Security Dilemma: When Migrating to Cloud
Archana Puri
KAT: All right! Welcome to our next talk.
00:23 - INE learning security, action axe, MongoDB, Juniper, of course.
00:30 - Corelight. Google. We Hack Purple.
00:33 - I love it. And BridgeCrew. We have a great talk coming up.
00:39 - With a great speaker. Archana, I’m very excited to hear about the security dilemma when migrating to the cloud.
00:49 - And I’m going keep this introduction very short.
00:52 - But Archana has almost over 9 years of experience doing security risk in the business world.
00:59 - And making all kinds of security decisions.
01:03 - I’m really looking forward to hearing her talk about the issues that happen when migrating to the cloud.
01:13 - So, without further ado, please take it away, Archana.
01:19 - ARCHANA: Thank you, Kat. Good evening, everyone.
01:23 - It is good morning in Australia. In sunny Sydney here.
01:29 - Thank you for joining me here for the talk about Security Dilemma: When Migrating to Cloud.
01:34 - I am Archana. I have been introduced already.
01:39 - Just want to give you a glimpse of my work and talk about a little about myself.
01:45 - I’m a cybersecurity adviser working in the cybersecurity domain for almost a decade now.
01:51 - I’m currently working as a security manager for a retail organization in Sydney.
01:56 - I’m a former biotech graduate who pursued a master’s in cybersecurity, cyber laws and information security, and practicing the same.
02:06 - I’m an advocate for the women in cybersecurity community.
02:12 - And passionate about reducing the gap of women in the workforce within the organization and continue to contribute towards it.
02:20 - I’m associated with some of the associations as you can see within Australia and the Middle East for the same.
02:30 - And let’s quickly cover the agenda for today’s session.
02:32 - I will be talking about key strategic drivers for cloud migration.
02:37 - And approaches for cloud migration for major technical and security challenges.
02:43 - I will then take you through the Pandora’s box which I call a security dilemma that I encountered working for the organizations towards their migration journey.
02:56 - Followed with some of the approaches and security controls.
03:01 - Mainly focused on the cloud native ones. And then lastly, we will conclude the talk with some of the key understandings and learnings from the sessions as takeaways.
03:12 - So, with the ongoing pace of adoption to cloud technologies to scale up businesses, and especially accelerated, you know, during the global pandemic as we have seen with working from home requirements, there is more than ever a requirement for security to scale up to the business platform and technology modernization.
03:34 - With that said, some of the other strategic drivers that drive companies to adopt the cloud, you know, apart from everybody doing so, are listed here.
03:50 - Which is pay for what you use. You know, it is subscription based.
03:55 - So, you basically pay while you use it. Use a resource within cloud and then once you are done with it, discard it and you don’t pay for it anymore.
04:04 - So, it’s kind of cost effective. Quick time to market.
04:07 - You know, businesses are adopting and, you know, releasing their services day in and day out.
04:14 - To meet that demand they need a scalable, reliable platform as well.
04:21 - So, that’s one of the drivers for them to migrate to cloud.
04:25 - Next is scalability. I have touched a little bit upon it.
04:29 - You know, that with the growing number of services, with the growing number of portfolios.
04:33 - And the customer demands, the companies need to grow in real time.
04:41 - And they don’t have really time to place an order for an application, servers, storages and stuff.
04:49 - And they need to meet the scalability demands in real time.
04:54 - Compliance to security and privacy guidelines.
04:57 - Like we all know, cloud service providers, Google, Amazon, Microsoft.
05:02 - They’re kind of compliant with a lot of, you know, regional, global security privacy guidelines.
05:09 - And adopting their services, you know, helps companies transfer those privacy and security obligations.
05:16 - Or any other, you know, regional laws and obligations to share with the cloud service providers.
05:25 - And hence, you know, they move their workloads to cloud as well as a motivation.
05:32 - Mobility. Basically, access to the systems from anywhere, any time and from any system.
05:38 - Not to explain further that this has been kind of, you know, a key driver during the pandemic as well.
05:46 - That people have been working from home, from anywhere.
05:49 - From any device. And so, I just want to take you through some of the stats here.
05:56 - You know, most of the companies start their journey with these goals in place as we have discussed I call it drivers in place.
06:04 - However, as they progress, they realized that it takes longer than what they thought for their cloud migration to happen.
06:13 - Because of scope creep, budget overrun, longer timeline, unmanaged resources and there are many other reasons, you know, for that lag time.
06:24 - I would say, you know, the journey with the ambition of having an adjoined mobile and scalable workplace works quite well for startups which are starting their whole footprint within cloud.
06:35 - Or it is comparatively easier for small to medium businesses because of less complexity within their environment.
06:42 - However, you know, for some this could be debatable too.
06:48 - But they’re less complex than heavier organizations.
06:52 - Because none of these compares to a well established large organization hosting critical legacy systems.
07:00 - And they have many dependencies and tentacles spread across the infrastructure.
07:04 - And then they plan to lift and ship this heavy load to the cloud.
07:11 - You know? The migration tends to fail if it is not done with the right approach.
07:17 - And some of the facts here, you know, that I’ve presented, the 68%, 73% and 62% here are some of the stories which are, you know, talking about some of those cloud journeys which have gone south.
07:35 - And then as you would appreciate that we have been just talking about some of the challenges.
07:41 - We have not even touched upon the security which may cause another level of concern and nightmare during the migration.
07:48 - So, in the following slides, I just wanted to set a baseline.
07:53 - And in the following slides, we will be touching through some of the security and technology challenges.
08:00 - But that doesn’t mean, you know, that we can’t get the cloud migration working right.
08:08 - All that is required is the right people, right approach and the right controls for the migration for it to try it within cloud.
08:16 - Let’s look at some of the migration approaches here which have been standardized and classified into six categories based on the approach.
08:28 - You can see this is a well known, you know, diagram for demonstrating these 5R, 6R approaches for cloud migration.
08:38 - So, while planning the migration, you know, and just to start from the scratch, when planning the migration, it is important to perform the code for your planning and discovery exercise.
08:51 - This means that the company should first identify applications that they want to migrate.
08:57 - Prioritize which ones to move first. You know, depending on the overall architecture, the complexities because of the interdependencies.
09:05 - Licensing arrangements and many more. Ideas and straightforward approach.
09:10 - It is always a good idea for companies to start with lower complexities, like service oriented applications.
09:16 - As a quick thing to open a path with good learning experience for migrating rather complex systems later.
09:30 - The identification and prioritization for migration should not be a one time activity.
09:35 - This should be, you know, a living and breathing approach or this should be a living and breathing activity, rather.
09:46 - To be able to accommodate any if the project requires so.
09:52 - And then now that we have set the baseline that, you know, there is migration that is going to happen, I just want to quickly take you through these six approaches and let you know what these are.
10:05 - So, that’s starting with the rehosting which is lift and shift.
10:09 - This approach involves, you know, just lifting the application from your data center and moving it to another’s data center, which is cloud.
10:20 - And just rehosting without doing any architectural changes.
10:25 - So, why do companies do so? Because, you know, most of them, they estimate some level of benefit, you know, of rehosting these applications to the cloud.
10:36 - Next comes replatforming. It’s the yellow color here.
10:41 - Not sure if that’s too visible. So, replatforming is an optimization approach.
10:46 - It is mostly adopted after lift and shift. Where, you know, the companies utilize cloud native capabilities to meet the functional requirements.
10:57 - So, for example, you are replacing your on premise database with an Amazon RDS relational database there.
11:07 - Or similar capabilities that is provided by some other cloud native capabilities with the cloud you’re moving.
11:16 - Refactoring or rearchitecting involves writing the application from scratch.
11:25 - And then just to have more automation, more agility, improve resiliency and be able to utilize that cloud technology more to achieve the drivers and goals that we saw in the initial place.
11:40 - Next comes repurchasing. In orange here.
11:43 - Which is, you know, it’s simple that you repurchase the application that you want to migrate.
11:49 - So, for example, you know, well knowns are migrating the CRM systems.
11:55 - Which was here, and you are using one frame to save spots.
11:59 - Or an HR system to work and there are many more.
12:07 - Next comes here in the grays, there are these two in gray that you see here, retire and retain.
12:13 - So, during the application migration, companies may come across the applications or features that are no longer required and can be retired.
12:22 - And then the other one is retain. Which includes the set of applications not prioritized for migration because it is not aligned with the goals of migration at this time.
12:34 - However, it can be considered later. So, as we’ve looked at all these migration scenarios, I just want to concentrate, you know, a bit on and grab your attention on the three migration approaches, rehosting, replatforming and refactoring, as it will form the basis to understand the scenario that we’re gonna talk about in the further slides.
13:00 - So, let’s look at lift and shift or rehosting and understand some of the complexities that come as part of it.
13:10 - You know, as I mentioned, you know, it is a widely adopted approach for migrating critical and legacy applications to cloud.
13:18 - When commercial off the shelf applications are migrated using lift and shift, the limitations of applications such as lack of scalability, integrations and other, you know, flexible opportunities that the cloud service provides, you know, you tend to resist it.
13:38 - Or it is not really compatible with it. And also, with the lift and shift, you know, you’ve retained those network complexities within your network because you just are lifting and shifting the applications to cloud.
13:53 - However, you may regain some of that connectivity with the online and others that the application depends on.
14:04 - As I mentioned, dependent applications and databases.
14:08 - You retain those connectivity with your on premise system to have those dependent applications and it’s easier to run.
14:17 - Because you don’t want to compromise on the overall architecture or the availability of that particular application that you’re dependent on.
14:26 - Hence what happens is with its limitation, you know, the companies have limited utilization of cloud resources.
14:39 - And hence, you know, resulting in a long-term failure if, you know, they tend to find it going over budget, you know, running over time on the project timelines.
14:54 - And it requires capabilities and skills. You know? However not as much as the other approaches.
15:03 - Next step. So, replatforming. So, as we covered before, it is the next step to lift and shift.
15:12 - You know, it is mostly an optimization approach.
15:14 - By using cloud native capabilities. It requires specialized skills.
15:19 - Hence, it is a bit time consuming. Understanding, learning those skills.
15:26 - Testing those skills. Since as I mentioned, it requires more specialized skills, there are increased chances of errors and misconfigurations.
15:34 - However, if it is configured properly, it provides increased resilience because you’re utilizing more cloud native services.
15:44 - It enables long term cost saving which is one of the goals as we saw and one of the drivers for moving to cloud.
15:52 - And it enables adaptability and the ability to respond quickly to changes within your organization.
16:02 - The last one is refactoring. Which is rewriting the application from scratch.
16:07 - It also uses the cloud native capabilities and other, you know, other capabilities as well.
16:16 - Automation is basically the foundation here.
16:18 - So, you know, the code is the basis. Hence, you know, you need more specialized skills, you know, to be able to automate all your requirements from the technical and security aspect.
16:34 - However, from the security aspect, we’ll look a bit later too.
16:39 - And then since it requires specialized skills with the migrations that are happening adopting such approaches, you know, tend to end up in misconfigurations, you know, unintentional errors.
16:52 - However, you know, if it’s done properly, the migration provides, it’s kind of the most cost effective.
17:01 - And, you know, it is really adaptable and it provides effective change management as well.
17:14 - So, now that I’ve covered the migration approach and its complexity, you must have been wondering where is security among all of these exercises? I want to take you through some of the common security challenges encountered during the migration work.
17:30 - As you can see, I highlighted after one with a meme that I’ve taken from Google.
17:37 - So, which is in itself a nightmare for a lot of project managers and technology teams.
17:47 - Okay, you plan for the migration. But you forgot to engage security there.
17:51 - After all, the hard work is done around, you know, defining the migration approach, migration drivers and then here you call security and security comes and says, oh, it’s just don’t go there.
18:03 - Well, let’s look at some of the security challenges.
18:06 - One is defined here. Let’s look at the other ones.
18:10 - I call them security dilemma. And hence the talk comes into picture.
18:16 - So, the dilemma, we’ll just cover one by one.
18:20 - The first and foremost and the most important, as I see, you know, for establishing the baseline for any security program or, you know, just understanding what security control is required.
18:31 - You need visibility. So, it simply is, you know, what you can’t see.
18:36 - You really can’t protect. And so, security office faces challenge with respect to, you know, asset mapping within cloud because of its dynamic nature of the instances, changing IPs.
18:49 - Complexity of the architecture, mapping accesses.
18:52 - You know? And managing changes within cloud.
18:57 - Data flow, you know, if you don’t know what data flow is, what’s the classification of it? It gets difficult to put those controls in place.
19:08 - The next one comes keeping up with the rapid changes.
19:12 - It’s, again, like we’ve covered this before.
19:16 - That the companies were adopting the cloud technology need that engineering and flexibility to be able to develop and release these services on demand.
19:27 - But from the security aspect, the traditional checklist based controls, you know, that we have in place for our data center on premise systems for security assurance, before any release of these services to production are not really sufficient here.
19:44 - This is what happens is like these services are released without, you know, appropriate security checks.
19:50 - Leaving the low hanging fruits for the adversaries to gain access within your system.
19:57 - Next comes the inconsistent security policy and governance controls.
20:01 - So, of course, you know, it all is kind of interlinked, you know, as we are thinking through it one by one.
20:09 - But inconsistent security policies and controls here means that for your data center, you know, once you define a security policy or lay down those security controls and governance processes, it is based off a certain risk assessment approach.
20:27 - You define those risk, you know, you understand the risk exposure of your data center.
20:32 - Why you’re moving to the cloud with other challenges in place and while, you know, the migration approaches that are adopted.
20:41 - The right view of the security risk is not identified.
20:45 - And then hence, you know, the applicability of these controls and security guidelines becomes a challenge for security teams or security architects to basically, you know, move these or make these controls happen to be capable within cloud.
21:06 - Next one is the dependency on traditional security controls.
21:11 - We covered some of that in, you know, keeping up with the rapid changes.
21:14 - However, you know, as I mentioned before point in time risk assessment is almost impossible due to the growing number of internal and external services.
21:23 - Dependency, run time. Makes polyglot software development adopted.
21:30 - And thus it forced, you know, companies to make a tradeoff between speed and security and exposing the organizations to unnecessary risk.
21:40 - Next is misconfiguration. You know, of course, like with the adoption requires some level of skills and then, you know, the lack of skills.
21:50 - Or the negligence within the cloud because you’re spinning up the systems day in and day out.
21:56 - Bringing down the systems day in and day out, the misconfigurations tend to happen and which leaves significant loopholes and it’s hard for security architects or security teams to manage this level of, you know, misconfigurations.
22:13 - And another dilemma linked to the configuration is lack of adequate monitoring and incident response.
22:23 - So basically, you don’t know what systems are existing within cloud.
22:29 - What services have you procured? Since, you know, not much visibility is there within the environment.
22:36 - And hence, you know, maybe the logs are not enabled, or the monitoring is not appropriately configured.
22:44 - And hence, you know, if there is any event or incidents happening within those instances, it just goes unnoticed.
22:51 - Last, but certainly not the least is the access control.
22:55 - Along with, you know, everything else that we have been seeing.
23:01 - You know, access control tends to be a mess.
23:03 - You don’t know what privileges are assigned to which users.
23:07 - Although, you know, the cloud technologies provide the level to develop these access controls.
23:13 - However, the configuration becomes a challenge without, you know, visibility, without understanding who needs access to what.
23:21 - And practicing those least privilege, need to know, you know, becomes a challenge.
23:26 - So, now that we have looked at, you know, all the security challenges there, I want to take you to the migration scenario here which is proposed to lift and shift the critical application from data center to cloud.
23:43 - The objective for this migration was to scale the existing application to enhance its performance and capacity in cloud with deploying number of, you know, services for the portfolio for the organization.
23:55 - To understand the problem better, let’s consider that the set of applications which are hosted here in the data center are critical customer facing applications.
24:04 - And due to the criticality, the migration was required to be done with minimum overall change to the architecture.
24:09 - However, to achieve this scalability and enhance the performance of the application, it was important to consider replatforming and refactoring some of the, you know, associated applications and the components.
24:25 - Hence while lift and shift resulted with better, you know, retaining some of the data center ingress/egress traffic by a compromised, you know, security protection systems like firewalls, load balancers and all.
24:42 - The migration architecture and roadmap also included optimizing the application and dependent integration by leveraging cloud native capabilities.
24:50 - And later on, the refactoring of, you know, to enhance the functionality and overall performance.
24:57 - So, as you see in the architecture here, you know, the security challenges that we have discovered before seems quite valid and inevitable.
25:07 - But the irony here is that this is just the tip of the iceberg.
25:12 - Showing that I’ve tried putting together. The actual architecture actually looked way better and way complicated than this.
25:21 - So, now that we looked at the security challenges in such architecture and such migration work, I will take you through the approach by using secure by design principles where, as security architects or security professionals, we can work with business teams which are planning to migrate to cloud and make it easier from the security aspect.
25:47 - The first step starts with security teams doing this early on within your project.
25:54 - Not being the late comers. It is important for business and technical teams to bring in security at an early stage.
26:02 - Which will ensure a clear understanding of the migration drivers and align the strategy goals with the overall goal.
26:11 - What it will do is facilitate better communication and collaboration as well with development teams.
26:19 - Where security teams will be able to identify the scope and work with the solution architects to understand the conceptual and detailed design.
26:28 - And roadmap for the migration, which will lay the grounds for the security team to perform appropriate profiling and assess the risk to the applications and platforms.
26:37 - And then, you know, identify the adequate control applicability within your cloud migration, you know, while you’re migrating or, you know, in the process of migration.
26:50 - Or post migration, you know, control applicability.
26:55 - This would then be defined, you know, for the security architects or security professionals engaged in the cloud migration work.
27:03 - The work would be to define these control baselines and the risk assessment that you had before.
27:11 - And define and measure those guardrails and measure the effect of security and define the metrics and these periodic metrics.
27:21 - Now, how you will achieve all of these controls and then control assurance around your cloud workflows is to keep optimizing and improving by adopting cloud native solutions and capabilities and then optimizing configurations and embedding security into the DevOps cycle to avoid much of the manual intervention here.
27:47 - And then have it as automated as possible. So, from next slide onwards here, I want to concentrate on some of and I want to showcase some of the cloud native controls to achieve, you know, the approach that we have worked through here.
28:03 - And so, one of the security controls and the basic one is to have, you know, visibility and, you know, just to resolve the challenge that we saw to mitigate the lack of visibility there.
28:19 - To perform the adequate risk profiling and identification.
28:23 - So, the example shown here is basically, you know, related to asset tagging and providing the asset tagging and having the CMDB of your assets which involves controlling the owner, team, life cycle, policies and environment.
28:45 - So, the example which is demonstrated here is the automated asset tagging which consists of, you know, as you can see the lambda function here.
28:55 - Which captures the API events, you know, if there is, say, a new EC2 instance that’s created as part of the auto scaling functionality.
29:06 - It will capture the traffic and then analyze, you know, and create the tag using the owner’s value of the username and the EC2.
29:21 - And then provide C tagging for that EC2 instance as part of the auto scaling group.
29:27 - Once you’ve tagged the instance, for us as security professionals to be able to monitor these assets as these are being created, it gets easier to keep track of the overall data flow and then hence identify the risk exposure level of these instances in real time.
29:49 - So, this is the basic one which where you can leverage the Cloud Native capabilities to be able to tag those assets and identify and get the visibility of your cloud infrastructure.
30:03 - Similar to that, next one that I want to show as I mentioned about laying the guardrails and, you know, defining the minimum security requirements within the cloud.
30:13 - And then achieving those and keeping track of those with the adequate automation.
30:19 - I tried showing the example here of, you know, just with the configuration changes, for example.
30:27 - Where if any configuration changes in any of your workload, there’s this big AWS Config which monitors the configuration that you have enabled.
30:39 - Which monitors those configuration compliance within your workloads.
30:43 - Amazon, the IDS intrusion detection system that picks up all the logs and then provides the behavioral analysis.
30:53 - So, these basically, these pick up the logs from particular resources.
30:59 - For example, when this configuration has happened and would provide you, if you have configured just for detection, would provide you the notification that here’s something here your workload is misconfigured or is not compliant to the security guardrails that you have defined.
31:17 - Please have a look at it. Or if you have any lambda functions and custom prevention rules there, then, of course, it will prevent or it will revert the configuration back to, you know, what it was supposed to be and provide you with the notifications.
31:35 - Moving forward is, you know, one of the most important controls.
31:43 - You know, having this segmented network architecture.
31:46 - So, basically, you know, create the critical instances in separate accounts.
31:52 - Don’t have them all hosted within one account.
31:57 - You know, segregate those. So, you know, for example, out of this picture, an example, if you want all your logs to be collected from your cloud instances within an S3 bucket, you wouldn’t want that S3 bucket, you know, to be accessible to everybody.
32:13 - So, you would want that S3 bucket to be hosted in a specialized, you know, account.
32:19 - In a segregated environment which is, you know, accessible to the least people as possible.
32:25 - Or, you know, you have more controls over it.
32:31 - Next one is implementing least privilege network.
32:35 - So, what I’ve shown, I’ve tried showcasing here is, you know, you can adopt some of the cloud technologies such as, you know, having security groups, having network ACLs to segregate and, you know, control the network ingress and egress traffic movement between two instances.
32:56 - So, as an example here, I tried showcasing that how using, you know, the firewalls, the transit gateways.
33:05 - These are Cloud Native solutions for Amazon Web Services.
33:07 - You know, you can segregate the traffic and control the traffic between two virtual private clouds or different accounts.
33:16 - Maybe hosted in different regions or, you know, you can control those with the CPL within the same region as well.
33:23 - Just to control that network traffic and, you know, reduce the overall risk surface.
33:28 - So, in lines with that, like I’ve demonstrated a lot of security solutions, you know, which are Cloud Native and some of these I just want to highlight, you know, as is that some of the shared security capabilities that are available within your cloud service provider.
33:50 - I have taken an example of Amazon Web Services here.
33:54 - But the similar capabilities are provided by other cloud service providers as well.
33:59 - So, some of these common security capabilities are federated IAM, logging and monitoring, incident response, key management there will be many more.
34:10 - I have showcased AWS Config as a capability to take an example of continuously monitoring the configuration compliances.
34:22 - You know, which is monitored through AWS Config if that is enabled.
34:28 - And then you get notified as we have seen in the slides as well.
34:33 - So, some of the key takeaways from this session as we are wrapping it up is, you know, having the right management oversight.
34:42 - Because they are the decision makers. And, you know, aligning the security intentions and security objectives during the migration.
34:50 - Or while planning the migration with the overall business objectives comes a long way because you basically protect, secure, or are working towards enabling your business.
35:03 - Setting the right security guardrails. You set them off of the risk appetite and risk assessment.
35:10 - By understanding the approach and understanding what you’re adopting within the cloud by migration.
35:19 - The other one is automation like going forward, you know, as you adopt.
35:24 - Enhance your skills. You know, keep automating these controls.
35:28 - Because within the cloud with the rapid changes, of course, it is difficult to keep track of everything with a traditional, you know, security methodologies.
35:38 - Then, you know, developing and enhancing these skills and capabilities with the continuous, you know, cloud continuous capabilities.
35:48 - It is important to have those capabilities and have a team which is understanding of the security controls and how to achieve them through the automations and capabilities that are available with the cloud platform that your companies plan to adopt.
36:08 - Security should be in the DevOps cycle. DevOps, DevSecOps, it’s just part of it.
36:16 - It comes to the automation as well. So, security is embedded in your CI/CD pipeline, basically.
36:23 - You know, everything is developed. Everything is checked in real time.
36:28 - So, it doesn’t have to be a point in time exercise.
36:32 - And the last one is that security is standardized across the asset lifecycle.
36:35 - So, once it is accepted. We saw the asset tagging.
36:40 - You know, you create an asset and let us decommission.
36:45 - You know, you have the security built and you’re managing it well.
36:50 - You have the right visibility to it. So, with that, you know, this concludes my presentation into the challenges that are faced by security architects while you’re working with your teams in their cloud migration journey.
37:05 - I did a paper on this topic as I’m consolidating and making it more detailed, it will be available by September.
37:14 - And then at the end, I just want to say thank you for attending my talk.
37:18 - You have my LinkedIn and email here. I will be available on Slack as well.
37:23 - And I’m ready to take any questions now. KAT: Thank you so much, Archana.
37:29 - That was awesome. I learned a lot there.
37:35 - I am a cloud person. And that gave me some things to think about.
37:41 - We do have a question here. Do you have any recommendations for getting DevSecOps and DevOps working toward the same goals and working better together? ARCHANA: Yes.
37:58 - So, you know, the answer basically lies in the question that, you know, both the DevOps and DevSecOps are working to achieve the same goal.
38:10 - That is the business objective. If it is for moving to cloud or operating in cloud and retaining that cloud environment.
38:17 - So, you know, when you’re working towards the same objective and the challenge basically comes because security is adopting certain guidelines and checklist based approaches.
38:29 - So, when they tend to understand how developers are working, how developers are developing those codes, it is easier to embed those security tests, automated tests, you know, as part of your development cycle.
38:43 - And embedding those security checks, you know, as part of those CI/CD pipelines that DevOps is working towards and making sure that, you know, your security isn’t built in the part of any solution that is being released, you know, out there for customers to utilize.
39:01 - I hope that answers. KAT: I’m gonna throw out my own question.
39:08 - ARCHANA: Yes. KAT: I work a lot with developers, engineers and such that are always thinking that the security team is just out to get them.
39:24 - Actually. Especially when it comes to the cloud.
39:30 - Because they just don’t get it that the cloud is it’s a little bit different.
39:35 - But it’s still just exposed computers and so on.
39:38 - ARCHANA: Yes. KAT: Do you have any suggestions on getting those engineers kind of on board? Especially when you're dealing with the DevSecOps pipeline? How do you tend to sell security to them in a positive way? ARCHANA: It is, you know, it all comes down to understanding the exposure level, you know, or risk exposure level for that particular goal, as I mentioned, that you're working towards.
40:09 - So, the developers and engineers are working to, you know, develop those capabilities for the organizations to utilize for their purposes.
40:17 - And if there is, you know, if the security architects and professionals, first of all it is important for us to not really them.
40:29 - And then the problem comes when we go to them.
40:32 - We go to these developers and tell them, hey, this is a compliance obligation.
40:36 - Please, you know, stick to it. That’s when it becomes policing.
40:40 - Which is, you know, not really welcome. So, working towards, you know, the same goal.
40:45 - Achieving, you know, that particular solution.
40:48 - It is important for security professionals to talk in a risk based approach.
40:54 - And then make the engineers understand, you know, that hey, if we do it this way, certain things I mean, this is, you know, the kind of risk exposure that our solution might have.
41:08 - And then hence, you know, we require these minimum controls.
41:11 - It may not be, you know, as restrictive as, you know, sometime we tend to provide.
41:16 - You know, it has to be catering to the business requirement.
41:21 - It has to be understanding those engineers' point of view and yet, you know, embedding those controls at minimum to mitigate those risks at an acceptable level for their organization is, you know, an approach that works.
41:34 - You know, with the engineers that I worked with, you know, and worked with day in and day out.
41:42 - And just understanding and focusing on that particular risk and mitigating that to an acceptable level.
41:48 - It doesn’t have to be, you know, particularly a compliance approach.
41:50 - It tends to put them under the way or, you know, just diverges away from the overall objective.
42:00 - KAT: Good point. We have another question up here.
42:05 - Do you have any particular references for people coming up to speed on the security tools in the different cloud environments? ARCHANA: Let me read that question.
42:17 - Do you have any particular references for people coming up to speed on cloud tools? Okay.
42:22 - Yeah. It's, you know, if you're starting up as a, you know, a security professional working around using these cloud technologies, you know, there are a lot of labs available out there.
42:35 - I, you know, particularly follow a lot of AWS Cloud Native work and capabilities.
42:43 - So, you know, if you go out to their websites, there are a lot of trainings and, you know, I think like classrooms.
42:53 - That, you know, you can have and leverage these tools and work out in real time.
43:00 - And then see for yourself like how these configurations and rules are basically working within cloud.
43:06 - KAT: I’ll add one into that I use a lot in various cloud environments.
43:12 - It’s called ScoutSuite. Open source by NCC.
43:17 - And it is a great way to audit your environments, regardless of AWS, GCP, Azure, et cetera.
43:25 - And it really gives you a good overall picture of what your environment looks like.
43:29 - And if you have any settings that are misconfigured.
43:34 - Which tends to be a big problem. ARCHANA: Yep.
43:39 - KAT: Any other questions, anybody? Well, this was a great talk.
43:45 - Thank you again so much. And thanks to all of our sponsors.
43:51 - And thank you all for attending. This has been a very long day.
43:55 - But it’s been a very productive day with a lot of great talks throughout.
43:59 - And just a special thanks, Archana. Because, you know, this is I think it is the last talk of the day, right? I don’t have the schedule in front of me, ah, I should do that.
44:12 - But is it? ARCHANA: I think so, yes.
44:15 - KAT: I think it is. And it’s always hard to be the last talk of the day.
44:19 - So, you know, I give you credit for doing that and doing it so well.
44:24 - So, thank you very much. Thank you all.
44:26 - ARCHANA: Thank you. KAT: And we will ARCHANA: Thank you all for attending.
44:31 - For more questions, I’m still on Slack. KAT: Oh, there is one more.
44:36 - I was just told. There is one more talk.
44:38 - So, yes. Sorry. I missed that.
44:41 - Yeah. There is one more. And what is it? It is ah.
44:48 - Leaders Lower the Ladder. No, that’s at yeah.
44:52 - Leaders Lower the Ladder. And that is on stage 1.
44:55 - And that is this stage. So, that will be coming up in just a few minutes.
45:02 - So, stick around and don’t forget tomorrow is day two.
45:07 - And there’s lots more talks. Please visit the expo.
45:12 - Talk to our sponsors, talk to the villages.
45:16 - Everything’s going on. Lots of good stuff.
45:19 - Thank you all. Have a great rest of your conference.