When it comes to data, compliance, and reducing risk, where are we gaining control? Where are we losing control? And what are we doing about that?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Amer Deeba, CEO and Co-founder, Normalyze.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, Normalyze
Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.
Full transcript
[David Spark] When it comes to data, compliance, and reducing risk, where are we gaining control? Where are we losing control? And what are we doing about that?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series and joining me for this very episode, if you’ve heard an episode before or maybe two or three, chances are very high that you’ve heard our guest. Not our guest, our co-host, and that’s Geoff Belknap, CISO of LinkedIn.
Geoff, say hello to the audience.
[Geoff Belknap] Hey, audience. And thank you for the promotion to guest. I appreciate it. Someday I may receive such an auspicious award.
[David Spark] You have been a guest on other shows before.
[Geoff Belknap] I have, I have. I notice I haven’t been invited back, I just got made co-host and I’m not sure it’s at the same level of guest.
[David Spark] You’re doing fine. We’re not upset with anything that you’re doing, Geoff.
[Geoff Belknap] Ah, thank you, thank you.
[David Spark] Our sponsor for today’s episode is Normalyze – the data-first cloud security company. Normalyze, let me, by the way, there are a lot of odd spellings of cybersecurity companies, I just want people to know how to spell Normalyze because it’s going to come up a couple times in the show and it’s Normalyze, that’s the part that throws you, N-O-R-M-A-L-Y-Z-E.
If you go to .ai you’ll find them. But Geoff, let’s get into today’s topic at hand.
[Geoff Belknap] Let’s.
[David Spark] On LinkedIn you asked where are we losing control and where are we getting more control with cloud data, and specifically we’re talking around managing risk around data, maintaining compliance, and controlling exposure of data and data leakage. And for the areas we’re losing control, you asked the community what are you doing to remedy that?
Now, as I discovered when we talk about cloud security, there are lots of opinions, and a good number of them are conflicting. We run into that. Did you see that again here?
[Geoff Belknap] I did, and it’s so strange because usually everyone agrees when it comes to cloud security.
[David Spark] Yes. These shows become redundant.
[Geoff Belknap] What a shock. Yeah.
[David Spark] Yes, there is a conflicting. But what did you generally learn here?
[Geoff Belknap] The thing that really stuck out to me is that people agree we are getting great bounds and leaps improvement in visibility, which should lead to more control. But we’re also at the same time that we’re getting this improvement in visibility, we’re getting an increase in decentralization.
And I noticed that most of the people that feel like there’s some loss of control are really bemoaning the fact that we’re seeing more and more decentralization, and we haven’t quite adapted to how to control and implement things in the cloud when we’re seeing that. We’re used to more of a centralized approach, and I think that’ll make for a great discussion for today with our guest.
[David Spark] An excellent summary of the main issue we have right here. And the person to help us is an expert on this subject, comes from our sponsor Normalyze. In fact, we went straight to the top.
[Geoff Belknap] Mr. Normalyze.
[David Spark] I know, Geoff, you said, “Get the guy that works in the mailroom,” and I said, “No! Absolutely not! We’re working our way up.” We got the CEO; we have the co-founder. Our sponsored guest from Normalyze, it is Amer Deeba. Amer, thank you so much for joining us.
[Amer Deeba] What a pleasure. Thank you for having me. I am honored, honestly. It’s kind of, yeah, an amazing discussion.
What are they doing right? What are they doing wrong?
3:21.037
[David Spark] So, let’s talk about more control, what you brought up, Geoff. First, Evan Morgan of Ally said, “The tooling and telemetry is almost always significantly better with a cloud service provider than on premise. This is due to the considerable standardization in building blocks that cloud service providers offer with their services.” And in the same vein, Brendan Hannigan of Sonrai Security said, “Amazing telemetry that enables discovery, classification, and tagging of data.”
Now, on the less control side, first Evan Morgan of Ally said, “You are at the mercy of the cloud service provider’s tooling. Example – not all services are equal on capabilities across them all. And then Brendan Hannigan of Sonrai Security said, “An identity, access, and permissions morass. Serverless functions have rights to your data too!
Countless numbers of non-people entities have access to your data with paths to this data often hidden in layers of cloud IAM complexity.” So, I think this amazing amount of tooling is great, but I think that amazing amount creates this double-edged sword of, “Oh, wait. We’ve created more problems, haven’t we?”
[Geoff Belknap] We have. And the way I like to think about this is the main problem we’ve created is it is now a problem of legibility. We have all this visibility, we have all this surface area to create policies and enforce them, but now we have much less ability to understand what’s going on in terms of those policies, where they’re implemented, are they consistent, do they do what we want them to do.
And I think that’s kind of what Brendan’s getting to here is that especially when it comes to identity, which I know Brendan kind of specializes in, you have to focus on what you’re doing. It’s no longer acceptable to just say, “Oh, you got read/write or you’ve got read only access.” You have to write these really understandable policies of who has access to what and why and under what conditions.
And that has to be something that’s legible or understandable to everybody that’s responsible for that environment. And at the same time, I think Evan Morgan is making a great example here of you also have to share that responsibility with your cloud service provider and sometimes that is not easy either.
Now, not only do you have more control but you’re sharing control with a third party where you haven’t done that before in the traditional data center space.
[David Spark] Where do you think things are spinning out of control, Amer?
[Amer Deeba] Look, data is eating the cloud. I mean, it’s a huge problem right now. And especially because of what happened during the pandemic and all these innovations and applications that happened and got developed so fast and so quickly in the cloud. It all brought with it a lot of data, a lot of sensitive data, and the fundamental problem is like, yeah, we focus on securing the infrastructure and making sure we have a solid one but what about all this data that’s just moving and getting proliferated in the environment at av very fast pace in structured, unstructured type of data stores and this is becoming a big problem for the security teams.
Where’s the sensitive data? Who has access to my sensitive data? Are there shadow data stores out there that are popping in the environment that I’m not aware of?
And managing all that risk and compliance that comes with it is a big problem. So, yes, there’s a lot of telemetry and a lot of visibility, but also how to tie it all together and to connect it in a functional way so security teams can understand where the important data jewels are and how to secure them is still a huge problem and that’s what companies and security teams are struggling and trying to solve at scale.
Especially in a multi-cloud environment, which almost every company is now in a multi-cloud environment, and I think Geoff can confirm that from his own experiences.
[David Spark] It seems, by the way, everyone is dealing with this. Like, who isn’t dealing with this? Let me come back to you, Amer. Just what has been the one – let’s just pick one way – of these sort of major complaints about losing control that you think we’re gaining ground?
[Amer Deeba] So, look. The CI/CD cycle, it kind of came at this kind of movement that came into the cloud and the fast development pace where so much innovation happened so fast. And that, of course, created a lot of benefits to businesses, but also it created a lot of complexity. From a security standpoint, a lot of the trust factors that you had when you built these applications in on-prem and you brought them into the cloud in this fast movement, all these trust factors went away.
You had some of them, you gave it to someone else or to your CSE to manage for you, so you sort of had control but not full control of it, and others got just distributed within the CI/CD cycle to various constituents. And trying to kind of connect them together in a way to maintain that level of security in a fast-moving development cycle is very hard.
What’s the issue here?
8:32.245
[David Spark] Gabe S. of PDC Technology said, “Cloud is offering more security solutions at the risk of putting all your eggs in one basket. Take Azure, for example. They’ve really created a granular zero trust environment that is relatively easy to deploy, integrate, monitor, and respond to threats.
How you configure and manage this is directly related to your security posture. CSPs, cloud service providers, have an interest in organizations being secure. With that being said, they have dropped the ball in default settings and incidents like signing malware and patching.”
And Dr. Magda Chelly of Responsible Cyber said, “In theory, we often gain more control in cloud data through centralized management and automation. However, in practice, losing control occurs when dealing with multiple cloud providers and inconsistent security measures, which unfortunately happens often.
A potential remedy could be implementing unified security policies across platforms.” Geoff, that last line seems like the one that we all want to rally around – unified policies, yes?
[Geoff Belknap] Yeah. That’s where we’re all headed towards, where we go, “Okay. We’ve got a policy in our one cloud provider, we’ve got another policy in our on-prem systems, and now we’re going to bring another cloud provider in or maybe a third-party processor.” It’s really tough for people like me out of the box to make sure that the policy I’m enforcing one place is consistent everywhere else.
[David Spark] Now, I pause you in just that right there. One of the issues that came up in the previous segment was the fact that capabilities are not always equal provider to provider. Is it now difficult to possibly impossible because the capabilities don’t exist uniformly across to even implement consistent policies?
[Geoff Belknap] It still is a problem. I think it’s becoming less and less a problem. I mean, I feel like my parent company has a fine cloud product and the amount of capabilities that exist there that don’t exist in other cloud providers, it’s pretty minimal. Now, how they’re implemented, how they’re exposed, via methods or APIs or in the UI or how effective they are is kind of all debatable and variable everywhere else.
But it’s not the capabilities that are mismatched. It’s really that visibility to one customer that might be using Azure and AWS and GCP, maybe the Oracle cloud because they’ve done acquisitions or they’ve been around a while and they’ve got different systems. It is difficult for them to see a consistent picture, even consistent visibility across all of those clouds without significant effort.
And that leads to this feeling that you’ve lost control when in fact you’ve gained more control but you’ve upped the complexity of managing across all of those environments.
[David Spark] Where do we get the consistency control, Amer?
[Amer Deeba] By the way, I agree with what Geoff was saying 100%. I think the differences between the clouds and what they can offer is becoming less and less kind of visible but the semantics how you go around implementing it and get that visibility and control can vary from one cloud to the other.
And customers that are trying to do everything themselves, especially in a multi-cloud environment, it can be a bit complicated. And I think this is where looking at kind of what’s out there, what other tools can help you work and establish these controls in a consistent manner across in a multi-cloud environment can bring a lot of efficiencies into the process.
Specifically from my point of view when it comes to data, I mean, there are now a lot of solutions out there that can really help you understand and get that visibility at all of your data in as multi-cloud environment and establish these controls in a consistent way that can give you kind of a uniform security standard that you can apply about any type of data at rest or in motion within these cloud environments.
So instead of trying to amalgamate different tools and processes and implement them differently from one cloud to the other yourself, be open to bringing in these type of solutions that can really help you implement that better and faster and quicker.
Sponsor – Normalyze
12:52.197
[David Spark] Before I go on any further, I do want to talk about Amer’s company. That’s Normalyze. Remember how I spelled it? Normalyze? Don’t forget that. So, Normal with Y-Z-E at the end of it, that’s the easy way, and then add a .ai and you’ll be at their site. But let me explain something about what they do.
So, the rise of cloud computing and the resulting data sprawl is creating many security and compliance challenges for organizations across the world. Today, enterprises find their most important asset – their data, I don’t need to explain that to you – but we find it scattered throughout multiple cloud environments, and security teams are hampered by limited visibility and control.
More data movement means more exposure and risk, so both data security posture management and around-the-clock monitoring of the movement across the environment is key to securing the data and preventing expensive breaches from occurring.
Now, with Normalyze you can actually discover, visualize, and secure all your cloud data in minutes. In a nutshell, Normalyze enables security teams to analyze, prioritize, and respond to data threats and prevent damaging data breaches without spending days on manual discovery or drowning in alert noise.
Now, the Normalyze cloud-native platform manages data security posture and compliance by automatically tracking all risks to sensitive data, visualizing who can access what, and quickly blocking unauthorized access or vulnerable points of attack. With data-in-motion, data lineage, and anomaly detection capabilities, security teams can continuously identify cloud [Inaudible 00:14:29] sensitive data, both at rest and in motion, to secure access paths and reduce the risk of breach.
You can get the full picture of your cloud data now with Normalyze Freemium. I like the sound of that – Freemium. Just go to their website, it’s normalyze.ai.
Where does the solution fall short?
14:53.599
[David Spark] Steven Smith of Zwift says, “SaaS. It’s a simple thing for any number of teams to set up a SaaS to just spew data wherever they want. This is extremely difficult to work with at scale.” And Raj Krishnamurthy of ComplianceCow said, “Losing control is inevitable as we decentralize and distribute systems and processes.” So, Raj and Steven here seem a little distressed and maybe potentially say, “This is just inevitable that with SaaS platforms that anybody can deploy and put data into, and the fact that we’re so highly decentralized, we don’t have a choice but to deal with this.” I don’t know if this is what they mean but is it potentially a losing battle, Amer?
[Amer Deeba] It is not a losing battle. I mean, SaaS is part of our reality. I mean, we face it every day. With again, back to the point I was mentioning earlier, you can understand and classify the data that’s going into your SaaS environments now in very effective ways and across in a multi-cloud type of environment.
Trying to do it yourself might be an over daunting task to implement that from scratch. But looking at solutions that can really kind of connect into these SaaS applications in a secure efficient way and to understand, classify the data that’s in it and understand what’s going in and what’s going out of it now is something that’s becoming a standard practice for many security teams.
And there are various options that can allow you to, again, depending on your use case, how to go after it and implement it in an effective and efficient way. SaaS, think of it as just an extension to the cloud. It’s not IaaS, it’s not PaaS, but it’s SaaS and that’s where data is being across all these type of environments.
It’s a reality we have to live with and understand and put all the controls around it so we could measure the level of risk and secure it properly.
[David Spark] Geoff?
[Geoff Belknap] Yeah. I kind of think about this in a slightly different way. I think where people are feeling things fall flat when it comes to SaaS or the cloud and they really struggle is when you are in your own data center, the number of tools that you have to use to secure a tool or a solution that you’re building or deploying to the internet was fairly limited and you understood.
It was firewalls, maybe you could get exotic and you did network recording or IDS and maybe you had a WAF. Now as you push things into the cloud or you embrace third-party SaaS, those tools are not effective for a SaaS product. So, you’ve got to use something like our guest’s product or you’ve got to use some other product that helps you see what you need to see in that specific SaaS tool.
And it might not be consistent or it might not be exactly how you used to see it in your network security tooling or your IDS or your IPS or your WAF.
So, you have to really rethink how you’re mitigating and managing the risk that you had before because you’re using a new set of tools to do that and there are pros and cons for each of those tools and there are different capabilities for each of those tools compared to what you used before. That is a struggle because you’re not only growing the way that you think about risk, you’re growing and you have to have your team learn what are the new tools, what can they provide, whether it’s similar ways to manage that risk.
That stuff’s hard. That’s just the industry growing fast while we’re all just trying to adapt to the last thing that grew. That’s going to be a consistent challenge for us. Like five or six months from whenever this is recorded, we’re probably going to have this conversation and it’s going to be generative AI.
And it’s going to be a very similar conversation to that where there aren’t any generative AI-specific tools available for us to protect today and we’re going to have to rethink how we do that.
Is anyone happy with this solution?
18:47.015
[David Spark] Mike Van Orden of Emanate Security said, “Discovery and visibility tools have come a long way, surfacing many unnecessary privileges, unsanctioned SaaS apps, or misconfigured cloud workloads. But there can be so many alerts that security teams often don’t have the bandwidth to share them with the right users.
I might get into the world of vulnerability management here. Unfortunately, that leaves users both in control of data and in the dark about how they could be helping to keep it safe.
And Naresh Balasubramanian said, of The Washington Post, “It is hard to keep up with the new offerings and features in the cloud platform and understand the security implications as companies rush to the market with a shiny product or feature.” Amer, I’ll let you take this first. There’s this fear of we’ve got the knowledge but we can’t pull it off because either the tools are moving too fast or we can’t get our own systems in check to be able to manage the knowledge that we have to be able to deal with it.
Do your customers feel this way or did they feel that way before they came to you?
[Amer Deeba] Definitely. I mean, the problem is there and the ability to get that visibility that you need and the discovery that you need to do across in a multi-cloud environment can be an overwhelming task to do right. But there are ways to do it better and there are tools and solutions that can help you bring that visibility to you and to your team in many consolidated ways that can sort of really allow you to be a lot more efficient at what you do and make better and faster decisions.
There’s so much telemetry that we can collect from a cloud environment, so much telemetry about the environment itself, its security, its configuration, vulnerabilities within it.
[David Spark] But it’s a skipping ahead to, “I’ve got the knowledge. How do I translate that into action?”
[Amer Deeba] In order to do that, you really have to have the right tools to bring it together in a way so you can connect the dots in an effective way and understand really where the risk is and prioritize remediation to it. And this is really what our whole premise and approach of my company is that we want to help you focus on really what’s important.
Because so much telemetry you can be collecting from a security perspective in your cloud environment can also be false alerts or alerts that are of no interest to you at this moment.
So, you really need to pay attention to what’s important, which is where’s the most important sensitive data in your environment and what you need to do to protect it. What are the attack paths that can lead to compromise, that can lead to data exfiltration, that can lead to data leakages that you should be aware of right away and remediate them immediately and have the right workflows to share that information with the right teams to address these problems in a quick way.
And I think if you approach it that way and you take a step back and you try to bring kind of security into it, information security, this will be a huge win for many companies. And that’s sort of what we hear from our customers and working with our community.
[David Spark] Geoff, what’s the frustration of too much knowledge, not enough connecting that to action? Where does that frustration level lie?
[Geoff Belknap] I would just rephrase that as the frustration is really too much information, not enough knowledge.
[David Spark] I got it. So parse that.
[Geoff Belknap] Yeah. We’re in a situation where it’s a lot of work to go from your typical native PaaS or IaaS platform to enough knowledge that you can make decisions about whether something’s bad or good from a security perspective. And sometimes where people get lost, and I admit this has happened to me before, is it can be a lot of work to just get to the point where you’re getting that information out of the platform, the infrastructure that you’re working with, and into your security tools.
And sometimes that can be so much work or so much information, like so much data, that you forget the other half of the problem is building knowledge on top of that.
Like I can generate a billion log lines of data out of my cloud platform if I just turn on all the knobs and switches. But not all of that is useful from a security perspective, and if you don’t understand what assets you have there, what their value is, what data they’re handling, how they’re handling that data if a third party’s involved, you can’t go from data or a stream of information to security-relevant data.
And a lot of times, that can be very challenging, and we forget about that challenge. And then sometimes as we’re working on that challenge, something might change underneath us and the meaning is lost. So, today it is hard to find solutions that make that problem easier for you, and it’s certainly, just like we talked about on several other shows, it’s just hard to find solutions in general because security companies have trouble rising above the noise of every other security company.
[David Spark] By the way, this is a theme we deal with since day one of the CISO Series.
[Geoff Belknap] Yeah. So, this is the double-edged sword of like, “Yeah, I know everybody really wants to email me personally to talk to me about their company but not everybody understands the problem.” We had this problem maybe a year or two ago, I think we’ve passed it, I hope, knock on wood. Everything was zero trust.
Well, now everything’s probably AI but everything is now like, “Hey, we’re going to solve all your cloud security problems.”
[David Spark] Zero AI trust.
[Geoff Belknap] Oh, don’t, David, don’t. All right, Gartner, if you’re listening, don’t listen to David. Do your own homework. But I think now we’re just starting. Like, companies are just starting to help us solve these problems of how you use this data for your security program, and it’s still a challenge.
This is not a fully solved problem yet.
[Amer Deeba] It’s improving, improving though.
[Geoff Belknap] Absolutely.
[Amer Deeba] With a lot better new options and better options. And, again, depending on your use case and what you’re trying to do, think there’s definitely a lot of new innovations that are helping. Including us, of course.
[Geoff Belknap] Of course.
[David Spark] Yes. And I get the sense that the two are kind of rushing after each other, if you will. Like one keeps getting further away, and tools like yours, Amer, are trying to desperately catch up because there’s the demand. The audience has the demand for it, as we’ve clearly seen.
[Amer Deeba] And no doubt it’s a very hard problem. I mean, especially if you’re trying to do it in a multi-cloud environment, it really compounds the complexity and also the variety of stuff out there that’s [Inaudible 00:25:16] within in the cloud from a data perspective, [Inaudible 00:25:18] perspective, it just makes it really, really complicated.
[Geoff Belknap] And the hard part for security teams is not that there aren’t solutions like Amer’s out there. It’s that I’m just following the business. The business is figuring out where it wants to go and the engineering teams and product teams that support them are trying to figure out how best to support that.
And the security team’s just left sort of going, “Okay. Well, we’ll figure it out. For whatever building blocks you choose to implement, we will figure out the best way to do that.” And it takes a while to cycle through that and find a good stable medium.
[David Spark] Excellent.
Closing
25:49.000
[David Spark] Well, this brings us to the point of the evening where I ask both of you which quote was your favorite and why, and I will start with you, our guest Amer. Which quote was your favorite and why?
[Amer Deeba] One of the quotes that I liked the most was Avani D. from Schellman says it’s important to adopt a more data-centric approach to cloud security. This means understanding the value and the sensitivity of the data being stored in the cloud and implement the controls that can protect it through its life cycle.
[David Spark] Now, hold it. I’m just going to clear up for our audience – this was not a quote that was used in our show but I had some extra quotes. We’re totally cool and Amer wanted to pull that one out. Why do you like it so much?
[Amer Deeba] It sums it all up. It gives you kind of focus on what’s important, which is data, your crown jewels, and start from there because that really will help you prioritize and drive remediation and protect it through its life cycle. I feel like it’s very concise and to the point and kind of summarized what we are trying to accomplish within my company.
[David Spark] My apologies for forgetting to put it into the show. Geoff, your quote and why did you like it so much?
[Geoff Belknap] I’m going to pick Raj Krishnamurthy here from ComplianceCow, “Losing control is inevitable as we decentralize and distribute systems and processes.” And I think the real important thing is, and I guess you can’t see me giving air quotes here, but “losing control” is in quotes. And I just want to underscore – a lot of times we’re not actually losing control; we’re losing control the way we used to do it in the data center or in your on-prem environment.
[David Spark] Ah, good point.
[Geoff Belknap] And now we have to gain that control through other methods, through other tools, through other capabilities, whatever it might be. That control is absolutely there in the cloud. It’s just a matter of us figuring out how we want to do it in the new model.
[David Spark] Ah. And that brings us to the true end of this show. I want to thank our sponsor guest Amer Deeba who’s the CEO and Co-founder for Normalyze, our sponsor for today’s episode. Normalyze, it you didn’t all know, is the data-first cloud security company. And now that I look at that, I’m like, “Well, no wonder you like Avani D.’s quote because he was data first in his quote.” Makes sense.
For our audience, please go to normalyze.ai. Geoff is always, or sometimes, or maybe looking to hire great talent. But if you for some reason did not want to work with Geoff, well…
[Geoff Belknap] And that’s fine.
[David Spark] ..there’s this website called LinkedIn and it has lots of great opportunities.
[Geoff Belknap] It sure does. It’s a fine little website, we’re very proud of it.
[David Spark] Amer, are you hiring over at Normalyze?
[Amer Deeba] Yes, we are, and you can find it at normalyze.com/careers.
[David Spark] Oh, there’s a dotcom? I thought you were .ai.
[Amer Deeba] And .ai, both of them.
[David Spark] Both of them work. Either way you’ll find him.
[Amer Deeba] Yeah. The .ai, we’re .ai company. So .ai/careers, you find them there.
[David Spark] All right. Any last comments, you want to make a pitch about Normalyze, or do you want to make an offer to our audience? Please.
[Amer Deeba] We love customers. We have a great solution for you. We help you regain the visibility and control and trust of your data in the cloud, across all the clouds, come and check us out, see our website, talk to us, try our Freemium, and we’d love to help you with any data security or data security audits that you’re trying to do.
[David Spark] Excellent. Thank you very much, Amer. Thank you very much, Geoff. Thank you so much to Normalyze as well. And thank you, our audience. We love, love your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.