What I learned in the security podcast part II with Brent Lassi and Mike Hurwitz
A little bit about what I learned/my notes on the second security podcast episode with Brent Lassi and Mike Hurwitz.
1. Security needed for data centers has evolved rapidly in the last 10 years (beginning)
The worry has shifted from protecting the physical space of the data center to the data itself. Like stealing API, Google Cloud, AWS keys or GitHub credentials. This has made it easier to get into the "protected space." Now you need to make sure getting the connectivity is hard. Which means good firewalls, etc. If you can get into a Google account, you have access to VPNs and all the services. This is a major shift from 10 years ago and highlights why identity management is so important.
It's much more difficult to scan your network and inspect/understand what's going in cloud environments. The cloud providers don't make that generally available to the end-user.
There's been a big change not only to how you identify yourself, but also a slow shifting mentality about visibility into packet-level inspections.
2. A container is not exactly a VM & the security risks are different (~10 min)
The container handles breakout differently. Breakout, escalate privileges, is easier to do in a containerized environment since they aren't as physically separated as VMs due to all running on a common kernel. So you are trying to just talk to other processes in containers and can get to other containers in that system easier, whereas in the VM you need to break through the hypervisor.
Containers do have a lot of good, segmentation of workloads is one advantage, but another important one is the nimbleness to repair/ kill access to something once it is deployed, which is a big plus in the security world. The least secure server is the one that's been running the longest. This is a big change from old processes that could take much longer to remove servers.
3. Responsibilities for security professionals have shifted with the cloud (~11:50 min)
Load balancers, firewalls, etc are all made available for you. Making security easier for companies because these tools needed very specialized people to implement them. None of these configurations, like encryption/decryption, has to be managed. So, it has simplified a companies' responsibilities to only being about the code. The advantage: this takes a lot of complexity off of the security professionals in the company, the disadvantage: the company is putting a lot of trust in the hands of the cloud provider.
The less complexity, the more secure things are.
4. Enterprise viability is about creating the right processes (16 min)
From a software engineer perspective enterprise viability is that "... you need to be able to keep your stuff up, you need to be able to keep your stuff safe, you need to be able to ensure that the right people can get to your stuff which is almost as hard as making sure the wrong people can't." - Mike Hurwitz
You need the right processes in place and the people who know how to, for example, store data. The cost of failure can mean that people don't want to/not able to do business with you anymore.
5. Even in security, looks matter (~19 min)
Enterprise viability is a lot about people also. It doesn't just matter that you are secure, you have to do things like audits, tabletop tests, penetration tests. Having clients come in and audit you isn't fun, but it builds credibility and trust.
Being able to have difficult conversations about security with a client and building trust is a big part of enterprise viability. Transparency and accountability are essential for building trust with clients. Being able to admit that you did something wrong and coming away with a stronger relationship with the client.
6. Recent developments that have made enterprise viability better (24 min)
1. Asset and identity control is so much easier in cloud. It's all in one place and makes it easier to secure.
2. 2 Factor Authentication has gotten a lot better in the last few years. Now we can just have 2FA into the cloud also, instead of into many different systems and components.
3. There have been a lot of fresh eyes look into these aspects of security, providing new perspectives as the shift away from only IT people concerning themselves with the security aspects. This has created a lot of opportunities for collaboration and new ideas.
7. What are some things we need to keep an eye out for/ things that have gone wrong? (27 min)
Fresh eyes also mean possible skill gaps. People with less experience in the security field means they might miss some of the foundational/important aspects of security while creating something new because they lack the knowledge that experience brings.
Traditionally, we have tried to stop hackers with network engineers but hackers are coders, so in order to understand and better fight against these attacks, more security people should write code and understand code bases. The cloud environments have allowed for this to happen, and there is improvement in this area already.
While moving to cloud, some companies made a lot of assumptions about what was possible. Some work needed to be done to have the resiliency and scalability in cloud that didn't come from just migrating the application.
Change is hard sometimes, especially around technological principles. There was some resistance to moving onto cloud, letting go of the old way of doing things and reassign responsibilities, but IT/security organizations are starting to come around now. Being quick to adjust is something we can all improve on.
Now that we are seeing a lot of infra as code, the issue that security budgets and expertise sometimes hadn't been given to the area it belongs to, to the CTO. This causes issues because the CTO may not have the budget or resources for security. This shift also took a while to come around to.
Basically, there has been a huge shift in the security space, and it has taken a while for some to catch up. Although change can be scary, the faster we embrace it and adapt, the better off we will be.
8. Impact of recent hacks (33 min)
There are always going to be bad actors. One way to guard ourselves is to keep things simple because complexity breeds insecurity. By keeping the number of technologies and components as low as possible, you limit the blast radius of the possible damage. As a company, if you stay as simple as possible, you have a better chance of securing yourself against these attacks.
A lot of the security issues come down to people-- training people, keeping them alert, and keeping them aware can greatly help to reduce the blast radius and damage. An individual can actually make a big difference by being cautious about their actions.
Sometimes a consumer's behavior can put a business at risk, so don't reuse your passwords!!