
July 1, 2025 27 mins


Cloud security is facing a fundamental paradigm shift that most organizations haven't fully recognized. According to Aviatrix CEO Doug Merritt, we're overlooking a staggering 50-80% of our attack surface by failing to properly secure cloud workload communications.

The problem stems from three critical changes in how computing works today. First, the internet has essentially become our enterprise network – when your application calls an S3 bucket, that communication happens over the internet, not a controlled private network. Second, the traditional security perimeter hasn't disappeared; it's atomized from a handful of entry points to thousands or even hundreds of thousands of mini-perimeters. Every VPC, Kubernetes cluster, and API endpoint now requires its own security strategy. Third, modern workloads are largely ephemeral rather than long-lived, making them harder to secure with traditional approaches.

This security challenge is further complicated by multi-cloud environments, where security policies must consistently follow workloads across cloud boundaries. Meanwhile, the rise of generative AI creates both defensive opportunities and heightened risks, as attackers leverage these same technologies to map enterprise environments and find vulnerabilities with unprecedented speed and effectiveness. As Merritt explains, "Attackers think in graphs" – constructing comprehensive maps of your organization's resources to identify any possible entry point.

The solution requires a paradigm shift in how we approach cloud security. Aviatrix advocates for a "cloud native security fabric" built on zero trust principles specifically designed for cloud workloads. This approach focuses on four critical elements: controlling egress to prevent command-and-control communications, implementing east-west macro-segmentation to block lateral movement, applying micro-segmentation for granular control, and ensuring comprehensive encryption to protect data even if network infrastructure is compromised.
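As an added illustration of the four controls listed above, the following Python models a default-deny policy evaluator for cloud workload traffic. It is example code written for this page, not Aviatrix's product or any real policy language, and every workload name, segment, hostname and flow in it is constructed sample data. It shows why each control is a separate gate: an egress call to an unlisted host, a web-tier workload reaching the database tier directly, an unencrypted hop, and a same-segment connection with no explicit rule are all denied for different reasons.

```python
"""Added example (not Aviatrix code): a toy zero-trust policy evaluator for
workload-to-workload and workload-to-internet traffic inside a cloud.

It models the four controls named in the episode summary:
  1. egress control      - a workload may only reach explicitly allowed external
                           destinations (default deny, so a C2 callback is blocked)
  2. macro-segmentation  - traffic between segments (web -> app -> db) needs an
                           explicit east-west rule
  3. micro-segmentation  - within an allowed segment pair, only listed
                           workload/port tuples may talk
  4. encryption          - every flow must be TLS/mTLS, otherwise it is denied

All workload ids, segments, destinations and flows are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # workload id, e.g. "web-1"
    dst: str          # workload id or external hostname/IP
    port: int
    encrypted: bool   # True if the flow is TLS/mTLS


@dataclass
class Policy:
    segments: dict[str, str]            # workload id -> segment name
    egress_allow: set[str]              # allowed external destinations
    macro_allow: set[tuple[str, str]]   # (src_segment, dst_segment) allowed east-west
    micro_allow: set[tuple[str, str, int]]  # (src, dst, port) explicitly allowed
    require_encryption: bool = True


def evaluate(policy: Policy, flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason). Every branch falls through to deny."""
    # Encryption applies to every flow: the summary's point is that the network
    # path itself may be compromised, so plaintext is never trusted.
    if policy.require_encryption and not flow.encrypted:
        return False, "unencrypted flow"

    src_seg = policy.segments.get(flow.src)
    if src_seg is None:
        return False, "unknown source workload"

    dst_seg = policy.segments.get(flow.dst)
    if dst_seg is None:
        # Destination is not a known workload, so this is egress to the internet.
        if flow.dst in policy.egress_allow:
            return True, "egress allowed"
        return False, f"egress to {flow.dst} not on allowlist"

    # East-west: macro-segmentation gate first, then micro-segmentation.
    if src_seg != dst_seg and (src_seg, dst_seg) not in policy.macro_allow:
        return False, f"segment {src_seg} -> {dst_seg} not allowed"
    if (flow.src, flow.dst, flow.port) not in policy.micro_allow:
        return False, f"{flow.src} -> {flow.dst}:{flow.port} not allowed"
    return True, "east-west allowed"


def build_sample_policy() -> Policy:
    # Constructed three-tier layout: two web nodes, one app node, one database.
    return Policy(
        segments={"web-1": "web", "web-2": "web", "app-1": "app", "db-1": "db"},
        egress_allow={"api.salesforce.com"},
        macro_allow={("web", "app"), ("app", "db")},
        micro_allow={
            ("web-1", "app-1", 8443),
            ("web-2", "app-1", 8443),
            ("app-1", "db-1", 5432),
        },
    )


def evaluate_sample_flows() -> dict[str, tuple[bool, str]]:
    """Run a constructed set of flows through the policy and return the verdicts."""
    policy = build_sample_policy()
    flows = {
        "web->app tls":   Flow("web-1", "app-1", 8443, True),
        "web->db direct": Flow("web-1", "db-1", 5432, True),    # skips the app tier
        "app->db plain":  Flow("app-1", "db-1", 5432, False),   # not encrypted
        "web->web ssh":   Flow("web-1", "web-2", 22, True),     # same segment, no micro rule
        "egress saas":    Flow("app-1", "api.salesforce.com", 443, True),
        "egress unknown": Flow("app-1", "203.0.113.10", 443, True),  # TEST-NET-3 placeholder
    }
    return {name: evaluate(policy, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_sample_flows().items():
        print(f"{name:16s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The order of the checks is deliberate: encryption is evaluated before any routing decision, and the internal/external split is made on whether the destination is a known workload, so anything not in the inventory is treated as egress and hits the allowlist rather than an implicit "internal means trusted" path.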

Ready to rethink your cloud security approach? Discover how zero trust principles can be applied to your cloud workloads to close critical security gaps and protect your most valuable digital assets.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
Hey everybody, fascinating chat today as we dive into the complex world of cloud security with a true innovator and expert in the field, Aviatrix. Doug, how are you? Good. How are you, Evan? I'm doing well. Thanks so much for joining. Followed you guys for quite some time. Maybe start with the big picture introductions to

(00:22):
yourself, and how do you describe Aviatrix these days?

Speaker 2 (00:27):
Yeah, we've gone through a few changes with Aviatrix over the past, since I've joined, and certainly over the past nine months. The company Aviatrix at this point is focused on a problem that we are incredibly excited and passionate about, which is the zero trust cloud workload problem that we see through the

(00:49):
hundreds of customers we have as customers and the prospects we're working with. It turns out it's well over 50% of the potential attack surface for most organizations, and we are evangelizing, leveraging our networking and network security heritage as a company, to evangelize a category that we're calling the cloud native security fabric.

(01:11):
So it's a bit of an iteration. Aviatrix traditionally had been focused on ensuring that cloud networking, the way that organizations that move workloads to the cloud, the way that they push packets around inside of that cloud, that it's done as efficiently, with as much visibility, at the right cost structure, with the right

(01:35):
set of capabilities, and the company had driven some success with that. We got well over 60 million in ARR focusing on that area. But as we worked with our customers we saw that why they really used us was for cloud security, cloud network security,

(01:56):
and that's the enhancements that we've been doing with the company. But I may have jumped the gun on a soft intro of who's Aviatrix and who's Doug Merritt by jumping right to the punch point.

Speaker 1 (02:09):
Well, let's get to it. I mean, the cloud marketplace is on fire. It's the way computing is done today, of course, and with all that innovation from the hyperscalers and others, the security model hasn't really kept pace. So, you know, what's fundamentally broken about cloud security, or the cloud security architecture, as it were, these

(02:29):
days?

Speaker 2 (02:31):
I think that's the right founding initial question, Evan, which is the clouds have done so much work to ensure that the data centers that they've built are highly secure, and to make people confident in moving workloads to the cloud. They did the appropriate thing by jumping up and down and

(02:52):
talking about how secure their data centers are, and I agree completely. I don't think there's many data centers in the world that are more secure than the data centers that Microsoft or Amazon or Google or others manage as the foundation for all the stuff that organizations are moving into the cloud. Where I think people miss the message is there's two elements

(03:14):
that are happening simultaneously. One, there's a shared responsibility model. The data centers are incredibly secure, but everything you put inside the cloud and every service you use inside the cloud, S3 buckets from Amazon, something that's unbelievably pervasive, is up to the organization to secure. So if the data center is breached, which I think is highly

(03:36):
unlikely, it is one of the big hyperscalers' responsibility and they're fully culpable. But all the breaches we hear about are data or other important elements being exfiltrated from the assets that organizations put inside the cloud, and so I think there's some confusion by some of the technical teams, different

(03:59):
organizations I talked to, on that divide of responsibility, which I think then creates a little bit of laxness often, and like, what am I really responsible for and how important is it for me to pay attention to security within the cloud? But I think the more fundamental element is the way that security has been driven historically.

(04:22):
If we really go back and are trying to be grounded in first principle based on how did the cybersecurity world grow up? When you had your own data centers with no internet connection, let's go back to like 1989 or 1990 or 1992, security was all physical. I would inspect the equipment before it went in, I would badge

(04:43):
people, I'd make sure that I had secure facilities that people couldn't get into, because as soon as things operated inside a data center, if I did those things, we had a very trusted relationship. The SAP app could talk to the Oracle database without any concerns. The cyber world grew up because we started plugging the Internet pipes into those data centers for good reasons, and

(05:06):
most cybersecurity was very grounded on how do we protect the data centers from the Internet. What happened with the cloud is a few really fundamental elements that I think also people haven't really conceptualized. One, now, with your assets in the cloud, the internet is the enterprise network. When you make a call from an app to an S3 bucket, you're

(05:31):
using the internet to actually get access to that data that you put into your Amazon service called S3. So the internet is now pretty much the enterprise backbone, and it wasn't architected for the level of security, going back to how did cyber grow up in the first place, that people want. The second is that old castle-and-moat perimeter defense piece.

(05:54):
That was very appropriate for a data center driven world. You had a digestible number of perimeters, maybe you had four data centers, or eight or 12 or 15, but you controlled them. You knew what they looked like and you could actually manage those perimeters and keep the assets inside safe from the internet. In the cloud, most organizations have thousands or tens of

(06:14):
thousands or hundreds of thousands of mini perimeters. The perimeter didn't go away, it just atomized. Every virtual private cloud in an AWS instance or VNet within Azure, every Kubernetes cluster, every API endpoint, every MCP server going into the agentic world is typically internet addressable and needs a perimeter defense strategy.

(06:36):
So now, instead of 10 perimeters, you've got thousands or tens of thousands, hundreds of thousands. And then the third is most of the workloads are ephemeral, they're not long-lived. The VMs are pretty long-lived, but most of the stuff that people are doing today is serverless, and the combination of those three radically changes how you even think through

(06:59):
network security. And that's the task we've taken upon ourselves at Aviatrix, is help make this clear to the world and help educate the CIOs and CISOs of, like, what does that mean? Why should I care about what you're saying, Doug? It means that you've got an attack surface that's probably 50 to 80 percent of all the interesting communications are

(07:21):
happening, that is largely unguarded, and in a world of Gen AI, it's this bad, period. In a world of Gen AI, it's really bad.

Speaker 1 (07:32):
So let's break that down, the three cloud security challenges: the multiplying perimeter, the internet becoming the network, new apps and app modernization taking place with Gen AI. When you talk to CISOs, what are they underestimating? What are the risks they're maybe ignoring or aren't aware of?

Speaker 2 (07:51):
When you mention education, so the way that we're framing this is, what we're trying to evangelize and bring to market is a zero trust cloud workload addition to the zero trust landscape, and I think what most CISOs I've talked to

(08:11):
are missing is an understanding of what does it take, what are those workloads and why is bringing a zero trust framework to those workloads important? And is it their responsibility or is it somebody else's responsibility? And I think that part of the shared responsibility model we talked about with the hyperscalers, there's also a

(08:33):
shared responsibility model with who actually deploys things into the cloud and who's accountable for security. And many CISOs are not responsible for the deployment. The CIO or the AppDev team or the DevOps team or the platform team is responsible for deployment, but they are fully accountable for the security. And trying to, excuse me, semi-caught a cold with all my

(08:58):
troubles this week, in fact, helping educate CISOs on the culpability, what does that landscape look like and then the potential culpability they have, and then giving them an easier button to solve that problem, are the steps that we're going through right now. And there's logical confusion on, oh, we've got a zero trust

(09:23):
initiative, like we're working with Zscaler or Cloudflare or CrowdStrike on zero trust, and they are, and those are really important zero trust initiatives. If I think about the three first principles, foundational elements of what can actually stop an attack or prevent an attack, there's three elements that are fundamental. Identity: if

(09:45):
I always know it's Evan and I always monitor what Evan's doing and it's not spoofed credentials, you really reduce the chance of an attack. Endpoint: if I know what Evan is using to communicate and I can control that device, I greatly increase my cyber effectiveness.

(10:05):
And then network, because you've got you on a device talking to something is all the interactions that are happening, and the network is key for that. So what we are evangelizing is the zero trust network security elements inside the clouds that, once Evan is certified as being

(10:26):
Evan and his device is understood to be effective and clean, and the packets, the requests, go in the cloud, now it's a workload to workload zero trust problem. I've got requests going from UI frameworks to app frameworks, to data frameworks, to Gen AI, MCP

(10:46):
server frameworks, to third-party SaaS engines and back to Evan, and all of that communication that's happening, hundreds or thousands of packet pings within a cloud, within multiple clouds, and SaaS providers back to my on-prem data center. How do you ensure that those communications are safe and have

(11:10):
zero trust, and that's the problem that we are excited about attacking.

Speaker 1 (11:15):
So let's dive deeper. How do you actually help them uncover and address those blind spots, the visibility that they're lacking into their exposure? What's the approach on the product?

Speaker 2 (11:28):
There's a couple of key elements that we view as foundational to the effectiveness of the Zero Trust Cloud workload orientation. One, going back to the internet, is the network. Most workloads, let's say VPC or VNet or a Kubernetes cluster, by default are connected to the internet.

(11:52):
The actual stance within Azure right now, they're supposed to change that by September, is as soon as you instantiate a VNet it automatically connects to the Internet. It's automatically given an Internet address. So the first piece is, rather than just have a direct connection, which is silly, or just putting a network address translation gateway there to try and give you some of that IP

(12:15):
utilization and disguising, you really need egress security. You want to make sure that every single workload that is communicating across the internet, that you are able to see where is it going to and what is it doing when it's going out to something out there. Is it actually going to Salesforce.com or is it going to

(12:37):
a spoofed address? Or is it just blatantly going to a known nefarious address because someone got inside your network and is now pointing that workload to a command and control framework with a nefarious website that can begin the communication path? So egress for us, we believe, is one of the most important elements, because when you do a true network security assessment

(13:00):
within our prospects or our customers, they're often shocked at the number of workloads that have direct Internet access without any type of visibility or control. The second piece that's critical is now, let's assume that you've got a better handle on what's happening with Internet communications. There are still many paths for bad actors to get into your

(13:21):
cloud environment. If you can stop command and control, that's the first piece. But assuming that there's some gateway somewhere, they then begin lateral movement. They generally do not come in to the most trusted assets. There's a whole multi-month or multi-year campaign for most of the bad actors to be super patient, inject their capability

(13:43):
and begin command and control activities and then work their way east-west, laterally, from the less important assets that they don't care about to something much more important, to a key database that has customer information, or laterally to promote malware everywhere, so they can actually shut everything down and lock everything down, as we saw with

(14:05):
MGM or we saw with UHG and Change Health. So the second component for us is how do you deal with at least macro segmentation on an east-west basis? How do you make sure that object A, workload A, is supposed to talk to workload B, and the movement that these bad actors are trying to make often will be from something that shouldn't ever have a communication channel to

(14:27):
something else, and then they get credentials for that new thing. So that's absolutely critical, and the third phase for us becomes something more micro-segment, micro-segmentation oriented. Which is, you can stop SAP from talking to a bad website that they're not supposed to. But now, within those instances, assuming that they're talking

(14:50):
to who they're supposed to talk to, bad things can still happen. And how you take much more refined micro-segmentation to isolate activity there. And then the fourth element that we believe is really important is overall encryption, more software-based encryption. We've seen in the world at large, there was an admittance about five or six months ago by the US government that our very valued telecommunications

(15:13):
infrastructure has actually been compromised by third-party actors. And unless you have encryption at a higher level, you have to assume that there's a decent chance that a lot of your information is being exfiltrated and interrogated. And so the combination of those four, we think, is a really important eventual deployment for a full cloud data security

(15:37):
fabric capability within an organization. But where you start as an organization really depends on what does your environment look like and what do you want to lock down first, and then second and then third, to give you higher confidence that your cyber risk is at a reasonable level.

Speaker 1 (15:59):
Got it, very exciting. Let's touch on AI. The whole industry is excited about intelligent agents and automation and its role in cloud security, both in detection and defense. What's your point of view or perspective at Aviatrix?

Speaker 2 (16:24):
Important element here, and so, if I just finish that story, I was talking about the utilization of agentic AI and gen AI by organizations, which most of us are in the process of really pushing, excuse me, as quickly and aggressively as possible, just increases the number of workloads, the number of attack surfaces and the speed of change within most corporations' organizations' environment. So Gen AI, just from a deployment basis,

(16:47):
security for Gen AI and for AI within clouds is, I think, one of the propellants of why is a cloud-native security fabric so important. Why is a zero-trust cloud workloads framework so important? That is a good tailwind for someone like Aviatrix and anyone that's trying to solve this problem. The urgency for organizations is twofold.

(17:13):
How do you, given that we're all trying to deploy agentic and gen AI to help our organizations, how do you train your team and get them leaning forward on utilizing agentic and gen AI to do a better job of defense is absolutely critical, and what are you doing to secure your AI

(17:36):
and your other workloads is critical. But the other half that we've all been talking about that's super scary is now most of the organized bad actors, that Gen AI has been out for many years, but on a broad basis with ChatGPT 4.0 in 2022. For almost three years now, they've mastered it pretty

(17:59):
effectively, and so the vigorousness and effectiveness of attacks that we're seeing from any type of organized group out there is continuing to rise, which I think makes the criticality of what we're evangelizing that much more urgent for folks. Attackers, whether it's Gen AI only, Gen AI assisted or non-Gen

(18:22):
AI assisted, attackers think in graphs. They're trying to really understand the landscape of an organization and find any insertion point, any movement that they can have within that graph of all the objects, the individuals, the endpoints and then the workloads, cloud workloads and others that exist for organization A, B or C.

(18:43):
And understanding that Gen AI just increases the rate that they can develop these graphs and it increases the vulnerability that you have for insertion points and lateral movement, which goes back to, you better lock down your egress, you better lock down your east-west and you better implement encryption everywhere that makes sense so that you can

(19:06):
protect your estate.

Speaker 1 (19:09):
Got it. And now multi-cloud has become sort of the de facto reality out there for many enterprises, I'd say most enterprises. What additional risks are introduced with multiple clouds, whether it's compliance or other challenges that you're seeing in the field?

Speaker 2 (19:29):
Yeah, I'd say trying to manage cloud security effectively, even within a single cloud, is a bit problematic, because you really want universal, you want effective coverage of your policies and reactions across your entire estate, great solutions within each one of

(20:00):
their clouds to provide both the pervasive coverage that you need and the easy operationalization and adaptability, given how change-filled clouds are. As soon as you get to multi-cloud, and almost none of us are left out at this point in time, we're both organically realizing, hey, I need this workload in GCP because they're excellent here, I need this in Azure, I need this in OCI and this in AWS. And then acquisitions only make that worse, because you wind up

(20:23):
acquiring companies that have made those cloud choices as well. As soon as you get to multi-cloud, it becomes really problematic because the policy and the visibility and the enforcement needs to follow the workload. And workload, as I said, is hard enough within one cloud,

(20:45):
given the diversity that happens within that cloud. But as soon as you've got the activity, consistent policy, consistent enforcement, consistent deep dive and diagnostics within those clouds, and so I think that the Gen AI

(21:07):
wave, the shift in cloud architecture that opens up this aperture, the Gen AI wave that's propelling more workloads and multi-cloud are the three core factors that mandate that CISOs and CIOs need to start thinking about this problem and looking at companies like Aviatrix as potential solutions for them.

Speaker 1 (21:30):
Got it. And you've been out there furiously talking to customers and partners, press, media, everyone out there. What sort of dialogue are you hoping to spark with the security community as we get into next month, with DEF CON and Black Hat and on and on with great events? What's the feedback and what are you hoping to

Speaker 2 (21:49):
learn. We are in the early stages. If I go back to Splunk back in 2014, 15, 16, when we were jumping up and down about security being a data problem, that was not a cool thing. That was, people were looking at different elements that they thought could help with security, and orientation is there's a foundational layer, the data layer, that can serve all aspects

(22:11):
of security and non-security to get the appropriate insight and awareness of what's happening in the security layer, with security overall. And finally, about 2018-19, when I was walking through RSA, I heard 80% of companies say, oh, security is a data problem. We've got that same journey, I think, with Aviatrix, which is helping to drive awareness of why is a Zero Trust Cloud

(22:35):
workload stance so critical, why is it a missing piece on your Zero Trust journey? And there, when you look at CISA's framework, their Zero Trust maturity model, they actually call out how the elements that we're focused on, network, network overall,

(22:56):
different visibility aspects, apply to all aspects of security and why it's important. But we are just, for any of you out there that go to our website, have been going to our website and really are looking at our blogging activity, our podcasting activity, the words that we're using on the website, we began this pivot in fall and, month over month, we're really

(23:17):
trying to drive awareness and education and understanding of the problem and felt need on why this is something that people need to pay attention to, and ultimately we've got to convince CISOs and IT teams to look at the whiteboard that they have with all their projects and put this cloud native security

(23:38):
fabric category and the zero trust cloud workload problem up on that whiteboard in one of the top five positions if we want to help the world lock down this huge attack surface that keeps me up at night. It's become a personal mission at Aviatrix. There's been a series of quarters of getting more

(24:02):
emotionally attached to what we're doing, a lot like Splunk. I love data. I've been in the data space for a huge chunk of my life and that's what attracted me to Splunk. But it took me, quarter after quarter, to get much more passionate about where we could use data to solve key problems. As we really rotated to cyber, it became a life's mission and

(24:22):
that's where I am now with Aviatrix. My number one mission is how do I make people aware of this? And then number two is how do we, through that, how do we help Aviatrix? But whether you ever look at us or not, please just pay attention to this problem, because we're all citizens and I use all these services, and if I can't have confidence in my

(24:43):
online life, our way of life looks really different than it does today. So there's a higher level mission and purpose to securing the world's digital fabric that we're super passionate about right now.

Speaker 1 (24:56):
Wonderful. Well, that's a mic drop moment there. You're an optimist, clearly. Where do you see this level of maturity landing in a couple of years? I assume you think we're going to get there, if not fully, then partially.

Speaker 2 (25:12):
Yeah, I don't think that we have a choice. I think humans react really well, for whatever reason. We wait until there's a crisis to truly pay attention, and when we do, we react extremely well. The Gen AI initiative, the continued modernization and

(25:34):
migration of workloads to cloud, like all those factors, as we're seeing, sadly, like there's not a day that goes by that I don't see some high visibility breach happen. Now I think that we will react. I've got high confidence we'll react, and it's just like how much pain are we going to endure before we up the game and level

(25:56):
across many organizations? But I have strong confidence in the resilience and adaptability of humans, so we'll find a way.

Speaker 1 (26:06):
Well, wonderful sentiment. Thank you so much for joining and sharing the mission and vision, and I appreciate your time. Onwards and upwards.

Speaker 2 (26:14):
Well, thank you, and I appreciate yours as well. Thank you for having me on, and I hope that the weather stays beautiful in Boston. You enjoy a great weekend.

Speaker 1 (26:22):
Thanks so much, and thanks everyone for listening and watching, and check out our new TV show at techimpacttv, now on Fox Business and Bloomberg. Take care everyone. Bye-bye.