Are you prepared to redefine your approach to securing the public cloud? Join us for an enlightening discussion with Jeff, an InfoSec veteran, where we unravel the intricacies of securing public cloud-native platforms. As we step into Jeff's career of over two decades, we explore the world of cloud security and emphasize the role of cloud providers and the necessity for a shift in our security approach.
We have a powerhouse guest from Sonrai, who gives us a detailed inside look at the complexities of identity and access management (IAM) in the cloud. We tackle topics like the risk of maintaining multiple admin level accounts, the urgent need for visibility and clean-up, and how companies like Sonrai assist in addressing these challenges by identifying and eliminating unused identities. As we journey through this episode, we also touch upon the concept of least privilege and proactive measures to protect against potential cyber threats.
We're not all business and no personal growth. In this episode, we also share our experiences with overcoming imposter syndrome, the value of certifications in the job market, and the crucial role of headhunters in the info sec industry. Finally, we take a glimpse into the future of IAM in the cloud and its role in a cloud-native world. This episode is a must-listen if you're interested in rethinking your cloud security strategies and gearing up for a successful career in the ever-evolving world of technology. Strap in for an information-packed episode that promises to leave you with fresh insights and effective strategies.
Sonrai prides themselves on being able to reveal every over-privileged identity and all paths
Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, Jeff?
00:00:01
It's really good to finally have you on the podcast here.
00:00:05
You know we've been trying to put this thing together for
00:00:09
several months but then you know it's just one thing after the
00:00:13
other in both of our lives that you know randomly comes up like
00:00:18
30 minutes before we're going to do it.
00:00:21
Speaker 2: I know, I know, the stars have finally aligned,
00:00:24
Joe.
00:00:24
It's good to finally, you know, make it happen.
00:00:26
So glad to be here.
00:00:28
Speaker 1: Yeah, definitely.
00:00:28
Well, I'm sure we're going to have a great conversation, you
00:00:31
know.
00:00:32
Hopefully it'll be valuable to some people out there.
00:00:36
Speaker 2: I hope so.
00:00:36
I hope so.
00:00:37
It's an interesting world that I live in daily, that you know.
00:00:40
Hopefully we can get a couple of nuggets out there that are
00:00:43
really helpful, just based on what I see day to day with this
00:00:46
world of insane access and privilege risk in the in the
00:00:49
cloud.
00:00:50
Speaker 1: So oh man, I can talk about IAM forever, but you know
00:00:55
, before we get into the IAM stuff, you know, Jeff, why don't
00:00:58
we start with what your background is, why you got into
00:01:01
IT, why you got into security, what that journey was like.
00:01:05
Was it faster than you expected?
00:01:07
Was it slower than you expected?
00:01:09
What was that like?
00:01:10
Speaker 2: Yeah, so I've been in InfoSec now for a little over
00:01:14
20 years now.
00:01:15
Yeah, and I've been in IT since 99.
00:01:19
And it's interesting, you know, I went to college here in
00:01:24
Atlanta and I got a degree in human resources.
00:01:27
Joe, it is the last thing that you would expect with what I've
00:01:31
been doing the last 20 plus years, but I quickly realized
00:01:35
that after I went to business school that that is not what I
00:01:37
wanted to do full time.
00:01:38
I was really a nerd at heart and ripping apart PCs since I was
00:01:42
, you know, since the early nineties, logging into BBSs and all
00:01:45
that crazy stuff using Gopher and all that.
00:01:49
You know the stuff that really, really dates me as I talk about
00:01:52
it now and think about it.
00:01:53
But I was like you know what I want to get into tech?
00:01:56
That's what I really want to do.
00:01:58
And back then, like one of the big training centers all over
00:02:02
the world was called ExecuTrain and I went there and got
00:02:05
my A plus cert back in 99.
00:02:07
And they saw I had a passion and they offered me a gig.
00:02:10
They were like, do you want to?
00:02:11
Just, you know, a job here setting up classrooms every day?
00:02:14
And, Joe, that fast-tracked me through the whole.
00:02:17
You know NT4, MCSE and you know setting up 13 Microsoft classes
00:02:23
a day.
00:02:23
You'll learn real quick, right, and so that's how I got in IT.
00:02:28
And then I got into information security at what many think is
00:02:33
the original Internet Security Company, which was Internet
00:02:36
Security Systems here in Atlanta.
00:02:38
And if you look at it today, there are hundreds of InfoSec
00:02:42
companies that have spun off because of ISS back then.
00:02:45
So that's really where I just dove straight into InfoSec and
00:02:48
I've been doing that ever since.
00:02:51
And you know I was focused on on-prem infrastructure security
00:02:56
for many, many years, like I'm sure you were right, like we all
00:03:00
were, through the early 2000s.
00:03:02
And then I left Cisco around three and a half years ago where
00:03:06
I was leading, you know, a team of sales engineers to come over
00:03:10
to Sonrai and focus on public cloud security full time.
00:03:14
And Joe, holy cow, was I humbled.
00:03:17
I thought I understood the public cloud and I thought I
00:03:20
understood how to secure it when I was at Cisco, because of
00:03:23
infrastructure as a service and monitoring flow logs and
00:03:26
protecting VMs, I had no idea about what was happening at the
00:03:30
platform level in these cloud service providers, and so that's
00:03:34
what I've been focused on the last three and a half years.
00:03:36
It's what I do day in and day out, and you know I consult I,
00:03:41
you know, teach customers how to build, you know, a platform
00:03:44
security strategy focused around access and privilege, and so
00:03:48
that's what I do full time, and it is it's a challenging,
00:03:52
challenging world that we are trying to protect now as it
00:03:55
relates to cloud native, and so I'm sure we'll get into it here,
00:03:59
as we, you know, continue the conversation.
00:04:01
Speaker 1: Yeah, absolutely, you know the cloud.
00:04:03
I always tell people that you know cloud security is like that
00:04:08
graduated level of security.
00:04:11
You know you need experience in several other domains, you need
00:04:16
to be deploying technology in those domains before you start
00:04:20
jumping into cloud security.
00:04:21
Because you know cloud security, you can't walk over to a
00:04:25
server and unplug it right.
00:04:27
You can't walk over to a server and console into it.
00:04:31
You know, like that stuff doesn't exist and a lot of
00:04:34
people, you know, their
00:04:36
initial response would be like, oh well, that's a problem.
00:04:39
On the cloud provider, it's like these contracts are written
00:04:42
very differently.
00:04:43
It's so true, and the cloud provider is like never.
00:04:50
Speaker 2: That's a great point, because a lot of what I do
00:04:54
nowadays, Joe, is, as I relate the public cloud situation to
00:05:00
the world that you and I both came from and so many of the
00:05:02
folks listening right, securing data centers and colos and
00:05:06
hardware, and you know, rack and stack and servers and routers
00:05:08
and switches and dealing with core and access and distribution
00:05:11
issues and firewalls, right, and you know what I liken it to, you
00:05:15
know, as far as the world that I see all the time is, it's
00:05:20
almost like you built a data center, right, and what we do
00:05:26
when we build a data center, we fortify it, right, we put in our
00:05:29
firewalls and we build our DMZs, then we build out our
00:05:33
different access layers and it's all zoned and segmented right.
00:05:36
That's just what you do.
00:05:37
It's not a nice to have you got to do that right, but when we
00:05:41
plug in here at Sonrai, when we plug into customers' environments
00:05:44
, it's very interesting, to put it gently, because everything's
00:05:50
flat, everything can talk to everything in so many scenarios,
00:05:55
and it's just because organizations, just like you
00:05:58
said, they were thinking well, the cloud provider is going to
00:06:00
take care of all that for me.
00:06:01
They're going to secure it, they're going to segment it.
00:06:02
They're going to zone it.
00:06:03
Each little thing that I provision, each little resource
00:06:05
or microservice that I provision, it's going to be in its own
00:06:08
little, and again, to liken it to the network days, its own
00:06:11
little broadcast domain, okay, where it can just talk to itself
00:06:14
and maybe, if I tell it to go talk to something else, that's
00:06:16
great.
00:06:17
But that's not the case, right?
00:06:19
And so they're just not aware that they really need to be
00:06:21
thinking of securing the public cloud the same way that they do
00:06:24
on-prem.
00:06:25
That you really really got to be thinking about segmentation.
00:06:28
But in a cloud-native world, when we do the segmentation, is
00:06:34
it layer three, layer four?
00:06:36
No, it's at layer seven, it's at the application layer.
00:06:41
Right, it's abstracted through the access fabric.
00:06:43
That's how everything lives, breathes and communicates, is
00:06:46
through the.
00:06:46
You know, like you said, IAM, but you got to start thinking of
00:06:49
IAM like a network, because that's what it is, and so it's
00:06:54
so true when you relate it to something that they're very,
00:06:58
very familiar with, all of a sudden, you know, folks eyes
00:07:00
open up.
00:07:01
Speaker 1: Yeah, it's a really good point.
00:07:02
You know, at my current organization, right, I wanted to
00:07:08
, you know, create a resource that I could reach out to the
00:07:11
internet.
00:07:12
It's in a dev environment, you know, because I was trying to
00:07:15
test something right, and the entire dev team that owned that
00:07:20
entire function was like it's impossible, you're not going to
00:07:23
be able to do it.
00:07:24
We're not turning off this rule.
00:07:25
That auto, you know, removes it, all these things, right, I was
00:07:30
constantly told it.
00:07:31
I was like, guys, I'm going to get around your rule.
00:07:33
Like I'm getting around it.
00:07:35
You know, like, whether you like it or not, I'm getting
00:07:38
around it.
00:07:38
I know what I'm doing.
00:07:39
I'm sorry, like I know that you've spent, you know, five,
00:07:43
six years in the cloud and whatnot, but I know how this
00:07:45
thing works.
00:07:47
I don't get these certs by not knowing how this, how AWS, works
00:07:50
and you know sure enough, right, I got through it.
00:07:56
And then the next thing that they're complaining about is I'm
00:07:58
firing off a lot of alerts, like, okay, I'll just bypass
00:08:01
your alerts.
00:08:03
Speaker 2: That's not a problem.
00:08:04
Yeah Well, I think that you know, back in the days of the
00:08:08
on-prem world, you know everything was you know the IT
00:08:10
staff.
00:08:11
They could do that.
00:08:11
They could, you know, manage everything through very, very
00:08:14
specific, finite ingress/egress points.
00:08:16
Right, and if you wanted to do something to test, you had to
00:08:19
put in that change control request and you had to.
00:08:21
You know you were at their mercy.
00:08:23
But now you know, joe, if you want to go, do that, just go, do
00:08:26
it, just go build it.
00:08:28
I mean, there's not in the cloud, there's not you know one
00:08:31
or two ingress/egress points, there are thousands.
00:08:35
I think it's fascinating, I think it's absolutely
00:08:38
fascinating, Joe, that if I want to log into your cloud right
00:08:43
now, all I need is a cred right and my laptop right here.
00:08:48
So technically, my laptop right now is two commands AWS
00:08:54
configure.
00:08:54
It's two commands away from being dropped dead in the middle
00:09:00
of your cloud.
00:09:01
That's fascinating right.
00:09:04
Speaker 1: Could you imagine if, like AWS had a you know some
00:09:07
bug that bypass their login?
00:09:10
You know, like you were able to just do it via the console or
00:09:13
something like that.
00:09:14
You, if you, just if you guess the account number right, you
00:09:17
know you're in the account, whatever it might be.
00:09:19
I always think about that because it's like man, we're
00:09:22
putting a lot of trust into this thing to not fail, and it's
00:09:27
created by people like me and you know I'm not the smartest
00:09:32
person in every single area, like I'm a little dumb here and
00:09:35
there, you know.
00:09:37
Speaker 2: Yeah, it's, it's.
00:09:38
It's fascinating.
00:09:38
I mean, it bypasses all of your security measures, right, all I
00:09:43
need is a cred and with one command, with the, you know, the
00:09:46
AWS or GCP or Azure SDKs, with my laptop here, I'm just dead
00:09:50
center in the middle of your cloud.
00:09:51
It doesn't matter what you've got protecting it at the
00:09:54
perimeter, and so that really, I think that's what fascinated me
00:09:58
when I started to learn about identity.
00:10:01
Risk is how quickly you could be in the hub of a
00:10:07
customer's cloud environment, regardless of what they've done
00:10:10
to protect the spokes that they think are the entryways.
00:10:12
I mean, they are entryways, but more and more often, what you
00:10:16
know, you and I are seeing now in the market is that
00:10:18
folks are just logging in, they just log right into the center
00:10:21
of your cloud, and that's where things get really
00:10:23
really hairy.
00:10:25
Speaker 1: Yeah, it's a really good point. From a cloud engineer
00:10:27
slash architect.
00:10:28
My biggest problem is IAM by far, you know, it's, it's IAM
00:10:34
trying to manage the roles, right, what roles we have, what
00:10:39
accounts we have, what services are using, what.
00:10:42
It's a pretty close to impossible task without, without
00:10:46
a solution that is dedicated to it.
00:10:48
You know, it's really frustrating.
00:10:51
The most frustrated time that I've ever been was when I was
00:10:55
working in IAM on-prem.
00:10:57
That's when I used to have hair.
00:10:58
It's terrible, you know.
00:11:02
It's like it's a.
00:11:03
It can.
00:11:04
It can really make your day very difficult or it can make it
00:11:08
relatively smooth, right, I feel like it's just like up to
00:11:12
the power of that.
00:11:13
IAM service, or whatever it might be, is like are we going
00:11:16
to have a good day or are we going to have a bad day?
00:11:19
Speaker 2: Yes, yeah, and it really is daunting.
00:11:22
You know, I recently heard a term that it just it resonated
00:11:26
so well with me.
00:11:27
I heard it.
00:11:28
I just came back from September this was in September, but it
00:11:32
was back in.
00:11:32
It was in Seattle, Bellevue, right, and hosted by the cloud
00:11:37
security lines, and I heard a comment that just really really
00:11:41
resonated so well with me, and it's that you've got to be
00:11:44
thinking about cyber garbage, identity, identity, identity
00:11:50
litter.
00:11:50
Think about that.
00:11:53
That's what we're up against, like you said, you know, IAM.
00:11:57
When it does work, it creates all of these personas, these
00:12:00
usually non-person identities, which are vast and vague as to
00:12:05
far as what that constitutes.
00:12:06
Right, but it's just as equally, if not more, dangerous than a
00:12:08
person identity.
00:12:09
But projects come and go, priorities change, life turns
00:12:16
over, for whatever reason.
00:12:17
Right, attrition, and what's left is identity garbage,
00:12:22
identity litter.
00:12:23
Right, but it is scary because it has rights to go do things
00:12:30
right.
00:12:31
All it takes is an access key associated with a role or token
00:12:36
or someone getting a cred out of,
00:36:37
you know, GitHub or, you know, S3.
00:12:40
It's still happening, right.
00:12:42
Global exposure is rampant, still.
00:12:46
So you have all of those different kind of vectors that
00:12:51
are just sitting out there, hundreds, if not thousands, that
00:12:53
you just don't know about.
00:12:54
Like you said, if you're not intentional about it, if you
00:12:57
don't have a tool that's designed to go crawl and map it
00:12:59
all out and figure out what's out there, what can it do and
00:13:02
what can it access, then these are all things that you're blind
00:13:05
to, but they're all entry points straight into the heart
00:13:09
of your cloud.
00:13:10
It doesn't matter how much vulnerability scanning you do or
00:13:14
you know which compliance standard you're adhering to.
00:13:16
None of that matters, joe.
00:13:18
Throw it all out the window when someone grabs one of those
00:13:20
creds and uses it to their advantage.
00:13:23
So really you've got to be intentional about understanding
00:13:26
what's out there, right, and cleaning it up, getting rid of
00:13:30
the litter, getting rid of the garbage and then governing it
00:13:33
moving forward.
00:13:34
Speaker 1: Yeah, it's a great point.
00:13:35
You know it's hard to fathom the scale at which you can
00:13:42
create thousands of IAM accounts and roles in your environment.
00:13:46
And I'm in this thing, right, I do this every single day.
00:13:49
It's even difficult sometimes for me to imagine it, and you
00:13:54
know so.
00:13:54
I work for a large automotive manufacturer, right, you can
00:14:01
easily guess whichever one it is.
00:14:02
I'm not going to say any more than that.
00:14:04
But you know, we consume cloud services almost as a service,
00:14:12
because our parent company, the one that owns us all, negotiated
00:14:16
the contract with the cloud provider and kind of offers up
00:14:20
these services as a service to us, right?
00:14:23
So they're building out our cloud tenants, they're giving us
00:14:27
a blank template right to work with and they have their own
00:14:30
controls around it.
00:14:31
And their thought, you know, I was talking to these guys and
00:14:35
they said well, how bad can it really get?
00:14:37
Right, we're not giving them everything.
00:14:40
Why do they need to create all this stuff?
00:14:43
They literally said I bet they won't need that many IAM
00:14:47
accounts or roles, right, Because we're giving them the
00:14:50
template.
00:14:52
And very quickly, within six to 12 months, we were at 200
00:14:58
accounts, 200 accounts across our tenants.
00:15:02
And how do you expect that?
00:15:05
How do you have a solution that manages that?
00:15:08
You know, when I was doing IAM on-prem, we were dealing with
00:15:14
42 accounts and we had maybe 2 employees.
00:15:21
Each employee had five accounts.
00:15:24
Most of them didn't even know that those five accounts existed
00:15:27
and so, like, we had a lot of dead accounts, right.
00:15:32
So, like, if you really factor that in, we're probably at, like
00:15:35
, you know, 10 accounts, right, 10 actual user
00:15:41
accounts that are being used.
00:15:42
This is 10-20X that.
00:15:47
Speaker 2: It's insane, it is.
00:15:49
It is.
00:15:50
You're talking about a very person-oriented landscape.
00:15:55
I would venture that for every one person identity that we at
00:16:00
Sonrai see here in customer environments, there's 10
00:16:03
non-person identities to go with it.
00:16:05
That's what's really really fascinating is the explosion of
00:16:09
NPIs.
00:16:10
We call them non-person identities, and they are roles,
00:16:13
service principals, managed identities, access keys, tokens,
00:16:16
things that grant access and privilege to go do things, but
00:16:21
they're not as simple to understand as hey, we're just
00:16:25
going to create a user account.
00:16:26
It's NPIs that we really really have to be thinking about.
00:16:32
The other thing, Joe, is, it doesn't matter if it's a user
00:16:35
account or a non-person identity.
00:16:37
You've got to be thinking about the permissions on them, right?
00:16:40
It's not just hey, we're going to go create an account that
00:16:43
lets you go do things.
00:16:44
You've got to be thinking about the excessive permissions and
00:16:48
entitlements on these things and treat that as risk as well.
00:16:52
Not just thinking about cleaning up things that are
00:16:54
orphaned and abandoned, but the things that we do need for the
00:16:58
applications to run.
00:16:59
There's a concept that is growing, thankfully, in this
00:17:03
industry of least privilege.
00:17:04
It's a holy grail.
00:17:06
Can we get to least privilege?
00:17:07
I don't know if anyone's ever going to truly get to least
00:17:09
privilege, Joe.
00:17:10
That's like saying you're going to fix every vulnerability.
00:17:12
You're never going to fix every vulnerability, right.
00:17:14
But if you understand which identities mean the most to the
00:17:17
business, then you can focus on at least getting them to least
00:17:20
privilege so that if and when someone does get in, they can't
00:17:24
go wreak havoc in your environment.
00:17:27
Speaker 1: Yeah, getting to a full least privilege state.
00:17:30
I mean, the only way that you do that is if you started from
00:17:33
the inception of the company.
00:17:36
Speaker 2: That's literally the only way that you you got to
00:17:39
build into the development process too.
00:17:41
That is a lot easier said than done, my friend.
00:17:46
When we plug in, everything's already out there.
00:17:49
Everything's already living and breathing.
00:17:51
The litter and garbage is out there, but in a greenfield
00:17:55
environment.
00:17:55
Oh my goodness, how cool would it be if you built least
00:18:00
privilege into the actual development process.
00:18:03
That's something that we preach here at Sonrai is being able to
00:18:08
do that, so that when you do push to production, you've
00:18:11
already removed all that nonsense.
00:18:13
You've got to have a lot of cooperation and collaboration
00:18:17
with the development team, though.
00:18:20
Speaker 1: Yeah, that's very true.
00:18:21
You have to have everyone on board.
00:18:23
When you were starting out or even throughout your career, did
00:18:27
you ever feel like this isn't a fit for me?
00:18:29
This is too far above my head.
00:18:30
I don't understand what's going on here.
00:18:33
They surely hired the wrong person.
00:18:36
I asked that because I started in IT, I guess technically, in
00:18:41
high school.
00:18:41
I didn't know anything.
00:18:44
I knew how to plug in the USB and install whatever was on it,
00:18:47
that's it.
00:18:47
But as I went through my career, for instance, one role was
00:18:52
nothing but Linux.
00:18:53
I might as well have Linux on my laptop that I was using for
00:18:58
the job.
00:18:58
That's how much we used it I felt like I was not a fit for
00:19:04
that role at all, by any stretch of the term.
00:19:07
I asked this question because I actually get a lot of questions
00:19:11
about that.
00:19:12
I feel like I don't know enough, this isn't a fit for me and
00:19:18
whatnot.
00:19:19
I feel like it's more about time and you putting in the
00:19:22
effort than anything.
00:19:23
It will eventually come.
00:19:26
I'm wondering if you experienced that as well.
00:19:30
Speaker 2: I did.
00:19:30
It's a great question.
00:19:31
It takes me back.
00:19:33
It takes me way back when I left that training company and
00:19:37
got my first network admin role.
00:19:39
It was at a company called Dice.com, which you may have
00:19:43
heard of I don't even know if they're still around, but it was
00:19:47
like the IT job site back then, before Monster.
00:19:49
I was their network admin for their training division.
00:19:55
I will never forget being given the keys to that server room and
00:19:59
looking at all the routers and switches and the firewalls and
00:20:03
everything.
00:20:03
They're like okay, it's all yours.
00:20:06
I was like okay, I may have bitten off more than I can chew.
00:20:12
I don't know the first thing about any of this stuff.
00:20:14
As far as the routers and switching, all of that, I could
00:20:17
administer Windows till the cows come home.
00:20:19
But I'll never forget we had an outage.
00:20:23
I had to deal with the PIX 506 back in the day.
00:20:26
If you remember what a Cisco PIX was.
00:20:28
It predated the ASAs.
00:20:30
I started with the ASAs.
00:20:32
Yeah, I will never forget.
00:20:35
We had an outage and luckily there was a senior administrator
00:20:39
who got on the phone with me and walked me through the crypto
00:20:42
map statements and all that ISAKMP stuff, if you remember.
00:20:46
I did not know what I was doing.
00:20:47
But I really, really I felt over my head a little bit of
00:20:52
imposter syndrome, if you will, but I was humbled enough to not
00:20:57
be afraid to ask for help.
00:20:59
I think that's the key is that I realized you know what I can
00:21:03
do, this, I can be successful at this if I don't act like I know
00:21:09
what I'm doing, if I'm able to say you know what, I'm not an
00:21:12
expert at this, but if you can show me I can take this and run
00:21:15
with it.
00:21:16
I think that that was a big, big turning point in my career
00:21:19
is not being afraid to ask for help, not feeling like I have to
00:21:24
be the smartest person in the room or anything like that.
00:21:26
But then you got to do the hard work.
00:21:29
You've got to actually apply it so that you really do
00:21:34
understand the next time it comes around.
00:21:35
You're not asking that same person that same question.
00:21:37
Can you come in and do it for me, as long as you prove to
00:21:39
someone that you're learning, that you're listening, that you
00:21:41
really really do care.
00:21:42
I found that folks really want to pour into you.
00:21:44
They do.
00:21:46
Folks love teaching other people things as long as you're
00:21:50
really listening and absorbing and being appreciative.
00:21:53
I think that was one big thing, right, so that in fast forward
00:21:58
to today, I look at how often that has helped me out in my
00:22:02
career, right.
00:22:04
Or I'm not afraid to say, hey, you know, you're really amazing
00:22:07
at this, is there a way that you can mentor me, right?
00:22:11
And so I just I think that's it Be humble, don't be afraid to
00:22:15
ask for help and be appreciative.
00:22:17
It really it's amazing what people will do for you If that's
00:22:20
what you do.
00:22:22
Speaker 1: Yeah, I think that's a great point and that's
00:22:24
definitely something to keep in mind too.
00:22:25
You know, when you're going through these different roles,
00:22:28
like you're not going to know everything you know, and even on
00:22:31
this podcast, right, I recommend that if you fit 50% of
00:22:35
the job requirements and a posting, that you should be
00:22:38
applying to it.
00:22:39
You know, because if you're at 50%, I can teach you the other
00:22:43
50%, right, and yeah, it may be a faster pace, environment and
00:22:47
whatnot, but we can get through that.
00:22:49
Speaker 2: When it's.
00:22:49
Speaker 1: when it's less than 50% it gets a little bit more
00:22:52
difficult because it's like, all right, you don't have the
00:22:53
foundation that we need to build this thing, Right?
00:22:56
I've got a comment on that.
00:22:58
Speaker 2: So you know I've done a lot of hiring over the years
00:23:01
as I've led sales, engineering and even post sales tech support
00:23:05
and TAM teams at various companies, and you could not be
00:23:09
more right, Joe, about you know the 50% role.
00:23:12
What I want when I'm looking at folks to join our team is is
00:23:17
passion, right?
00:23:18
Obviously, personality, right? Is there?
00:23:20
Does this person seem a great character?
00:23:22
Do they really seem genuine?
00:23:24
Do they really have an interest?
00:23:26
Is there a path?
00:23:26
Is there a drive?
00:23:27
Right?
00:23:28
I can teach you the other 50% from a technical perspective, if
00:23:33
you can bring 50% to the table.
00:23:35
And what we've started doing and what I've started doing in my
00:23:37
career because there is such a tech skills shortage, especially
00:23:40
in the area that you and I live in is, if I can give you a
00:23:44
project, I'm going to give you a week.
00:23:45
Right, go build this lab out in AWS and I want this lab to do X
00:23:51
, Y and Z.
00:23:52
And what I want is in a week we're going to circle back on a
00:23:55
Zoom or whatever and I want you to walk me through how you built
00:23:58
the lab.
00:23:59
But I want you to show me which resources you use to learn.
00:24:02
I want you to show me that you can go figure it out and that
00:24:06
you are.
00:24:07
You know that you're creative, that you're a problem solver.
00:24:09
I don't care that you didn't know this a week ago, but if you
00:24:13
can go learn this and explain this to me and show that you can
00:24:16
do it in a week's time, that's all I need to know Because we
00:24:19
can work with that Right.
00:24:21
And so I think that, absolutely, if you've got like 50% skills
00:24:25
or whatever and you know there's another half that you're not,
00:24:27
don't be afraid to go for it and take a shot and, heck, offer it
00:24:31
up.
00:24:31
Say, give me a chance to prove myself.
00:24:34
I think you'd be surprised at what hiring managers will do
00:24:40
when they see that level of energy and an intent from a
00:24:44
candidate.
00:24:46
Speaker 1: Yeah, absolutely.
00:24:47
You also got to be taking copious amounts of notes.
00:24:50
I found throughout my career when I was learning different
00:24:57
things, I mean even now I'll take a bunch of notes.
00:24:59
But when I was learning, not knowing or not even having the
00:25:05
background in an area, I had to take an insane amount of notes.
00:25:09
It was an embarrassing amount of notes.
00:25:11
If you looked at my, I think it was like notepad or whatever it
00:25:15
was.
00:25:15
I mean, you could scroll on that thing for like five minutes
00:25:18
, right.
00:25:20
But in doing that you become a very valuable resource, because
00:25:27
not only are you experiencing it, you're taking notes on it.
00:25:31
Those two things reinforce it in your mind and from that you
00:25:36
turn into an internal resource for that company.
00:25:39
In a certain area. For me at this company, it was security.
00:25:42
Whenever there was a security problem or anyone asked about
00:25:46
security, it was immediately just go to Joe, right, he's the
00:25:50
only one that spent any sort of time with it.
00:25:52
That's for engineers, that's for developers, that's for the
00:25:55
architects, like that was for all of them.
00:25:58
And I was like the lowest man on the totem pole, right.
00:26:00
Well, I got there because I took a huge amount of notes and
00:26:04
I got to encountering these stupid problems, and so I was
00:26:09
forced to learn it.
00:26:09
I had to learn it, otherwise I was going to lose my job, right,
00:26:13
and I think taking notes absolutely helps, especially
00:26:19
when you're starting in a new role.
00:26:21
Speaker 2: It does.
00:26:21
It shows you're listening the cream of rice to the crop.
00:26:25
And for all of us, I think, at this kind of the level that you
00:26:29
and I are at in our careers, I mean, we started, like I started,
00:26:32
in tech support level one, right, you got to start
00:26:35
somewhere and your work will speak for itself, right, if you
00:26:42
are passionate and if you, like you said, you take notes, you
00:26:45
pay attention, you show that you want to just kick butt at the
00:26:49
role that you're in.
00:26:49
The work will speak for itself, people will notice and it will
00:26:54
open the door for new opportunities for you.
00:26:56
Absolutely right, and it's just, you got to work hard in the
00:27:00
beginning, right, and it will be noticed.
00:27:04
Speaker 1: Yeah, absolutely.
00:27:05
I think, a part of working hard I feel like some people are
00:27:10
worried about that being noticed part, you know, they feel like
00:27:15
if they put in the work, they put in the time, it's going to
00:27:18
be for nothing.
00:27:19
You know, I think that that's the worst.
00:27:21
That's the worst feeling for anyone to feel.
00:27:24
You know, when you're putting in the hours, when you're doing
00:27:27
the work, and you're still not getting the job, you know you're
00:27:30
still not meeting the bar, right, how do you keep going?
00:27:34
And, to be quite honest, even with this podcast, I have felt
00:27:38
that at times, you know, like I'm doing these episodes and I'm
00:27:42
putting all this time into it, I'm learning how to edit, you
00:27:46
know all these different things, right, and it feels like, oh,
00:27:49
nothing is coming from this, it's going nowhere.
00:27:52
I'm putting my time and effort into something that's not going
00:27:55
to help me in any way.
00:27:56
It's almost like, you know, the universe, right, shows up, just
00:27:59
gives me a little nugget, like, oh, you didn't think that this
00:28:03
would ever happen and it happens.
00:28:04
You know things like that, it's a grind, it's it is, it's hard,
00:28:11
there's no way around it, unfortunately, yeah, it's true,
00:28:16
but I mean, that's how life goes.
00:28:18
Speaker 2: Yeah, right, you got to fight for anything worth
00:28:21
having and it's not going to come easy and you're going to
00:28:24
have to stick it out.
00:28:25
And you know, like you said, that's happening with the
00:28:28
podcast and tap with me in my career.
00:28:29
But I will say this also, you know, by the way, I'm not known
00:28:33
for having a great filter.
00:28:34
I'm known for being overly transparent at times, right?
00:28:38
But guess what?
00:28:39
If it's not working out for you, if you're working your butt
00:28:41
off and it's not being rewarded, if they're not noticing, right,
00:28:45
and you think that you've done the things that you need to do
00:28:47
to be noticed, then don't be afraid to make a change.
00:28:49
I'm serious, don't be afraid.
00:28:51
Don't think that you're stuck in this rut and that there's not
00:28:54
any options out there.
00:28:55
Don't be afraid to put yourself out there to see if there's
00:28:58
other opportunities that could be rewarding, right?
00:29:00
And I think that that's kind of what fascinated me so much
00:29:05
about coming to Sonrai from Cisco.
00:29:07
You know, like I said I was because I there's a reason that
00:29:10
Cisco is the number one company in the world to work at.
00:29:12
It's fantastic, you know, I just so tell me friends over
00:29:16
there and everything.
00:29:16
Maybe one day we'll all go back to work at Cisco, right?
00:29:19
That's not really the point of the conversation here.
00:29:21
The point is that I want to try something new.
00:29:24
I wanted to try something adventurous, right, and Sonrai
00:29:28
gave me a great opportunity to do that right.
00:29:30
For you know, back then it was a series A startup.
00:29:32
I took a big risk, right, and Sonrai is a fantastic place to be
00:29:35
now.
00:29:35
But you know, the point is that if you are, if you feel like
00:29:42
you're you know, like you said, not getting rewarded, if you are
00:29:44
working your tail off and you don't see a trajectory, then
00:29:47
stand up for yourself and make a change.
00:29:49
Don't be afraid to.
00:29:51
Speaker 1: Yeah, it's a really valid point.
00:29:52
You know, and I don't want to, I don't want to linger on this
00:29:55
topic too much, but I think that this story will help someone
00:29:59
out there for sure.
00:30:00
You know, I have a good friend that I worked with at a
00:30:05
financial firm and you know he was very content with his role,
00:30:10
with his company, everything like that.
00:30:12
And the management didn't believe in him, you know,
00:30:17
because they paid for him to get a certification, like two times,
00:30:21
and he failed the test, you know, not for lack of trying, it
00:30:25
was just a really hard test that he was taking.
00:30:27
And so they told him hey, we're never going to fire you, but
00:30:31
we're never going to give you a raise.
00:30:33
You're going to get the same bonus.
00:30:34
You know you're on out, you're going to be in the same role,
00:30:37
you're going to be doing the same sort of stuff.
00:30:38
You know you're not going to lead a project or anything like
00:30:42
that.
00:30:43
And you know he worked with all of his friends. For him,
00:30:46
he values, you know, friendship over everything else and he
00:30:49
stayed in the job for 25 years and this year he got laid off
00:30:55
and he never took the time to develop his skills, he never
00:30:58
took the time to invest in himself or anything like that.
00:31:02
You know, when I was there I told him I was like dude, if
00:31:06
they ever lay you off, like you're going to have to
00:31:08
completely reinvent yourself.
00:31:09
Like because the skills that you have are so outdated at this
00:31:14
point no one uses the stuff that you're familiar with.
00:31:16
They only have it here because you're here.
00:31:20
They keep you busy with that stuff.
00:31:23
And now he's in this year-long journey of figuring out what he
00:31:29
wants to do, doing some soul searching.
00:31:31
You know it's like do you really want to be in that
00:31:33
situation when you're 10 years away from retirement?
00:31:36
I mean, this guy is 10 years away and he has to reinvent
00:31:40
himself.
00:31:40
That's the time to coast, in my opinion.
00:31:45
Speaker 2: I'm sad that that's becoming a very frequent
00:31:49
occurrence, I think right now, especially in this current
00:31:51
economy, and, like you said, if you're not in a position to have
00:31:58
to put yourself out in the market to be relevant, then I
00:32:02
think you're doing yourself a disservice.
00:32:04
Maybe you won't ever have to hopefully you won't ever have to
00:32:07
be in that position but if you are, I think it's crucial that
00:32:11
you have skills and can not only talk the talk but walk the walk
00:32:17
with modern technologies, especially the cloud.
00:32:21
I mean, there's such a shortage of folks, whether it's on the
00:32:27
vendor side or on the business side, that don't understand how
00:32:33
the cloud works.
00:32:33
You know, and in this world that I'm in, if you don't
00:32:37
understand infrastructure as code and Terraform and Cloud
00:32:40
Formation and how things like you know we're talking about IAM
00:32:42
roles and how all that works then you're gonna have a really
00:32:47
big uphill battle trying to market yourself to companies
00:32:50
right now that are looking for folks to secure their networks
00:32:52
or looking vendors that are looking for folks to sell their
00:32:55
products right, because everything has a spin now.
00:32:57
That's cloud native.
00:32:58
So I think it's crucial that you go ahead and get ahead of
00:33:02
that.
00:33:03
Speaker 1: Yeah, it's a great point.
00:33:04
You know, with the cloud and I didn't know this until pretty
00:33:08
recently you know, one of the gold standard certs out there,
00:33:12
especially for the cloud, is the CCSP from ISC².
00:33:15
At least in my opinion it's a gold standard.
00:33:18
You know it's gonna be what the CISSP is known, as you know,
00:33:22
kind of that gold standard cert.
00:33:24
And I figured, okay, you know I'm one of a million that's got
00:33:29
this cert.
00:33:29
You know, whatever it might be, you know I figured I wasn't an
00:33:33
outlier by any means or anything like that.
00:33:36
I looked it up and in North America there's only 5
00:33:40
people with the cert. 5.
00:33:43
There's a whole lot more than 5 companies in North America.
00:33:48
00:33:48
Right, and it's not because, like the cert, yes, the cert is
00:33:53
extremely difficult.
00:33:54
That test was, like probably the second hardest test I've
00:33:58
ever taken, you know, next to the AWS cert that I got that I
00:34:02
unfortunately have to renew pretty soon here.
00:34:06
I'm not happy about that.
00:34:11
Speaker 2: Is it the solutions architect?
00:34:12
Speaker 1: No, it's the security specialist one.
00:34:15
Yeah, okay.
00:34:17
Speaker 2: I just I unfortunately I let my solutions
00:34:19
architect expire, but I was supposed to renew it this time
00:34:22
last year and I'm like I'll get around to it and I still have it.
00:34:25
00:34:25
But to your comment on the CCSP, I agree.
00:34:28
So I'm a CISSP and to this day I've always said that's probably
00:34:32
definitely one of the hardest tests I've ever taken in my life.
00:34:34
00:34:34
So I can imagine what you went through for the CCSP, because I
00:34:37
don't have that right.
00:34:38
But I agree that, like that is very, very telling, that there's
00:34:42
only 5 CCSPs in America right now, because that's just
00:34:47
very indicative of the shortage I was referring to.
00:34:50
Speaker 1: Yeah, it shows you too that if you put in the work,
00:34:54
you know when you get these certifications right, there's
00:34:59
opportunity available.
00:35:00
You know, I think the last time I checked there was a shortage
00:35:05
of something like 5 million jobs in North America, or maybe that
00:35:10
was worldwide, right, 5 million security jobs where it is
00:35:15
literally there's more openings than there are people in the
00:35:18
field.
00:35:18
You know, that's why security professionals are always at 100%
00:35:23
employed.
00:35:24
Right, when we change jobs, we're taking two weeks off.
00:35:27
It's not because we were laid off or anything like that.
00:35:30
Like I had a buddy that was laid off at the beginning of the
00:35:32
interest rate hike because we were at a very interest rate
00:35:35
sensitive company.
00:35:37
He was laid off and I mean the guy took a two week vacation and
00:35:41
he was back at work at another company.
00:35:44
Speaker 2: Like that's what I was.
00:35:45
You know it's interesting.
00:35:47
One thing I want your audience to hear too is and this is
00:35:50
something I learned when I came to Sonrai is don't be afraid to
00:35:53
talk to a head hunter.
00:35:54
Yeah, you know that's.
00:35:55
The whole reason that I came over here was because a head
00:35:58
hunter approached me.
00:35:58
I was super apprehensive.
00:36:00
I'm like I've never talked to a head hunter before.
00:36:02
I just go to a company's website or it's a friend that
00:36:05
gets me an in or something like that, you know, through the
00:36:08
network.
00:36:08
But don't be afraid to talk to a recruiter, because it opened
00:36:13
my eyes to this whole world.
00:36:14
Joe, I didn't know it was out there where companies actually
00:36:18
exclusively work through recruiters.
00:36:19
They're not going to post jobs all the time on their websites,
00:36:23
right?
00:36:23
So if you've got a recruiter and trust me, you know it's like
00:36:26
one of those accident attorneys they only get paid when they
00:36:30
get you hired, so it's not going to cost you anything, right?
00:36:33
But they're experts in marketing you and they have ins at
00:36:37
all these different companies where they can market your skill
00:36:39
sets, right?
00:36:40
So it doesn't matter if you're kind of you know, like you said,
00:36:42
entry level, you don't have all the skill set, or if you are
00:36:45
recently, for whatever reason.
00:36:47
I mean, this is an economy right now where you know RIFs
00:36:50
and LRs.
00:36:51
We're seeing that more and more common, unfortunately.
00:36:53
Don't be afraid to talk to a recruiter because it's amazing,
00:36:57
you know kind of the doors that they can open for you.
00:36:59
Speaker 1: Yeah, it's a really good point.
00:37:00
You know, I've actually explored partnering with some
00:37:05
recruiting firms that I've used in the past.
00:37:07
That I trust, you know, because I've had really bad experiences
00:37:11
with the recruiters and I've had average experiences with the
00:37:14
recruiters and then these couple that I use, they're just
00:37:17
superb, they're head and shoulders above everyone else.
00:37:20
You know, like it's a huge difference, right, and so I'm
00:37:24
actually looking to kind of provide that full suite right
00:37:27
for my listeners where they get that idea of, hey, maybe I
00:37:31
should talk to a recruiter, well, who does Security Unfiltered
00:37:34
recommend?
00:37:35
Speaker 2: Yeah well, I've got some folks that I have grown to
00:37:39
really really respect and love and work well with over the
00:37:42
years.
00:37:42
That's, you know, maybe offline, you and I can exchange those
00:37:46
contacts or whatever.
00:37:47
But that's another thing.
00:37:48
You've got to find a good one.
00:37:49
Yeah, right, you got to find one that actually has the
00:37:51
relationships, the connections.
00:37:53
But there's oftentimes, where you know, there's info sec
00:37:57
recruiters specifically.
00:37:58
Right, these info sec recruiters have got ins with
00:38:02
big companies.
00:38:03
I'm not going to say who, but they've got ins with big
00:38:05
companies where they feed them really well qualified, better
00:38:08
candidates.
00:38:09
Because I'll tell you right now, you know, if you post a job on
00:38:12
LinkedIn I've been there, done that you know you'll get 500
00:38:16
applicants within two days and it's all you know.
00:38:20
God bless everyone.
00:38:21
But you know it's mostly career changers and folks that really
00:38:24
just, they need to be vetted, right, and what happens for
00:38:28
us on our side, on the hiring side, is that it's we can't
00:38:31
filter through, that it's not manageable, right?
00:38:33
So we really leverage the recruiters to filter and do that
00:38:36
initial screen for us to give us, you know, a decent set of
00:38:38
candidates that we can talk to.
00:38:39
Speaker 1: Yeah, that definitely makes sense.
00:38:41
You know for why you would use it.
00:38:43
They have that in and they're able to sell you typically a
00:38:47
whole lot better than what you would be able to from an
00:38:51
external perspective.
00:38:52
Just to circle back right to the cloud, when we're talking
00:38:56
about cloud IAM, a lot of people kind of still have that legacy
00:39:01
IAM perspective going into it, and I know I had that
00:39:04
perspective too of you can have service accounts, you can have
00:39:09
user accounts.
00:39:09
You can also have accounts that are used only for service to
00:39:14
service talk or user to service talk.
00:39:17
You know there's so many different variations.
00:39:20
How in the world do you keep track of it all?
00:39:24
Speaker 2: How do you stay on top of this?
00:39:25
Yeah, I mean, listen, it's interesting, like you're talking
00:39:28
service to service, et cetera.
00:39:29
I mean, you know, like let's just say that we recently were
00:39:32
working with a customer, we found 100 admin level accounts.
00:39:35
When we say accounts, we had to be careful, we're talking about
00:39:38
identities.
00:39:38
But we found another 900 that had an AWS, that had IAM PassRole
00:39:43
privileges. Wow, well, what's that mean?
00:39:46
It means that the other 900 with one command could give
00:39:49
themselves full admin rights.
00:39:50
So essentially we've got 1 administrative level accounts.
00:39:53
Well, what does an administrative level account
00:39:55
mean?
00:39:56
It means it has star permissions.
00:39:57
It doesn't have permission to go access one service.
00:40:00
It has access to go access 150 services and delete everything
00:40:08
that you've got in them if it's used nefariously.
00:40:11
That is frightening, that is frightening.
00:40:16
And so that's where we, and I don't wanna make this too salesy,
00:42:20
but that's what I do, that's what we do at Sonrai is we come
00:40:23
in, we plug in, we illuminate everything, we give you
00:40:26
visibility into these orphan things and things that aren't
00:40:30
used anymore and just identities that you didn't know about at
00:40:33
the admin level and all the other levels that you just did
00:40:36
not know about, and then we help you clean it up, right.
00:40:40
There's a method to the madness here.
00:40:41
It's very strategic.
00:40:42
This is what we do. We've learned a lot about this
00:40:45
landscape over the years and we help you remove everything
00:40:48
that's out there that's not used.
00:40:50
We figure out is it used or not and we help you get rid of it.
00:40:53
Just remove it with a single click in the product.
00:40:55
That's massive for making a dent in that risk landscape, Joe.
00:41:00
00:41:00
And then with what's left, that's what's there running,
00:41:04
that's what's needed.
00:41:05
So what we'll do is we'll figure out how to right size
00:41:07
each one of those things right, and that's the whole least
00:41:09
privileged thing that we talk about so much.
00:41:12
You do your best, and the way that you do your best is that
00:41:15
you focus on the identities that matter the most, the ones
00:41:18
linked to the crown jewels, not everything in sandboxes and
00:41:22
things like that.
00:41:22
You get them to least privileged, right.
00:41:25
But I think the most important thing that folks aren't thinking
00:41:27
about, Joe, as far as really wrapping their head around this
00:41:32
mess, is how you govern it moving forward, right, you need
00:41:37
a capability out there that can put tripwires around your break
00:41:40
glass accounts.
00:41:41
They can let you know if a new identity can suddenly access
00:41:46
that sensitive data store because of some junior admin
00:41:49
putting a new trust relationship out there that they had no idea
00:41:53
the impact that it would do, because it created these new
00:41:57
bonds in the platform.
00:41:58
They'd be like a network, right?
00:42:00
They created this network conduit to what matters most to
00:42:04
the business from a sandbox because they were just doing a
00:42:07
quick test, right?
00:42:09
And you never can know how infrastructure as code.
00:42:11
No matter how much you lint it, no matter how much you scan it,
00:42:14
you don't know what it's going to do until it gets out there
00:42:19
and it starts living and breathing and interacting with
00:42:22
what's already out there.
00:42:23
You need something that's watching that and able to tell
00:42:26
you holy cow, we've got a cross account situation and we've got
00:42:29
separation to do these or whatever.
00:42:31
So I think that governance component is super, super key to
00:42:34
really really being able to tackle this.
00:42:37
But make no mistake about it that's one thing that we've
00:42:39
learned over the years here is that you're trying to secure
00:42:41
identity in the cloud and IAM.
00:42:43
You got to focus on taking out all of that unused litter and
00:42:47
garbage.
00:42:48
Get rid of it.
00:42:49
Make sure that you're governing for new unused litter and
00:42:53
garbage, but then double down on what's out there and
00:42:57
restricting it to only the permissions that it needs, so
00:42:59
that you vastly reduce that risk landscape.
00:43:02
Before a credential gets thrown out on GitHub by accident,
00:43:05
someone tries to use it against you.
00:43:06
Speaker 1: Yeah, I feel like the technical side of it is often
00:43:11
thought about first before that governance side of it.
00:43:15
Exactly, with the cloud, it is so easy to run into a situation
00:43:20
where you resolve it within, let's say, a week and then the
00:43:24
next week you're right back where you were.
00:43:26
If you don't have the policy side of it set up, if you don't
00:43:30
have the checks and balances already set up before you start
00:43:34
resolving it, this is going to be something where you're always
00:43:36
chasing your tail, so to speak, and trying to figure it out.
00:43:41
Speaker 2: And if you don't have the buy-in of the engineers and
00:43:44
the developers, guess what's going to happen?
00:43:46
You remove all this risk today and tomorrow they're going to
00:43:49
push out a terraform update that's going to put it all back.
00:43:52
Right, Think about that.
00:43:54
All this work and they just go put it all back.
00:43:57
That's something you have to think about.
00:43:58
You have to account for the fact that infrastructure as code is
00:44:01
responsible for 80% of this mess.
00:44:04
Speaker 1: Yeah, that's a great point.
00:44:05
How do you make that switch in your head?
00:44:09
Because I'm coming at this from an engineering perspective.
00:44:12
Engineers are hands on keyboard.
00:44:15
They just want to get stuff done, they want to make progress,
00:44:18
but a lot of the times the engineer is the one that's also
00:44:22
driving the process, because when you're in these sort of
00:44:26
situations, where you're in over your skis, you probably don't
00:44:30
have a very good governance to begin with.
00:44:33
You probably actually have the engineers going through and
00:44:38
trying to create these policies and whatnot.
00:44:41
Speaker 2: Well, yeah, they're the ones that are pushing
00:44:42
everything out there and have been for years with star
00:44:44
permissions, because it's easier for them to get their code out
00:44:48
there, especially on two-week sprints.
00:44:50
I get it.
00:44:51
They're under timelines, so they're not thinking about
00:44:53
building least privilege into the application with whatever
00:44:57
particular widget they're responsible for.
00:44:59
I think the key, from an engineer's perspective, is you
00:45:06
have to sell this story to them in a way that does not come
00:45:10
across as impeding their ability to do their job.
00:45:13
Joe, we're actually going to flip the script and what we can
00:45:19
do is we can enable the business we're actually enabling you to
00:45:23
build more securely.
00:45:24
So if you fit into the way that they do their code, Terraform,
00:45:28
CloudFormation, whatever, if you fit into the fact that they work
00:45:32
out of Jira or ServiceNow or ChatOps which is something that
00:45:37
I'm now learning about, which is evolving like crazy, like
00:45:39
they're doing all their jobs through Slack if you fit into
00:45:44
the way that they work, then I think what we have learned is
00:45:48
that it does a complete 180.
00:45:49
And they actually are much more open to considering building in
00:45:55
the pipeline from a secure perspective, versus just pushing
00:45:57
it all out there and saying, infosec, go fix it.
00:46:01
Speaker 1: Yeah, I think that's something that's still critical,
00:46:03
that we have to point out and deconstruct, is that perception
00:46:08
that InfoSec is only there to make our lives harder, to put
00:46:12
barriers in the way of me getting the sprint done and
00:46:16
showing productivity and whatnot.
00:46:18
There's a lot of the times where I'll come into a company and
00:46:22
I'll see exactly that, where it's almost like there's a brick
00:46:25
wall in between security and the rest of the organization and
00:46:31
brick by brick, you have to take that thing down.
00:46:33
And I mean one time it took me a year just to get one team on
00:46:39
my side and it was a lot of lunches, I paid for a lot of
00:46:44
drinks, I paid for a lot more than I'm willing to admit to my
00:46:48
wife, but it enabled me to get more done in the organization
00:46:52
and allow them to actually trust me and say, hey look, just give
00:46:57
me this one little thing, I'll show you it's not that bad.
00:47:00
We're going to teach you how to use it, we're going to teach
00:47:02
you what to do with it.
00:47:04
All that sort of stuff you kind of have to take it over into a
00:47:08
white glove treatment sort of thing, where they get priority
00:47:12
even if to your manager they don't get priority, but to you
00:47:16
they get priority.
00:47:17
Speaker 2: Absolutely.
00:47:18
And again, I think it's all about integrating into the way
00:47:21
that they want to work.
00:47:22
If you integrate into the way that they want to work, they're
00:47:24
going to be much, much more open.
00:47:25
Oh, my goodness, we've got a privilege escalation scenario.
00:47:28
We've got an SOD violation, whatever it might be, but guess
00:47:31
what?
00:47:31
We routed that risk to them the way that they want it to be
00:47:33
notified and they can actually go fix it on their own and then
00:47:36
they can come and automatically it'll self-heal on the Sonrai
00:47:39
side or whatever tool that you're using, versus them
00:47:42
having to go manage yet another tool that they're getting nagged
00:47:44
about or whatever.
00:47:46
You've got to start to break down the barrier and I think
00:47:48
that the more that we start to introduce identity security into
00:47:52
DevSecOps, I think the better things are going to be, because
00:47:56
you're in lockstep, then, with the development team, with the
00:47:58
app team, with the actual business itself from a security
00:48:02
perspective, and it's because you're introducing security into
00:48:04
the development process instead of just pushing all that out
00:48:07
there and then saying, ok, it's working.
00:48:10
And this is what we see all the time.
00:48:12
Joe, it's super scary, these amazing applications, but it is
00:48:17
an identity crisis.
00:48:18
When it gets to be part, it's spaghetti.
00:48:21
Everything can talk to everything.
00:48:23
How do you fix that?
00:48:25
Because now the business is relying on this application and
00:48:29
this is the plumbing that you built for it.
00:48:31
Speaker 1: Yeah, absolutely.
00:48:32
Well, where do you think cloud IAM is going in the next five
00:48:36
years?
00:48:36
Right, I think back to the beginning of the cloud.
00:48:39
No one thought about IAM as an attack surface, and now it is
00:48:46
the edge of your cloud.
00:48:49
It's how you get in.
00:48:50
It's no longer the network, right, you can lock that thing
00:48:53
down.
00:48:54
But if you have accounts that are open to the world, people
00:48:58
can get in.
00:49:00
Speaker 2: Well, here's the thing.
00:49:01
I think that four or five years ago, securing IAM on a priority
00:49:05
scale for most businesses was a nice to have.
00:49:07
Well, back then, that's when we would say identity is the edge,
00:49:10
Identity is the perimeter.
00:49:11
I think we're way past that.
00:49:14
Identity is the new network.
00:49:16
Everything lives, breathes, functions and communicates
00:49:19
through the identity fabric.
00:49:20
In a cloud-native world there's no network landscape.
00:49:23
Everything, the accepts and denies, the permits and denies,
00:49:27
are in the identity fabric, on those JSON policies attached to
00:49:31
these person and non-person identities, not through managing
00:49:34
the security and firewall rules or next-gen firewalls that
00:49:38
you're trying to cram into a VM.
00:49:40
They don't have their place in a cloud-native world.
00:49:42
They don't right.
00:49:44
And I think, if you look at the way that the market has evolved
00:49:47
over the last couple of years, we're seeing more and more
00:49:49
companies that are starting to put identity at the forefront of
00:49:53
their security strategies.
00:49:54
It's not a nice to have, it's an absolute requirement.
00:49:57
And when you do that and then you attach the fact that you're
00:50:02
focusing your identity strategy on what matters the most to the
00:50:04
business, meaning the crown jewels, not just we're going to
00:50:07
secure identity, to secure identity and start playing
00:50:09
whack-a-mole, you start with what matters the most to the
00:50:13
business, who and what can access that data container, that table,
00:50:18
whatever it might be.
00:50:20
Start there, and then you work your way out.
00:50:23
So there's a method to the madness there.
00:50:25
Right, you do that.
00:50:26
You focus on the hub that's what I call it instead of all
00:50:29
the spokes, Because right now, so many in the market are still
00:50:32
focusing on the spokes.
00:50:32
Focus on the hub.
00:50:34
When one of those spokes gets popped, it's going to be a dead
00:50:37
end.
00:50:37
It's a beautiful story.
00:50:39
Folks just have to be willing to accept and understand that
00:50:45
identity is the new network and it must be secured from the
00:50:49
inside out.
00:50:50
Speaker 1: Yeah, absolutely.
00:50:51
I mean, that's the whole thing.
00:50:54
That's changed completely with the cloud.
00:50:57
Well, Jeff, I really appreciate the time here.
00:51:01
I feel like we could keep going with this conversation for sure.
00:51:05
00:51:07
Speaker 2: It was very fascinating.
00:51:08
Speaker 1: We went through a lot of different rabbit holes and
00:51:10
whatnot, but I think overall it shows the importance of IAM in
00:51:15
the cloud for sure.
00:51:17
Speaker 2: Absolute pleasure talking to you.
00:51:18
Like you said, we could have gone on and on and on and, like
00:51:22
I said in the beginning, I hope that folks listening across the
00:51:26
rabbit holes that we went down, I hope that they captured a nugget.
00:51:29
00:51:29
Maybe it's about your career, your job, whatever your skills,
00:51:33
but certainly I hope that you picked up a nugget or two about
00:51:36
really rethinking how you are securing your cloud as it
00:51:42
relates to where IAM and identity and access and
00:51:44
privilege are from a strategy and a priority perspective.
00:51:48
It's important.
00:51:49
Speaker 1: Definitely.
00:51:49
Well, Jeff, before I let you go, how about you tell my audience
00:51:53
where they could find you if they wanted to reach out to you
00:51:56
and where they could find Sonrai Security if they wanted to learn
00:51:59
more?
00:52:00
Speaker 2: Absolutely.
00:52:00
Jeff Moncrief on LinkedIn.
00:52:02
Please hit me up, please connect with me.
00:52:04
I'd love to answer any questions that you might have.
00:52:07
And then I've worked for Sonrai Security and
00:52:10
sonraisecurity.com, and we secure some of the world's largest
00:52:14
companies as it relates to helping them with access and
00:52:17
privilege in the public cloud.
00:52:18
We're definitely a thought leader in this space, one of the
00:52:21
OGs, if you will.
00:52:23
We're purpose built for this, so we would
00:52:25
love to talk to you about what we can do for you.
Speaker 1: Awesome, and
00:52:28
all of the links that he mentioned will be in the
00:52:30
description of the episode, so if you want, go ahead and check
00:52:33
them all out.
00:52:34
All right, thanks everyone.