Are we all on board with the shared security model in cloud security? We always said it, but I don’t know if everyone knew what the cloud provider and the customer’s responsibilities were.
Check out this post by Justin Pagano at Klaviyo for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is Jesse Webb, CISO and SVP of information systems, Avalon Healthcare Solutions.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, ThreatLocker

Imagine taking a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. Stop the exploitation of trusted applications within your organization to keep you running efficiently and secure, protected from ransomware.
Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, visit ThreatLocker.com.
Full Transcript
Intro
0:00.000
[David Spark] Are we all on board with the shared security model in cloud security? We always said it, but I don’t know if everyone knew what the cloud provider and the customer’s responsibilities were. We just kind of said, “Shared security model,” and no one knew who did what. Are cloud providers not holding up their end of the bargain?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode… He’s been here a long time. He’s coming back yet again. It’s Geoff Belknap. Geoff, say hello to the audience.
[Geoff Belknap] Hey, everybody. I just am glad to be here to be able to tell you that you can have a career after being a childhood actor in podcasting.
[David Spark] Geoff is pulling back… That’s a classic from the Defense in Depth.
[Geoff Belknap] Deep cut.
[David Spark] You could probably search our transcripts to find this, but I have mocked Geoff multiple times of being a child actor. He has not been a child actor, but I have brought him in on…
[Geoff Belknap] David, how could you say something so hurtful? My art, my craft.
[David Spark] I told you, I worked with a guy who was a child actor on “The Waltons” many, many moons ago.
[Geoff Belknap] You and Charlton Heston.
[David Spark] It was not Charlton Heston.
[Geoff Belknap] Oh, right. Okay.
[David Spark] I don’t think he was on “The Waltons,” was he?
[Geoff Belknap] Aren’t you guys the same age? Is that…?
[David Spark] I hope I’m not the same age as Charlton Heston. He’s long dead, isn’t he? I definitely hope we’re not the same age.
[Geoff Belknap] You’re definitely healthier.
[David Spark] I was a big fan of “Planet of the Apes” though. Our sponsor for today’s episode is zero trust endpoint protection platform. Huge thanks to ThreatLocker for sponsoring this episode. They’ve been a phenomenal sponsor of the CISO Series. And more about their platform later in the show. But first, let’s talk about today’s topic, Geoff. The cloud shared responsibility model sounded great at first. But are vendors living up to their end of the deal? Now cloud providers’ number one concern is sales and adoption.
But if they were to apply stringent security controls out of the box on their side, it would definitely cause friction for adoption. So, Justin Pagano of Klaviyo argues that the shared model is showing its age, and the number of cloud breaches in the news calls for cloud providers to up their game on default cloud security settings. He suggests cloud vendors should make non-SMS MFA default. Remove default passwords for infrastructure and services and prescribe least-privilege permission policy changes based on actual permission usage. All right, I will ask you, Geoff, do the shared responsibility models and SLA, the service level agreements, need to be rewritten? Are we at a time when we need to give it another shot in the arm?
[Geoff Belknap] I spent a lot of time in this space, and certainly I have a very specific opinion, which is it would benefit everyone globally, economically, individually, greatly if every cloud service provider provided a service that was secure by default. However, we’ll tell you most of the customers in the cloud service space do not want those by default. Now, I want to be clear, I’m not blaming people who use cloud services, but the people who are building on top of cloud providers have a job to do.
And I will say my experience has been they get very upset when you turn the secure defaults on by default. And it is also a shared journey of growth, helping people understand why they have to do these things. I think turning it on now by default is a little like telling everyone, “You need to pull over and install seatbelts in your car.” We all know you need to do it, and we all should do it, but we both have to do it together.
[David Spark] That is a good point. And I think security is always a journey, and it kind of sounds like secure by default, which sounds really good… Nothing about it sounds bad.
[Geoff Belknap] It would be better. But…
[David Spark] It doesn’t necessarily work. We’re going to go on in that journey in the next 25 minutes. And the person who’s going to help us with that journey is the CISO and SVP of information systems over at Avalon Healthcare Solutions. It’s none other than Jesse Webb. Jesse, thank you so much for joining us.
[Jesse Webb] David, thank you for the invite. Avalon is 100% cloud, so this is an important conversation for us.
Why are they behaving this way?
4:27.509
[David Spark] Owain Bainbridge-Rees of NCC Group said, “I think the shared responsibility model is a well thought out business model. The issue stems from companies not understanding their own responsibilities when using cloud. Now, should cloud providers set all default settings to follow security best practice? Should cloud providers enforce NIST CIS compliant builds by default? My answer is no. Companies should take responsibility for their deployments on cloud or pay for a fully managed service.” Kind of in line with you, Geoff, there. Although you see the value on both ends here.
Travis McPeak, Resourcely, “We need to use nudges to push people towards the outcomes we want. I visited Japan recently. They have cigarette vending machines, and packs cost a dollar to two bucks. In the US, cigarette packs are more than ten dollars. That’s a direct result of our government making it painful for people to smoke in the way that we know is effective—with money. What if providers upcharge you for not requiring strong MFA account wide?” I’ve actually experienced this before. “The more negative and positive nudges we can use to incentivize the behavior we want, the better.” I, in fact, got my monthly service charge reduced when I installed MFA. That might be the trick. What do you think, Geoff?
[Geoff Belknap] I think that’s a great trick. I think incentivizing people to have great security is probably the better method here. I think when we talk about forcing everyone into security defaults, which I, by the way, would be a huge fan of, the intersection with the practicality of that and the business reality of that is everyone’s threat model is different. There are some things that I think you could get some generally strong agreement on about if you are going to require people to have MFA, it should probably be strong MFA. There’s really no point in having weak MFA. However, should I require you to have memory encryption on by default?
Should I require you to have at rest storage encryption on by default? What if you’re distributing a binary that it’s okay for everybody to have for free? Why do I need to force you into extra high security that you’d need if you were banking versus if you’re running a video game server? Like your threat model and your security needs are different. I think incentivizing organizations to use known security defaults that apply broadly to any usage of a service on the internet is a great idea. Forcing people into a strict box of the same security controls, probably not going to be good long-term.
[David Spark] All right, I throw this to you, Jesse. Let’s just get your initial thoughts on this. Secure by default – can it work, or do you need to incentivize? Or is it a journey? Where do you stand on this?
[Jesse Webb] I am all for the secure by default, and I’d like it turned on. But I also would like the option to make adjustments. Because if there’s certain services that I need public, I want to be able to turn them off. But to be able to have it on by default, as I’m standing up a brand new account or I’m training a brand new junior admin, he’s going to make mistakes. I would rather him have to figure out how to turn the security off than how to turn it on.
[David Spark] But… And I’m going to go back to a lot of the pushback that I’ve heard in the past, is for the people selling the services, when it is secure by default, the usage and what you said, Geoff, as well, is that customers don’t want it on by default. You’re speaking as a security professional. I’m sure it would make both of your lives a lot easier if it was all configured nice and secure right out of the box, right? I’ll start with you, Jesse.
[Jesse Webb] I think you have to differentiate between [Inaudible 00:08:08] like your bank. A user going to their bank and the bank making you turn on MFA. Or incentivizing you by some fee discount for turning on MFA. Versus a large scale implementation like AWS, Snowflake, Azure. The security that should be on by default at scale when you’re running enterprise workloads is a very different conversation than when you’re dealing with end users.
[David Spark] Right. And that’s a really good point. There’s a lot of secure by default we’re having in this conversation here. Geoff, let me ask this, is there something that should be secure by default? Like we really…this should come out of the by default secure.
[Geoff Belknap] Well, I think I’m going to go back to the easy answer, which is MFA. If you’re an end user logging into something, MFA should be by default. But really, I would expand it beyond that. If I’m going to provide a cloud service or if I’m going to provide an end user service, there should be logging on by default. There should be a reasonable target. You should have secure auth. You should have secure authz. There’s all these things. But then the complexity is it’s not one thing that makes your cloud environment secure. It’s the totality in the usage of all those things together. And this is where it becomes really hard to just expect the provider to do it all for you. I think the providers could do more, and then I think the customers also need to level up what they’re contributing to that as well.
What are they doing wrong?
9:28.615
[David Spark] Jason Allen of Traceable by Harness said, “I don’t get it. They built the functionality, made it available, and you chose not to enforce it. That doesn’t seem like a shared responsibility model. That seems like negligence.” Patrick Garrity of VulnCheck said, “Shared responsibility equals defer risk to the customers.” Interesting take there. And Jaroslaw Postawa said, “It’s harder to do anything in cloud than in traditional infrastructure because people not only have to manage the abstraction layer (aka the portal and the API) of the cloud provider but also the infrastructure behind it, but managed in a very restrained way.
We can revoke some 40-year-old concepts and make some modern updates. Security will follow.” So, set in the original post by…why we’re discussing this by Justin Pagano and here by Jaroslaw Postawa, there is a desire to revisit what is the shared responsibility model. So, let me ask you, Jesse, is there something you’d like changed in this shared model?
[Jesse Webb] Oh, absolutely. Because we’re a small to mid-sized business. But we’re 100% in the cloud. So, I am dependent upon those providers to provide services. And let’s go to the example of like Snowflake, because they’re one of the cloud providers we used. When we were in there, I couldn’t turn on MFA by…mandatory MFA for all my users. I had to go user by user and talk to my user and say, “Turn your MFA on.” After that, we had to change over to SSO because we couldn’t enforce MFA. This is where providers stepping up and providing a more default setting or default capabilities is very important.
[David Spark] Or even global capabilities, which it seems like is not what you were getting at the time.
[Jesse Webb] Correct.
[David Spark] Geoff, what would you like changed? And, again, if we had a chance to revisit this whole thing and said, “All right, here are the plans of the shared responsibility model. The line is going to change this way,” what do you say?
[Geoff Belknap] Well, I think it’s really important to remind ourselves what shared responsibility model means in the cloud. I think first and foremost, shared responsibility means I, as the cloud provider, am going to secure the infrastructure that you have no control over. I am going to be responsible for that. You, as the customer, are going to secure the infrastructure that you have responsibility over. You are going to be responsible for that. Now, I think where we’ve elevated that conversation is beyond just, “I’m going to run the routers and switches, and you’re going to run the bits and bytes,” to, “I should provide you a minimum level of security controls that allow you to control that security yourself and allow you to decide your own security levels.”
I think what’s happening these days is many customers are finding that maybe I, as a cloud provider, don’t even provide enough controls for you. Or I make them too hard for you to turn on. Or I charge you too much to turn those on. Now, I don’t mean me literally, Geoff, but the cloud provider. And I think that’s where we need to be thoughtful about how we change that. I think cloud providers should just provide all these things.
However, all these things cost money. And at the end of the day, even if they’re provided, customers don’t always turn them on. And it’s easy to go, “Well, it should have been on by default.” I think at the end of the day, if you’re going to run your services in the cloud, you have just as much responsibility as the cloud provider to secure what you’re putting in the cloud as long as you have those controls available to you.
[David Spark] I got to imagine… And again, we’re talking about such a sort of wide network of cloud providers here. But I have to assume there’s some kind of wizard or step guide when you start installing these things that starts giving you advice, or maybe they could give you better advice on security. Jesse?
[Jesse Webb] Oh, definitely. And most of the providers do have very good onboarding guides, documentation for what security they do provide. It’s there. And that goes back to some of the comments that we see here. “I don’t get it. Why didn’t you turn it on?” Well, it takes time to go in and find those settings and learn the settings. And I agree with that comment – that if it’s provided to you, you should be taking advantage of it.
Sponsor – ThreatLocker
13:39.017
[David Spark] Before I go on any further, I do want to tell you about our fantastic sponsor. One of our best sponsors, and that is ThreatLocker. Now, I want you to listen to this. We all know in cyber security, seconds matter. But also precision matters. And that’s why ThreatLocker is upping the game, their game. Again, a lot of things to mention, so pay attention. The company just launched a new set of solutions built for teams who need to move fast without compromising security. So, it’s zero trust but without complexity. So, with ThreatLocker Insights, you get real-time intelligence from millions of endpoints worldwide to empower you to make the best swift cyber security decisions on what applications to allow and what controls to put in place in your environment. Patch management? Well, instead of chasing updates and manually approving patches at two in the morning, ThreatLocker takes care of it for you with the rigorous research and testing you need to stay compliant and secure. Cloud control adds an essential layer of defense, further closing the gaps that phishing and token theft campaigns love to exploit.
They’re also making life easier for IT and security teams with the new user store, a smart way to give users instant access to preapproved software while maintaining the strong security of your environment. And for web threats, well, web control lets you block sites you don’t trust or users should not access from the workplace. It blocks unapproved content by category, not URL by URL.
Now, of course you still get ThreatLocker’s 24×7 US-based cyber hero support. No scripts, no waiting hours for answers. They deliver world-class swift support. Responding in about 60 seconds. That’s pretty darn fast. It’s no accident that over 50,000 companies now trust ThreatLocker to help them harden their environments against modern threats. Now, if you’re serious about tightening your defenses and getting a platform that doesn’t slow you down, check out their website. It’s threatlocker.com. Go there to learn more.
Why does this still happen?
15:56.053
[David Spark] Russell Spitler of Nudge Security said, “Most mainstream B2B SaaS companies have done a reasonable job drawing the line for shared responsibility, but the real challenge is that most companies do not have a scalable way to ensure that qualified employees are in the right place to take responsibility for their side of the shared responsibility. This is a challenge that needs to be addressed at scale. Even in a world where every B2B SaaS vendor in the world enables MFA by default. The rest of your wish list is not going to be handled by Bob in accounting or Jesse in development.”
And I talked to Russell about this. Often new SaaS tools are introduced not by the security department. And then these people that… It mentions generic person of someone in accounting or marketing. They all of a sudden become the individual responsible for setting up security for your business. Let me just add one more quote here. Adi Chemoul of Token Security said, “Major cloud and app providers should work closely with customers to fix (minimize) these gaps or at least warn them about the potential impacts of neglecting basic protections.
Recent breaches at Snowflake customers like Ticketmaster and Santander Bank happened because of things like not using MFA, failing to rotate keys, and weak network restrictions—basic stuff as I see it. Not a stealthy role who accidentally granted cross-account permission.” So, I’m going to start with you again, Jesse, on this. I think what Russell was saying is that often these are introduced not by the security team or the security team is not aware of it. They’re not involved in the setup of it. And this is why security by default would help. Because you can’t count on other people outside of security to install it. What say you on that?
[Jesse Webb] I agree. I think it’s a great comment. And true. You still need someone passionate about security and skilled enough to protect your company. And if you’re a small company that can’t afford a professional CISO, secure by default is the way to go.
[David Spark] Geoff?
[Geoff Belknap] I’d say even if you can afford a fancy, expensive, very handsome former child actor CISO, you still need phenomenal tools and platforms to support you. And one of the things that always comes to mind here is let’s say every cloud app or service that I buy has all the security defaults, and they’re all on by default. One of the challenges I have as a security leader is there are different settings for each of those things. If I wanted to enable a tool to go make sure I’ve got all the security defaults on my CRM, on my productivity tools, on my payroll system, it is not possible for me to look across all of those things with one set of tools and make sure that they are all configured for some value correctly.
They all work differently. They all expose those tools differently. They all have different APIs. It is very challenging. And I’ve only listed about three different apps. A standard medium-sized enterprise has 400 SaaS apps. It is difficult to track even if you give me all those features. And the reality is many cloud providers don’t give you all the features you need.
[Jesse Webb] And that’s a good point. Like SSO is not going to be turned on by default. You’re still going to have to go set up that kind of capability.
[David Spark] Yeah, and setting it up for 400 apps, that’s going to take you some time. And then it’ll change over time.
[Geoff Belknap] That’s right. And even if let’s say logging is available on all those apps, the way you use logging or set up logging to go to some central place for you to monitor it all is different across each one of those apps. So, it’s not just a matter of providing the feature, it’s also we need to get together as providers and as customers and say, “Hey, we’d like this in some kind of standardized way,” too.
[David Spark] It seems that that might solve a lot of issues. Because, honestly, they could all have MFA. They could all make it easy. They could all have SSO and all make it easy. But the way to do it is so different that you need training on each one. Have you run into this, Jesse?
[Jesse Webb] Yeah. And we have a pretty sharp team, and we have been forcing secure by default from day one. And the abrasion it’s created with our development team, I’ve lived it, and we’ve had to overcome some of the issues. We don’t want to be a department of no, but we also want to say well, maybe, “Hell no, we’re not doing it that way.”
[David Spark] Okay. This conflict of the shared responsibility model with things not being a default forces a very security minded business like yourself to struggle internally to make it work for you. Am I kind of reading that correctly, Jesse?
[Jesse Webb] Well, yeah, because we’re having to now implement our own tools or our own policies, procedures, processes, or restrictions, and it is not a standard format. We’re trying to make sure that we have applied what works for our business.
What’s our visibility into this problem?
20:53.828
[David Spark] Justin Francesconi of Bowtie said, “Shared controls are just the tip of the iceberg, it’s only what you can see and control above the surface; what’s beneath is hidden…” And this was sort of referenced at the top. “…and largely beyond scrutiny or control. What we need is a model where nothing is hidden, security defaults apply from the outset, AND ease of use is paramount.” Geoff, I think Justin sort of just described the Eden of cloud security. Yes?
[Geoff Belknap] That sounds great.
[David Spark] How do we get there?
[Geoff Belknap] We have to sort of back into like, “Why aren’t we there today?” It’s not because companies are too stupid to provide these features. I’m going to be honest. It’s because a lot of companies will not pay extra for a service that has these features versus a service that doesn’t. Some of this is this maligned incentives in the security space of if I’m buying a set of productivity tools, I’m probably not buying based on which one has the best security features. And that’s unfortunate. This is also where I’d love to see a little regulatory involvement or some minimum standards required. If customers said, “I will not buy your product if it does not have these features,” they would change the market overnight. But that’s not what’s happening today.
[David Spark] It’s going to all require customer pressure. I mean do you have another solution here, Jesse?
[Jesse Webb] No, not necessarily. There is a certain [Inaudible 00:22:24] by degrees. Some things could be turned on by default very easily. I think basic MFA for all endpoint access, encryption on the drives, logging. These are services which could be hidden behind the scenes and turned on for you. Other, the more complex ones, which is going to be your advanced access, the SSO, or bring-your-own-key level of encryption. Those require significant investment of time and settings for configuration.
[David Spark] It seems there’s a desire, but the market pressures are kind of preventing it from happening. We did though talk about incentivizing. It sounds like demand from public and incentivizing is probably the best way we’re going to go, yes?
[Geoff Belknap] Yeah, I think there’s been some really interesting progress here in the gaming sector of all places, which is interesting. There are some massively multiplayer online role-playing games that incentivize their players to turn on MFA by giving them free skins or items in games. That pushed their MFA adoption above 60+%. Now, I’ll notice, it didn’t push it to 100%, but it certainly incentivized people to do the right thing. If it was me running a cloud service, I’d be like, “Great. If you don’t turn on MFA, I’m going to charge you 20% more, or 10% more, or whatever it is.” But the reality is I need to provide a business that is going to both make me money and provide solutions that my customers want.
And I either need the customers to apply pressure to vendors to say, “No one is going to buy your product if you don’t provide X, Y, and Z feature.” Or I need regulators or some other pressure in the market to say, “I can’t compete unless I provide this baseline set of features.” And I think today, right now, it’s taking way too long for that market pressure to come. I would love for everybody to be building super advanced security features for everybody to take advantage of. But the reality is even the advanced features that a lot of companies build like MFA, people don’t even turn on.
Closing
24:19.661
[David Spark] Well, that brings us to the final question I have for both of you, and that is which of these quotes was your favorite, and why. And I will start with you, Jesse.
[Jesse Webb] Well, can I go back to the original LinkedIn article instead of one of the quotes?
[David Spark] Sure.
[Jesse Webb] Because one of the things that Justin covered was the Google shared fate approach. I thought that was a fantastic article, and I think it needs to be the approach, is the vendors have got to engage with the customers and take a shared fate responsibility to say, “We’re going to help you get the security turned on.”
[David Spark] That’s a good way of saying it. Let me help you. Let me walk you through. Let me support you. Because… This is an interesting thing. We hear this again and again from CISOs. Back me up on this, Geoff. We want a partner, we don’t want a vendor. Yes?
[Geoff Belknap] Yes. 100%. At the end of the day, I want somebody who’s going to help me achieve my goals, not just collect a rent check.
[David Spark] Good point.
[Geoff Belknap] I think this is why my favorite quote here, I’m going to pick a part of Travis McPeak from Resourcely, who said at the end of his quote, “The more negative and positive nudges we can use to incentivize the behavior we want, the better.” And I think this is the best option we have going forward. Would it be great if cloud providers just turned on all the security defaults and told you, “Sorry, it’s going to be hard to configure, but it’s going to be very secure,” yes, that would be phenomenal, and I would be behind it 100%.
Is the market going to let us do that? No. So, I think the next best thing to that is saying, “Hey, it’s really easy to configure MFA, or logging, or [Inaudible 00:25:54] on your storage buckets,” or whatever you might need to configure. And maybe when we walk you through the configuration wizard or you’re setting up your SaaS product for the first time, all these things are on by default, or we walk you through turning them on, and you make a choice whether to turn them on by default. But whatever it is, that little bit of nudge, that little bit of poke on a regular basis to do something that’s going to make your security better, I think that is a great approach for everyone to take.
[David Spark] Excellent point. And now that brings us to the end of the show. A huge thanks to our guest, and that would be Jesse Webb, the CISO and senior vice president of information systems over at Avalon Healthcare Solutions. 100% in the cloud as I understand. But I believe your healthcare solutions are not 100% in the cloud, are they?
[Jesse Webb] No, we’re 100% cloud data centered, and all of our services and toolings. And we’re actually a SaaS offering ourselves back to the health plans.
[David Spark] Okay. But the people you’re getting the health plan is getting an actual health plan is the point I’m making.
[Geoff Belknap] Are you making the cloud healthier, Jesse?
[David Spark] Yes, can you make the cloud healthier?
[Crosstalk 00:26:53]
[David Spark] There you go. There’s a money-making idea.
[Jesse Webb] Well, participating in your program is doing that, isn’t it?
[David Spark] There you go.
[Geoff Belknap] There you go.
[David Spark] All good all the way around. Huge thanks to our sponsor. That would be ThreatLocker. Remember, zero trust endpoint protection platform. Go check them out at threatlocker.com. Where else would you find them? Thank you as well to Geoff Belknap who is always amazing. Continues to lean in. Let me ask you something, a question about the whole child acting thing. This is like Henry Winkler and the Fonzarelli. He still is asked questions about being the Fonz. Do you have the same issue yourself, that you can’t sort of shake it off?
[Geoff Belknap] Yeah, everybody recognizes me from the first Terminator movie.
[David Spark] You were the kid on the motorcycle?
[Geoff Belknap] Yeah. Yeah, I was in one scene for a quarter of a millisecond. But you know, the fame doesn’t go to my head.
[David Spark] It doesn’t, no.
[Geoff Belknap] It’s fine.
[David Spark] We appreciate you being levelheaded.
[Geoff Belknap] Now, what I want everybody to do is go through the movie scene by scene and try to figure out who I am.
[David Spark] There you go. Maybe someone can figure that out. Or maybe Photoshop your head onto somebody. We’ll see.
[Geoff Belknap] I’ll post something, and it’ll be great.
[David Spark] Thank you very much, Jesse. Thank you very much, Geoff. And thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review. Leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.