A Deep Dive into IAM and Cloud Security

Released Monday, 4th December 2023

Episode Transcript

0:54

How's it going, Jeff? It's really good to finally have you on the podcast here. You know we've been trying to put this thing together for several months, but then, you know, it's just one thing after the other in both of our lives that, you know, randomly comes up like 30 minutes before we're going to do it.

1:14

I know, I know, the stars have finally aligned, Joe. It's good to finally, you know, make it happen. So glad to be here.

1:21

Yeah, definitely. Well, I'm sure we're going to have a great conversation, you know. Hopefully it'll be valuable to some people out there.

1:29

I hope so. I hope so. It's an interesting world that I live in daily, that, you know... Hopefully we can get a couple of nuggets out there that are really helpful, just based on what I see day to day with this world of insane access and privilege risk in the cloud.

1:43

So oh man, I can talk about IAM forever, but, you know, before we get into the IAM stuff, you know, Jeff, why don't we start with what your background is, why you got into IT, why you got into security, what that journey was like. Was it faster than you expected? Was it slower than you expected? What was that like?

2:03

Yeah, so I've been in InfoSec now for a little over 20 years now. Yeah, and I've been in IT since '99. And it's interesting, you know, I went to college here in Atlanta and I got a degree in human resources. Joe, it is the last thing that you would expect with what I've been doing the last 20 plus years, but I quickly realized after I went to business school that that is not what I wanted to do full time. I was really a nerd at heart and ripping apart PCs since I was, you know, since the early nineties, logging into BBSes and all that crazy stuff, using Gopher and all that. You know, the stuff that really, really dates me as I talk about it now and think about it. But I was like, you know what? I want to get into tech. That's what I really want to do. And back then, like, one of the big training centers all over the world was called ExecuTrain, and I went there and got my A+ cert back in '99. And they saw I had a passion and they offered me a gig. They were like, do you want to? Just, you know, a job here setting up classrooms every day? And, Joe, that fast tracked me through the whole, you know, NT4, MCSE, and, you know, setting up 13 Microsoft classes a day. You'll learn real quick, right, and so that's how I got in IT. And then I got into information security at what many think is the original Internet security company, which was Internet Security Systems here in Atlanta. And if you look at it today, there's hundreds of InfoSec companies that have spun off because of ISS back then. So that's really where I just dove straight into InfoSec and I've been doing that ever since. And, you know, I was focused on on-prem infrastructure security for many, many years, like I'm sure you were, right, like we all were, through the early 2000s. And then I left Cisco around three and a half years ago, where I was leading, you know, a team of sales engineers, to come over to Sonrai and focus on public cloud security full time. And Joe, holy cow, was I humbled. I thought I understood the public cloud and I thought I understood how to secure it when I was at Cisco, because of infrastructure as a service and monitoring flow logs and protecting VMs. I had no idea about what was happening at the platform level in these cloud service providers, and so that's what I've been focused on the last three and a half years. It's what I do day in and day out, and, you know, I consult, I, you know, teach customers how to build, you know, a platform security strategy focused around access and privilege, and so that's what I do full time, and it is, it's a challenging, challenging world that we are trying to protect now as it relates to cloud native, and so I'm sure we'll get into it here as we, you know, continue the conversation.

4:54

Yeah, absolutely, you know, the cloud. I always tell people that, you know, cloud security is like that graduated level of security. You know, you need experience in several other domains, you need to be deploying technology in those domains before you start jumping into cloud security. Because, you know, cloud security, you can't walk over to a server and unplug it, right. You can't walk over to a server and console into it. You know, like, that stuff doesn't exist, and a lot of people, you know, their initial response would be like, oh well, that's a problem on the cloud provider. It's like, these contracts are written very differently. It's so true, and the cloud provider is like, never.

5:43

That's a great point, because a lot of what I do nowadays, Joe, is I relate the public cloud situation to the world that you and I both came from, and so many of the folks listening, right, securing data centers and colos and hardware, and, you know, rack and stack and servers and routers and switches and dealing with core and access and distribution issues and firewalls, right. And, you know, what I liken it to, you know, as far as the world that I see all the time is, it's almost like you built a data center, right, and what we do when we build a data center, we fortify it, right, we put in our firewalls and we build our DMZs, then we build out our different access layers and it's all zoned and segmented, right. That's just what you do. It's not a nice to have, you got to do that, right. But when we plug in here at Sonrai, when we plug into customers' environments, it's very interesting, to put it gently, because everything's flat, everything can talk to everything in so many scenarios, and it's just because organizations, just like you said, they were thinking, well, the cloud provider is going to take care of all that for me. They're going to secure it, they're going to segment it, they're going to zone it. Each little thing that I provision, each little resource or microservice that I provision, it's going to be in its own little, and again, to liken it to the network days, its own little broadcast domain, okay, where it can just talk to itself and maybe, if I tell it to go talk to something else, that's great. But that's not the case, right? And so they're just not aware that they really need to be thinking of securing the public cloud the same way that they do on-prem. That you really, really got to be thinking about segmentation. But in a cloud-native world, when we do the segmentation, is it layer three, layer four? No, it's at layer seven, it's at the application layer. Right, it's abstracted through the access fabric. That's how everything lives, breathes and communicates, is through the, you know, like you said, IAM, but you got to start thinking of IAM like a network, because that's what it is, and so it's so true, when you relate it to something that they're very, very familiar with, all of a sudden, you know, folks' eyes open up.

7:54

Yeah, it's a really good point. You know, at my current organization, right, I wanted to, you know, create a resource that I could reach out to the internet. It's in a dev environment, you know, because I was trying to test something, right, and the entire dev team that owned that entire function was like, it's impossible, you're not going to be able to do it. We're not turning off this rule that auto, you know, removes it, all these things, right. I was constantly told it. I was like, guys, I'm going to get around your rule. Like, I'm getting around it. You know, like, whether you like it or not, I'm getting around it. I know what I'm doing. I'm sorry, like, I know that you've spent, you know, five, six years in the cloud and whatnot, but I know how this thing works. I don't get these certs by not knowing how this, how AWS, works, and, you know, sure enough, right, I got through it. And then the next thing that they're complaining about is I'm firing off a lot of alerts. Like, okay, I'll just bypass your alerts. That's not a problem.

8:56

Yeah. Well, I think that, you know, back in the days of the on-prem world, you know, everything was, you know, the IT staff. They could do that. They could, you know, manage everything through very, very specific, finite ingress/egress points. Right, and if you wanted to do something to test, you had to put in that change control request and you had to, you know, you were at their mercy. But now, you know, Joe, if you want to go do that, just go do it, just go build it. I mean, there's not, in the cloud, there's not, you know, one or two ingress/egress points, there's thousands. I think it's fascinating, I think it's absolutely fascinating, Joe, that if I want to log into your cloud right now, all I need is a cred, right, and my laptop right here. So technically, my laptop right now is two commands, aws configure. It's two commands away from being dropped dead in the middle of your cloud. That's fascinating, right.

9:57

Could you imagine if, like, AWS had a, you know, some bug that bypassed their login? You know, like you were able to just do it via the console or something like that. You, if you, just if you guess the account number right, you know, you're in the account, whatever it might be. I always think about that because it's like, man, we're putting a lot of trust into this thing to not fail, and it's created by people like me, and, you know, I'm not the smartest person in every single area, like I'm a little dumb here and there, you know.

10:30

Yeah, it's, it's. It's fascinating. I mean, it's bypass all of your security measures, right, all I need is a cred, and with one command, with, you know, the AWS or GCP or Azure SDKs, with my laptop here, I'm just dead center in the middle of your cloud. It doesn't matter what you've got protecting it at the perimeter, and so that really, I think that's what fascinated me when I started to learn about identity risk, is how quickly you could be in the hub of a customer's cloud environment, regardless of what they've done to protect the spokes that they think are the entryways. I mean, they are entryways, but more and more often, what, you know, you and I are seeing now in the market is that folks are just logging in, they just log right into the center of your cloud, and that's where things get really, really hairy.

11:18

Yeah, it's a really good point. From a cloud engineer slash architect, my biggest problem is IAM, by far. You know, it's, it's IAM, trying to manage the roles, right, what roles we have, what accounts we have, what services are using what. It's pretty close to an impossible task without, without a solution that is dedicated to it. You know, it's really frustrating. The most frustrated time that I've ever been was when I was working in IAM on-prem. That's when I used to have hair. It's terrible, you know. It's like, it's a, it can, it can really make your day very difficult or it can make it relatively smooth, right. I feel like it's just like up to the power of that IAM service, or whatever it might be, is like, are we going to have a good day or are we going to have a bad day?

12:12

Yes, yeah, and it really is, is daunting. You know, I recently heard a term that, it just, it resonated so well with me. I heard it, I just came back from, September, this was in September, but it was back in, it was in Seattle, Bellevue, right, and hosted by the Cloud Security Alliance, and I heard a comment that just really, really resonated so well with me, and it's that you've got to be thinking about cyber garbage, identity, identity, identity litter. Think about that. That's what we're up against, is, like you said, you know, IAM, when it does work, it creates all of these personas, these usually non-person identities, which are vast and vague as to, as far as what that constitutes. Right, but it's just as equally, if not more, dangerous than a person identity. But projects come and go, priorities change, life turns over, for whatever reason. Right, attrition, and what's left is identity garbage, identity litter. Right, but it is scary because it has rights to go do things, right. All it takes is an access key associated with a role or token or someone getting a cred out of, you know, GitHub or, you know, S3. It's still happening, right. Global exposure is rampant, still. So you have all of those different kinds of vectors that are just sitting out there, hundreds, if not thousands, that you just don't know about. Like you said, if you're not intentional about it, if you don't have a tool that's designed to go crawl and map it all out and figure out what's out there, what can it do and what can it access, then these are all things that you're blind to, but they're all entry points straight into the heart of your cloud. It doesn't matter how much vulnerability scanning you do or, you know, which compliance standard you're adhering to. None of that matters, Joe. Throw it all out the window when someone grabs one of those creds and uses it to their advantage. So really, you've got to be intentional about understanding what's out there, right, and cleaning it up, getting rid of the litter, getting rid of the garbage, and then governing it moving forward.

14:27

Yeah, it's a great point. You know, it's hard to fathom the scale at which you can create thousands of IAM accounts and roles in your environment. And I'm in this thing, right, I do this every single day. It's even difficult sometimes for me to imagine it, and, you know, so, I work for a large automotive manufacturer, right, you can easily guess whichever one it is. I'm not going to say any more than that. But, you know, we consume cloud services almost as a service, because our parent company, the one that owns us all, negotiated the contract with the cloud provider and kind of offers up these services as a service to us, right? So they're building out our cloud tenants, they're giving us a blank template, right, to work with, and they have their own controls around it. And their thought, you know, I was talking to these guys and they said, well, how bad can it really get? Right, we're not giving them everything. Why do they need to create all this stuff? They literally said, I bet they won't need that many IAM accounts or roles, right, because we're giving them the template. And very quickly, within six to 12 months, we were at 200,000 accounts, 200,000 accounts across our tenants. And how do you expect that? How do you have a solution that manages that? You know, when I was doing IAM on-prem, we were dealing with 42,000 accounts and we had maybe 2,500 employees. Each employee had five accounts. Most of them didn't even know that those five accounts existed, and so, like, we had a lot of dead accounts, right. So, like, if you really factor that in, we're probably at, like, you know, 10,000 accounts, right, 10,000 actual user accounts that are being used. This is 10, 20X that.

16:40

It's insane, it is. It is. You're talking about a very person-oriented landscape. I would venture that for every one person identity that we at Sonrai see here in customer environments, there's 10 non-person identities to go with it. That's what's really, really fascinating, is the explosion of NPIs. We call them non-person identities, and they are roles, service principals, managed identities, access keys, tokens, things that grant access and privilege to go do things, but they're not as simple to understand as, hey, we're just going to create a user account. It's NPIs that we really, really have to be thinking about. The other thing, Joe, is, even, it doesn't matter if it's a user account or a non-person identity. You've got to be thinking about the permissions on them, right? It's not just, hey, we're going to go create an account that lets you go do things. You've got to be thinking about the excessive permissions and entitlements on these things and treat that as risk as well. Not just thinking about cleaning up things that are orphaned and abandoned, but the things that we do need for the applications to run. There's a concept that is growing, thankfully, in this industry of least privilege. It's a holy grail. Can we get to least privilege? I don't know if anyone's ever going to truly get to least privilege, Joe. That's like saying you're going to fix every vulnerability. You're never going to fix every vulnerability, right. But if you understand which identities mean the most to the business, then you can focus on at least getting them to least privilege, so that if and when someone does get in, they can't go wreak havoc in your environment.

18:20

Yeah, getting to a full least privilege state. I mean, the only way that you do that is if you started from the inception of the company. That's literally the only way that you, you got to build it into the development process too.

18:34

That is a lot easier said than done, my friend. When we plug in, everything's already out there. Everything's already living and breathing. The litter and garbage is out there, but in a greenfield environment, oh my goodness, how cool would it be if you built least privilege into the actual development process. That's something that we preach here at Sonrai, is being able to do that, so that when you do push to production, you've already removed all that nonsense. You've got to have a lot of cooperation and collaboration with the development team, though.

19:13

Yeah, that's very true. You have to have everyone on board. When you were starting out, or even throughout your career, did you ever feel like, this isn't a fit for me? This is too far above my head. I don't understand what's going on here. They surely hired the wrong person. I ask that because I started in IT, I guess technically, in high school. I didn't know anything. I knew how to plug in the USB and install whatever was on it, that's it. But as I went through my career, for instance, one role was nothing but Linux. I might as well have had Linux on my laptop that I was using for the job. That's how much we used it. I felt like I was not a fit for that role at all, by any stretch of the term. I ask this question because I actually get a lot of questions about that. I feel like I don't know enough, this isn't a fit for me, and whatnot. I feel like it's more about time and you putting in the effort than anything. It will eventually come. I'm wondering if you experienced that as well.

20:23

I did. It's a great question. It takes me back. It takes me way back, when I left that training company and got my first network admin role. It was at a company called Dice.com, which you may have heard of. I don't even know if they're still around, but it was like the IT job site back then, before Monster. I was their network admin for their training division. I will never forget being given the keys to that server room and looking at all the routers and switches and the firewalls and everything. They're like, okay, it's all yours. I was like, okay, I may have bitten off more than I can chew. I don't know the first thing about any of this stuff. As far as the routers and switching, all of that, I could administer Windows till the cows come home. But I'll never forget, we had an outage. I had to deal with the PIX 506 back in the day, if you remember what a Cisco PIX was. It predated the ASAs. I started with the ASAs. Yeah, I will never forget. We had an outage and luckily there was a senior administrator who got on the phone with me and walked me through the crypto map statements and all that ISAKMP stuff, if you remember. I did not know what I was doing. But I really, really, I felt over my head, a little bit of imposter syndrome, if you will, but I was humbled enough to not be afraid to ask for help. I think that's the key, is that I realized, you know what, I can do this, I can be successful at this if I don't act like I know what I'm doing, if I'm able to say, you know what, I'm not an expert at this, but if you can show me, I can take this and run with it. I think that that was a big, big turning point in my career, is not being afraid to ask for help, not feeling like I have to be the smartest person in the room or anything like that. But then you got to do the hard work. You've got to actually apply it so that you really do understand the next time it comes around. You're not asking that same person that same question, can you come in and do it for me. As long as you prove to someone that you're learning, that you're listening, that you really, really do care, I found that folks really want to pour into you. They do. Folks love teaching other people things as long as you're really listening and absorbing and being appreciative. I think that was one big thing, right, so that, and fast forward to today, I look at how often that has helped me out in my career, right. Or I'm not afraid to say, hey, you know, you're really amazing at this, is there a way that you can mentor me, right? And so I just, I think that's it. Be humble, don't be afraid to ask for help and be appreciative. It really, it's amazing what people will do for you if that's what you do.

23:15

Yeah, I think that's a great point, and that's definitely something to keep in mind too. You know, when you're going through these different roles, like, you're not going to know everything, you know, and even on this podcast, right, I recommend that if you fit 50% of the job requirements in a posting, that you should be applying to it. You know, because if you're at 50%, I can teach you the other 50%, right, and yeah, it may be a faster pace environment and whatnot, but we can get through that. When it's less than 50%, it gets a little bit more difficult because it's like, all right, you don't have the foundation that we need to build this thing, right?

23:49

I've got a comment on that. So, you know, I've done a lot of hiring over the years as I've led sales engineering and even post-sales tech support and TAM teams at various companies, and you could not be more right, Joe, about, you know, the 50% rule. What I want when I'm looking at folks to join our team is, is passion, right? Obviously, personality, right, is there? Does this person seem a great character? Do they really seem genuine? Do they really have an interest? Is there a path? Is there a drive? Right? I can teach you the other 50% from a technical perspective, if you can bring 50% to the table. And what we've started doing, and what I've started doing in my career, because there is such a tech skills shortage, especially in the area that you and I live in, is, if I can give you a project, I'm going to give you a week. Right, go build this lab out in AWS and I want this lab to do X, Y and Z. And what I want is, in a week, we're going to circle back on a Zoom or whatever and I want you to walk me through how you built the lab. But I want you to show me which resources you used to learn. I want you to show me that you can go figure it out and that you are, you know, that you're creative, that you're a problem solver. I don't care that you didn't know this a week ago, but if you can go learn this and explain this to me and show that you can do it in a week's time, that's all I need to know, because we can work with that, right. And so I think that, absolutely, if you've got, like, 50% skills or whatever and, you know, there's another half that you're not, don't be afraid to go for it and take a shot and, heck, offer it up. Say, give me a chance to prove myself. I think you'd be surprised at what hiring managers will do when they see that level of energy and intent from a candidate.

25:39

Yeah, absolutely. You also got to be taking copious amounts of notes. I found throughout my career, when I was learning different things, I mean, even now I'll take a bunch of notes. But when I was learning, not knowing or not even having the background in an area, I had to take an insane amount of notes. It was an embarrassing amount of notes. If you looked at my, I think it was like Notepad or whatever it was, I mean, you could scroll on that thing for like five minutes, right. But in doing that you become a very valuable resource, because not only are you experiencing it, you're taking notes on it. Those two things reinforce it in your mind, and from that you turn into an internal resource for that company in a certain area. For me, at this company, it was security. Whenever there was a security problem or anyone asked about security, it was immediately, just go to Joe, right, he's the only one that spent any sort of time with it. That's for engineers, that's for developers, that's for the architects, like, that was for all of them. And I was like the lowest man on the totem pole, right. Well, I got there because I took a huge amount of notes and I kept encountering these stupid problems, and so I was forced to learn it. I had to learn it, otherwise I was going to lose my job, right, and I think taking notes absolutely helps, especially when you're starting in a new role.

27:14

It does. It shows you're listening. The cream rises to the top. And for all of us, I think, at this kind of, the level that you and I are at in our careers, I mean, we started, like I started in tech support, level one, right, you got to start somewhere, and your work will speak for itself, right, if you are passionate and if you, like you said, you take notes, you pay attention, you show that you want to just kick butt at the role that you're in. The work will speak for itself, people will notice and it will open the door for new opportunities for you. Absolutely right, and it's just, you got to work hard in the beginning, right, and it will be noticed.

27:57

Yeah , absolutely . I think , a part

27:59

of working hard I

28:02

feel like some people are worried

28:04

about that being noticed part

28:06

, you know , they feel

28:08

like if they put in the work , they put in the time

28:10

, it's going to be for nothing . You

28:13

know , I think that that's the worst . That's

28:15

the worst feeling for anyone to feel

28:18

. You know , when you're putting in the hours

28:20

, when you're doing the work , and you're still not

28:22

getting the job , you know you're still not

28:24

meeting the bar , right , how

28:26

do you keep going ? And , to be quite honest

28:29

, even with this podcast , I have felt

28:31

that at times , you know , like I'm

28:33

doing these episodes and I'm

28:35

putting all this time into it , I'm learning

28:37

how to edit , you know all these different

28:40

things , right , and it feels like , oh

28:42

, nothing is coming from this

28:44

, it's going nowhere . I'm putting my time

28:46

and effort into something that's not going

28:48

to help me in any way . It's almost like , you

28:50

know , the universe , right , shows up

28:52

, just gives me a little nugget , like , oh

28:55

, you didn't think that this would ever happen

28:57

and it happens . You know things

28:59

like that , it's a

29:01

grind , it's it is

29:03

, it's hard , there's no way around

29:05

it , unfortunately , yeah

29:08

, it's true , but I mean , that's

29:10

how life goes .

29:11

Yeah , right , you got to fight for

29:13

anything worth having and it's

29:15

not going to come easy and you're going to have

29:18

to stick it out . And you

29:20

know , like you said , that's happening with the podcast and tap

29:22

with me in my career . But I will say this also

29:24

, you know , by the way , I'm not known

29:26

for having a great filter . I'm

29:28

known for being overly transparent at times

29:30

, right ? But guess what ? If it's not working

29:33

out for you , if you're working your butt off and

29:35

it's not being rewarded , if they're not noticing

29:37

, right , and you think that you've done the things

29:39

that you need to do to be noticed , then don't be afraid to

29:41

make a change . I'm

29:43

serious , don't be afraid . Don't think that you're

29:45

stuck in this rut and that there's not any options

29:48

out there . Don't be afraid to put yourself out

29:50

there to see if there's other opportunities that

29:52

could be rewarding , right ? And

29:55

I think that that's kind of what fascinated

29:57

me so much about coming to Sunry from

29:59

Cisco . You know , like I said I was

30:01

because I there's a reason that Cisco

30:03

is the number one company in the world to work out . It's

30:06

fantastic , you know , I just so

30:08

tell me friends over there and everything . Maybe one

30:10

day we'll all go back to work at Cisco , right ? That's not really

30:12

the point of the conversation here . The

30:14

point is that I want to try

30:16

something new . I wanted to try something adventurous

30:19

, right and and Sunry gave

30:21

me a great opportunity to do that right . For you

30:24

know , back then it was a series A startup . I took a big

30:26

risk right , and Sunry is a fantastic place

30:28

to be now . But

30:30

you know , the point is that

30:32

if you are , if you

30:34

feel like you're you know , like you said , not getting rewarded

30:36

, if you are working your tail off and you don't

30:38

see a trajectory , then stand

30:41

up for yourself and make a change . Don't be afraid to .

30:44

Yeah , it's a really valid point . You

30:46

know , and I don't want to , I don't want to linger

30:48

on this topic too much , but I think that

30:50

this story will help someone out

30:52

there for sure . You know

30:54

, I have a good friend that I worked with

30:56

at a financial firm

30:59

and you know

31:01

he was very content with his

31:03

role , with his company , everything

31:05

like that . And the management

31:08

didn't believe in him , you

31:10

know , because they paid for him to get a certification

31:12

, like two times

31:15

, and he failed the test , you know , not

31:17

for lack of trying , it was just a really hard

31:19

test that he was taking . And

31:21

so they told him hey , we're never going

31:23

to fire you , but we're never going to give you a raise

31:26

. You're going to get the same bonus . You know

31:28

you're on out , you're going to be in the same role

31:30

, you're going to be doing the same sort of stuff . You

31:32

know you're not going to lead a project or anything

31:34

like that . And you

31:37

know he worked with all of his friends For

31:39

him . He values , you know , friendship

31:41

over everything else and he stayed in the job

31:43

for 25 years and

31:45

this year he got laid off and

31:48

he never took the time to develop

31:50

his skills , he never took the time to

31:52

invest in himself or anything

31:55

like that . You know , when I was there

31:57

I told him I was like dude , if they

31:59

ever lay you off , like you're going to

32:01

have to completely reinvent yourself . Like

32:03

because the skills that you have are

32:06

so outdated at this point no one

32:08

uses the stuff that you're familiar with . They

32:11

only have it here because you're

32:13

here . They keep you busy with that

32:15

stuff . And now he's in

32:17

this year-long journey of

32:20

figuring out what he wants to

32:22

do , doing some soul searching . You

32:24

know it's like do you really want to be in that

32:26

situation when you're 10 years away

32:28

from retirement ? I mean , this guy is 10

32:30

years away and he has

32:32

to reinvent himself . That's

32:34

the time to coast , in my opinion

32:37

.

32:38

I'm sad that that's becoming a

32:41

very frequent occurrence , I think right now

32:43

, especially in this current economy , and

32:46

, like you said , if you're

32:48

not in a position to

32:51

have to put yourself out in the market to

32:53

be relevant , then I think

32:56

you're doing yourself as a disservice . Maybe you won't ever

32:58

have to hopefully

33:00

you won't ever have to be in that position but if you are , I

33:02

think it's crucial that you

33:05

have skills and

33:07

can not only talk the talk but

33:09

walk the walk with modern

33:11

technologies , especially

33:14

the cloud . I mean , there's such

33:16

a shortage of folks

33:18

, whether it's on the vendor side

33:20

or on the business

33:23

side , that don't

33:25

understand how the cloud works . You

33:27

know , and in this world that I'm in , if

33:29

you don't understand infrastructure as code and

33:31

terraform and cloud formation

33:34

and how things like you know we're talking about IM roles

33:36

and how all that works then

33:39

you're gonna have a really big up to battle

33:41

trying to market yourself to companies right

33:43

now that are looking for folks to secure their networks

33:45

or looking vendors that are looking for folks

33:47

to sell their products right , because everything

33:50

has a spin now . That's cloud native . So I

33:52

think it's crucial that you go ahead and get

33:54

ahead of that .

33:56

Yeah , it's a great point . You know

33:58

, with the cloud and I

34:00

didn't know this until pretty recently you

34:02

know , one of the gold standard certs

34:04

out there , especially for the cloud , is the CCSP

34:07

from ISC squared . At

34:09

least in my opinion it's a gold standard . You know

34:11

it's gonna be what

34:13

the CISSP is known , as you know , kind of

34:16

that gold standard cert . And I

34:18

figured , okay , you know I'm one of a million

34:20

that's got this cert . You

34:23

know , whatever it might be , you know I figured

34:25

I wasn't an outlier by any

34:27

means or anything like that

34:29

. I looked it up and in North America

34:31

there's only 5,500 people

34:34

with the cert 5,500

34:37

. There's a whole lot more than 5,500

34:39

companies in North America

34:41

. Right , and it's not because , like

34:44

the cert , yes , the cert is extremely

34:46

difficult . That test was , like

34:49

probably the second hardest test

34:51

I've ever taken , you know , next to

34:53

the AWS cert that I got that I

34:55

unfortunately have to renew

34:58

pretty soon here . I'm not happy

35:00

about that .

35:04

Is it the solutions architect ?

35:05

No , it's the security specialist

35:07

one . Yeah , okay

35:10

.

35:10

I just I unfortunately I let my

35:12

solutions architect expires , but I was supposed

35:14

to renew it this time last year and I'm like

35:16

I'll get around to it and I still have it . But

35:18

to your comment on the CCSP

35:21

, I agree . So I'm a CISSP and

35:24

to this day I've always said that's probably definitely

35:26

one of the hardest tests I've ever taken in my life . So

35:28

I can imagine what you went through for the CCSP , because

35:30

I don't have that right . But I agree that

35:33

, like that is very , very telling it

35:35

, there's only 5,500 CCSP's

35:37

in America right now , because

35:39

that's just very indicative

35:41

of the shortage I was referring to .

35:43

Yeah , it shows you too

35:45

that if you put in the work , you

35:48

know when you get these certifications right

35:50

, there's opportunity

35:52

available . You know , I think the last

35:55

time I checked there

35:57

was a shortage of something like 5

36:00

million jobs in North

36:02

America , or maybe that was worldwide

36:04

, right , 5 million security

36:06

jobs where it is literally

36:08

there's more openings than there are people

36:11

in the field . You know , that's why

36:13

security professionals are

36:15

always at 100% employed . Right

36:17

, when we change jobs , we're taking two

36:20

weeks off . It's not because we were laid off

36:22

or anything like that . Like I had a buddy that

36:24

was laid off at the beginning of the interest

36:26

rate hike because we were at a very interest

36:28

rate sensitive company . He was

36:30

laid off and I mean the guy

36:32

took a two week vacation and he was back at work

36:34

at another company .

36:37

Like that's what I was . You

36:39

know it's interesting . One thing I want your audience

36:42

to hear too is and this is something I learned

36:44

when I came to Sonry is don't be afraid

36:46

to talk to a head hunter . Yeah , you

36:48

know that's . The whole reason that I came over here

36:50

was because a head hunter approached me . I

36:52

was super apprehensive . I'm like I've never talked to a head

36:54

hunter before . I just go to a company's website

36:57

or it's a friend that gets me an in

36:59

or something like that , you know , through the network

37:01

. But don't be afraid to talk to a recruiter

37:03

, because it

37:06

opened my eyes to this whole world . Joe , I didn't

37:08

know it was out there where companies

37:10

actually exclusively work through recruiters

37:12

. They're not going to post jobs

37:14

all the time on their websites , right

37:16

? So if you've got a recruiter and trust me

37:18

, you know it's like one of those accident attorneys

37:21

they only get paid

37:23

when they get you hired , so it's not going to cost

37:25

you anything , right ? But they're experts

37:28

in marketing you and they have

37:30

inst all these different companies where they can market

37:32

your skill sets , right ? So it doesn't matter

37:34

if you're kind of you know , like you said , entry level , you don't have

37:36

all the skill set , or if you are recently

37:38

, for whatever reason . I mean , this

37:40

is an economy right now where

37:43

you know RIFs and LRs . We're seeing that more

37:45

and more common , unfortunately . Don't

37:47

be afraid to talk to a recruiter because it's amazing

37:50

, you know kind of the doors that they can open for you .

37:52

Yeah , it's a really good point . You know , I've

37:55

actually explored partnering

37:57

with some recruiting firms

37:59

that I've used in the past . That I trust

38:01

, you know , because I've had really bad experiences

38:04

with the recruiters and I've had average

38:06

experiences with the recruiters and then these

38:08

couple that I use , they're just superb

38:11

, they're head and shoulders above everyone

38:13

else . You know , like it's a huge

38:15

difference , right , and so I'm actually

38:17

looking to kind of provide that full

38:19

suite right for my listeners where they

38:22

get that idea of , hey

38:24

, maybe I should talk to a recruiter , well , who does

38:27

security on filter recommend .

38:29

Yeah well , I've got some folks

38:31

that I have grown to really really respect

38:33

and love and work well with over the years

38:35

. That's , you know , maybe offline , you and I can

38:38

exchange those contacts or whatever

38:40

. But that's another thing . Is you got to find a good one

38:42

? Yeah , right , you got to find one

38:44

that actually has the relationships , the connections . But

38:47

there's oftentimes , where you know , there's

38:50

info sec recruiters specifically . Right

38:53

, these info sec recruiters have got ends

38:55

with big companies . I'm not going to say who , but

38:57

they've got ends with big companies where they feed them

38:59

really well qualified , better candidates

39:02

. Because I'll tell you right now , you know

39:04

, if you post a job on LinkedIn

39:06

I've been there , done that you

39:08

know you'll get 500 applicants within two days

39:10

and it's all you

39:13

know . God bless everyone . But you know it's

39:15

mostly career changers and folks that really just

39:17

, they need to be vetted , right

39:19

, and what that happens for us on our side

39:22

, on the hiring side , is that it's we can't

39:24

filter through , that it's not manageable , right ? So

39:26

we really leverage the recruiters to filter

39:28

and do that initial screen force to give us , you know , a

39:30

decent set of canvas that we can talk to .

39:32

Yeah , that definitely makes sense . You

39:35

know for why you would use it . They

39:37

have that in and they're able to sell

39:39

you typically a whole lot better

39:42

than what you would be able to from an external

39:44

perspective . Just to circle

39:46

back right to the cloud , when we're

39:48

talking about cloud IAM , a lot of people

39:50

kind of still have that legacy

39:53

IAM perspective going

39:55

into it , and I know I had that perspective

39:58

too of you can

40:00

have service accounts , you can have user

40:02

accounts . You can also have accounts that

40:04

are used only for service

40:07

to service talk or user

40:10

to service talk . You know there's so many different

40:12

variations . How in the world

40:14

do you keep track of it all ?

40:17

How do you stay on top of this ? Yeah , I mean

40:19

, listen , it's interesting , like you're talking service

40:21

to service , et cetera . I mean , you know , like let's

40:23

just say that we recently were working with a

40:25

customer , we found 100 admin

40:28

level accounts . When we say accounts

40:30

, we had to be careful , we're talking about identities . But

40:32

we found another 900 that

40:34

had an AWS , that had IAM pass

40:36

roll privileges Wow , well , what's that mean

40:38

? It means that the other 900

40:41

with one command could give themselves full admin

40:43

rights . So essentially we've got 1,000 administrative

40:45

level accounts . Well , what does an administrative

40:48

level account mean ? It means it has star permissions

40:50

. It doesn't have permission to go access one

40:52

service . It

40:55

has access to go access 150

40:58

services and

41:00

delete everything that you've got

41:02

in them if it's used nefariously . That

41:05

is frightening , that

41:08

is frightening . And so

41:10

that's where we and I don't wanna

41:12

make this too salesy , but that's

41:14

what I do , that's what we do at Sunray is we come in

41:16

, we plug in , we illuminate everything , we

41:19

give you visibility into these

41:21

orphan things and things

41:23

that aren't used anymore and just identities

41:25

that you didn't know about at the admin level

41:27

and all the other levels that you just did

41:29

not know about , and then we

41:31

help you clean it up , right . There's

41:33

a method to the madness here . It's very strategic

41:36

. This is what we do We've learned a lot

41:38

about this landscape over the years and

41:40

we help you remove everything that's out there that's

41:42

not used . We figure out is it used

41:44

or not and we help you get rid of it

41:46

. Just remove it with a single click in the product

41:49

. That's massive for making a

41:51

dent in that risk

41:53

landscape , joe . And then with what's left

41:55

, that's what's there running , that's

41:57

what's needed . So what we'll do is we'll figure

41:59

out how to right size each one of those things right

42:01

, and that's the whole least privileged thing that

42:04

we talk about so much . You

42:06

do your best , and the way that you do your best is that you

42:08

focus on the identities that matter the

42:10

most , the ones linked to the crown , jewels

42:13

, not everything in sandboxes

42:15

and things like that . You

42:17

get them to least privileged , right . But I think the most important

42:19

thing that folks aren't thinking about , joe , as

42:21

far as really wrapping

42:25

their head around this mess , is how you govern it

42:27

moving forward , right

42:29

, you need a capability out there that

42:31

can put tripwires around your

42:33

break glass accounts . They

42:35

can let you know if a new identity can suddenly

42:38

access that sensitive data

42:40

store because of some junior

42:42

admin putting a new trust relationship

42:44

out there that they had no idea the

42:46

impact that it would do , because

42:49

it created these new bonds in the platform

42:51

. They'd be like a network , right

42:53

? They created this network conduit

42:55

to what matters most to the business

42:58

from a sandbox because

43:00

they were just doing a quick test , right

43:02

? And you never can know how infrastructure is code

43:04

. No matter how much you lent it , no matter how

43:06

much you scan it , you don't know

43:09

what it's going to do until it gets

43:11

out there and it starts living

43:13

and breathing and interacting with what's already out

43:16

there . You need something that's watching

43:18

that and able to tell you holy cow , we've

43:20

got a cross account situation and we've got separation

43:22

to do these or whatever . So I think that governance

43:25

component is super , super key to

43:27

really really being

43:29

able to tackle this . But make no mistake about it that's

43:32

one thing that we've learned over the years here is that you're trying

43:34

to secure identity in the cloud , and I am . You

43:37

got to focus on taking out all of that unused

43:40

litter and garbage . Get

43:42

rid of it . Make sure that

43:44

you're governing for new unused litter and garbage

43:47

, but then double down on what's out

43:49

there and restricting it to only

43:51

the permissions that it needs , so that you vastly

43:53

reduce that risk landscape . Before

43:56

a credential gets thrown out and get hub on accident

43:58

, someone tries to use it against you .

44:00

Yeah , I feel like the technical

44:02

side of it is often

44:04

thought about first before

44:07

that governance side of it . Exactly , with

44:09

the cloud , it is so easy to

44:12

run into a situation where you resolve

44:14

it within , let's say , a week

44:16

and then the next week you're

44:18

right back where you were . If you don't have the

44:20

policy side of it set

44:23

up , if you don't have the checks and balances

44:25

already set up before you start

44:27

resolving it , this is going to be something where you're

44:29

always chasing your tail , so to speak , and

44:31

trying to figure

44:33

it out .

44:34

And if you don't have the buy-in of the engineers

44:36

and the developers , guess what's

44:38

going to happen ? You remove all

44:40

this risk today and tomorrow they're going

44:42

to push out a terraform update that's going to put it all

44:45

back . Right , Think about

44:47

that . All this work and

44:49

they just go put it all back . That's something you

44:51

have to think about . You have to account for the

44:53

fact that infrastructure is code responsible for 80%

44:55

of this mass .

44:57

Yeah , that's a great point . How

44:59

do you make that switch in

45:01

your head ? Because I'm coming at this

45:03

from an engineering perspective . Engineers

45:06

are hands on keyboard . They

45:09

just want to get stuff done , they want to make progress

45:11

, but a lot of the times the engineer

45:13

is the one that's also

45:15

driving the process , because

45:17

when you're in these sort of situations

45:20

, where you're in over your skis

45:22

, you probably don't have a very

45:24

good governance to begin with

45:26

. You probably actually have the engineers

45:28

going through

45:30

and trying to create these policies

45:33

and whatnot .

45:34

Well , yeah , they're the ones that are pushing everything out

45:36

there and have been for years with star permissions

45:38

Because it's easier for them to get

45:40

their code out there , especially on two-week sprints

45:43

. I get it . They're under timelines , so

45:45

they're not thinking about building least

45:47

privilege into the application

45:50

with whatever particular widget they're responsible

45:52

for . I think the key from an

45:54

engineer perspective , is

45:57

you have to

45:59

sell this story to them in a way

46:01

that does not come across as

46:04

impeding their ability to do their job

46:06

. Joe , we're actually

46:08

going to flip the script and

46:11

what we can do is we can enable

46:13

the business we're

46:15

actually enabling you to build more securely

46:17

. So if you fit into the way that they do

46:19

their code Terraform , cloudformation

46:22

, whatever if you fit into the fact

46:24

that they work out of Jira or

46:26

ServiceNow or ChatOps which

46:29

is something that I'm now learning about , which is evolving

46:31

like crazy , like they're doing all their jobs through

46:33

Slack

46:36

if you fit into the way that they work , then

46:39

I think what we have learned is that

46:41

it does a complete 180 . And

46:43

they actually are much more open

46:45

to considering building in

46:48

the pipeline from a secure perspective , versus

46:50

just pushing it all out there and saying

46:52

, infosec , go fix it .

46:54

Yeah , I think that's something that's still critical

46:56

, that we have to point out and

46:58

deconstruct Is that perception

47:01

that InfoSec is only there to make our

47:03

lives harder , to

47:05

put barriers in the way of me getting the sprint

47:08

done and showing productivity

47:10

and whatnot . There's a lot of the times

47:13

where I'll come into a company and

47:15

I'll see exactly that , where

47:17

it's almost like there's a brick wall in

47:19

between security and the rest of the organization

47:21

and

47:24

, brick by brick , you have to take that thing down

47:26

. And I mean one

47:28

time it took me a year just

47:30

to get one team on my

47:33

side and it was a lot of lunches

47:35

, I paid for a lot of drinks

47:37

, I paid for a lot more

47:39

than I'm willing to admit to my wife , but

47:42

it enabled me to get more done

47:44

in the organization and allow them

47:46

to actually trust me and say , hey

47:49

look , just give me this one little thing

47:51

, I'll show you it's not that bad

47:53

. We're going to teach you how to use it , we're going

47:55

to teach you what to do with it . All

47:58

that sort of stuff you kind of have to take it

48:00

over into a white glove

48:02

treatment sort of thing , where

48:04

they get priority even if to

48:07

your manager they don't get priority , but to

48:09

you they get priority .

48:10

Absolutely . And again , I think

48:13

it's all about integrating into the way that they

48:15

want to work . If you integrate into the way that they want to work , they're

48:17

going to be much , much more open . Oh

48:19

, my goodness , we've got a privileged escalation scenario . We've

48:21

got an SOD violation , whatever it might be

48:23

, but guess what ? We routed that risk to them the

48:26

way that they want it to be notified and they can

48:28

actually go fix it on their own and then they can

48:30

come and automatically it'll self-heal

48:32

on the summary side or whatever tool that you're using it

48:34

, versus them having to go manage yet another tool

48:36

that they're getting nagged about or whatever . You've

48:39

got to start to break down the barrier and I

48:41

think that the more that we start to introduce

48:43

identity security into DevSecOps

48:46

, I think the better things are going to

48:48

be , because you're in lockstep

48:50

, then , with the development team , with the app team , with

48:52

the actual business itself from

48:54

a security perspective , and it's because you're introducing

48:56

security into the development process

48:59

instead of just pushing all that out there

49:01

and then saying , ok , it's

49:03

working . And this is what we see all the

49:05

time . Joan , it's super scary , these amazing

49:07

applications , but it is

49:10

an identity crisis . When

49:12

it gets to be part , it's spaghetti . Everything

49:15

can talk to everything . How do you fix

49:18

that ? Because now the business is relying on this

49:20

application and this

49:22

is the plumbing that you built for it .

49:24

Yeah , absolutely . Well , where do you

49:26

think Cloud IEM is going in

49:28

the next five years ? Right , I

49:31

think back to the beginning of the cloud . No one thought

49:33

about IEM as an attack

49:36

surface , and now it

49:38

is the edge

49:41

of your cloud . It's how you get in . It's

49:44

no longer the network , right , you can lock that

49:46

thing down . But if you have accounts

49:48

that are open to the world , people

49:51

can get in .

49:53

Well , here's the thing . I think that four

49:55

or five years ago , securing IEM

49:57

on a priority scale for most businesses

49:59

was a nice to have . Well , back

50:02

then , that's when we would say identity is the edge , Identity

50:04

is the perimeter . I think

50:06

we're way past that . Identity

50:08

is the new network . Everything

50:10

lives , breathes , functions and communicates

50:12

through the identity fabric . In a cloud-native world there's

50:15

no network landscape . Everything

50:17

the accepts and denies , the

50:19

permits and denies , are in the identity

50:21

fabric , on those JSON policies attached

50:24

to these person and non-person identities , not

50:27

through managing the security and firewall

50:29

rules or next-in firewalls that

50:31

you're trying to cram into a

50:33

VM . They don't have their place in a cloud-native

50:35

world . They don't right . And I

50:37

think , if you look at the way that the market has evolved

50:39

over the last couple of years , we're

50:41

seeing more and more companies that are starting to put

50:43

identity at the forefront of

50:46

their security strategies . It's not a nice to have , it's

50:48

an absolute requirement . And

50:51

when you do that and then you

50:53

attach the fact that you're focusing your identity

50:56

strategy on what matters the most to the business , meaning

50:58

the crown jewels , not just we're going to secure

51:00

identity , to secure identity and start playing whack-a-mole

51:03

, you start with what

51:05

matters the most to the business who and what

51:07

can access that data container

51:10

, that table , whatever

51:12

it might be . Start there , and

51:15

then you work your way out . So there's a method to the madness

51:17

there . Right , you do that . You

51:20

focus on the hub that's what I call it instead

51:22

of all the spokes , Because right now , so

51:24

many in the market are still focusing the spokes . Focus

51:26

on the hub . When one of those spokes

51:28

gets popped , it's going to be a dead end

51:30

. It's a beautiful story . Folks

51:33

just have to be willing

51:35

to accept and understand

51:37

that identity is the new network and

51:40

it must be secured from the inside

51:42

out .

51:43

Yeah , absolutely . I mean , that's

51:45

the whole thing . That's

51:48

changed completely with

51:50

the cloud . Well

51:52

, jeff , I really appreciate the time

51:54

here . I feel like we could

51:56

keep going with this conversation for sure

51:58

.

52:00

It was very fascinating .

52:01

We went through a lot of different rabbit

52:03

holes and whatnot , but I think

52:05

overall it shows the importance

52:08

of IAM in the cloud for sure .

52:10

Absolute pleasure talking to you . Like you said , we could have

52:12

gone on and on and on and

52:15

, like I said in the beginning , I hope that folks listening

52:17

across the rabbit holes that

52:20

we went down , I hope that they captured nugget

52:22

. Maybe it's about your career , your job , whatever

52:24

your skills , but

52:26

certainly I hope that you picked up a nugget

52:28

or two about really rethinking

52:31

how you are

52:33

securing your cloud as it

52:35

relates to where IAM and identity and

52:37

access and privilege are from a strategy and

52:40

a priority perspective . It's important .

52:42

Definitely . Well , jeff , before I

52:44

let you go , how about you tell my audience where

52:46

they could find you if they wanted to reach out to

52:48

you and where they could find sonar security

52:51

if they wanted to learn more ?

52:53

Absolutely . Jeff Moncree Fund LinkedIn

52:55

. Please hit me up , please connect with

52:57

me . I'd love to answer any questions

52:59

that you might have . And then I've

53:01

worked for Sunrise Security and sunrisecuritycom

53:04

, and we

53:06

secure some of the world's largest companies

53:08

as it relates to helping them with access

53:10

and privilege in the public cloud . We're definitely a

53:12

thought leader in this space , one of the OGs , if

53:14

you will .

53:16

This is where purpose built for this , so we

53:18

would love to talk to you about what we can do for you

53:20

Awesome , and all of the links that he mentioned

53:22

will be in the description of the episode , so

53:24

if you want , go ahead and check them

53:26

all out . All right , thanks everyone .
