Hi, this is your host, Bhartiya, and welcome to a brand new episode of T3M, or Topic of This Month. The topic of this month is security, and today we have with us once again Glenn Russell, principal engineer at Carrick Group. Glenn, it's great to have you back on the show.

Happy to be back. Thank you.

Let's talk about the state of security. We used to live in the legacy, traditional IT world, but when we move to the multi-cloud, cloud-native, cloud-centric world, the definition of security has kind of changed. It is no longer kind of an afterthought, and we are seeing a lot of movement like shift left and all those things. So I want to hear from you how you have seen this evolution, and what is the state of security in the multi-cloud, cloud-centric world?

Things really haven't changed in one respect. I think the key parts of a good security program are the same as they've always been: it's who has access to what, it's managing logs and events, all of the things which have been part and parcel of legacy security programs for years. The real issue with the move to public cloud is really the excessive choice and the complexity that comes with that, because whereas developers and infrastructure architects were pretty much constrained by hardware and by gondas, now they have somewhat limitless resources in the form of AWS, GCP, etc. But what that comes with is the complexity of managing that estate. And while those fundamentals have fundamentally stayed the same, the complexity has increased greatly, and this has presented many challenges, not least of all to security vendors themselves. We could talk a bit about how that landscape is improving, but certainly what Carrick sees day to day at customers is that those enterprise workloads, those legacy applications, are still very much the centerpiece, and companies' dependent services and critical services. The real trick, so to speak, is how to migrate those into multi-cloud and public cloud while maintaining resilience and business continuity.

And when you look at these modern users, is security still an afterthought for them? Or, because of this embrace of cloud and a lot of practices like shift left, DevOps, DevSecOps, the whole zero trust movement, do you think that they are prioritizing security, where the moment they develop an application, security becomes part of that process from the very beginning?

I think the happy news is that, increasingly, what we see with our customers is that teams are increasingly focused on security and they're increasingly focused on shifting left. But let's be clear, that is not becoming any easier, for reasons I talked about earlier. It is becoming only more complex. So what we see, for example, are teams who move to public cloud and really are kind of forced into doing more of a lift and shift, and so they also bring over all their technical debt, and that includes security technical debt. So while I think that security vendors, and the public clouds themselves, are getting better at providing tools for those teams, there's still a quite significant shortfall in how you get from that data-center-based monolith to something which is more cloud native. It is simply not a binary thing. That is why it's a journey and not a destination, so to speak. I mean, vendors like Wiz, for example, are noted for the fact that they execute well. It's not even a technology question; it's that they execute well. I think that's the most important thing that we see when we're dealing with these large enterprises migrating to the public cloud.

That's a perfect segue to my next question, because you said it's more or less part of the process; it's not a technology problem, it's not a tools problem, it's kind of a culture problem. And talking about culture, we have been talking a lot about platform engineering these days. How do you see the evolution of practices like platform engineering also kind of helping embrace security practices in the platform teams and their processes? So once again, as you also talked about, some of the hurdles are exercising and practicing, so how is platform engineering helping security, if it is helping at all?

Well, I think it's very much helping security, from the point of view that developers need to build applications. The applications are what makes your business successful; that is your business. I think many companies these days, regardless of whether they're a blue-chip company or a travel company or an airline, would say that they are, among other things, a technology company, and a technology company is dead in the water unless they can actually deploy their applications quickly and, secondly and as importantly, securely. One thing I'll refer to: I was reflecting on a customer, well, not a customer, a colleague at a bank a few years ago. And this was a bank that I looked at and said, this is the model for how to do security in public cloud. And unfortunately, about two months hence, I saw news about how they suffered a critical data breach down to the simplest of things, a misconfiguration of public cloud. And really, that underlined for me the need to put security at the start of the application life cycle and not the end. By the time you've deployed that vulnerability, the cost and time to remediate it is probably ten times, a hundred times longer. I think platform engineering brings focus where it belongs, at the start of that journey, and makes it an iterative concern, up there with product functionality, resilience, features, etc.

Excellent. And that brings us to another interesting point, as you were saying about today's companies. I think in the modern world every company has to be a tech company, or you cannot survive without having dedicated teams to take care of your tech, and of course cloud is a big part of that. And a lot of the flaws that we are seeing: gone are the days when flaws were about a zero-day vulnerability in some proprietary code base. Most of the things that we are seeing are either social engineering, I don't want to name a company, or, as you mentioned, misconfiguration. Or we are all using open source technologies, and the thing is the bug was fixed, the patch was already out there, but once again it did not get into the process; it was never applied. And also the geopolitical situation has totally changed, with a lot of state-sponsored attacks happening. So that brings us to the point of cultural changes. Cultural change is not just about implementing these technologies, but also making sure, I mean, security, as you also said, is a process, not a product. It will always be there; bad guys have to be right only once, we have to be right all the time. So talk a bit about the cultural changes that are happening, which go beyond just utilizing the tools, that you are seeing with your customers.

I think one of the biggest things is the realization, I think at last, among the security practitioners at large companies that they can't do it all themselves. So I'm sure many of our viewers know about, for example, their application security team, and the application security team of the modern day is fighting a losing battle, and has been for years, because one of the things you talked about, which was very apropos I think, was: you have an attack, which might be a social engineering attack; it might also be a known vulnerability that was breached. More often than not it's a combination of those things: it's a social engineering attack, and then an attacker has traversed using a well-known vulnerability. There's no point solution on the planet that is going to solve that problem, and that's why, increasingly, we're seeing enterprises look to effectively decentralize the job of security and make it everyone's: not one team's problem, so to speak, but everyone's concern. And we're seeing that especially in AppSec. We're seeing it with platform engineering; we've been seeing it with DevOps and SRE for a long time in the form of DevSecOps, and this can only be a positive thing. And what that looks like is the security team maintaining policy, maintaining governance, but letting the teams themselves decide how they're going to satisfy a particular policy or control. That's immensely powerful, because remember, most of us don't get to work in greenfield projects. We have projects and applications that have been running for 20 years; the latest and greatest vulnerability scanners maybe don't even read the source code. And so we have to give the teams the ability and the responsibility and the trust to do the right thing. And thankfully, whereas the idea of using trust as a security control is maybe antithetical to a lot of the viewers, we see that it has very positive results in reducing vulnerability rates and making better code and increasing deployment times.

Are there any new kinds of threats that you are seeing? We talk about the API-driven world, zombie APIs; there are a lot of folks who, when they move to cloud, start a lot of things and never stop them. So what are the new threats or new kinds of attack surfaces that you are seeing which can be believable even in the cloud and cloud-native world in the modern day?

It's really hard to not have a conversation that hasn't mentioned ChatGPT at least once. Let me tell you what I think about ChatGPT. Regardless of the technology itself, the reality is that here's a new technology which has users excited. When you generate excitement in technology, there's a corresponding opportunity on the attacker side to harness that, to capture more and more users and encourage other kinds of attacks with the same technology, in effect, but which is just using a new buzz, a new hype. And again, I'm not saying ChatGPT's hype at all. What I'm saying is you dangle that kind of new technology in front of people and you have that carrot to compromise a set of credentials and plant malware. So whereas things like, I'm sure you've heard a bit about prompt injection, where someone puts an instruction to ChatGPT on their LinkedIn profile, ChatGPT reads it and reveals some secret information, really you're just talking about the same theme of things that's happened before: new technology being used in unintended ways to actually harvest credentials. I would say this, though: I think that a very real threat with respect to AI is the prevalence of synthetic identity. Whereas before we could make a good judgment call as to whether that LinkedIn request was actually a genuine one, now it's becoming harder and harder, through the generation of synthetic humans, synthetic voice, to actually identify who's real and who's not. But let's ignore the tech for one second. We're fundamentally talking about the same thing: being socially engineered to make a connection with somebody who has malicious intent. So in that way, things are the same as they've always been, but the attack vectors and materials are slightly different.

Let's talk a bit about, of course, the problem. There are challenges there; as we discussed, security is always a process. Talk a bit about how you folks, and by you folks I mean Carrick Group, are helping customers to improve their security.

Indeed. And back to some of the discussion we've already had, that starts at the beginning of the journey, whether it's migrating a single app, multiple apps or an entire company over to public cloud. It starts with the fundamentals, and it's not a shiny and exciting answer, but the things which applied last year apply this year. It's getting a customer to understand the principle of least privilege, the principle of a breach-first mentality, which says assume you've been breached and that you're trying to limit the damage, the so-called blast radius, of an attack. And then, once you've established those core tenets of how people should think about their technology and their apps, showing them how to actually implement that in code and automation, and all those things which will ultimately result in the business value, and that is getting your applications to cloud securely so you can do your job faster and beat your competitors in having a new feature. And that's a relatively simple remit. But again, we're in complex environments; we rarely ever see a greenfield project, and no two customers are the same. So I think that where Carrick really fills that gap, and where the gap needs to be filled, by the way, is that bridge between the tech, the security vendors, and what's actually happening on a day-to-day basis. And Carrick fills that gap.

As we all know, as much as we'd love everybody to be on the cloud, the thing is that there are companies who are in different phases of their journey. A lot of folks are still in the early stage, where they are embarking on their cloud journey from the data center to public cloud. As they embark on this journey, what advice do you have for them so that they can ensure that they have all the processes in place, they have the right practices in place, and of course the tools? So share your advice for them.

I think the first thing comes down to that age-old question of communication, and it's ensuring that at the very start of the journey every stakeholder is in the room, and that everybody understands what the journey is, what the end goal is, and how the teams are going to get there. And from a security point of view, that means including the existing network security teams, the governance, GRC, teams, the AppSec teams, and understanding what it is they're actually going to do, because it is a long journey. For the customers that we deal with, for example, it's a two, three, four year journey, and that is not going to happen with a set of security practitioners sitting in a silo by themselves, dictating security policy to the rest of the company, because the technical challenges that they'll encounter and, as importantly, the change in security controls, or the design of security controls to compensate for those complexities, is something that's going to be iterative. It's a journey which is not going to be a straight line; it's probably going to resemble more of a zigzag, and maybe a bit of back and forth. But getting those people in the same room up front, understanding what your security goals are at a fine-grained level, and having those applied to, or excuse me, designing and understanding the controls that are going to be in place; understanding, for example, which controls are going to remain in the data center as part of that journey; when you switch over, what does a cutover look like, down to milestones and dates; and, as I never thought I'd hear myself say, get a project manager or a program manager in place to help guide all this. It really comes down to communication. Google, AWS, etc. will give you the tech and tell you how to use it, but unless you get your people together and actually get them on the same page, it's never gonna work. It's never gonna succeed.

Thank you so much for taking the time out today to talk about security, and also great advice there. As usual, I would love to check in with you again soon. Thank you.

Thanks very much. Thank you.