Are Cloud Vendors also Security Vendors? with Sarah Young

AppSec Builders

เนื้อหาจัดทำโดย Datadog เนื้อหาพอดแคสต์ทั้งหมด รวมถึงตอน กราฟิก และคำอธิบายพอดแคสต์ได้รับการอัปโหลดและจัดหาให้โดยตรงจาก Datadog หรือพันธมิตรแพลตฟอร์มพอดแคสต์ของพวกเขา หากคุณเชื่อว่ามีบุคคลอื่นใช้งานที่มีลิขสิทธิ์ของคุณโดยไม่ได้รับอนุญาต คุณสามารถปฏิบัติตามขั้นตอนที่แสดงไว้ที่นี่ https://th.player.fm/legal

3y ago 34:00

MP3•หน้าโฮมของตอน

In this episode of AppSec Builders, Jb is joined by Security Architect, Sarah Young, to discuss Cloud Security, its evolution, and its increased presence within Cloud Vendor solutions and platforms.

About Sarah:

Linkedin: https://www.linkedin.com/in/sarahyo16/

Twitter: https://twitter.com/_sarahyo

Sarah Young is a security architect based in Melbourne, Australia who has previously worked in New Zealand and Europe and has a wealth of experience in technology working across a range of industry sectors. With a background in network and infrastructure engineering, Sarah brings deep technical knowledge to her work. She also has a penchant for cloud native technologies.

Sarah is an experienced public speaker and has presented on a range of IT security and technology topics at industry events both nationally and internationally (BSides Las Vegas, The Diana Initiative, Kiwicon, PyCon AU, Container Camp AU/London, BSides Ottawa, BSides Perth, DevSecCon Boston, CHCon, KubeCon, BSides San Francisco). She is an active supporter of both local and international security and cloud native communities.

Resources:

Cloud Native Computing Foundation

Transcript

[00:00:02] Welcome to AppSec Builders, the podcast for Practitioners Building Modern AppSec hosted by Jb Aviat.

Jb Aviat: [00:00:14] Welcome to this episode of AppSec Builders, I'm Jb Aviat and today I'm thankful to welcome Sarah Young, who is a senior program manager in Azure security. Sarah, you're very prolific in this security space which conferences, the Azure security podcast your also CNCF - Cloud Native Computing Foundation Ambassador. Sarah, I'd love to hear more about this.

Sarah Young: [00:00:38] Thanks! And thank you for having me. Yeah! So many things I could say. So, yeah, I worked for Microsoft. So of course, every day I work with Azure and do Azure security as one would expect. But I've been working in security for oh. Like specifically focusing on security for the last eight or nine years now. Before I joined Microsoft, I worked with other clouds and so I got a fair bit of experience there. But with regards to CNCF I am, as you said, an ambassador and although I'm certainly not a developer, I certainly find the security aspect of cloud native stuff really, really interesting. And that's what I enjoy talking to people about.

Jb Aviat: [00:01:20] Alright. And so one thing you seem to be prolific about is Kubernetes and Kubernetes is definitely something that has gone through an amazing popularity over the past years and also got a lot of security exposure because it's notoriously a complex and difficult to use in the secure way. Do you have any specific thought about that?

Sarah Young: [00:01:42] Yeah, the of specifics we could go into here and I guess watching Kubernetes over the past two or three years has been really interesting because obviously there are new releases and every time there's a new release, there are updates and improvements made to it. Obviously, I focused more on that for me. I'm more interested in the security side of it. But it's really interesting if you go from the early days of Kubernetes through to now, how much it's improved. I mean, what are we on now? I think we're on twenty, twenty one or something like that. I forget the exact version. We're up to for releases at the moment. But if you go back to the early days or two, three years ago, there was some major, major security holes and Kubernetes. So there were things I mean, it didn't support RBAC or role based access control. So if you don't have roads, access control, you literally can't give people permissions, like everyone just has everything, which is a security person's nightmare. So it's been really good to actually see how it's developed over the years and how the community have addressed those things.

Sarah Young: [00:02:46] Now, I'm not saying it's perfect yet, because to be honest with you, let's be honest, like no software, no hardware, nothing is perfect security wise. And and that's what partly why I have a job, because whenever people create things, there will be security holes or things that it doesn't do ideally. So it's been really good to see how the community has really focused in on security more the last few years, because I think in this super, super early days, Kubernetes was just being built more from a traditional developer perspective. People were thinking about the features and what it could do and not the potential security gap. But now that's changed a lot. There are some great people out there in the community who are doing security work. They now have, because this week, while the week we're recording this, it is KubeCon EU and KubeCon's now got Cloud Native Security Day. And there's also the special interest group in the community for security. So certainly it's been really great to see how that has grown over the past few years because they'll always be things to address for sure.

Jb Aviat: [00:03:50] Of course. Of course. And so that is very interesting. And how even that's community driven project. How is the decision to prioritize security features made over the decision to prioritize the thousands of the features that are in the.

Sarah Young: [00:04:08] I wouldn't say it's an interesting question, because this comes back to a thing that the endless battle that security professionals have is the when you are developing any kind of system, not just Kubernetes, any kind of system or product in I.T., the main priority, of course, is to have the functionality that it needs to do to fulfill whatever business need or functional need that the product needs to do. And security is great, but you can't have security will never win out as a priority over costs, delivery date, and functionality. And there are some there are different trains of thought on this. But I think having worked in delivery as well before, I kind of became more purely focused on security role. When you're trying to deliver something and get something running, you know, you're building a new application, you're building a new micro service, whatever. You know, if you've got a deadline and a budget, you have to meet that because probably your business is paying for it, your project is paying for it, whatever. Security is great. And I think that most devs and security people want to do it. But security is never going to win out over those competing priorities, but pretty much never. Now, I'm sure there might be some better examples out there.

Sarah Young: [00:05:27] So really, what we've needed to do in security is security need to be made easier, because if it's not made easier to do and ideally in built into a product, it won't win out over other priorities. And there are some security people who just want to try and really push people saying, no, you know, you've just got to prioritize it. But the fact is that it won't win out over delivering budget and things like that. So we have to make security easier and more straightforward. And I think it's great that the community has embraced. And that's why let's take Kubernetes. It's got now a lot more inbuilt security features. They rather than you having to use a third party Add-On to integrate, say, role based access control or key storage or whatever, like a lot of those things have been fixed. So when you start up the product, that security issue is already largely taken care of. All you do a tiny bit of configuration. And so it's great that the community have actually addressed that because yeah as I said, I wouldn't say I think there's been more focus on it because, of course, you know, if you have a security breach or something is known as being insecure, like a piece of software, people don't want to use it.

Sarah Young: [00:06:41] But as I said, as a business, there are other priorities. But another great thing an old boss of mine told me a few jobs ago was and I really, really like this, we're not competitors when it comes to security. Now, what that means, because I was working for a financial services organization at the time, is that when we talk about security, right. If there's a vulnerability in something that's widely used, it's worth fixing. And even if you're fixing it for your company and it helps your competitor, then that's OK. Because at the end of the day, if you look at the cost to security breaches, although, say, I'd say you're an organization in your your main competitor gets owned and like you might be like, yeah, that's amazing. But it's not really because at the end of the day, we all lose out on security breaches always at the end of the day. So it's within everyone's interest to work together to make the overall environment more secure. And of course, there are different ways of doing that. But I really strongly believe in that phrase that my old boss taught me, which was, yeah, we're not competitors when it comes to security. And so we should help each other out.

Jb Aviat: [00:07:55] Yeah, that's an interesting point of view. And that's great that each time there is breach the overall trust is touched and impacted. And so that can indeed be hurtful for the overall space or industry. Interesting, yes, and to get back to a Kubernetes. And it isn't the way it evolves and has evolved from a security standpoint over the years where all the security efforts pushed by the community or there's some kind of more global governance done by maybe the CNCF

Sarah Young: [00:08:30] Well, there is the special interest group, this SIG security. And so that sort of drives a lot of the security discussions and see CNCF And there are some fabulous, fabulous people in there who really know their stuff, because if you take Ian Coldwater, for example, they are a really, really, really talented penetration tester. And they are absolutely yeah. I have a lot of respect because I am not a penetration tester. I understand the principles of it, but I know that they have really, really, really done some great work, found some really interesting vulnerabilities and. There's also people like Liz Rice, who's been a huge cornerstone of the CNCF security scene for a long time. There's so many names, I'll just chuck a couple of names out there. But there are some amazing individuals who are very talented, really know what they're doing, who've been driving that for a number of years. And it's really, really good to see

Jb Aviat: [00:09:30] Yes this is super interesting thanks for the considerations of Kubernetes. And so since you know very well just area, what are the main evolutions that you've seen over Kubernetes over the past year from the offensive standpoint and security research? I've seen lots of interest of articles and tools around everything from the operator and the Kubernetes implementor standpoint. Do you really think that the situation is much better today out of the box than it was maybe 10 years than just five years ago?

Sarah Young: [00:10:05] Yeah, it's like I don't know if you've seen this. It makes me think of the job adverts where people have said you've got to have 10 years experience in Kubernetes. And I know that was going there was someone posted one of those on Twitter a while ago. It made me laugh anyway. Oh, there's no doubt that it has improved massively since the early days. I mean, there's no doubt, like I said, I mean, some of the ones that really gaping holes that I can think of, things like I have no role based access control, one that people may remember is the admin page, the admin console of Kubernetes used to be accessible with no authentication. So as long as you knew that URL, you could go to it and do things which you don't have to be a security expert to know that is not good. And so, I mean, that that's the one that I always think of. And there were a couple of relatively at the time, high profile hacks and breaches around that. I also tried that myself, actually, in an experiment to see if I could get someone to own it. But I don't know if mine looks so obvious. Nobody wanted it looked so obvious. It looked like a honeypot. And for those of you who don't know what a honeypot is, that's just basically trying to attract people to attack your thing. But no one ever attacked it, which I was really surprised about that or I didn't pick it up, could have gone either way, I guess. So it's like there's no doubt it's improved hugely over the last few years.

Sarah Young: [00:11:36] Absolutely. But as is the case with everything, you still need to know what you're doing. But we're getting loads better at that. So obviously, the general skill level as Kubernetes has been around for longer, there are more people available who are skilled in it and understand what's going on. Also, we've got things like the CIS standard, so the Center for Internet Security benchmark that people can work through. There's also a lot of managed services out there. Now, I'm not shouting out to anyone in particular. There's quite a few providers offering managed Kubernetes clusters. And I think I'm a big fan of if you're not super comfortable with them or it's something you're still learning, then there's nothing wrong with going to a managed cluster, because then a degree of the configuration element, whether it's security or something else, is taken away because that will be done by the provider. And again, if we look at it from a pure security professional perspective, you know, you want to look at reducing your risk and reducing the likelihood something happens. And if you don't have the in-house skills yet or you're still building them up, but you want to use Kubernetes, that is that is a good way to go. There's also other advantages, particularly around integration, because most of the all the major cloud providers offer a managed Kubernetes service. And, you know, depending on where you've thrown your lot in with, it might make sense just from an easier integration perspective as well.

Jb Aviat: [00:13:02] Of course, differently agree here, which is a nice transition to my next question, Sara. So, yes, using managed services puts a lot of the security burden away. What are the other tools that you would recommend from a security standpoint to people using the cloud? So I know that's a broad question. It's the past years the security offering of the cloud vendors grew and maybe grew more that many of them along the lines of offering. And so I'd be super interested to know how you would choose in this growth and what other flagship products that you would recommend to anyone in the cloud.

Sarah Young: [00:13:45] Yeah, so it's a really tricky one because as you said, there's many, many products out there, so many products, and it can be difficult to know where to start. I think, particularly if you say a lot of organizations that have decided to go cloud first. So they'll like, OK, I'm going to put everything in cloud now. Although having said that, a lot of organizations will always have a bit of. An on premise footprint, it's unless you were born in cloud, say, in the last five years, it's actually quite hard to purely put everything in the cloud for various different reasons. So that's not realistic. So I always look at it. What I've been advising people, because there's so many things out there, you need to start right at the very beginning. More from a capability perspective. So what I mean is, rather than immediately picking a specific product that you like, look at it more from, I need this capability. I need this capability. And you may need I need this capability and I need it to run across, say, two clouds to commercial cloud and on premise. And so that starts to help you narrow down what tools you actually need. So how I look at it is you need I mean, this is what I do every day, but so this is what I love to talk about.

Sarah Young: [00:15:04] But you need a SIEM or SIEM or if you're from the US, it depends where you're from as to how you pronounce this. But SIEM, they say SIEM I say SIEM, but it is SIEM, which is security information and event management. Now, it's not a new technology. It's been around for a while. But now, of course, it is moving into cloud. So you can have on prem offerings and you have cloud. What I found and this is from me working more closely in cloud for about the last four or five years is the organizations seem to struggle to integrate cloud with some products. Now that's changing, as in a lot of the more modern cloud based SIEM's a much easier to integrate. But the traditional on premise ones have always been quite tricky for various different reasons. And again, I'm not even talking about a particular product or a particular type of cloud. It's something a problem I've seen across multiple different platforms. So what we see is people start putting things in cloud, but they're not monitoring it because the integration of the logs is tricky. And so we might have an organization that have got everything on premise monitored, but the cloud isn't monitored. And obviously that's a huge big black hole. So for sure, your visibility, if there's one thing you need to do, make sure you've got some visibility of what's going on.

Sarah Young: [00:16:26] And I think that's one of the most important things. So the other one is EDR or endpoint detection and response. So of course, I think everybody knows about antivirus and antivirus is still important. You should definitely have antivirus. But antivirus is very static. It just looks for signatures on things. It will look for signatures on files and things like that. And if it sees a match, it will give you an alert. Now, attack. We know that antivirus has been around a long time as attackers know how to get around that nowadays. And so EDR is more looking at general overall behaviors on an endpoint and an endpoint. I do mean, of course, like a desktop or laptop or whatever, but you can also use this on your server infrastructure as well, your VM's if you're still using VM's. And the fact is a lot of people still are. So I think it's wrong to I know we've been talking a lot about cloud native, but the fact is people still have VM's and Edwards much smarter at being able to pick up patterns of behavior as opposed to just a static signature. And so I really think it's important that people have a look at having some kind of EDR capability and of course, that can feed into your monitoring.

Sarah Young: [00:17:39] Then I guess more specifically, I'll finish on most actually. Now, two more for Kubernetes. I could go on forever, to be fair, but I'll leave it at these two for Kubernetes and containerized environments. So if you're using any other orchestrator, of course, you need some tools to be able to monitor the behavior of your orchestrator and your containers. Now, that one's trickier because traditional security tools don't always understand the containerized

7 ตอน

#Tech #MBA #Business #Sqreen, Inc