Journey to the Cloud: Debunking Myths and the Role of Artificial Intelligence in Cloud Security



Protiviti Podcast Transcript

Kevin Donahue, Protiviti
Kevin

Hi. This is Kevin Donahue with Protiviti, happy to welcome you to a new edition of Powerful Insights and our series on Cybersecurity Awareness. Protiviti has a series of webinars on cybersecurity awareness that, along with these accompanying podcasts, are intended to highlight ways organizations can be proactive in addressing these critical security challenges today. We explore how leaders can dynamically build cyber resilience while maximizing value.

In the series, I’m talking to our cybersecurity leaders and experts who are speaking on our webinars and are in the market daily working with organizations to address these challenges. I invite everyone to visit protiviti.com/security where you can find and listen to webinars we’ve held on these topics as well as find our many other pieces of content addressing these issues.

With that, I’m happy to welcome my two guests today. Randy Armknecht is a Managing Director with the Security and Privacy practice of Protiviti based out of Chicago, and Isaac Zapata is a Senior Consultant also with our Security and Privacy Group and Isaac’s out of Seattle. Randy, thanks for joining me today.

Randy
Thanks for having me.
Kevin
Isaac, it’s great to speak with you as well.
Isaac

Yes. Great to be here, guys. Appreciate it.

Kevin
Let’s get things started here. Isaac, I’ll have you answer my first question and then Randy, I’m going to have you answer the same one. Isaac, how would your parents describe what you do for a living?
Isaac

It’s a fun one. It’s always interesting to try and clear this up and try to bring it down as far as what I do here, but I think that my usual response there is I do my best to prevent bad decisions from being made and also implement good decisions as it pertains to security and IT, kind of working with clients and understanding what the issues are and making sure that we go the right path. I think that’s pretty much where I’m at there.

Kevin

Yes, well put, so Randy, you’re up. How would your parents describe what you do for a living?

Randy

I actually asked my mom this recently and she told me that I work with computers. I pushed her a little more on what specifically do I do with them, and she did get around to, I help companies protect their information from hackers.

Kevin
Nice. That is great. That’s not the first time I’ve heard that answer, by the way, because it gets technical for sure. Randy, so you’re focused in the market and you specialize in cloud security. Why is this field so important today?
Randy

I think cloud is really helping businesses transform the way they run IT and when they do that, they’re able to create more value in a condensed period of time. They can often move faster. They can better connect with and collaborate both internally with their own workers as well as with their customers, and the amount of data that can be produced in the cloud allows them to use cool new technologies like predictive analytics, machine learning, AI, et cetera, to analyze that data and make better decisions faster. While this is all great and all in the cloud, if they don’t secure it, those benefits are all at risk, so I view cloud security as helping businesses maintain that extra value that they’re trying to capture by operating it in the cloud.

Kevin
Great rundown. Thanks, Randy. Isaac, let me ask you. What are some of the common myths that you find to be around in this field of cloud security?
Isaac

I think the biggest thing I would say is the idea that security is kind of a zero-to-a-hundred game. You’re either 100% secure or you’re not secure at all. I think one of the biggest things that we have to educate clients on, customers on, is that security is really a trade-off in the cloud. Randy has talked about all the major benefits you can get in the cloud and all these great things you can do. We have to secure those things but when you secure as well, it does have impacts as far as what you’re doing, how you’re operating, and it’s definitely a process that’s ongoing. It’s not something you just flip a switch on and it runs. I think that’s the main myth that you can turn on certain features, certain capabilities, but it doesn’t mean you are 100% protected and in some cases, you have to make the trade-off decision, economical decision to determine how far you can go and how far you can’t go and what you’re willing to accept and try to do. I think that’s probably the most common myth I see, is that you can be 100% secure to turn everything on when that is definitely not the case.

Kevin
Randy, would you agree with that? Are there any other common myths you see out there that you think are worth mentioning?
Randy

Yes, I definitely agree with what Isaac said and I’ll just mention another common myth that, thankfully, has become less common this year. This year, I haven’t heard it as much. In prior years, I heard it quite often and that’s that an organization’s data was always safer if it was in their on-premise data center than if it was in the cloud. The view that moving to the cloud had these business benefits but they were always sacrificing security that they would be safer if they kept it in their own data center. That’s in most cases simply not true. Unfortunately, a lot of clients have underfunded, understaffed, and sometimes even underskilled security teams and infrastructure teams supporting those environments, and so they can actually gain quite a bit of security by moving to the cloud.

Kevin
Randy, I want to just ask one more quick follow-up on that. It’s also my understanding that when you’re using a cloud provider, one of the benefits is that they have dedicated teams of experts in this and are presumably using the latest tools and technologies for everything, including security. Is that an accurate perception?
Randy

Absolutely. All of the major players are making very significant investments into their cloud platforms to make sure that they are operated in a secure fashion. There’s a concept we covered on our webinar around the shared responsibility model, which says that there are certain things that the cloud providers are responsible for securing and there are other things that the customers are responsible for and massive investments in the things that the cloud provider is responsible for.

Kevin
That’s great. Thanks. Hey, Randy, let me next ask you in this realm of cloud and security, what is the biggest challenge you see facing your clients right now?
Randy

The latest challenge that I see in a lot of clients is that of staffing or scaling up their teams. Finding qualified cloud security resources on the market that are looking to make a move is difficult and when you do find them, they often command a premium in their salary, so that can be challenging for a lot of organizations. Then the other challenge is they have teams of people that know their jobs well and are very good at it and when you move to cloud, it’s a lot of the same concepts but things have been twisted slightly, so it’s almost like you’re learning something entirely new but not quite. It feels familiar but if you go forward with your same familiar assumptions, you’ll miss some things. It’s a challenging thing for a lot of teams to learn and scale up on and it definitely creates a challenge for clients that are moving to the cloud as they need to reeducate their workforce.

Isaac

That’s 100% my thoughts as well. The good thing is there are plenty of vendors out there on the market that try to assist and they are scaling up their teams and it’s just key there for our clients to understand and plan for scaling their teams up along with their cloud journey, not just focusing on the infrastructure aspect but also the business office aspect, making sure that their teams are ready for the ride and not left behind.

Kevin

Isaac, that actually is a good segue to my next question which is for you. What’s the one question you are asked most often by companies or your clients and then how do you answer that?

Isaac
I think that kind of alluding to it from what we talked about previously, a lot of times when it comes to the tech, there’s obviously going to be questions around that, but the main thing is really how do I prepare to get ready for this? How do I train myself or train my teams to be ready to do cloud security and what to look for? Most of the time, like Randy said, it’s, one, validating the fundamental skillset and then, two, performing a gap analysis to see what your teams do, what they’re capable of doing, and then training them up based on what those gaps are effectively. I would say that’s the most important question that I get that’s asked most often because everyone knows it’s coming. Everyone knows cloud security is needed as most companies are trying to become more agile and kick more things out into the market, but I think the thing that commonly gets missed when making that decision is, okay, how do I get my teams ready though? What should we be looking at? What should we be doing?
 
A training platform that I personally really liked is Cloud Guru. We use that very heavily. They’ve done a very good job as far as putting a lot of material together to cleanly educate people assuming no prior knowledge of cloud and they have a good enterprise platform to get clients ready, get their teams ready in various phases when they’re in the cloud, and really it’s making sure they track that, make sure teams are progressing accordingly and addressing the issues they may have as they’re learning.
Kevin
Hey, Randy, I think this is a good follow-up to Isaac’s rundown there, which was very good. There are a lot of options out around cloud, cloud security. What are some of the key cloud security deployment solutions that a company should investigate to help get them started on this journey I guess, towards effective security in the cloud?
Randy

I’ll mention a few different things here. First off, there are two commercial products that I’ve seen at a large percentage of my clients and the client satisfaction with these products is quite high and I think they do a nice job of addressing security within the cloud environment. The first one being Prisma Cloud by Palo Alto. It really helps clients understand where their configuration compliance is at and where are other issues that the team needs to address. It’s cloud-agnostic so it will work across all your cloud environments.

The other one is Twistlock, which helps really dive into the security around your containers. There are organizations that are taking a containerized approach to building out their infrastructure. Twistlock is just fundamental and something that I’ve seen at a very large number of clients in terms of container security, so two great products there.

With Microsoft Azure, they’ve recently released a product called Sentinel. Sentinel is a security logging and monitoring tool that gives you visibility into the environments and it natively pulls in your Azure logs and the O-365 logs, and uses AI to highlight events that are going to be of interest to your security team. It, of course, integrates with other systems and products and logs that you may want to pull in. A great product there.

Then within AWS, there is a product that I’m a big fan of called GuardDuty. GuardDuty is similar to Sentinel, will go ahead and use artificial intelligence to comb through your logs and look for events of interest that your security team would probably want to go ahead and look at. One of the cool things with GuardDuty when they announced it at re:Invent a few years ago was they were like, “Okay. We’re going to demo how to turn this on,” and they clicked one checkbox and they were like, “Okay, it’s on.” It’s a very straightforward tool. They had a great presentation with it and I’ve seen a lot of clients get value from it.

Kevin

Randy and Isaac, I want to thank you both for joining me today. I have one more question for each of you. First, let me remind our audience to visit protiviti.com/security where, again, you can find our webinar series on Cybersecurity, as well as other content and research from Protiviti.

A final question for both of you. Isaac, I’ll have you respond first. With regard to this field of cloud security, what are you most curious about right now? I guess I would add to that, what are you most curious about in terms of how things are changing and developing that might change over the next decade or so?

Isaac
I think the kind of newest revelation, kind of the hot fad right now is the Security Orchestration, Automation and Response capability, called SOAR, and the idea being, we want to orchestrate our security, we want to automate our security processes to help our security teams, which is a valiant effort. I think it’s a very interesting concept and I want to see how that evolves over.
 
But any time you get a new capability, there’s always going to be risks that come with that and when you think fundamentally what that implies doing a secure orchestration and automated response. That implies whatever you have deployed or implemented is going to have access to do things to your environment, and there’s definitely going to be researchers out there and potential threat actors out there that are going to find ways to abuse that. When we talk automation, that just expands the problem. I’m very curious to see how that evolves over time and how we mitigate that.
 
I think the other field is the blockchain anonymization. It’s very recently the Federal Government had a very good breakthrough taking down a dark website, but the method that they used to do that and arrest some of the people involved, de-anonymizing the blockchain which was not something that was very well known to be doable at this point and now that it appears that capability does exist out there, seeing how blockchain evolves and how that now has to be protected and changed going forward for more proper uses by business, not in a negative fashion for the dark web. There are definitely many capabilities that blockchain provides for businesses, for agility, but with that coming out very recently, it will be interesting to see how blockchain evolves and changes to account for that in the future.
Kevin
That is fascinating because the whole concept of blockchain was supposed to be no personal identifiers in terms of data in there, correct?
Isaac
Absolutely. They’re kind of being tightlipped as far as what was done on the web right now. It’s pretty recent and I’m sure more details will come out as far as what particularly was done to trace back the certain transactions that were made to that chain, but yes, it’s a very interesting concept if that has been debunked now, that that is possible to de-anonymize. Very interesting.
Kevin
Yes, indeed. Randy, I’ll give you the last word here. The same question to you, what’s really sparking your curiosity right now in this field, again, thinking about any developments over the next decade or so?
Randy
Same two topics, automation and blockchain, although I think for different reasons. With the automation, what has me most curious about where that’s heading is I’m curious if there’s going to be a path forward where through automation, through artificial intelligence, machine learning, and other things, we’re able to come to some type of industry consensus around, hey, this is what that looks like and does it go ahead and remove the role of your security administrator. That your security admin or your security analyst or many of the Level 1 and Level 2 functions within a security organization, do those roles end up being replaced by artificial intelligence that is able to do it? Then what would that look like? What would that cost? Who would control it, right? Lots of questions to be thinking about around that.
 
Then on the blockchain piece, what has me most interested in it is blockchain has this immutable record of transactions and when it comes to incident response and forensic investigation and trying to figure out who did what, when, an immutable record of transaction sounds really helpful. I wonder if the logging and monitoring and stuff that we see in our environment, will those logs, will those actions, will all of that be somehow captured on a blockchain within a customer’s cloud environment that can help incident response, help corporate investigations, detect fraud, money laundering, et cetera? I think there’s a very exciting future for these technologies. It will be interesting to see what happens.
Kevin
Randy, Isaac, thanks very much for joining me today and sharing your insights on what clearly is a hot topic, a technical topic, an area that’s evolving rapidly. For those in our audience interested in more information and to hear our webinar on this topic and others in our Cybersecurity Series, visit protiviti.com/security. I also invite you to subscribe to our Powerful Insights Podcast Series on iTunes or wherever you access your podcast content.