Brian traces how identity has evolved from simple password systems to today's sophisticated multi-factor authentication and passwordless approaches. In cloud environments where traditional network boundaries have dissolved, "identity is your new perimeter." This shift has created entirely new disciplines around non-human identities—managing how applications, workloads, and services authenticate to one another.

The podcast explores how cloud security differs from traditional approaches, requiring guardrails that maintain security without sacrificing the agility that makes cloud computing valuable. We dig into how the democratization of resources has created new security challenges as developers gain direct access to infrastructure that would have been tightly controlled in on-premises environments.

For those looking to break into the field, Brian offers surprisingly practical advice: unlike networking, where certifications often serve as career milestones, security values demonstrable skills and domain knowledge more highly. His recommendation? When security issues arise in your current technical role, run toward them rather than away. Volunteering for security-related projects and demonstrating curiosity can open doors more effectively than certificates alone.

Ready to explore the multidimensional world of cloud security careers? Listen now and discover where you might fit in this dynamic and essential field.

Connect with Brian:
https://www.linkedin.com/in/brian-eidelman-9b29181/

Purchase Chris and Tim's new book on AWS Cloud Networking: https://www.amazon.com/Certified-Advanced-Networking-Certification-certification/dp/1835080839/

Check out the Fortnightly Cloud Networking News
https://docs.google.com/document/d/1fkBWCGwXDUX9OfZ9_MvSVup8tJJzJeqrauaE6VPT2b0/

Visit our website and subscribe: https://www.cables2clouds.com/
Follow us on BlueSky: https://bsky.app/profile/cables2clouds.com
Follow us on YouTube: https://www.youtube.com/@cables2clouds/
Follow us on TikTok: https://www.tiktok.com/@cables2clouds
Merch Store: https://store.cables2clouds.com/
Join the Discord Study group: https://artofneteng.com/iaatj

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris (00:00):
The mechanisms to create ciphertexts are pretty
interesting.
I'll say the methods.
I don't like the math, but the methods are fun.

Brian (00:09):
In some ways, I think they're too interesting.
If I may inject something slightly spicy and criticize
some of my colleagues.
I've seen way too many people on the review side of things
that come into.
You know that that are that.
You know you'd be surprised.
You know how high a percentage of of people the first thing

(00:32):
they'll ask when they're doing a review is is uh, what, what
random number generation are you using in your encryption?
And it's like.
It's like hey, why do you, why do you care?
I can, I can SSH from any any desk here right into your data
center and there's nothing you know you're worried about random
number generation Right exactly.

Tim (01:04):
Hello and welcome back to another episode of the Cables to
Clouds podcast.
I'm your host this week, Tim at carpe-dmvpn on Blue Sky, and
with me, as always, is my host in need of a thesaurus for all
the adjectives Chris Miles at BGP Main on Blue Sky.
And this week we actually have a very special guest, new to the

(01:28):
podcast, and we brought him here to talk about cloud
security careers because I think networking and security go
really well together.
We've talked about it many times in the podcast and so we
actually just released or sorry, we released earlier an episode
with Cam, again from Oracle,about networking careers and

(01:48):
also interviewing with the tech giant from a network perspective.
So Brian Eidelman is here from Oracle to help us get the other
flip side of that coin with security.
So, Brian, just go ahead and introduce yourself for the
listeners please.

Brian (02:07):
Yeah, thanks Tim, thanks Chris for having me on today.
And so I'm Brian Eidelman.
I'm a vice president of cloud engineering on the field side at
Oracle.
I lead a team of security and networking experts that work
with customers on one.
Networking experts that work with customers on one.
You know, certifying Oracle Cloud Infrastructure, OCI, as a

(02:28):
secure place to you know, an improved place to bring their
workloads and their applications, and then working with them on
designing their tenancy, putting in place their security
controls, designing their cloud networks.
You know, to scale the hopefully many, many apps and
workloads.
And so Cam leads the networking side of my team and I have a

(02:50):
bigger organization on the security side.

Tim (02:52):
Oh, wow, awesome, yeah.
So I mean, how long have you been doing the security thing?
I know, obviously I'm not sure how long you've been at Oracle
but it sounds like you've been doing the security for a while.

Brian (03:04):
Yeah, so I've been at Oracle 15.
So I've been doing security pretty much my whole career.
My first, my first job out of college was uh in uh making a
factory automation software for the semiconductor industry, but
since then I've been in security.
Um I I come at security from the sort of uh developers point
of view, like developing security tools.
Uh I I worked.
I was one of the original developers of uh Netegrity SiteMinder,

(03:24):
which is a single sign-on software.
Oh, wow you know, Okta is sort of the biggest, sort of the
today's version.
You know that's cloud-based and you know so.
I was employee 50 there and was developing web server plugins
as part of a in that role and, um, I was uh worked.

(03:44):
It was employee 12 at Infoblox, which is you guys probably know,
no info yeah, yeah, DNS company, but we did a lot of security,
developed a RADIUS product and uh and then I joined Oracle
working again sort of in a role in in or in on the engineering
side, but it was about two-thirds customer facing
one-third internal projects, basically working on customer
(04:07):
adoption and refining the products of whatever was sort of
new from a security perspective.
And so in the early days that was Oracle's identity management
products and sort of the Java security, and then it became
SaaS security and cloud security and for the last five years
it's been, you know, Oracle Cloud Infrastructure security.

Tim (04:28):
Oh, wow.
So like security development.
Yeah, I don't think I've ever met a security developer before.

Brian (04:34):
actually, you know it's worth mentioning that you know I
went to college thinking I was going to be a creative writing
major and ended up majoring in math.
So you know I don't have a traditional computer science, or
certainly.
You know, back in those days there weren't security degrees
for sure, right, so yeah, for sure I dropped out of uh.

Tim (04:55):
Back date me now, but like back in, I think, 2001, I
dropped out of uh college because it was um comp sci.
It was comp sci or nothing basically at that point.
And, yeah, I did not want to be a developer or be the next
computer engineer kind of person.

Chris (05:11):
So yeah, totally Exactly the same.
I took one Java class and then one calculus class and I was
like I'm done, I can't do this.
There was no networking courses, so I left.

Tim (05:20):
I think calculus was about the time I dropped out of that
as well.
I was thinking I would give it a go, and then I got to calculus.
I was like, nah, I'm good, never mind, forget it, okay.
So yeah, we brought Brian here because he has some really good
experience and some big opinions actually about what does it
look like if you want to go down the career path of becoming a

(05:41):
cloud security expert, engineer, whatever practitioner, maybe
developer, I don't know want to go down the career path of
becoming a, like a cloud security expert, engineer,
whatever practitioner, maybe developer, I don't know like
what is actually?
That's some of the stuff we're going to talk about, uh, today
is like what are the options, uh, with cloud security?
So I mean not not to stand on ceremony, Brian, like like we're
you know?
Where do we?
Where should we start?

Brian (06:02):
Yeah, well, thanks.
I mean, one of the one of the reasons why I was excited to
come on the show and talk about this subject is, I think you
know, cybersecurity has become sort of popular.

Chris (06:11):
I don't know if you want to say that that's right.

Brian (06:14):
The general popular culture knows what it is.
But you know, I think there's an impression out there that you
know the two jobs.
A lot of people have this impression.
You know I could be an analyst, a security analyst or maybe
like ethical hacking is the other big thing.
Right White hat hacker, you know, and certainly those jobs
are out there.
But you know there's a much, much bigger world out there in

(06:38):
cybersecurity.
There's, you know, there's all sorts of jobs working in all
sorts of different organizations.

Chris (06:45):
There's all sorts of jobs, working in all sorts of
different organizations.

Brian (06:54):
And you know, I really view it as sort of a?
You know, there's like a three-dimensional landscape
where, like across the x-axis, you have the type of job right
and there's, you know, yeah, there are those analyst and
ethical hacking positions, but there's also, you know,
positions making security policies, doing awareness and
training for big organizations.
There's a lot, you know these days, a lot.
You know a lot of compliance specialists.
You know, with all the different standards from, you

(07:17):
know, government standards, just general corporate standards,
industry specific standards like HIPAA, PCI compliance.
You know there's threat researchers.
You know there's cyber forensics.
There's, you know sort of the path I've taken being a
developer of security tools.
There's, of course, you know, armies of consultants that help

(07:37):
people apply those security tools.
You know there's.
You know the whole ecosystem on the vendor side of those
security tools, of product managers and QA people and
people that sell the tools, and you know.
So there's a ton of different roles and then you know, and
then what sort of organization you work in matters a lot, right?

(07:58):
So you can work in government, you can work in law enforcement,
you can work for private corporations.
You know you can work for in specific industries again, you
know so and you know universities, so you know that
and then finally, there's that type of role right.
So you know you could be a compliance expert in banking.
(08:20):
Banking, you could be a compliance expert for a big
software company that spends a lot of time communicating with
your customers about your compliance and how they can meet
their compliance needs with your product.

Tim (08:34):
There's a lot out there.
Yeah, I mean, that's huge, right.
So, yeah, I like the way you're saying it with this idea of an
XYZ axis.
It's kind of a cube, not like a square, not like a plotted
point, but there's a lot of intersection in all of that,
right, so you could be a pen tester, but, like, are you a pen

(08:57):
tester for a vendor?
That's, like you know, trying to work on customers that are
using the vendor software to, like, prove it works, or to, or
to, you know, find problems with the software.
Or maybe you're, like you know, like a state.
You know, not that they exist, of course, but maybe you're
state sponsored maybe you're a state sponsored penetration

(09:18):
tester.
You know which is a completely different.
The role is the same right, but I would imagine the application
of that skill set would be wildly different, right.

Brian (09:31):
That's right.
That's right.
Yeah, I think like the operating environment and like
the surface area of the operating environment matters a
lot, and so if you're you know, if you're working in a bank,
you're obviously you know.
Why do people rob these banks?
Because that's where the moneyis.

Chris (09:45):
That's where the money is.
Brian (09:48):
So there's obviously a certain focus there around what
banks are concerned about, but they're also concerned about.
Banks have a lot of employees and the way in to what's
valuable can be through all those employees.

Tim (10:02):
Yeah, social engineering.

Brian (10:03):
There's a lot to monitor there, right, and there's
insider threats, but that's different than other companies,
different than if you're working for a vendor or at a university
or a hospital.

Tim (10:20):
Well, the compliance right.
The compliance is like the different frameworks that you
have to be compliant with is different in FinServ than, say,
HLS, which is health and life sciences, for example.
Completely different frameworks of compliance, right, different
roles, or just two, not roles, sorry.
Compliance officer at a bankversus a hospital right, like

(10:46):
that's a.
That's a totally different z-axis vertical XYZ yeah, that's
right.

Brian (10:51):
That's right, and then um you know, and those those are
right operational, operational roles and and, uh, you know
where you might be in in the office of the CSO but you know
you might be a security person, you know, on the development
team of an application you know, helping to develop their
security products and advising the rest of the developers on
secure coding standards.

(11:12):
You know, like one of my teams.
It's interesting sort of getting back to the compliance
side is.
You know we have a team of common field CISOs.
They're former, fairly senior folks and then we have a couple,
some you know a junior team, sort of as part of that group
that you know worked in on the operational side of things.
These are people that you know, former CISOs that now work for

(11:35):
Oracle.
You know, on interfacing with, you know, our customers security
teams, the CISOs of those, those organizations like the
CISOs of big banks and etc.
Governments and and, uh, you know, and they do get heavy and
some of them are you know even within that group there's
different sort of specializations.
There's some that are more deep, technical than others, but some

(11:58):
are very sort of legally minded.
I actually have a couple that are for that are lawyers uh oh
wow.
Not, they're definitely practicing, but they sort of
really live at that intersection of the law and technology and
security.

Chris (12:12):
Who would have thought the law matters.
They spend a lot of time.

Brian (12:14):
Yeah right, they spend a lot of time with the Oracle
legal teams and our customer legal teams and sort of help
make sure everyone's on the same page about our commitments and
you know, customer commitments.

Chris (12:25):
Yeah, totally.

Brian (12:26):
And the cloud.
The cloud, you know it's Cables to Cloud.
So you know, the cloud is very interesting from a security
point of view, right, because there's a division of
responsibilities and for every type of cloud application
there's, you know, different levels of responsibility, right,
versus like infrastructure, versus PaaS, versus SaaS, and
that flows into the compliance side of things.

Tim (12:47):
Yeah.
So actually now, I mean, we've mentioned it X and Y a few times.
I've even actually I think I said Z at one point, but like
what is the Z-axis like to this?
Then I think you might've briefly mentioned it, but like,
let's get on that a little bit, yeah, sure.

Brian (13:01):
So in my mind the Z axis are actually like technical
specializations, right.
So even within a given role and given organization, you do get
some specialization right.
So you guys are probably and your viewers and listeners are
probably most familiar with, like network security, right,
and that is a specialization.
In fact, that was, you know, early in my career.
That was the only thing anyone, if I said, oh, I'm in internet

(13:25):
security, they said, oh, you mean firewalls?

Tim (13:27):
Right.

Brian (13:28):
No, no, I'm something called identity management.
Then I have to go explain what identity management is.
Maybe we'll talk about that in a little bit, but you know.
so that is you know, there are people that make a living with
doing firewalls and network security and everything involved
with that.
But there's you.
There's other areas of specialization, so, for example,
encryption, right.
So if you're on the development side, if you're developing
(13:49):
applications, there's people that are experts at doing the
encryption side of it.
They know the security of the different.
These days the libraries are pretty friendly, but there's
still some work there.
In the old days you used to actually know the algorithms and
you'd be developing the libraries.
These days, everyone opens SSLor different proprietary

(14:12):
libraries.
But you still need to know how to use them and what they really
mean with the different ciphers and the random number
generation part of the encryption.
But on the corporate and operational side and the
compliance know the compliance side of it, there's people that
specialize in encryption there and and say like, okay, all you
know that that go and review all the applications for their big

(14:35):
you know big bank and you know that exists, to make sure
they're there, that all the encryption is being done
correctly, using the right algorithms and the right ciphers
and the right.
You know that the key management side of things um, so you know,
that's another example.
You know, I mentioned identity management, sort of what my my
area of focus for a lot of my career.
Uh, you know, and that's dealing with, uh, you know,

(14:58):
authentication and authorization and single sign on and who
users are and then you cloud security is sort of the modern
thing.
So if you're hosting a bunch of applications on AWS or on OCI,
there's all the security involved in that.

Tim (15:16):
So what's interesting is, of course, a lot of this stuff
is overlapped, right, so you can't talk about encryption
without really talking about identity management.
Right, because you're not passing identity management
credentials, like whatever that looks like single sign on or
certificates, right, certificate based identity management is
entirely based on encryption, like TLS encryption, for example.
I took a.
So when I was doing my degree in cloud computing with Western
(15:41):
Governors, I had to take a class on cryptography and it was
actually really I I won't say interesting, because actually,
if I'm being completely honest, it was a bunch of math and the
class was kind of boring.
But the creation of cryptography and the science of
cryptography I found to be interesting.

Chris (16:00):
The mechanisms to create ciphertexts are pretty
interesting.
I would say the methods.
I don't like the math, but the methods are fun.

Brian (16:09):
In some ways, I think they're too interesting.
If I may inject something slightly spicy and criticize
some of my colleagues.
I've seen way too many people on the review side of things
that come into.
You know that that are that.
You know you'd be surprised.
You know how high a percentage of people the first thing

(16:32):
they'll ask when they're doing a review is is what, what random
number generation are you using in your encryption?
And it's like.
It's like hey, why do you?
Why do you care?
I can.
I can SSH from any desk hereright into your data center and
there's nothing.

Chris (16:47):
You know you're worried about random number generation.

Tim (16:49):
Right exactly.

Brian (16:51):
But no, no, that is.
You know it's interesting stuff, and you're absolutely right,
Tim, that these things do overlap.
And that's one thing that I really like about security is,
you know it sits at the nexus of you know, not just all the
other security technologies, but you know just, there's security
in everything and to be an effective person in security,

(17:12):
you need to know the environments and the
applications and the languages.
You know that you're running and so, like, if you're going to
be doing security, you know if you're going to be looking at
security of you know an application, you might need to
know a lot about Java.
You know you need to get into Java security, so you need to
learn a lot about Java and you need to learn a lot about
application servers and networking and identity

(17:34):
management really especially sits at.
You know the intersection of all those things.
You know when I was doing development and you know a lot
about encryption.
You know, let's say I always tell Cam that I know enough
about networking to know what I don't know, but you know, I did
you know I wrote like the world's first commercial Apache

(17:56):
web server plug-in.
So I know a whole lot about Layer 7, probably more about the
HTTP spec than anybody.
But you know, so yeah, all these things are interrelated.

Tim (18:09):
Yeah, so I mean, so let's actually let's get into.
So you're mentioning, like identity management obviously is
a big part of what you're into, so, or have been, should I say
into, so how has it gone from like the basic, like username
and password, to like where we're talking about modern-day
authentication or authorization?
It obviously includes encryption, but is it more

(18:31):
elegant?
Is there more to it now?
Yeah, there's a lot to it.

Brian (18:38):
It's really an area that's gotten.
Like I said, 15 years ago no one heard of it, but today Jim
Cramer's talking about Okta on CNBC.
They have like a $15 billion market cap and it's a pretty
widely recognized and important area of security.

Chris (18:59):
And yeah, there's authentication, right.

Brian (19:02):
We all hate passwords and password phishing and everyone
realizes that that's not sufficient.
So, like the next, pretty much any application and every
enterprise of any importance requires multi-factor
authentication, right?
So that's a big part of it.
And then you know that used to just be.
You know they'd ask you some additional questions that were

(19:23):
basically like you know, some knowledge-based authentication
that was basically just like abad, a bad second password.

Tim (19:30):
So you know, and then it went to like SMS.

Brian (19:34):
You know it was.
You know that you know the whole point of multi-factor
authentication is like usually it's you think, like an ATM, is
like the good, like simple model.
It's something you have plus something you know yeah both of
those and, um, you know, but it's gotten more sophisticated,
right?
So the SMS, the point.
The point is that what you have is your phone by virtue of

(19:55):
getting that text message.
But you know, of course, phone numbers can be stolen and
spoofed.
Yep, I've seen that, and so it's gotten more sophisticated.

Chris (20:05):
And now the big trend these days is passwordless.

Brian (20:08):
It looks like the password's so useless, let's
just do away with it completely.
So much cost associated with maintaining passwords.
People forget, it right People?
Beef up their help desks when everyone gets back from holiday
vacation because half their employees have forgotten their
password.
Everyone gets back from holiday vacation because you know half
their employees have forgotten their password.
You know, but so you know now everyone's ditching passwords,

(20:28):
and so it's only like something you have or two things you have.

Tim (20:32):
Yeah, or you get a token right Now.
It's like token based.

Chris (20:34):
We're like hey, I want to log into this and it sends you
a token and then you use the token to log in.

Tim (20:40):
So, yeah, it ends up being something you have, you know
single sign-on.

Brian (20:43):
I mean that's been around for a long time but it's become
really universal in sort of requiring single sign-on.
And it used to just be web-based single sign-on.
But now people want single sign-on both to use like network
to steal network to north, south and east, west, or up and
down, left and right.
So or you know, up and down left and right, you know from
you know.
So, for example like not just from across the different

(21:04):
applications that a user is using, but down the stack.
So from, you know, from the browser to the web server, to
the app server, down to the database and sort of, the full
fruition of that which is sort of at the intersection of
networking and security is, you know, the zero trust networking
concepts yeah right, oh yeah, yeah, yeah, for certainly

(21:26):
getting the zero trust piece, because I mean I know that.

Tim (21:28):
so so I hear people talk about zero trust as, um, you
know, oh well, we can have, you know, workloads.
What do you do for workloads that don't have zero trust?
And I agree generally that like, for example, workload to
workload communication is hard to say like, like, because
normally I think zero trust I think of identity, I think
identity is tied to like a zero trust framework.
But then you have like workloads that don't have true

(21:50):
identities and so you have to like identify them with some
other kind of fingerprint.
But I mean, you're still trying to fingerprint them.
You're just not using a user account or something like that
to do that kind of fingerprinting of that, of that
traffic or that workload.

Brian (22:02):
That gets into the emerging thing in identity
management these days is non-human identity, that's right.
If you're anyone that was at the Gartner Identity Management
Conference.
It just happened, it was all about that.
Or if you go to RSA, the Identity Management Tracks it's
all about non-human identity.
That's interesting, not only that.
Identities even got to the point where it's like I would
say it's all about non-human identity.

Chris (22:22):
That's interesting, but not only that it's like
identities even got to the point where it's like I would say
it's kind of like multi-tiered as well, because now we have the
concept of like privileged access management related to
identity, right.
So it's like you have this one identity that gets you certain
access to a certain number of things at a given time.
But if you want some kind of heightened credentials, there's
a whole market for Like.

(22:42):
How do you elevate your access just at a point in time to do,
you know, admin-based activities?

Tim (22:48):
Just-in-time access, Right yeah.

Chris (22:50):
So that's it kind of compounds on top of that right
that gets into like another area from tying it back to careers.

Brian (23:00):
There's like the emerging area of what's called like
DevSecOps.

Tim (23:03):
Yeah, okay, which I?

Brian (23:04):
think kind of overloaded.
When people talk about DevSecOps it can mean the
security of DevOps.
That's a huge field.
A lot of companies out there are selling different tools.
It's obviously very important.
If you're a modern cloud-native company and you're doing DevOps,
the security of that has to be be, you know, correct and, like

(23:26):
you said, there's the privilege who can, who can push releases,
you know who can you have to make sure that you can't like
mimic a pipeline thing.

Tim (23:35):
And then on the.

Brian (23:36):
there is like the traditional, like sec ops side
of things too.
Okay, like I, I'm, you know, running the security operations
center.
What's really entailing that?
What's you know how can I automate as much as possible?

Tim (23:48):
Yeah, I think that's really good.
So how does this change when we start getting into the cloud?
I mean, obviously some of this is just going to be the same,
just with the cloud, right.
But like the fact that the cloud is a managed service
provider right, like that they're only a managed service
provider right, like that they're not exposing everything
to you, so you know, it's like you're consuming, essentially, a
service right and you're trying to secure that service.

(24:10):
So how does the whole cloud security thing figure in to the
whole thing?

Brian (24:15):
I think a couple of ways.
I mean first review.
Like you know, it's a very different conversation if we're
talking about like SaaS versus infrastructure.
For sure, for sure.

Chris (24:21):
But you know there's.
It's a very different conversation if we're talking
about like.

Brian (24:23):
SaaS versus infrastructure?
For sure, for sure.
But if we're talking about infrastructure, which is
probably what I think interests us most, you know it's, you know
I think things are democratized in the cloud right.
The whole point of the cloud is you want easy access to
everything you don't.
You know, in the old days of on-prem right would install the
operating system and they'd get some access to it Eventually.
(24:53):
If it was a production system, they'd be locked out from it and
then they'd have to ask permission to be let back in.
The whole efficiency of the cloud is about giving developers
direct access to the infrastructure.

Chris (25:06):
But you have to put some guardrails in place, and so uh
you know, that's a big part of cloud security.

Brian (25:08):
You know, I, I, my own team, like five, six years ago,
right, we had like our OCI development environment and like
there's, like there's one guy like he stand up something, and
you know you, because you know what ends up happening and
people like oh, like you know, trying something's not working.
Eventually they're like screw it, I'm just, you know, going to
remove all my network security lists, open up SSH to the real,
(25:29):
you know, and then, right In about 15 minutes, you know,
those compute.
Yep, they're being like used for Bitcoin in like Russia or China
or wherever.

Tim (25:39):
Yep, it doesn't take long.
That's true.
That is the, and what's funny about that is that, in the same
way that the cloud was built for developers to be agile and not
have to worry about having to put in tickets for sysadmins to
spin up compute or for network engineers to allocate VLANs and

(25:59):
IP addresses, there's also this idea that developers wanted to
be agile and get around security too, like security's not going
to care about this thing because it's my playground and it's not
connected to the corporate network and all of this.
So the same agility story existed for developers until all
of a sudden, it doesn't, because now these are critical
business workloads that have to start connecting on-prem.

(26:21):
Yeah, absolutely, absolutely.

Brian (26:24):
So you know it's about guardrails.
You know there's a class of security, cloud security posture
management, which is all about you know, and there's all these
new cloud constructs that need appropriate security.
There's, you know, in the cloud it's easy to move data in and
out, right to exfiltrate data.

(26:44):
Um, the the network is a little more loosey-goosey, and so,
yeah, um.
So then that's part of, also the rise of, like, identity
management.
People say a common phrase is oh, identity is your new perimeter
just because you have the cloud and then you have all the
different devices that people, that people use um and so in
some ways it's pretty analogous to the differences in networking

(27:05):
right.
It's just there's virtualization, you know
abstraction that just people need to deal with.

Chris (27:12):
Yeah, I think that also helps with a lot of things in
the cloud being very API driven as well.
There's multiple points for authentication to happen, in the
way that some of these services and some of these you know
infrastructure type things have been built there.
So there's definitely more points for it.
But, as Tim said, you know, when you had developers building

(27:32):
this stuff, maybe 10 years ago probably a lot of that was
skipped.
And now people are kind of going in and retrofitting
security on top of a lot of this stuff.

Brian (27:40):
So you know, and increasingly people are using,
you know, many clouds, right?
So you know we talk about it a lot at Oracle.
I know you guys talk a lot about your job too, but, you
know, I think that creates a challenge for certain people and
an opportunity for others, if you really can master multiple
cloud environments and understand how they're mostly

(28:02):
the same, you know, from a security and networking point of
view, and they all have similar constructs, similar controls.

Tim (28:09):
I think it's the policy where people start falling down
right, like having a unified security policy that can govern
multiple clouds.
Depending on you know they work very differently from a
security and a network perspective.
That's really the brass ring I think is being able to get to
that.

Brian (28:25):
Yeah, yeah, I think that gets into like a.
We could have a whole separate podcast on that and sort of
single pane of glass versus, like you know, use some multiple
tools.
Yeah, for sure.

Tim (28:37):
But like, okay, so let's talk about but I don't want to
drop that because I think this is really good and I think it
ties back to the whole point of what we're talking about.
And again, we're talking about cloud security careers, right,
but I mean, in this case I'm talking about in the podcast,
right, the podcast is very, as we've been saying for many God

(28:59):
since the beginning, pretty much that like network and security
are pretty much joined at the hip, so we have to know them
both to some degree.
I mean, when I was an enterprise engineer, in addition
to being doing collab and DC and all this other stuff, the
two ones that I pretty much had to have all the time in lockstep
were I was a firewall jockey and I was also like a network
engineer, right, and you had to do both.
So I mean, what is and I don't think that changes significantly

(29:20):
in the cloud either but what does that look like for you?
We're talking about networking security, especially in the
framework of cloud security careers.
What do you think?
Where's the burden of knowledge there for somebody who's trying
to do that, trying to be that cloud security person?

Brian (29:39):
Yeah, I mean there's definitely a huge, huge overlap
and and I think that
again, like the, the fruition of that is is like zero trust,
right when the overlap is complete at that point.
And I think that creates some challenges for people that are
organization.
It was organizations that that have this like separation of
security and networking, the kind of like they look at okay

(30:02):
with the zero, if they adopt zero trust, who's going to be in
charge?
Who's going to control?
How do we make changes?
Their heads explode, right, but you know I think there are, you
know, and then like web application firewalls.
That's like the area that really like.

Tim (30:18):
Oh yeah.

Brian (30:18):
Total, total intersection.
There's other, you know, like network, at least identity
management.
Usually there's a separate most organizations these days have a
separate identity management team.
That's sort of unto itself, and then they sort of support
network security and support data security teams when they

(30:39):
need to do something with the identity management systems.

Tim (30:41):
Man, I hate working with IAM.
I haven't found a cloud where I enjoy working with
IAM, like identity access management, like they're all
terrible, like from from my perspective as the technology is
terrible or the people are terrible no, no, no sorry I just
mean like when I think that's fair but no, no, no, when I have
to, I'm just thinking to myself, like when I'm building in, say

(31:02):
, AWS and Azure and Google Cloud or whatever, I'm building labs
and stuff, like I just remember, because you want to operate
from least privilege, right, you don't want to just like give
yourself an administrator for everything, but getting to that
point where you really figure out what is least privilege
actually look like the services are so intertwined just to get
something working that, like you'll find that, oh, I started
(31:24):
off and I only granted myself these permissions, and then I
found out that, oh, I can't even like build this service.
I can't even build this construct because it's tied to
four other services that I don't have IAM access to.
And you only find out when you try to make it.

Brian (31:36):
Yeah, no, I know exactly what you mean.
Yeah, it can be a little frustrating because and it's not
always very well documented, right, exactly.
There's all the interplay of all these resources and a lot of
trial.
And, like you said, the only way to make the cloud secure is
to deny by default, exactly, and so it's sort of a necessary

(31:58):
evil, it's almost like the applications are now decoupled
and so is, yeah, right, the policy to access all of them,
right?
So and then the way to make it easier is to is to templatize
and automate for sure okay, like, like, we like that's that's
why I'm a big believer in, like the concept of a landing zone

(32:20):
where you know you design a pattern for your applications
and say, okay, like you know, maybe I have three different
types of applications and I'm going to extend my ex, extend my
network and my policy model in one of three ways as I add a new
, a new application right for that test and then prod, uh,

(32:40):
yeah for sure.
So that's a good example of what we deal with in security
careers right there.

Tim (32:46):
Yep, absolutely absolutely. All right.
So, because it's the hot thing, we have to ask.
So the people working on cloud security careers already have to
understand security.
Obviously they're going to need to know, depending on what
they're doing right, they may need to know some networking.
They probably need to know some identity.

(33:07):
Uh, you know and and and all points in between, um, you know
where.
I haven't been keeping up with it, but, like the I'm, I know
that I've seen some stuff about uh.
We actually just reported on the news not too long ago about
uh AI being involved in cyber attacks and like like a huge,
huge increase in cyber attacks in 2024 due to the advent of AI.
And is it like a script kiddie thing where, like, all of a
sudden, everybody has a DDoS capability from their you know
(33:31):
code, from their ChatGPT, or like what do you?
I mean, what do you?
Where do you think it fits into the whole cloud security career
thing?
The AI revolution, if you will, if we have to call it that?

Brian (33:41):
Well, I think.
I mean from a technology point of view.
You know that, yeah, I mean, makes people are leveraging AI
in different types of attacks, which makes more sophisticated
attacks more prevalent.
There's the security, some really interesting stuff going
on, you know, including in compliance around, as you can
imagine, around the security of AI applications themselves.

(34:03):
Again, we're like you know the purpose.
One of the purposes of AI applications is to democratize
the data more people getting access to the data being able to
, you know, rather than doing like old school billing, you
know, reports with some intelligence app.
I'm just going to do some natural language queries and you
know, show me, show me all accounts payable over over 90

(34:25):
days.
You know, and you know my and then show me show me just my top
20.

Chris (34:31):
Well, you know you, it's great to let the right people do
that kind of thing, but you don't want to let everybody do
that.

Brian (34:36):
So now you know so, and then you know the people have
questions.
Okay, like you know, you know, I mean it's funny people like
right, there's a Epic right which is the big in the United.

Chris (34:47):
States healthcare app.

Brian (34:54):
They now have a like AI thing that helps the doctors
write their notes, and so you know you might, you might, we
all might get it going to the doctor's office.
They might ask it.
So, okay, if I record this and you know you have the AI help.
Well, like who's, are you using my, our conversation to train
your, your, uh, your AI, farther like where?
How long?
Where's?

Chris (35:09):
that data gonna live?
How long is it gonna?

Brian (35:11):
live, uh, and you know Oracle's customers have the same.
You know any SaaS application.
You know on the SaaS side that everyone you know are.
You know, hey, Oracle, you're developing all these great AI
features for your HCM software and your ERP software but are
you using our data for that or no?
Well, we're not and we need to prove that we're not, and we
(35:34):
need to have the controls to show our customers that we're
not.

Tim (35:38):
That's interesting, the idea of auditing, like the idea
of being able to prove on an audit that you're not using.
I haven't considered that.
That's interesting.

Brian (35:47):
automated out and
and I think the you know, the, the people that have like sort
of the the best skills and the highest level skills, you know,

(36:08):
from a technical point of view, are going to be the ones that
are even more empowered and and efficient, you know, and then
the soft skills become very important because it's not just,
it's not just you know the, the technical skills that are going
to be automated out, it's the communication skills and
industry, certain specific knowledge, Like you said.

(36:28):
Maybe you know tech and the law, or you know tech and a certain
vertical market like healthcare.
Right that becomes more valuable.

Chris (36:40):
I think from a security point of view this is just
speculating.

Brian (36:43):
Now we're getting a little bit into spec yeah,
that's fine, I think those, those lower level, like analyst
jobs are.
You know, it's probably not something that people want to
stay in a long time.

Chris (36:53):
I mean, it already is sort of not what people want.

Brian (36:54):
To stay in a long time, yeah, but they're hard jobs and
they're, you know, weird hours and 24 7, but uh you know, those
are the ones that are most right for AI automation right.

Tim (37:04):
Yeah, because, analysts, generally what you're doing is
you're analyzing a bunch of data, right, and trying to draw
insight from it, and so that is literally what you would want an
AI to do, because the inference engine and all of that is kind
of built for that, right.
It was always on its way out, really.
Just now we've got a natural language interface to make that

(37:27):
part of pulling out the insights easier, right.
So, yeah, totally, totally agree, and I also agree that the
people that are going to be most I won't say immune, but the
least affected probably by the idea of like, hey, is my job
going to get taken by AI, not just for
security but for networking, for everything that there is
probably are going to be the people who are able to go more

(37:48):
T-shaped and be able to be yeah, I'm really good at this one
thing, but I understand multiple things and I can correlate and
apply those multiple things that I know, because AI is really
going to struggle with correlation, if you will,
between, like you said, I know security, but I also know this
vertical very well, but the correlation and drawing insights

(38:11):
between those two is going to be a lot harder for an AI to do
because it's tokens all the way down.
You don't have that thinking ability to correlate.
It's not quite there yet.

Brian (38:28):
Yeah, I think that's definitely true, a hundred
percent, and not not only and I think there's opportunity there
too, because it's it's not just that those people that have
those skills are going to be immune from their jobs being
taken by AI.
They'll be more empowered because they, they, they are
adding more value some of the sort of the things that they
were relying on.
Just like the doctor is empowered by the notes and they

(38:48):
can see more patients in a day or get to go home to their
families earlier in the day or whatever.
The tech workers that have those higher level skills are
empowered.
Just like with the cloud right, you know, I think we all, you
know, in the old days, right, you know software, you have
these huge long QA cycles, and you know, and then people would

(39:10):
have to slow adoption of the new features, and you know your
customers have QA cycles. In the cloud,
you just boom.
You update it.
People immediately uptake the new feature.
You monitor.
See how it's working. Boom.

Chris (39:22):
Yeah exactly.
I think it's funny that that conversation about the doctor
like it just kind of puts this image in my mind of maybe
someone going to the doctor and it's like a real, like you know,
kind of tinfoil hat kind of person just like grilling the
doctor about like where's my data, how is it stored, how is
it encrypted, how long are you keeping it?
I'm sure those are conversations doctors really
want to get into.

Tim (39:43):
They know all the answers to these questions too.

Brian (39:47):
You're going to add a year of, like cybersecurity
certification no-transcript and this was interesting to me.

Tim (40:02):
So we were talking before the show about the kind of like
what the stuff we wanted to cover, and Brian was mentioning
that you know, like in cybersecurity the idea of
certification is not nearly as what's the word I'm looking for.
It's just not as important, or it's not as it isn't used the
same way, I guess, as we use network certifications and this

(40:25):
was this was surprising to me.
So, you know, with network certifications I think it was
you know, certifications generally were initially this
idea that oh well, we're going to certify that someone who's
already doing this job is capable to a certain degree and
that's what the certification is for.
But it ended up being this idea of like actually it's more, it
ends up being more like a learning path, like follow this
learning path, pass it, and then you can pass the certification

(40:48):
and you know, then you're you know what you need to know.
But it became more of a training thing.
But like it's not really.
So you're telling me it's not really a thing in cybersecurity.

Brian (41:01):
I do think, you know, I think that surprises people
because there are a lot of security sort of proliferation
of security certifications and you know people offering
training for those, and I don't mean to demean those at all, but

(41:25):
you know, I mean I'll just put it this way Like I, I was
probably like over 20 years in my career and was like I think I
was a vice president before I got my first certification of
any kind at all.
You know I, our our senior vice president, wanted everyone in
our organization to get certified on on the Oracle cloud
itself and the series of certifications, and so you know,
I wanted to lead from the front and actually made a goal for
myself to be the first one on my team to to get all of them, and
(41:48):
and so I, you know.

Chris (41:49):
But those I did, I did, I got nice.
You know, I have uh nine or ten cloud certifications oh, wow,
dude.

Brian (41:56):
So so you know, and I do see the value of them I think I
think what you were saying to him about like them being a
learning path, right, it's a good um.
And for myself, you know, there were certain ones I got where I
just took the test because I knew it already, and there were
others that I had to study for, to varying degrees, and so you
know it does sort of a way of acquiring, improving a certain

(42:18):
level of baseline knowledge.
But, um, you know, security like we've been talking about
there's, so it's a pretty vast and and I think that the
security certifications out there are really geared at sort
of those corporate sort of security assurance and policy
type roles, um more than more than you know you know there are
some ethical hacking certifications and stuff, but I

(42:39):
think it's really, you know that again just like sort of
baseline knowledge, and I, you know, my guess, is the most
ethical hackers out there, don't it's?
really just about the real, real experience.
And I think that's like another point is that you know, for
anyone looking to get into, Chris and I were talking a
little about this earlier, like looking to get into security.

(43:00):
You know the best way to do it is to.
You know most people when they, if you're in some sort of tech
job and security comes up, they flee, they run away and if you
want to get into security, run, run towards it.
Become like curious about what's going on.
Raise your hand, volunteer to participate.
Some of the very best people I've hired have been people that
you know, don't have any security.

(43:21):
Like I said, most of them don't have any security certifications.
They, you know, but they don't even necessarily have a long
security background but they've shown their people that, like
I've worked with on projects and you know that maybe they're
like a lead application architect but they, you know,
clearly know their security or, you know, taking the time to
learn.
I'm like, hey, you know you like security.

(43:43):
Maybe you should think about focusing on it full time.
And it's worked out well for them.
Another colleague of mine who runs our field CISO team.
I asked him about sort of who did you used to hire when you
actually were a CISO and ran like a SOC and a security desk
and he said I love to hire help desk people because they know

(44:05):
all about our environment and we can teach them the security
side of it.
Also, advice I gave to someone who runs the data security for a
large healthcare corporation.
He said, Brian, I want to hire some Oracle database security
experts.
What do I look for?
I said hire Oracle database experts that know some security

(44:28):
versus security people that know a little bit about the database.

Chris (44:33):
Yeah, I think it's tough to give advice in this
department a little bit sometimes, because I feel like
the number one advice to get people going is, or or at least
like what.
What I see from a longevity perspective is just be curious,
like you have to be curious pretty much endlessly, but
that's not a tangible thing, it's not really.

(44:53):
You can't really measure.
You know your curiosity, so I think that's good, like talking
about, like you know, trying to get involved, like try shadowing
, like that's always something I suggest is I don't know if
that's just as prominent in the in the security space but like,
yeah, just like, engage with the people that you know are doing

(45:14):
these things and try to learn.
And you know, um, 99 times out of a hundred people are willing
to help you.
Um, sometimes people are, you know, gatekeepers and et cetera.
But you know you'll, you'll move on, you'll get past that.

Brian (45:21):
I think it's hard to be curious in a vacuum, but I think
it's easy to be curious If you're already in tech.
It's easy to be curious about security within the context of
what's happening in your organization with your projects.

Chris (45:35):
And again, most people run away.

Brian (45:37):
I think they run away because either they're
intimidated, they think it's difficult and it's not that
difficult.

Chris (45:46):
I mean some people find it boring.
But if you're interested in it, you don't find it boring.
I don't find it boring.
I think it's scary sometimes, because security is a vertical
that has a lot of resume-generating events, it
seems.

Tim (45:57):
Well, network does too, infrastructure does too, to be
fair, you have to get pretty far away from tech to not have an
RGE happen you know, like a BMS.
But no, this is really good and yeah, I think we're just about
out of time, but this has been a really good discussion.
We'll definitely have to have Brian back.
Maybe we'll get into some of the other security stuff we

(46:20):
talked about.

Chris (46:21):
So yeah, definitely.

Tim (46:22):
Yeah, so we'll go ahead and stop here.
So, as always, thanks for listening to the Cable's Clouds
podcast.
Make sure you buy our breakfast cereal and our home game.
Yeah, you can play as either Tim or Chris.
You're not allowed to play as the guests because we want the

(46:43):
guests to win.
Thank you.

Chris (46:48):
So thanks for hanging out, Brian.
Where can people find you?

Brian (46:51):
Yeah duh, LinkedIn is probably the best place.
Brian Eidelman at LinkedIn, if you're an Oracle customer, you
can talk to our team.

Tim (47:02):
If you're an Oracle customer, you actually already
have it.

Brian (47:04):
Ask whoever you're working with at Oracle that you
want to talk to Brian.
No, we'll make it happen.

Tim (47:09):
It's already on your speed dial if you're an Oracle
customer, so go ahead and give him a call.
All right?
Well, thanks again for listening and we'll see everyone
next time.