[00:00:36] Tom Garrison: Hi, and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison. And with me as always is my co-host Camille Morhardt. How are you doing Camille?
[00:00:44] Camille Morhardt: Hi, Tom. I’m doing well.
[00:00:45] Tom Garrison: Well, today we’re going to talk about something near and dear to all of our hearts–with all the services that we get over our iPhones and the business–and that’s the cloud and, uh, keeping cloud services secure.
[00:01:00] Camille Morhardt: Yeah, I think it’s really interesting. We hear the term public cloud a lot, but you know, what does that really mean? What it really means, I guess, is that a lot of us are sharing the same underlying infrastructure with all of our very personal, important data. So I care a lot that public cloud is very, very secure.
[00:01:18] Tom Garrison: That’s right. And the techniques, when you yourself don’t own the hardware, how can you keep yourself secure? And should you be thinking about, you know, what to do in the event of an outage, for example, right? We’ve seen some of these big high profile outages. And should you have multiple clouds that you utilize or whatnot? I think there’s a whole host of things that we need to talk about today.
[00:01:43] Camille Morhardt: Yeah. I’d love to hear from an expert on public cloud security.
[00:01:47] Tom Garrison: Yeah. Well, we’ve got a good one. So let’s get started.
[00:02:07] Tom Garrison: Today our guest is Jo Peterson. Jo is the Vice President of Cloud and Security at Clarify360. Welcome to the podcast, Jo.
[00:02:19] Jo Peterson: Thanks for having me.
[00:02:22] Tom Garrison: So we want to talk today about the cloud, cloud infrastructure and so forth. Maybe we can start off at the highest level. What are some of the trends that you see happening in the world of cloud as it intersects with security?
[00:02:38] Jo Peterson: Recently, one of the major cloud hyperscalers had an outage, they actually had a couple in a row. And Cloud systems are expected to always be on and news like that makes the headlines. What I’m hearing customers talk about is maybe the need to rethink a strategy about having all their eggs in one basket. We think it’s really important to talk about resiliency.
You can do some things as a customer to maybe not start again–do everything from scratch–but think about this, do you have things like High Availability, also known as HA, built in? Are you housing workloads across multiple availability zones? Are you supporting region routing using things like domain name services? Are you backing up your data? Are you encrypting that data? Those are sort of things that customers are top of mind with right now.
[00:03:49] Camille Morhardt: What are some of the dirty secrets of the customers that they’re not going to admit to anybody else? But maybe in talking to you, what are things customers admitted that they haven’t been doing yet that they feel like they should be?
[00:04:01] Jo Peterson: Yeah. I like to think of it in terms of sort of health checks or best practices for cloud data security. We talk to them about some basic hygiene things that you should be doing. Have you secured your user endpoints? That translates into all endpoints. You might have the users squared away, but maybe you don’t have your VM squared away. Maybe you don’t have your server squared away. So that’s something to think about.
Have you implemented encryption? Are you controlling user access? It surprises me, although it shouldn’t surprise me, the vast majority of cloud breaches happen with unsecured assets, and they happen because somebody made a mistake somewhere, usually internally.
Let’s think about things like the Shared Responsibility Model, because the shared responsibility model is different for each cloud provider and it’s different for each product within that cloud provider. So are you and your team sure about what your responsibility is as it relates to that cloud provider and that particular product?
And it gets even crazier when you’re dealing with multiple clouds, it’s a lot for anybody to remember. We tell them, “Hey, look at your cloud usage policies”. I know it seems super simple, but practice good password hygiene. Who’s got the passwords to this stuff, right? Those are some of the things we talk to them about.
[00:05:36] Tom Garrison: Yeah, it seems kind of crazy that we’re in 2022 now, and we’re talking about, “do you have good password hygiene?” The area that I’d like to try to poke on for a second is this notion of recently Amazon has been in the news. And it’s not just Amazon, there were some pretty high profile outages, the same for other CSPs. And you mentioned the idea of having sort of multi-cloud and the ability, if one goes down, that you, as a company who’s relying on that backend infrastructure, could fail over to another provider.
First of all, how prevalent is that? That’s a standard computer server thing that’s been in the industry forever; but at the cloud level obviously there’s a whole different level of complexity. Is this a concept or does it exist today, and how do you see it progressing over time?
[00:06:31] Jo Peterson: It’s not an idea of sharing that workload across multiple providers cause that really is not happening so much. More often we see hybrid environments. We’ll see an on-prem instance of a particular workload and then some portion of that workload in a cloud, right? And from a best practice standpoint, what we’re seeing happen is some of the things I mentioned from the more advanced shops come into place. Like they are taking that workload and they’re placing it across multiple availability zones so that they’ve got some redundancy built in. So they’re doing everything to ensure that that workload is protected along its journey as much as possible.
[00:07:34] Camille Morhardt: Are you saying that somebody would take a single kind of a thing, like payroll, and you would have the ability to do it on-prem and you would also have the ability to do it in a CSP, for example?
[00:07:47] Jo Peterson: Well, some portions of that application might be housed on-prem depending upon cost optimization. For example, that might be a reason you might have some of the data stored on-prem for that application, because it’s become too costly to run in the cloud all the time based upon egress, based upon bandwidth and latency. So you might have some of the storage for that application on-premise, and you might be doing some of the compute for the workloads, for the newer portion of the workloads, in the cloud, right? And you might be traversing back and forth. That would be an example of perhaps somebody utilizing an on-premise portion of that same application versus a cloud portion of the application.
[00:08:33] Tom Garrison: So you also mentioned availability zones. I presume that for example, a given workload or piece of a workload that’s at a cloud service provider. Are you saying best practices say that at that cloud service provider it’s not just enough to have several instances in one availability zone; they require that workload not to be across multiple geographies, multiple availability zones, so that if one of them goes down, the other guys are still up and running. Is that what you’re referring to?
[00:09:06] Jo Peterson: That’s exactly right. So you might have it in hyperscaler location in California as your West Coast presence. But say we have an earthquake out here; you might decide to have a presence on the East Coast as well, and you do that via application load balancers. So you load balance the application in the different availability zones.
[00:09:32] Camille Morhardt: Is that the definition of an availability zone? It’s a geographical thing or are there other definitions?
[00:09:38] Jo Peterson: Yeah, that’s primarily the definition. An availability zone would be the idea of geographically balanced infrastructure.
[00:09:49] Tom Garrison: It seems that the notion of availability zones was what you just described before, which is like natural disaster stuff. There’s a big fire, there’s an earthquake, there’s a whatever. But what we’re talking about now in the press is somebody didn’t secure an endpoint or something happened. So that the idea that one particular set of servers goes offline, I just wonder if the sort of definition of availability zones needs to change so that it’s not geographically dispersed so you’re gonna fail out of California and you’ve got to jump over to your East Coast presence. Instead, maybe there within California, there’s four different availability zones, even within the same data center so that the whole thing doesn’t come crashing down. Is that a thing?
[00:08:22] Jo Peterson: You could do it that way, too. Wherever the disaster happens, it’s still a disaster. So if you’re running in a different availability zone, you’re theoretically dealing with a whole ‘nother stack of infrastructure. So it doesn’t matter.
[00:10:43] Tom Garrison: Yeah. In terms of best practices, is this something that’s pretty broadly known today? Is this basics? Somebody who’s going to Amazon today and they say, “I need to host some backend workloads.” Is it very common for them to say “And Amazon, I want you to have this in four different availability zones, just in case something goes down.” Is that best practice?
[00:11:20] Jo Peterson: So I’m going to tell you what I see and then what’s reality. All of the hyperscalers do a really great job of helping to inform and educate potential clients. So every one of them has how-to guides. But at the end of the day, it’s you building your infrastructure. So what I see happen in shops that don’t have a lot of help is they’ll go to a managed service provider, a CSP, first to get that sort of architectural best practice from that company. And they’ll learn as they go; it’s training wheels. And it’s a good idea. If you don’t have a team that’s ramped up, if you need somebody to help you along and hold your hand, if you’re not sure of the security checks to put in place, for example, it’s a really great way to start as you’re building out your cloud environment.
[00:12:19] Camille Morhardt: Have you seen any other kind of adaptation to the number of cybersecurity style attacks versus say natural disaster? Have you seen any other kinds of changes or structural changes or definitional changes because of that?
[00:12:38] Jo Peterson: Well, cloud is a teenager, and it’s growing up. There’s things that are happening as it grows up and matures. The world around it is changing and its world is changing. So there’s this sort of dual effect. So we’re telling customers that you may want to take a look at things like cloud configuration automation and consistent enforcement. Do you have those things in place?
If you look back 10 years and you look at now, we are using way more SaaS applications. What’s your policy around connecting to other SaaS applications and how are your users connecting to that cloud environment? Because everybody works from home now, everybody’s remote. If you look back at VPN, it was the 80-20 rule–80% of the workforce was in the office and 20% was remote. Now that’s reversed. So does a technology like VPN for how we connect to all of our mission-critical applications still hold? Maybe, maybe not. Maybe it’s time to do an identity-based.
You know, VPNs look at the device, they don’t look at the user. So there’s no identity parameters about who’s coming in to that environment. So maybe we should rethink who we’re letting in the door, right? Because these are the company’s crown jewels. So things are changing, companies embracing multiple clouds; visibility is a big deal. How do you see what you have? Those are some of the things that we’re seeing change sort of ubiquitously, and it’s security and it’s network and it’s the cloud itself.
[00:14:22] Tom Garrison: For our listeners that may be thinking about moving some workloads off into the cloud, what sort of questions would you recommend they ask their potential cloud service provider partner, and what should their selection criteria be? What are some of the things that may uncover either a CSP’s strength in areas of security and manageability, or maybe uncover some weaknesses that you would be like, “Aha, this is a red flag for me!”
[00:15:00] Jo Peterson: So before you accept a date to the prom, make sure of the dress you’re going to be wearing. And what do I mean by that? Know what your inventory is first. When I was a young engineer, they used to tell us to keep it simple. How many customers don’t have a baseline inventory of what they have? If you’re not sure what you have, and you’re not sure how many applications you want to move to the cloud, get that squared away first. And I tell you that because that will help you decide who you’re going to pick as a partner to go with to the dance.
And then you can start to look at things like have I selected a cloud I want to go to? I want to look for competencies around that particular cloud. And there are some really solid, competent partners that have specialization in each of the clouds.
Now, there aren’t that many that do all the clouds. So that’s something to ascertain. Start to look at their engineering bench, how deep is it? How long have they been doing cloud journey work? Are they competent in the different areas of cloud journey work? Meaning can they do an application rationalization; because if they can do an app rat, chances are they’re not going to be able to do a really good job of managing your environment. They’re not mutually exclusive, but there’s some things to look for. I look at: How long have they been around? How deep is their bench? How much experience do they have? How long have they been doing this? In which cloud are they most competent?
[00:16:39] Camille Morhardt: What kinds of things are still strikingly different among cloud vendors? I’m going toward privacy and wondering if there’s sort of a comprehensive approach there, but maybe there’s something else you could help us understand.
[00:16:55] Jo Peterson: You’re spot on. I don’t think if you look at their competencies, every one of the hyperscalers does great work and every one of them has really built out their practices and they’re just solid. So it’s not going to be a matter sometimes of which cloud can do the best compute for me, which cloud could do the best storage for me. Those are table stakes. It becomes who’s got the easiest to follow security for me? And who can help me–particularly if I’m a multi-national–meet some of the different country regulations that I have to encounter? And they’re all different and it’s becoming more of a thing. You really need someone that can guide you along. In Germany, for example, the data can’t leave, so how do I handle that? In Spain, they’ve got a different set of rules. In the UK I’ve got some different rules to follow, so who can guide me along there?
[00:17:53] Tom Garrison: Let me ask you one of the other big buzz terms that is thrown around all the time and that’s AI and machine learning. And what is your take in terms of, how do you see AI and ML affecting the use of the cloud?
[00:18:12] Jo Peterson: I was looking this up and I was surprised at the numbers I saw. Current estimates expect today’s $2.5 billion ML market–cloud ML market–to reach $13 billion by 2025. It’s a pretty big increase, right?
And a 2020 Deloitte study of AI revealed that 83% of organizations expect AI to be critical to their business success in the next two years. So cloud drives measurable benefits for AI programs. It helps you improve efficiency, decision-making and competitive advantage. I think they go hand in hand. So I think we’re just going to be seeing more AI and cloud together, like peanut butter and jelly.
[00:18:58] Tom Garrison: Hmm. That’s interesting. So these analysts believe that the AI workload itself will be scaled in the cloud?
[00:19:09] Jo Peterson: I think we’re going to see AI utilized in the cloud, particularly around BI, that’s what I think.
[00:19:18] Camille Morhardt: Just to push on that one a little bit more, I think 10 years ago it was sort of like IoT is going to drive the cloud; we’re going to have all kinds of new workloads and use cases that we’ve never seen before. And now we’re hearing AI is what’s going to drive the cloud. So is there anything else on the horizon that you think maybe isn’t top radar for everybody, but that’s going to sneak in there and make a pretty big difference with respect to cloud?
[00:19:45] Jo Peterson: Personally, I think we’re going to see, particularly in certain verticals, like retail, healthcare, we’ll see edge cloud deployments. And he who has the data and he who uses the data is going to be first. You’re going to see market disruption. You’re going to see first to market advantage by companies that are using that edge, that customer data most creatively. That’s what I think.
[00:20:09] Tom Garrison: I couldn’t agree with you more. It’s all about the data. It always has been about the data. And especially as the data sets get so large, the person who controls that data has a huge advantage.
Before we let you go. We do have one more segment that we love to do called Fun Facts. So. Jo, we’ll let you go first. What is your fun fact for the day?
[00:20:40] Jo Peterson: Oh, okay. I knew that I wanted to be an engineer at age four when I retrofitted my Easy Bake Oven with a bigger light bulb so it would cook faster. It got me thinking about three modern world inventions that were invented by women that most folks can’t or don’t want to live without.
The first was the mechanical dishwasher, created by a woman by the name of Josephine Cochran. Mary Anderson invented windshield wipers. You know, she did this at a time when women were just not even thought of as scientists and inventors. And my favorite one is Ruth Graves Wakefield, who invented the chocolate chip cookie. Who wants to live without a chocolate chip cookie?
[00:21:24] Tom Garrison: Oh my God. We should give that woman, if she’s still alive, the Nobel Prize! What is life without chocolate chip cookies? I don’t want to think about that, that would be really bad. Those are excellent. Thanks, Jo. Camille, what is your fun fact?
[00:21:43] Camille Morhardt: Yeah, I like all three of those. My fun fact is about the wombat, which is a marsupial in Australia. The really weird thing about the wombat, well, there’s probably a few things that are quite unusual, but one of the really weird things about the wombat is its little pouch–that characteristic thing that marsupials have where they give birth, and then the babies crawl into the pouch and they carry them around. And the wombat carries the baby around for about five months in the pouch.
But the pouch on a wombat faces the opposite direction of all the other marsupials. So if you see a picture of a kangaroo, the little baby kangaroo can kind of poke its head out the top of the pouch. Well, the wombat pouch faces the other direction. I’ll just quote unquote the reason they suppose that’s the case: because they’re extensive burrowers and tunnelers, and the concept is they can tunnel and they don’t end up filling the pouch up with dirt or mud. I don’t know how you prove that, but I do think we know the pouch is facing the other direction.
[00:22:54] Tom Garrison: Wow. I could see, I mean, a wombat’s four-legged, right? So they’re not upright like a kangaroo, because otherwise gravity would want it to fall out. Interesting.
All right. So I have to give credit to my daughter for this one. She is a biochemistry major and she’s about to graduate. She said, “Dad, I got this really cool fun fact, you’ve got to use it.” So here it is. Did you know that the most powerful bacterial toxin is botulinum toxin? The potency of botulinum toxin depends on whether you eat it or inhale it; but one gram of this can kill about a million people. No other toxin is more powerful. But you might ask, well, how does it work? How does it kill?
[00:23:55] Camille Morhardt: Wasn’t going to ask, but I have a feeling you’re going to tell us.
[00:23:58] Tom Garrison: Well, because my daughter’s a biochemistry major, she got to tell me how it works. Botulinum toxin is an enzyme that is basically taken up into the muscle fiber. The toxin itself digests these key proteins needed for the muscles to operate properly. That means that the muscle cannot contract.
Because it’s so toxic you would think that we would stay away from this crap altogether. However, botulinum toxin is also used to treat wrinkled skin in the form of Botox. It’s the same stuff. In that therapy doctors inject a small amount of this botulinum toxin into the muscles under the skin and that means that the muscles can’t contract anymore and they in effect become paralyzed and the wrinkles subside.
[00:24:59] Jo Peterson: That is cool. I did know about the Botox situation there. Not that I’ve had any, no.
[00:25:06] Tom Garrison: Well, it’s one of those things where I knew about the connection between botulinum toxin and Botox, but I did not know how unbelievably toxic it is and how it works.
Well hey, on that note, Jo, thank you so much for joining us for this great, great conversation. I’m sure we will get lots of good listenership as a result.
[00:25:35] Jo Peterson: Thank you for having me. It was fun.