Hello, and how are you doing? Welcome to Abadji Talk. Gordo, the techs are here. I'm here with my good old buddy, Papi Chulo, who's in the house, filling in for the security guy, Andrew Lanning, who once again is traveling around the globe, spreading the word on security. Well, spreading something. I don't know, spreading the Aloha. That's what he's doing. Anyway, we have with us today Pete Insall. He's our guest today. He's a security architect for Presidio West Coast. Yep, that's correct. So we're going to talk about secure network architectures in the cloud and some things that are happening in that space, which is kind of interesting. You can tell by this pale skinned Hollywood boy that is his first trip to Hawaii. And you don't get much paler than that. And thank God there's someone paler than me in the house. He blends in with his shirt. Hey, thank you. Nicely worth his shirt. So it's great to have you on the show. We have a few segments. We do a little bit of news. We have this thing, you know, got one tech job. And then we'll get into your background and things like that. But before we we'll do, we'll get out of the way. You know, got one tech job. You know, feel, feel to feel free to comment any time when this is the latest one that is actually down the street from where I live. You got to take a little close look at that photo. That is a lamppost. And that is the light for my street. It's been like that for, oh, I'd say we're coming up on three months. It's been down three months. That's how it is. But I tried to figure out what the problem was. And then I remembered when I was with the city, there's a thing called the joint pole committee. So it's probably in the committee right now, trying to determine who's got to fix it. Because the pole itself is one committee or one department. The arm that holds the pole is another department. And the end is another department. 
So that's probably going through its due diligence right now at the joint pole committee, at the City and County of Honolulu. Who was in trouble when somebody crosses the night without the light and gets hit by a car. OK, well, then that's going to be another story. By the way, there's a crosswalk just up the street from there. So you nailed it. And that's all you got to do is have someone happen there. But anyway, we're on it. We've got our stuff on the upside, taking care of everything, City and County of Honolulu. So security in the cloud is kind of an interesting thing. But before we get there, tell us a little bit about yourself. So where are you from? Where did you go to school? Did you go to school? Yes, home school. Yeah, interesting background. So I've been a little bit all over the map. So I was a military brat for years. So I've been all over the United States and Europe as well. I was actually born in Germany. But I ended up, myself, ended up going in the military. I actually ended up going to Texas A&M University for engineering degree. Didn't finish that up. Ended up going in the military. And I was stationed in the Navy on submarines. OK, so you were a Navy, and you were? Army. OK, so we like each other. So it's funny you like each other. Now, do you have any unique and interesting stories about getting arrested the first time you were assigned when you were stationed somewhere? Not that he had it happen to him. No, no, he didn't get arrested. He got a ticket for jaywalking. Nothing that I can disclose publicly. Well, this was the same. All I know is his uniform was wrinkled. So, by the way, you're looking pretty tan. Yeah, I'm enjoying my time off. Thank God I worked so hard for a living. I wouldn't mind borrowing some of that. Yeah, oh, look at that. There's a contrast. Oh, wow. That's scary. Just wear a lot of sunscreen. You know, when you spend all your time in a submarine, this is what happens to you. Oh, that's true. 
You're deprived of sunlight and other things. Yeah, you ever get cloudy day syndrome? Exactly. You're stuck inside. So you were in the Navy, you got out of the Navy, and where did you say you went to school in Texas A&M? Yeah, I went to Texas A&M originally, and I was going for an engineering degree, mechanical engineering, ended up going into the Navy after that, never finished out, finished about two years of my engineering degree, and then ended up going to the Navy, and actually was a nuclear chemist in the Navy. So I did radiation protection and reactor chemistry on a sub. That explains the color of your skin. That explains why I'm a little wider. Yeah, am I glowing? Am I glowing now? You're a glowing person now. I love you on this show, man. You're the best. So yeah, after I got out, I got interested in information technology in the late 90s and started pursuing that, ended up relocating and landed in Florida, ended up. But wait, Florida has sun. Yeah, Florida does have sun. And unfortunately, I didn't spend enough time in it. Yeah, obviously. So yeah, I ended up going into network engineering, my first job for a large insurance company, Liberty Mutual. Ended up starting to work for them, and I kind of progressed and ended up getting into security at that time, and kind of went from there, and that became my passion. And that was in the mid to late 90s? Yep. And so think of what, I mean, in your young career in doing this, how much has security changed over the past 10, 15 years? Night and day difference. The entire concept that we started with is cloud concept, public cloud. What is that, right? The internet was just starting out the dot-com days. So it just shifted the whole world. And everybody's paranoid now about getting hacked and having their data stolen and their record stolen and so on. And so, and we'll talk a little bit. Let's talk a little bit about that. So give us a definition for our viewers. What is the cloud to you? What is the cloud? 
No, that's something that he hasn't seen much of because of his suntan. But the cloud. Well, the cloud by definition is, well, cloud that goes out of my head. Let's only try to put together the right definition, but effectively it is services being delivered from outside of the organization is the most common. So if you're getting services from a bank and they're using their computer system and such, are housed somewhere else, maybe managed by someone else like Presidio, then that would be in the cloud. Versus if they had it in their own location. Well, there's a couple definitions here. And it's really hard to explain this, but there's a concept of private cloud and public cloud. Private meaning you fully have control of this environment, which you're making available. All these resources available to all these end users. But you're controlling it in a fashion that allows you to deliver it with some degree of separation. OK, within a box, OK. And then public is, it isn't your environment. It's hosted in somebody else's environment, but you're using their services. So for example, I mean Netflix, Google, they're all technically cloud services. OK, and they're public or private? They're public cloud services, right? The end user is consuming those, yeah. And they're public services. So if I'm using like Microsoft Office 365. That's a public cloud service. That's a public cloud service. If I'm using ABC Bank and all of that stuff is in theirs or a secluded data center that they control, that's a form of private cloud. It's got some gray areas in there. I know, I'm just trying to get where you can define the lines, which show how complicated it could be. So just think about, so now you specialize in the security side of this thing, on the security side. So you've got all these different types of clouds, and then you've got to secure it. Now, he's in security too. Now, but he's in the wetware side. We finally educated him. 
Wetware is people, 90% or whatever it is, water. That's who it is. And then you've got the software side and the hardware side. What's the worst side? The hardware software or the wetware, the people side? Oh, I think people. Yeah, guaranteed. People, hands down. I mean, you can do everything you can to secure everything, but at the end of the day, you're working with people. And human error. Human error or human intent. Yes, human intent, human error. They can do all of those kinds of things. Lots of harm. Lots of harm. So tell me, what it is you do? What is it you do? As a cloud security architect. So I spend most of my time educating and talking to customers how best to protect their data. Whether that be delivered in their own data centers, whether that be put into public cloud environments, for example, like we just talked about. But it's about putting together the right type of security solutions. But I'm mainly on the technology side, but like we just talked about, people are the biggest problem. So I like to talk about the people aspect of things as well. Not just focusing on how technology can solve the problems, but how do we help get awareness on the people side? Or how do we help control the people side? And then we use tools to help control the people problem that's going on there. Now you were saying earlier on today, there's a cloud is a growing industry. Yeah, yeah. So cloud services are expanding. What did you say, 37 billion? 37 billion, yes. It's expected to expand or top 37 billion this year. So that's 37 billion spending in cloud services, providing cloud services? Yeah, it's all cloud services combined. That's things from Amazon. That's things from Microsoft. That's Google's cloud services. All these other cloud services are it's going to be a roughly 37 billion dollar market this year. 37 billion dollar. And your job is to make sure all of that 37 billion dollar market is secure. Not all of it. No, wait, that's right. 
You've only got the West Coast. So not a problem. You got that under control. It's only one small person, one small. So that's a huge, do you see this growing? Yeah, cloud is the trend of the future right now, as we call it cloud. That is the trend of the future. Every customer is looking at cloud services, public cloud services specifically, if they haven't already adopted it, they're already there. And they're there without even knowing about it, because guess what? We're all consumers of Google services, Facebook, you name it. We're all consuming these public software as a service offerings that are ultimately underneath the noses of a lot of organizations. So is it safe to say that if I'm on my mobile device that and I'm going Facebook or LinkedIn or that I'm on the cloud? You're all on the cloud. So anyone that's sitting out there thinking, well, I'm not on the cloud, they're on the cloud. They're on the cloud, yes. Unless they get a flip phone and it's only the phone and it doesn't have anything else. But even then, that dial tone is coming from somewhere. That's true. And that carrier could be in the cloud. That's true. Providing it's turned down though, right? The cloud, the system has to be on your phone for it to go. Well, your phone has to be on. That's true. That's a good question. I didn't have this, the cloud was out there on Verizon. I said, where's all my stuff? Oh, it's in the cloud. Oh, you didn't turn yours on. So whatever you thought you saved is not safe. It's the best security. If you just turn off all your electronic devices, you're more secure. I'm in the cloud, the app. Your app itself was not there. But you were on the cloud from a dial tone perspective to make the call, right? But not from your data side. So a good point. But if you have the app and you don't turn on the app, it's not going to the cloud. Your photos aren't going or things aren't going. 
But if you're doing instant messaging, and that app is turned off, you're still in instant messaging. And so that's still in the, is that safe to say, in the cloud? Yeah. And all your data is stored there too. So here we go. So data's in the cloud. And we agree to that by signing on that long. Yeah, it's called a EULA that no one reads. Yeah, nobody reads it. No one reads it. So you got the EULA. So you got to cloud the data. You got to protect applications that are running on the cloud, client things, and so on. All this kind of stuff. So we're going to have to take a short break. It's amazing. We just cranked through 15 minutes. And I feel like we haven't even scratched the surface of this cloud. It is. But let us do that. Let us do a little short break. We'll go get Angus. He's got a new gadget, I think, this week, and a new Scottish sign. And you haven't met Angus? No, no, I haven't. And I can forward to it. Oh, yeah. And I hear your English. Oh, my goodness. Wait till he finds out. Anyway, we'll be escorting the techs out. Puppet you low. I forgot your name for a minute. Puppet you low. I was here like, what goes? And we're here with Pete Insall from Presidio. We'll be back in a minute. You're watching Think Tech Hawaii on ThinkTechHawaii.com, which broadcasts six live talk shows from 11 AM to 5 PM every weekday, and then streams earlier shows all night long. Great content for Hawaii from Think Tech. Hi, I'm Chris Leitham with The Economy and You. And I'd like to invite you each week to come watch my show each Wednesday at 3 PM. Hi, I'm Donna Blanchard. I'm the host of Center Stage, which is on Wednesdays at 2 o'clock here on Think Tech. On Center Stage, I talk with artists about not only what they do and how they do it, but the meat of the conversation for me is why they do it, why we go through this. A lot of us are not making our livings doing this. And a lot of us would do this with our last dying breath if we had that choice. 
And that's what I love to talk to people about. I hope you enjoy watching it. And I hope you get inspired, because there's an artist inside G2. Join us on Center Stage at 2 o'clock on Wednesdays. Bye. Aloha, everybody. My name is Mark Shklav. I'd like you to join me for my program, Law Across the Sea, on ThinkTechHawaii.com. Aloha. Aloha. My name is Danelia, D-A-N-E-L-I-A. And I'm the other half of the duo, John Newman. We are the co-hosts of Keys to Success, which is live on Think Tech live streaming network series weekly on Thursdays at 11 AM. Aloha. Aloha. Welcome back. And we're here to see our good buddy here, Angus. Angus, it's all of you now. Hey, there. How you doing there, puppy? You're looking a wee bit broon. That's how we see him sculling you. You're broon. You're broon. Yeah. And your guest is a wee bit peckish. I see that, too. He's like, yeah, it's nice to see someone here a little bit more pale than me. Well, almost pale to me. And so that's the English name, you know that. We beat the shit out of you in 1432. Just so you know, the bruises were in there. And you never stood a chance. Anyway, we forgive you. So just keep all your stuff done in England. Scotland will see you when they did ever again. Anyway, so I've got a couple of things. I got a Scottish sign of the day. And I put this up especially so when the English come up into Scotland, they can know where it is. This is a bus that's been a working. And when our bus is in our working, it says, ah, we no more than service. That's how it is. Ah, we no more service. That's the bus, the Scotland area. So that's how we're going. Anyway, you know, I always go out and try to find a new innovative gadget. So I got a new one today. It's so innovative, you can't buy it. It's a fan you put on your motorcycle to charge the battery or your iPhone. It's called an iFan. Can you beat that lad? It's an iFan. Easy, but you know, it's awesome. It's not Malaysia. You can't buy it yet. It's designed in Norway. 
And Norway's really good at saving energy. So I think they're gonna come up with it. The trouble is, they're gonna charge us too much, I bet. But anyway, it's called the iFan. Watch out for it. It's kind of really cool. Anyway, that's my gadget. That's my punch on the English. It's my punch on the Papi Chulo. It's nice to see you all again. And remember, everybody, let your wing gang free. We're ready to be. Hello. This is so funny. Look forward to being a guest host. One day I'm gonna take over the show, one day. We'll do it all in Spanish. We'll do it all in Spanish. Oh, that's too funny. That's too funny. Anyway, we're here with Pete Insall from Presidio on the West Coast. You're a security architect. We're talking about securing the cloud. So what are some of the biggest challenges you have in trying to secure companies' applications and data that are on the cloud? Well, a couple things that come to mind is a lot of times we just talked about that a lot of times organizations haven't actually identified what their goals were for going to the cloud. What are they actually trying to protect? The first thing we need to do in security is identify what we're trying to protect. What are our threats? What are the vulnerabilities, our exposure? So we always start with risk assessments. So that's one challenge is being able to identify the need that a risk assessment is critical whenever we're looking at the cloud or we're moving in the cloud. The other thing as part of it is what are the applications and that kind of data we're going to be putting in there, right? Is this sensitive information? Is this credit card? Right, is this credit card? Is this healthcare information? Because now we need to treat that a little bit differently and we need to provide proper security architecture around that. So there's a number of those considerations as well. So, but people, go ahead. 
It'd be like considering who has the right to that information also because they have different levels. Yeah, that's right. Because I'm on the same web network. I don't have any business looking at this guy's PII when it had nothing to do with me but I have a level of security clearance. But security clearance, exactly. It's a principle of least privilege that we try to apply for anything. And PII is public? Personally identifiable information. Personally identifiable information. Exactly. I was off for a couple of weeks. I was off for a couple of weeks. You're obviously a rank and he was officer. He was one of us, yeah. No, I had a brain fart. I was off for the last couple of weeks. No brain is right. You're still working on it. So there's that. So what about compliance? Yeah. Like there's PCI, HIPAA. Yep, there's CJIS, there's ITAR. We can keep going on and on about every type of compliance. So when I hear this, then I start panicking out and say maybe I shouldn't go to the cloud. No, actually, really the biggest thing that needs to be looked at in these public cloud environments because really that's what we're talking about here. These public services that you can put your data in. It's just knowing what the potential risks are and how you can actually secure those environments. What they have natively to offer security to you but what else you need to do to protect your information out there. But they are compliant. They are compliant. Now how much further ahead do you think that the cloud providers are then, and this is a loaded question because I already have my opinion, but the cloud service providers versus the people that are doing it in-house with limited, I'm couching it, limited talent and resources. When you've got like, I bet AWS and Amazon and Microsoft got a lot of people doing security. Yeah, they have some of the better security teams that you can ever find. 
It's just the reality is Amazon and Microsoft, they have some of the best security teams out there and they're going to know how to secure their environments better than most customers can themselves. Now it doesn't mean that a customer that puts their data in there doesn't have a responsibility to equally secure their information because at the end of the day, there's not a, there's a concept of a shared responsibility. Right. So everybody's- Like a pole committee. Yeah, exactly. The shared responsibility. So, by shared responsibility, so I can use like the endpoint. Oh, there you go. Cloud, let's not say cloud services statistics. There's the 37 billion in 2016. Yep. So I have another slide, Missouri, if you can find that, would it be this a dirty dozen cloud security concerns? Oh, here's what we're protecting. Oh, hold it, hold that one. That's great. So this is what we're protecting. This is a great picture. This is the value of a hacked company. You know, a lot of people think that it's just data that they're trying to protect but there's a lot more information. When cyber criminals are going after a company, they can exploit and get access to a lot more information through different means here, right? They can go through partners, they can get access to the cloud services a company has and get access to the financials, the assets that they own. So it helps illustrate a point about, you know, we're not just protecting just data alone, the kind of sensitive information we just talked about. It goes far beyond that. Yeah, you look at the slide, you've got physical aspects, you've got the HR data, you've got financials like you said, virtual, all those kinds of things that are being protected. Yeah, even whether you're in the cloud or whether you have to do it on-prem, on your, it's the same thing. And do you have the talent that can do that? Exactly. 
There's another slide that, you know, maybe we could call it the dirty dozen, it's called cloud security concerns. You know, even though it says cloud security concerns, when I look at this, it's security concerns no matter whether it's cloud or not, right? I mean, how can it just be cloud data breaches? How many data breaches that we heard of, that I know of, from local firms that have their own data center? Well, what this comes from is, this is actually a survey put out by the Cloud Security Alliance for this year, actually. And it's a ranking of for cloud services, what are the highest risks and threats for cloud services? And this is ranked according to some of the concerns that are out there from professionals and everybody else. And where do we see the highest risks? And actually, you know, data breaches being number one, that's top of mind right now. Right, yeah. We're seeing hacked companies everywhere. So, of course that's top of mind. That, you know, the second one. Yeah, what's credential management? Yeah, credential management is the concept of, you know, how are you actually securely storing, you know, passwords and identity information? And how is that information being transmitted back and forth? How do you validate that it was you that logged on to a particular service, right? And that's where you've heard things like, have you heard of two-factor authentication? Have you, do you do this with your bank where you sign onto your bank and then they send you a PIN code and you enter the code? That code, that's two-factor authentication, exactly. And that should be, I would say, commonplace. It should be the norm. Unfortunately, there's so many organizations that have no concept of that today. Yeah, and I would say if you look inside the organizations, and I could point this out, organizations that are running their own data centers in their own facilities, see if your sign-ons are two-factor authentication. 
Do you change your passwords every 90 days or 60 days, whatever it is? You're not allowed to reuse passwords. There's a whole set of rules that should be followed, right? The governance. Yep, that's the governance. That's the governance that I can guarantee you that most in-house-serviced organizations that don't have to be regulatory components. Yeah, we find that the higher the regulatory requirements on the particular customer, the tendency that they happen to have better security hygiene, as I like to call it. Oh, yes, we've heard that word. Yes, exactly. Mr. Lanning uses that word a lot. Yes. So what about there's an insecure APIs which are application program interfaces? Correct. So that's number three. A lot of people wouldn't know what that is, but kind of give us in a lay person's way. So it's a way to programmatically make changes or retrieve data or input data into an environment using programmatic methods. So you're familiar with scripting and things like that, orchestration, automation. Those are all using what's known as APIs. As APIs. These APIs must have secure authentication mechanisms, though, in place. Sometimes they have vulnerabilities to where those can be exploited by criminals, et cetera, that know how they work. Now, an example of an API, if I downloaded a particular application onto my mobile device that then got into one of my production systems, per se, how do I know that that mobile device application is secure enough to be handling? One way to secure interface, it's usually behind the scenes, but your application is a mobile web version. That's just using native access, but it's a web version. It's a web version. So what's the next one you think that the next one that people should be conscious of and be made aware of? Well, one other thing is people are having their credentials stolen, right? 
We're hearing of these phishing emails where people click on them, and they're asked to put in their username and password into a log form, into a form filled. They fill it in, and ultimately, the attacker steals their credentials, and then uses that to compromise another system. Another system. Yeah. So they impersonate that individual. So it's hijacking. So hijacking. Hijacking. So what should a lay person be doing to ensure that that doesn't happen? Once again, this whole concept of identity is the new perimeter. You may have heard that phrase. It's true. I mean, at the end of the day, we're only as secure as how we can validate if it was you or myself logging into a particular system. And if passwords are dead, I think that's pretty well common. Yes, passphrases now. Yeah. Exactly. 21-bust characters. Nobody can remember passphrases. So this whole concept of, I have a system, but I'm not going to tell anybody it, because then they'll have my system. So there's any money. This whole concept of two-factor come from. It's something you have and something you know. It's the way to. Well, yeah. OK, so we've got to move quick, because we only got a minute. This is CSA. You talked about that. Yeah, I didn't have a chance to talk about some of the news. But I'll do a quick one, because Palbox gives us some interesting stuff, and it's really related to this. They were saying it related to cost. The health care IT costs per doctor now are at $32,000 a year, just for security. And that's just to protect the records. And if your doctor, dentist, health care provider is not paying in that range, then you have to start wondering if they've got stuff going on. And maybe they should be putting their stuff on the cloud. So it's expected to increase. That's not 40% increase since 2009. Like you said earlier about what was going on. And then we had a HIPAA criminal for prosecution in Tampa the other day there. The guy went to jail for violating HIPAA. 
So get ready, the more that stuff is happening. So anyway, Pete, we haven't even scratched the surface, so we've got to get you back. Pete is obviously an expert in this cloud stuff. I'm dizzy with everything that's been going on. But we also have something that we never, this is a totally secure, HIPAA-compliant Solo cup that we give to all of our guests. And you have number 82 in the series. Well, that's great. And that's it. So anyway, that's it. We're ready to head on to the show. And like we said, thank you, Nick, and thank you, Zerry. Like we say at the end of every show, one, two, three. How you doing?