Supreme Bhatia: Hi, this is your host Supreme Bhatia, and welcome to another episode of T3M, or Topic of This Month. The topic of this month is security and compliance, and today we have with us Linda Brown, Director of Risk and Compliance at Smallstep. Linda, it's great to have you on the show.

Linda Brown: Great. Thanks for having me.

Supreme Bhatia: I would love to hear from you how you have seen the evolution of security, because if you look at traditional IT, security used to be someone else's problem. It was not the developers' problem; they were separate silos. But ever since we started moving to a containerized, cloud native, Kubernetes-centric world, we talk about things like DevSecOps, we talk about zero trust, we talk about shift left. So the security landscape is also changing and evolving. Can you just talk about the evolution of security?

Linda Brown: Yeah, it's funny. I think it's evolved in a lot of ways. I think one of the big ways is just the ending of the concept that security is all about the perimeter. You know, I think that's what zero trust is all about, right? The fact that perimeter security is no longer enough to make sure that organizations are secure. And as companies move to cloud environments and multi-cloud environments, I have actually recently seen companies that were staunch resistors of cloud environments, that just refused to even consider the cloud as an option, now moving to the cloud, and they're really having to rethink how they do security. If you take out the perimeter and make the assumption that your human controls can fail, you know, we've seen all these phishing attempts, and it's users, it's all about the user still, right? And if that human control fails, what do you have in place next to make sure that your data and everything is secure?

And I think that has pushed everything further down the stack, which relates to the shift left movement, which relates to how we secure the Kubernetes pods and the databases and the back-end communications. If all the things are everywhere, how do you control the security of them? How do you make sure that the inter-object communications are secure, making sure mutual TLS is there, getting certificates everywhere, and how do you do it at scale? You know, when in the past we thought about certificates, because obviously they're not new technology, there was a lot of manual labor involved: somebody would call somebody and say we need a new certificate, and ops would take care of it. If we're going to move and have zero trust, where those certificates really have to be everywhere, we need a corresponding scalable environment where we know we can just get certificates reliably. And I really love the change to, and this is a big thing for Smallstep, the change to short-lived certificates. I don't think it helps anyone to have one- and three- and five- and ten-year certificates when you're talking about every database and every Kubernetes pod that spins up, and even people. 24-hour certificates. But how do you meet that demand with a centralized platform that's scalable and also has auditing and logging? You know, it just really changes the perspective of how we think about things, and that's zero trust too, right? Moving past the concept of perimeter security.

Supreme Bhatia: There are so many different ones. Like, a few weeks ago there was a report where booking.com, they were using OAuth and they had an API vulnerability, so everything else was compromised. Of course social engineering happens a lot, which was Uber. And these are tech companies. These are not even mom and pop shops that have nothing to do with technology. And even at KubeCon, we see Home Depot there. I still have a Home Depot mug. So all these companies, hardcore hardware companies, they are doing it. But the thing is that the security, the attack vector, or whatever you call it, they're also evolving. There are so many variables now that security, as you also said, is no longer... it never was, but it's not a product anymore. It's a process, which is not just about technologies; it's about culture and people. When you also talk about these customers who were reluctant to move to the cloud, and, you know, cloud itself is very complicated, and when you start talking security, things get even more complicated. If I ask you, what are your major concerns, where you feel, hey, companies are not doing the right thing, or you feel that, hey, yes, they are taking security seriously? Because I was talking to somebody yesterday also for this topic, and they said that the best thing that security companies have done in the last five years is to tell us how miserably they've failed, you know. And we're talking about all the traditional security companies or other companies. So my question to you is, what are the major security concerns that you see that are there if companies don't make it a priority?

Linda Brown: I think part of the problem I've seen is still that shift, as people move to cloud and companies move to cloud. I still think there's a predisposition, and it just comes from habits, of securing the perimeter of all those clouds. So I think that there's a fundamental mind shift that has to happen, and to break those habits, I think part of that is shifting how we test. You know, when you think about the way we've done vulnerability scanning, the way we've done pen testing, all of the things that we use to measure how we were doing with security have been about the perimeter. And I think that all has to shift to be: are we protecting all the things in all the places we are? If we assume it's inevitable that someone is going to get to our infrastructure, how do we secure it? How do we make sure that each thing is considered the house, and we worry about the open doors and windows, and it's full stack? Which means we have to push into every piece of what developers build. I think there was a tendency for only certain developers that were building certain types of components to be concerned about security, but now it's everybody. And I think, from a corporate standpoint, I personally feel that shifting a culture to think more about security... I think culture change is hard, right? I've always compared it to turning a cruise ship. So, you know, you're moving and trying to get everybody to think in this new way, and there are bottom-up things that can happen to help that. I think Smallstep is especially good at helping people take a single use case and start with that and make it secure and build that security from the ground up. But I think we also need, in order to make sure that security moves to all areas of an organization... I really believe there has to be a top-down will to make security a priority. And that is what allows for budgets to free up. That's what allows for certain business managers to not get away with saying, oh, I can't do security the right way right now because of money limitations or technology limitations. You know, there has to be the will to say we cannot operate this way; you and your business line must make changes. And that's across the entire organization. So I think the top and the bottom meet somewhere in the middle, but there are plenty of changes still to be made.

Supreme Bhatia: A real thing, you know: security is kind of a solved problem when I listen to you, and you're like, hey, everybody has totally understood that digital transformation, cloud native, that is their approach. But, you know, it looks like that is still a major challenge there. Can you talk about what is stopping them, or what are the roadblocks or hurdles? Because when we do talk about... I mean, also, I'm in the field where I do see the technology they are building for tomorrow, so I think, hey, that's already a solved problem. But you deal with your customers. So what do you think are the roadblocks, which are why these companies are hesitant to adopt some of these practices?

Linda Brown: I think, as with every new thing that comes into security, there's a pattern and a path that things take. I think as we thought about and moved through the evolution of how do we secure users, we came to a place where there were these great umbrella technologies that helped us manage users and user access, you know, the IdPs of the world. I think it's a very mature part of what we do. I think what has to happen across the industry is there has to be a maturing of products around zero trust, and I think we're really just getting started. You know, I feel like we've been talking about zero trust for a while now as security practitioners, but the businesses are just starting to move from single zero trust use cases, pieces-parts zero trust, to really understanding that it is an entire change in perspective and methodology. And I don't think the tools have quite caught up. And Smallstep is thinking the same way, right? How do we provide an umbrella solution that is the way companies secure all that other stuff that's not people? We've done a good job, I think, with people, but not all that other stuff. And so I think that's what's needed, that evolution in the industry, and it started, right, with how we do EDR and endpoint solutions, and it's all kind of there. But how do we create that picture that allows security practitioners to audit what's going on, to log what's happening, to report on where they stand? Because the reporting is a big piece of this as you go up the chain and ask for money and talk to the higher-ups. They're looking for those red-amber-green indicators of what's working and what isn't. And so having that centralized reporting, having those umbrella technologies that bring that picture into focus, I think is still developing in the zero trust market. And Smallstep is thinking the same way, right? How do we take the good things we're doing around getting certificates to anything, anywhere, all the time, auto-renewing and at scale, and present that information to security practitioners and risk teams so that they can make decisions about what they do next, based on how they're seeing the progress going in zero trust implementations?

Supreme Bhatia: There's already a scarcity of, you know, security folks. As much as we like to move everything into DevOps and SREs and zero trust, and as much as we want to break those silos, there are folks, you know, like you, who specialize in security. So there will always be soft silos like that; folks who specialize in security will be there. So talk about the role that Smallstep is playing in helping companies lower the barrier of entry so they can, with a top-down approach and a bottom-up approach, embrace some of these security practices.

Linda Brown: It's funny. We've started to really use the name of the company as a notion about where you get started: take a small step into this realm. And the way we have the company set up and priced, we make it easy for companies to take one use case, get started with it, and do it in a way that, because we're a SaaS offering, you don't have to spend a lot of time building up a PKI environment. PKI is complicated. I've learned that even more after joining Smallstep. I've been a security practitioner for years, I have my CISSP, and I got here and I thought, wow, you know, PKI is just a whole other level of complexity. And here's this product that really makes it practical and approachable, so that you can take that single use case, get started, and then add on to it. You know, while we want to make sure that we're providing a picture of what's happening, auditing, logging, for visibility across a broader audience, to get started it's a small thing. It's just one use case, and you can add on to it. And the PKI infrastructure, the deliverability of those certificates reliably, with short lifespans, is all taken care of for you: high availability, the whole thing. I think that's the beauty of what we've done with Smallstep, all with that open source core of PKI at the base. And so I think that's what we offer for companies.

Supreme Bhatia: What advice do you have for companies who are still, you know, kind of still looking to improve? They're still like, hey, should we or should we not? But let's just keep those kinds coming: the companies who are looking at embracing some of these practices. What advice do you have so that they can take smaller steps to embrace and adopt a security practice, build a security culture there?

Linda Brown: I think taking the things you're good at already, that you have down, where you have set processes and procedures, and applying certificates to them is a great place to get started. I think many companies have gotten really good with how they distribute containerized solutions. You know, Kubernetes is a great example. They've built up that expertise. It's a great way in, with an established process where you can just insert certificates, and Smallstep makes that really easy. I also love, you know, it's a very rudimentary and core functionality, it's not about X.509 certificates, but I love our SSH solution. I think it's a no-brainer. Every company uses SSH. It's a foundational level of access. You know, and I see a lot of companies still using shared credentials. Well, you take a product like Smallstep, and I was a user before I joined the company, and I loved it. I would authenticate to my IdP, we used Okta at the time, so I would authenticate in the browser, and I could then SSH anywhere I needed to go in the organization with that one login, once a day. It made my job much easier. I didn't complain about the security because it didn't make my life harder. I didn't even care that it made the DevOps guys' job easier on the back end. I just wanted to be able to do my job more easily. And even if I was accessing a shared credential technically on the back end, I was still logging in with my individual ID, so the logging and auditing is available and visible now, where before you had no visibility into who might have used that shared account. So even if you're using it for break glass or whatever, you know, don't change the users that you have on all those servers. Overlay a solution like Smallstep, make everybody's lives easier from DevOps to the end users, and you've secured what is a foundational level of access that every organization uses. So I think that's one really simple way. And then again, like I said, anywhere you already have set processes in place, just insert a certificate into that secure environment.

Supreme Bhatia: Linda, thank you so much for taking time out today to talk about this topic and also share some insights on how companies can embrace security practices. Thanks for those insights, and I would love to have you back on the show.

Linda Brown: Thank you. It's been my pleasure. I hope we get to speak again.
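The SSH flow Linda describes (log in to the IdP in the browser, receive a short-lived SSH certificate, and connect anywhere while the log still shows the individual even when the target account is shared) rests on a few fields of the OpenSSH certificate format: the key ID names the person, the principals name the accounts the certificate may log in as, and the validity window is short. The code below is an added example, not Smallstep's code and not something from the episode. It builds an ed25519 user certificate in OpenSSH's wire format with a zero-filled CA key and signature (constructed data; a real certificate is signed by the SSH CA and verified by sshd), decodes it, and applies a policy check. The 24-hour maximum lifetime, the names, the timestamps and the key bytes are assumptions chosen for illustration.

```python
"""Decode an OpenSSH user certificate and check the properties a
short-lived, identity-bound SSH setup relies on.

Added example, not Smallstep code. Standard library only. Field order
follows OpenSSH's PROTOCOL.certkeys; the CA key and signature here are
placeholders (constructed), so the cert decodes but would not verify.
"""
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1
MAX_LIFETIME = 24 * 3600  # assumed policy for this example: one working day


def _s(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Sequential decoder for the SSH wire types used in certificates."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())

    def done(self) -> bool:
        return self.pos >= len(self.data)


def build_user_cert(pubkey, key_id, principals, valid_after, valid_before, serial=1):
    """Assemble an ed25519 user certificate as an authorized-keys style line.
    CA key and signature are zero-filled placeholders (constructed data)."""
    body = (
        _s(CERT_TYPE.encode())
        + _s(b"\x00" * 32)                      # nonce (random in real certs)
        + _s(pubkey)                            # the user's public key
        + struct.pack(">Q", serial)
        + struct.pack(">I", USER_CERT)
        + _s(key_id.encode())                   # who: the individual identity
        + _s(b"".join(_s(p.encode()) for p in principals))  # which accounts
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _s(b"")                               # critical options: none
        + _s(_s(b"permit-pty") + _s(b""))       # extensions: permit-pty flag
        + _s(b"")                               # reserved
        + _s(_s(b"ssh-ed25519") + _s(b"\x00" * 32))  # CA public key (placeholder)
    )
    signature = _s(_s(b"ssh-ed25519") + _s(b"\x00" * 64))  # placeholder
    return f"{CERT_TYPE} {base64.b64encode(body + signature).decode()} {key_id}"


def parse_user_cert(line: str) -> dict:
    """Decode the fields of a certificate line (what `ssh-keygen -L` prints)."""
    kind, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != kind or kind != CERT_TYPE:
        raise ValueError("not an ed25519 OpenSSH certificate")
    r.string()                                  # nonce
    pubkey = r.string()
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    pr, principals = _Reader(r.string()), []
    while not pr.done():
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    r.string()                                  # critical options (not used here)
    er, extensions = _Reader(r.string()), []
    while not er.done():
        extensions.append(er.string().decode())
        er.string()                             # extension data (empty for flags)
    r.string()                                  # reserved
    ca_key, signature = r.string(), r.string()  # not verified in this example
    return {"pubkey": pubkey, "serial": serial, "type": cert_type,
            "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "extensions": extensions, "ca_key": ca_key, "signature": signature}


def check_cert_policy(cert: dict, now: int, max_lifetime: int = MAX_LIFETIME) -> list:
    """Return policy violations; an empty list means the cert is acceptable."""
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if not cert["key_id"]:
        problems.append("empty key ID: login cannot be attributed to a person")
    if cert["valid_before"] - cert["valid_after"] > max_lifetime:
        problems.append("lifetime exceeds policy maximum")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside validity window")
    return problems


def audit_line(cert: dict, account: str) -> str:
    """The log entry worth keeping: the person behind a (possibly shared) account."""
    return f"ssh login account={account} key_id={cert['key_id']} serial={cert['serial']}"


if __name__ == "__main__":
    line = build_user_cert(b"\x01" * 32, "linda@example.com", ["deploy", "linda"],
                           1700000000, 1700086400)
    cert = parse_user_cert(line)
    print(cert["key_id"], cert["principals"], check_cert_policy(cert, 1700000100))
    print(audit_line(cert, "deploy"))
```

The decoder is for reading and policy-checking a certificate you already have; it does not verify the CA signature, so it must not be used as a trust decision. `ssh-keygen -L -f id_ed25519-cert.pub` prints the same fields from a real certificate, and on the server it is sshd, via `TrustedUserCAKeys` and principals, that enforces who may log in as which account.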