Hi, this is Swapnil Bhartiya and welcome to another episode of D3M. The topic of this month is security and compliance, and today we have with us Tony Lauro, Director of Security Strategy at Akamai. Tony, it's great to have you on the show.

Thank you, thanks for having me.

Let's talk about security from the perspective of, if you look at traditional IT, traditional security, things have changed a lot. Back in those days, somebody would write the software, we'd buy it and deploy it ourselves. We had system admins, they'd manage everything. Security was someone else's problem, that's the point. But now in the cloud-centric, cloud-native world, security is moving into the developers' pipeline. We talk about shift left. So I want to talk to you about the contrast that you have seen, how security has evolved from the traditional world to the cloud-centric world.

You know, I feel like we kind of go through this ebb and flow, to be honest, right? Because as we moved to the cloud, you know, maybe 10, 15 years ago, we started to kind of get the sense that, hey, we're now offloading this risk to the cloud provider, right? We're giving this to a big corporation that knows what they're doing. They've got more space than us. They've got more resources, and they're going to manage how our applications and systems are built in those environments. But we very quickly realized that a lot of the fine print around deploying in the cloud is really more, you know, infrastructure and operational assurances. And it really has less to do with the efficacy of your security controls, how your applications are built, how you choose to deploy those applications and support them. And all of that really still just came back onto our shoulders.
So a little bit of the evolution that's happening is, although we need to know how to use these new environments, and obviously now people are in multi-cloud strategies where they're not just deployed in one cloud environment, they have several vendors they're working with, and then other layers of security that maybe even sit out front of that, right? Because you can't, you know, if you're renting a web application firewall in one cloud provider, or they have one as a service, you probably can't get the exact same configuration, and you probably have to also learn how to use the WAF that the other cloud provider rents to you, right? So you have this complexity of growing dashboards and interfaces that you have to manage as a security operations person. And then even when all that was taken care of, we said, hey, we figured out that this push into the mobile world and the DevOps speed of change is really making us rely a lot more heavily on the efficacy of your application security, not just the procedures, how they're built, but the testing process, the QA process, and where do you put security testing and validation in that flow? We're coming to this point where we're now finding there's a whole lot of application security risk with web apps, the growing number of web apps and mobile APIs, that it's becoming a real challenge. And I think the goal there is to say, hey, we first need to understand what we have, how it's being developed, and get security into that pipeline to some degree, because doing security testing and monitoring after the fact is usually too late at that point, right?

When we talk about looking at security in modern terms, not as an afterthought but as a priority, do you see that companies are actually taking it seriously, are they making it a priority, or do they feel, hey, we have moved to the cloud, you know, a lot of things are taken care of, we'll figure out security later?
Yeah, I mean, I feel like in the vendor space, people are relying more heavily on vendor relationships, because building security into your applications can be a really time-consuming and costly endeavor without the security vendors who have focused on making those things possible. So automated testing platforms, where you check in code, it's tested and validated against a number of security measurements, and then it moves down the pipeline for further testing or release. We're getting to the point now where I feel like we're finally getting our feet underneath us, in order to say, hey, there's a lot of work that we need to do from an operations standpoint and a development standpoint, we can't do it all on our own. So let's rely on these vendors who have made it their expertise to fit security into this puzzle. And generally speaking, I feel like even dashboards and tools that used to just have a couple of knobs and levers now have a lot more thoughtful options put into them. Like, hey, we're going to allow you to access our web application firewall via a series of open APIs so that you can integrate your development and security testing into the release of new web application firewall rules to complement it. Hey, I just released a new API. It's been automatically scanned by the WAF. A rule set's been developed based on best practices and what we think it should be. And then you as an operator have a chance to say yes or no and to accept that. But all of that is starting to move into this more automated manner, with security at the forefront of those decisions being made, which I think is a positive step forward for sure.

If you just look at the last few months, have you seen any, of course, we keep hearing about the breaches that are there on a weekly basis, but have you seen any breaches where you felt like, hey, this is still a problem we need to solve, we cannot take it lightly?

Yeah, I mean, I was just looking it up prior to our call.
There were a number of breaches, three major breaches in January of 2023. It was Norton LifeLock, MailChimp, T-Mobile, and then in February, Google Fi, Activision. And then in March, we saw more from Chick-fil-A, ChatGPT, and this month, Yum! Brands had a data breach. And the idea here, I think something that I just kind of, I guess I kind of come back to this concept, is we already have antivirus, email filtering, URL gateways, host-based intrusion detection. Why do data breaches and malware outbreaks continue to happen? And I really believe it's because there is kind of like the status quo of how we treat traffic once it's inside of our network that the attackers take advantage of. And they found a way to say, listen, when you, and you can even talk to people in the pen testing and red team space, they say, once I'm inside the network, I generally can do whatever I want to do, because you're expected to be able to maneuver laterally throughout the network environment. And those are some of the reasons why these things continue to take place. Now, the deployment of them will always change. There was a big group who was doing ransomware that recently, actually it was last year, released their source code, which allowed the ransomware writers who were pure-play ransomware writers to focus on what they do best, which is making malware that does something bad that's going to force you to pay money. And then other people could collaborate, these are threat actors, right? Other people could collaborate to say, I'm good at exploitation, at getting the payload deployed, at bypassing security controls. And now this collaboration has made it even more, it's made it easier and more lucrative for these malware writers to take their foothold. And that's obviously a challenge that you have to look at by taking the weakest link and trying to correct that problem.
We talked about breaches; are there also any new threat vectors that you are seeing? I mean, this part we just talked about is itself concerning, but there is a massive industry, there is a massive payoff for all these compromises. But are you seeing any new threat vectors also that, of course, there are a lot of things within the cloud-ready world, there's zombie APIs, there are so many other things out there, that you are concerned about, which keep you awake at night?

Over the past year, we've seen a massive increase in local file inclusion, LFI. And this is a threat vector that attackers use in order to gain access to a device so that they can get inside of the network. In years past, almost in every year past, if you look at the OWASP Top 10, you would see SQL injection and maybe remote file inclusion, but usually cross-site scripting. And now local file inclusion is at the very top of this list, and has been according to our logs; LFI has been hitting all of the industries 100-fold more than it had been in years past. So this is showing that the attackers are leveraging LFI to carry out their attacks. They want to get into the network, which is showing a little bit of their, I guess, the shift. They're not trying to compromise a web server and deface a web server, right? Like, this whatever group was here and make some statement; they want to get into the network so they can get their foothold across all the devices on the network, because when it comes time to do ransom, the payout will be even more, they hope, with the more machines that are infected. So those are some of the things that have been kind of shifting and evolving lately.

Now, when we look at things like LFI, I mean, we started talking about things like zero trust architecture, zero trust network. Do you think these kinds of approaches can help there? And second is that, how much adoption are you seeing of things like zero trust there?
You know, zero trust has been a big buzzword topic for a long time. You could probably throw a stick and hit a zero trust salesman if you went to the park with your dog. But, you know, in all seriousness, it's being adopted a lot more in the past couple of years, especially after the pandemic. People realize, you know, a lot of our workforce is not coming back. So we have to take a new lens, a new viewpoint, on how we're doing kind of the simple things that we've been doing for 30, 40 years already, right? So the idea of remote access has been around for a long time. But if you think about, you know, if I'm working from home or from Starbucks and I VPN in, now a username and password, and then probably, you know, some certificates on my device, that's verifying who I am. But when I connect from Starbucks on a VPN, what's happening is you're connecting the network that I'm on at Starbucks with the network in the trusted environment of the corporate locale, right? And this is problematic, right? Because, whatever, maybe this is accidental, I'm not trying to do something bad, but if there's malware or something on my device, it can come into the network. And this is kind of the biggest issue. So with zero trust network access, this whole model has been kind of changed quite a bit, because what we're trying to say is, when you connect to a resource inside of an environment, you don't necessarily need network access to do it, right? So can we provide you the application experience of you opening up Outlook, or double-clicking on an app linked to an internal webpage that's on your system, while you're working remotely? And can we do that seamlessly without connecting you to the network? This is called the least privilege security model. I'm only going to give you access to what you need to do your job. So that's been one big thing: zero trust network access is kind of abstracting the network layer away from that user experience of remote access.
The other thing is, you know, MFA. MFA technology has evolved quite a bit. If you were to go to Google right now, or to YouTube, and do a search for MFA bypass, you probably wouldn't be surprised to see that there are hundreds of responses and actual YouTube walkthroughs of how to bypass MFA technology, right? And this is because there's no strong crypto relationship between the device that you make a request from, the authentication service, and then your 2FA device that you say yes with; there's no strong cryptographic relationship between those devices. This is why, if you're a rideshare app or a company that has a bird in its logo, attackers leveraged MFA either through man-in-the-middle attacks or through social engineering to trick a user into saying yes, granting a token to the bad guy and allowing them in on the network. So that has to change. So new multi-factor technology is creating that strong crypto relationship at time of registration between my corporate laptop, my 2FA device, and the authentication service. So if any request comes to or from one of those devices out of sync and out of the proper path structure, the request would fail. So that's another huge adoption point of zero trust. And the last piece that's really kind of blowing up right now is software-defined microsegmentation. And it basically says, with all these data breaches we talked about earlier, if and when eventually something does get into the network, do you have the controls in place to control the blast radius of that malware outbreak or a bad threat actor, so that they cannot communicate across that network using kind of the status quo of this open communication process? So these things are slowly being more adopted, but it's taking time. We're trying to work with clients to make sure that they can move forward in each of these areas kind of incrementally and get some quick wins, so that they can prove up the chain to the rest of the business that this is viable.
This is something that can be done, and that we can help with, right? So that's something we're really trying to push a lot, but it is moving slowly but surely forward.

Once again, this looks more or less like organizations need cultural change. We cannot do much about the average consumer, but we do have to ensure that our employees are protected. So what cultural changes are needed, or what cultural changes are going on within organizations so they can improve their security posture?

So there's cultural changes on both sides that need to take place, right? So one of the cultural changes, you know, in terms of, like, security awareness training, these are things most modern companies have. It's, you know, a quarterly or, you know, yearly training that says, hey, here's what bad guys like to do in order to trick you into doing something. Here's a best practice on how to handle data within the network, you know, and depending on your job role, you may have more or less training. The other cultural change that is really advancing quickly is on the defender side, right? So that is us trying to teach the users not to be a weak link, which frankly is kind of rude if you think about it, but at the same time, the defenders are, we need to create technology that works despite the user's disadvantage. So if the user happens to do something, like in the case of microsegmentation, like I mentioned, if the user happens to get tricked by a really good phishing email, and they click a link, and it happens to be a URL that's not caught by your URL filtering, and it goes to this malware payload site, and it downloads onto that device, and then it executes, because it's using system processes through a vulnerability to execute. So host-based intrusion detection doesn't catch it, and now it's here, now it's on the device, it starts to spring forth, and it's going to look and say, what can I communicate with?
And the answer to that is anything you can talk to on the network, your computer can talk to on the network, or malware can talk to on the network. So all the same rules that are in place for VLANs and segmentation that already allow me to do my job when I'm on the network are what the attacker's malware will try to take advantage of. So having the ability to kind of ring-fence and protect the exploitation of that system from expanding laterally across the network is a huge, huge piece of the puzzle. And I would say, again, security awareness training and all this still needs to happen, but the real cultural shift on the technology side is we need security to work in spite of the user, right? And that's something I feel like we're slowly kind of moving towards in the industry, but it's taking a while.

How do you help your customers so that they can remain secure? Talk a bit about your solution and how you help them.

We do a lot of things. We've been deploying systems into multinational data centers since 1998. That's part of our content delivery network. But very quickly after that, our customers started saying, hey, we're getting hit with an application layer attack. And you can't just turn off the website, right? You have to ingest all that traffic and then use filters to identify if it's good or bad based on application vulnerabilities. And that's when we patented the first cloud web application firewall. So we've been at this a very long time. Our goal is to protect our customers' forward-facing web presence, make sure that their website and their consumer experience is fast, reliable, and secure. But we also use all of the telemetry of all the security events that we see around the world on who's attacking, who is this, is it a new threat, et cetera. And because we see 20, 30% of the world's web traffic, we see a ton of this threat data.
We apply that threat data to your security controls so that you can make more intelligent choices on how you want to allow or disallow something. And that same security and intelligence we bring down into the network as well, to provide things like software-defined microsegmentation, secure web gateway services, zero trust network access, MFA technology, all of these. Our goal is to take the knowledge of the security stack that you typically would have to deploy in your environments, and we use our platform so that you can use that from wherever your users are. Security follows them, because, right, the CDN experience is you want that device to be right down the street from where your users are to access that website. We do that same thing for security. So we're really excited. Our security line of business is ever-growing and very fast-growing. We have a lot of great customers, some of the largest, top 10 largest banks in the world, all branches of the U.S. military, massive e-commerce websites. So we're really leveraging the lessons learned from them so that anyone who comes to Akamai can take advantage of that knowledge.

What advice do you have for customers, companies, individuals so that they can adopt some practices to ensure some kind of security?

Yeah, I mean, I would say there's so much to do. I would say do some kind of analysis that can tell you what areas you're weak in. NIST and the DoD have a security maturity model where you can actually look at different controls and capabilities and compare them to other organizations to get an idea of what areas you're actually weaker in. And then take those areas, the weak areas, and target those to start making some drastic changes. I think that's probably the best way to start off. There's just so much to do. You've got to remember that the users now, they're not in the data center like they used to be, or in the corporate location.
They're distributed, your applications are distributed all over, across different vendor relationships, different cloud environments. And then certainly your data is distributed now in all these different areas. So you have to think about security in a broader, more holistic view, and not kind of a castle-and-moat architecture like we used to. That's one bit of advice I think would be helpful.

Tony, thank you so much for taking time out today to talk about this topic. And after listening to you, I would love to have you back on the show and talk more about security, but I really appreciate your time today.

Thank you. It would be my pleasure. Thanks for having me today.