Swapnil: Hi, this is your host Swapnil Bhartiya and welcome to a brand new episode of our series TFiR Topic of the Month, a.k.a. T3M. This month's topic is security and compliance, and my next guest to discuss this topic is Rob Hirschfeld, CEO and co-founder of RackN. Rob, it's great to have you on the show to talk about security today.

Rob: Swap, it's a pleasure. I'm really excited. Security is a critical thing for people to consider in their infrastructure.

Swapnil: Right. I remember the days when security used to be an afterthought. Then, before the pandemic, we started seeing a lot of sessions on security. Now there are dedicated days for security, the whole shift left, zero trust. A lot of things are changing to make sure that security is not an afterthought; it's not someone else's problem, it's everyone's problem. But if I ask you, since you deal with not only, of course, the whole ecosystem, but you have your own customer base: what kind of changes are you seeing when it comes to security in the cloud and the cloud native world?

Rob: One of the things that we see is more concern about how systems are getting built behind the scenes, and not just creating an assumption that because you're using Kubernetes or you're using containers or you're using a third-party service... There's more scrutiny of the whole environment for the system. And I think that's really valid. It's important for companies not to assume that any part of their supply chain is secure by default. They have to have a degree of ownership in all of the components of their system. And so I think that's a really valuable change that we've been seeing.

Swapnil: Security is not an end game. It's not a product; it's a process. So as much as we are working towards improving security, we continue to hear about breaches. Can you talk about what are some of the major security concerns that are still there? I mean, we can reflect on some of the recent news items around security. So what do you think is still a major concern there?

Rob: A lot of times the security things that we see result from people who haven't really well automated processes, or allow things to drift away from doing things in a repeatable, routine, configured way. And so what we see here is, even though we're very excited, the industry is very excited about CI/CD systems and automation and GitOps, and you can go on and on about all these pieces, it is very easy for us to run into a time when somebody has bypassed that process to give themselves access or have an exception, and then didn't automate around that exception or didn't follow a dev-test-prod process. And they end up with things in production that should never have reached production. And that is a really significant fault in how we think about security. The systems only work if you ensure that you're running them in a consistent way. As soon as you allow inconsistency and exceptions to come in, you're opening yourself up for risk. And that's going to be true in every environment, as humans are ultimately the source of a lot of these faults.

Swapnil: Sometimes the threats that we see in the traditional IT space are also the same in the cloud native, cloud-centric world as well. If I ask you, what are the new threat vectors or new attack vectors that should be a concern for organizations? Let's say zombie APIs is a good example there.

Rob: Without a doubt. We've made it so easy to create new infrastructure and build and deploy things. I think zombie APIs are a really good example. We're seeing this wave of enthusiasm around platform engineering and developer portals, which are going to be creating potentially zombie environments and test labs and developer environments. Any time you have those environments, you've improved access and made things easier; you also run the risk that you're creating more attack vectors for people to enter in. And so I think those are really significant components for people to think through. It's always a risk that you're going to have credential leaks, or people checking credentials into code bases, or putting sensitive credentials into one environment because they're trying to access another environment. I think we've done a really good job of building better secrets management and making it possible to inject secrets into systems. But we've also meant that we're putting a lot of secrets into shared locations and injecting them automatically into infrastructure for people. And so I think we need to be careful that when we build these systems and they're injecting secrets, we're also ensuring that the systems that do that injection have the security and the checks and balances that we need in them. Otherwise you could spin up environments, add in credentials, and all of a sudden you're off to the races with privileged credentials. So a degree of empowerment tends to let people forget what all goes into that automation and what's being built for them without them thinking about it. And it's very easy for something like that to slip through the cracks. And so we need to be careful with where those things go. And just as a point of recommendation, one of the things for people to think about is what I would call the half-life of any environment. Along those lines, it's a really good idea, if you've been automating things to make them very easy to get, it's worth remembering to automate so they automatically get destroyed or torn down. So the easier it is to build an environment, the easier it should be to tear it down. And if you're not looking at both sides of that equation, you're potentially leaving yourself open to a zombie environment or a zombie API that sticks around and people aren't even aware that it's there. So shorter: easy to build, fast to tear down. Very important.

Swapnil: How much adoption of practices like zero trust, DevSecOps are you seeing there today?

Rob: So we see quite a bit. We see adoption and interest very high. Definitely for things like improved... when I think of shift left, I think of developer empowerment, but I also think of improved security postures of systems throughout their life cycle. And so we definitely see, in our customer base and throughout the industry, better and better work done earlier and earlier in the process. So my favorite example of this for our customer base is that most of our customers have been moving into a process to fully build deployment images inside of their CI/CD pipelines. So that means secured, patched, and they can then replace that whole image. That to me is shifting left. So you've gone from doing a whole bunch of security configuration and validation work when the system is installed, and after install and post-deployment, to the point where you're actually doing it in the CI/CD pipeline. That type of enhancement gives them a lot better performance, but it also is a much stronger security state. Zero trust: we see customers getting much more aggressive about properly building TLS infrastructure and certificates and managing their certificate infrastructure, which is a key piece of doing zero trust well. I wish I saw that moving faster. There's a lot of pieces, like secure boot, where the discipline needed to do that type of work... zero trust is similar; the discipline needed to do zero trust requires a lot of confidence in your tooling. And so our customers are pulling that in, but it's very hard to win in those games if you're not confident in your automation. And that's a place where I would just tell people: if you're not dealing with automation that's reliable, if reliable isn't the first test for your automation, then you're going to have trouble with zero trust. It's the thing that RackN customers really turn to us for, even before performance, even before flexibility. Much more serious about the security lesson: get much more serious about reusing and repeating, apply-rinse-repeat processes, immutable infrastructure. All of those healthy, good security disciplines come out of reliability earlier.

Swapnil: We recorded an episode on cost cutting and cost efficiency. Do you think there will be any impact on security teams or the budgets for CISOs? If yes, what does it mean? How will that impact security? Or is security something which is untouched by those cuts?

Rob: I wish I had good news on this one. It's without a doubt going to impact security teams, and it's going to impact security. There's just no doubt that as you look across for savings inside of an organization, all companies are going to try and figure out ways they can get the same people to do a little bit more work. And that's going to hit security just like everything else. And unfortunately those dips do impact security, right? Lack of discipline, something that didn't get done, something that got done a little bit more slowly than it otherwise would have gotten done: those are all vulnerability vectors for organizations. So sadly, yeah, cost cutting is going to impact security posture. And the only thing I can tell you, and this is going to sound very shift left of me, is to make sure that you're embedding security into your native processes, into your regular processes. When you shift security left, it does have the benefit of ensuring that security can't be pulled out, or is much harder to pull out of a process, because it's embedded in the process. And companies really need to take that as a posture: do the work, do the work with security in mind first, because there is always the risk that that's going to be pulled out or compromised. And it really does have very high ROI. If you embed security into the automation you're building, if you make sure that you can quickly scan, reset and rebuild an environment, you'll find that a lot of the security vectors disappear on their own. And as a benefit to the CISOs, if you're a CISO watching this: if your ops and automation teams are better at building, rebuilding and resetting environments, then the posture of the systems, your threat posture, is better. So you're much less vulnerable if you are doing regular patching, regular rebuilds, if your system is more dynamic. It gives you a better posture, and then you can maybe get by, do better with fewer people, or have those people focused on more important security concerns.

Swapnil: Now let's talk about RackN. How are RackN solutions either directly helping with security, or, like sometimes you have to make things so easy, so simple, that security doesn't creep up and become a concern? So whichever way your solutions help customers, let's talk about that.

Rob: Yeah, I mean fundamentally RackN is helping our customers gain control of their infrastructure, whether it's bare metal, virtual, cloud. That's the fundamental piece, and a lot of that control ends up being a security concern and helping address security issues right at the start. So a lot of what we do is we help people's infrastructure become more reliable. If it's more reliable, you can add in automation, you can run your automation more regularly, you can do resets and rebuilds in places where you might not have done those processes before. All of those things dramatically improve the security outlook for the systems that people are trying to control. We're also incredibly good at helping our customers do dev-test-prod fidelity, and that allows them to really have confidence that when they test something in development, it's going to work in their test environments, it's going to make it into their test environments and their production environments without having manual changes. The reality is a lot of the security issues we see are not introduced in the system on purpose. They're actually introduced because we have a lot of variance, or manual steps, or human configurations in the systems. And what we do at RackN is we work to eliminate the need for those types of variations and human interventions. So our customers' dev-test-prod environments are very similar, our site-to-site variation for customers is incredibly low, our infrastructure changes by type of infrastructure are incredibly low. All of those things mean that our customers write and use automation that they don't have to have a lot of changes to, a lot of variants to, a lot of human touch to. And all of those things create a much more uniform operating environment that is then easier to secure. So it all fits together as one piece. And if you can make all those things work together, then you can actually focus on the high-value security aspects that need to get done and stop worrying more about who has access to your gear. Do they have the right certificates? Can they rotate a patch? Can they apply a patch quickly? Unfortunately, so many customers used to spend a lot of time just chasing toil: applying patches, fixing things, checking on systems, doing audits. All of that work, if you can eliminate it, translates directly into free time to do high-value activities that really make a difference.

Swapnil: What advice do you have for companies to improve their security posture? As you said, security is not strictly about security. There are so many things that can create a lot of security risk there.

Rob: I think treating security as a service. Not as a SaaS where you're hiring it, but actually having a service mindset in building security, right? What you're really looking to do is improve the user experience and things. We too often look at security as an add-on that we have to add into a system, rather than a benefit for how the systems operate. And I think looking at security as ensuring that people have access, even more than ensuring that people don't have access, that shift in mindset actually becomes a much more friendly approach to how these things work, right? We're making sure that you have access to the systems, and in that sense limiting it to everybody else. But the more we do the right thing from that perspective, with a sort of service-oriented mindset, then the more people will embrace security practice, as it removes the overhead thinking that security is way too often burdened with.

Swapnil: Rob, thank you so much for taking time out today to talk about security, of course, and I would love to have you back on the show.

Rob: Thank you. I'm looking forward to it. Thanks.