Episode Transcript
0:54
How's it going, Jeff? It's really good to finally have you on the podcast here. You know, we've been trying to put this thing together for several months, but then, you know, it's just one thing after the other in both of our lives that, you know, randomly comes up like 30 minutes before we're going to do it.
1:14
I know, I know, the stars have finally aligned, Joe. It's good to finally, you know, make it happen. So glad to be here.
1:21
Yeah, definitely. Well, I'm sure we're going to have a great conversation, you know. Hopefully it'll be valuable to some people out there.
1:29
I hope so. I hope so. It's an interesting world that I live in daily, that, you know. Hopefully we can get a couple of nuggets out there that are really helpful, just based on what I see day to day with this world of insane access and privilege risk in the cloud.
1:43
So, oh man, I can talk about IAM forever, but, you know, before we get into the IAM stuff, you know, Jeff, why don't we start with what your background is, why you got into IT, why you got into security, what that journey was like. Was it faster than you expected? Was it slower than you expected? What was that like?
2:03
Yeah, so I've been in InfoSec now for a little over 20 years now. Yeah, and I've been in IT since 99. And it's interesting, you know, I went to college here in Atlanta and I got a degree in human resources. Joe, it is the last thing that you would expect with what I've been doing the last 20 plus years, but I quickly realized after I went to business school that that is not what I wanted to do full time. I was really a nerd at heart and ripping apart PCs since I was, you know, since the early nineties, logging into BBSes and all that crazy stuff, using Gopher and all that. You know, the stuff that really, really dates me as I talk about it now and think about it. But I was like, you know what, I want to get into tech. That's what I really want to do. And back then, like, one of the big training centers all over the world was called Executive Train, and I went there and got my A+ cert back in 99. And they saw I had a passion and they offered me a gig. They were like, do you want to? Just, you know, a job here setting up classrooms every day? And, Joe, that fast tracked me through the whole, you know, NT4, MCSE and, you know, setting up 13 Microsoft classes a day. You'll learn real quick, right, and so that's how I got in IT. And then I got into information security at what many think is the original internet security company, which was Internet Security Systems here in Atlanta. And if you look at it today, there's hundreds of InfoSec companies that have spun off because of ISS back then. So that's really where I just dove straight into InfoSec, and I've been doing that ever since. And, you know, I was focused on on-prem infrastructure security for many, many years, like I'm sure you were, right, like we all were, through the early 2000s. And then I left Cisco around three and a half years ago, where I was leading, you know, a team of sales engineers, to come over to Sonrai and focus on public cloud security full time. And, Joe, holy cow, was I humbled. I thought I understood the public cloud and I thought I understood how to secure it when I was at Cisco, because of infrastructure as a service and monitoring flow logs and protecting VMs. I had no idea about what was happening at the platform level in these cloud service providers, and so that's what I've been focused on the last three and a half years. It's what I do day in and day out, and, you know, I consult, I, you know, teach customers how to build, you know, a platform security strategy focused around access and privilege, and so that's what I do full time, and it is, it's a challenging, challenging world that we are trying to protect now as it relates to cloud native, and so I'm sure we'll get into it here as we, you know, continue the conversation.
4:54
Yeah, absolutely, you know, the cloud. I always tell people that, you know, cloud security is like that graduated level of security. You know, you need experience in several other domains, you need to be deploying technology in those domains before you start jumping into cloud security. Because, you know, cloud security, you can't walk over to a server and unplug it, right. You can't walk over to a server and console into it. You know, like, that stuff doesn't exist, and a lot of people, you know, their initial response would be like, oh well, that's a problem on the cloud provider. It's like, these contracts are written very differently. It's so true, and the cloud provider is like, never.
5:43
That's a great point, because a lot of what I do nowadays, Joe, is, as I relate the public cloud situation to the world that you and I both came from, and so many of the folks listening, right, securing data centers and colos and hardware, and, you know, rack and stack and servers and routers and switches and dealing with core and access and distribution issues and firewalls, right. And, you know, what I liken it to, you know, as far as the world that I see all the time, is it's almost like you built a data center, right, and what we do when we build a data center, we fortify it, right. We put in our firewalls and we build our DMZs, then we build out our different access layers and it's all zoned and segmented, right. That's just what you do. It's not a nice to have, you got to do that, right. But when we plug in here at Sonrai, when we plug into customers' environments, it's very interesting, to put it gently, because everything's flat. Everything can talk to everything in so many scenarios, and it's just because organizations, just like you said, they were thinking, well, the cloud provider is going to take care of all that for me. They're going to secure it, they're going to segment it, they're going to zone it. Each little thing that I provision, each little resource or microservice that I provision, it's going to be in its own little, and again, to liken it to the network days, its own little broadcast domain, okay, where it can just talk to itself and maybe, if I tell it to go talk to something else, that's great. But that's not the case, right? And so they're just not aware that they really need to be thinking of securing the public cloud the same way that they do on-prem. That you really, really got to be thinking about segmentation. But in a cloud-native world, when we do the segmentation, is it layer three, layer four? No, it's at layer seven, it's at the application layer. Right, it's abstracted through the access fabric. That's how everything lives, breathes and communicates, is through the, you know, like you said, IAM, but you got to start thinking of IAM like a network, because that's what it is, and so it's so true, when you relate it to something that they're very, very familiar with, all of a sudden, you know, folks' eyes open up.
7:54
Yeah, it's a really good point. You know, at my current organization, right, I wanted to, you know, create a resource that could reach out to the internet. It's in a dev environment, you know, because I was trying to test something, right, and the entire dev team that owned that entire function was like, it's impossible, you're not going to be able to do it. We're not turning off this rule that auto, you know, removes it, all these things, right. I was constantly told it. I was like, guys, I'm going to get around your rule. Like, I'm getting around it. You know, like, whether you like it or not, I'm getting around it. I know what I'm doing. I'm sorry, like, I know that you've spent, you know, five, six years in the cloud and whatnot, but I know how this thing works. I don't get these certs by not knowing how this, how AWS, works, and, you know, sure enough, right, I got through it. And then the next thing that they're complaining about is I'm firing off a lot of alerts. Like, okay, I'll just bypass your alerts. That's not a problem.
8:56
Yeah. Well, I think that, you know, back in the days of the on-prem world, you know, everything was, you know, the IT staff. They could do that. They could, you know, manage everything through very, very specific, finite ingress/egress points, right. And if you wanted to do something to test, you had to put in that change control request and you had to, you know, you were at their mercy. But now, you know, Joe, if you want to go do that, just go do it, just go build it. I mean, there's not, in the cloud, there's not, you know, one or two ingress/egress points, there's thousands. I think it's fascinating, I think it's absolutely fascinating, Joe, that if I want to log into your cloud right now, all I need is a cred, right, and my laptop right here. So technically, my laptop right now is two commands, AWS configure. It's two commands away from being dropped dead in the middle of your cloud. That's fascinating, right.
9:57
Could you imagine if, like, AWS had, you know, some bug that bypassed their login? You know, like, you were able to just do it via the console or something like that. If you just, if you guess the account number right, you know, you're in the account, whatever it might be. I always think about that, because it's like, man, we're putting a lot of trust into this thing to not fail, and it's created by people like me, and, you know, I'm not the smartest person in every single area, like, I'm a little dumb here and there, you know.
10:30
Yeah, it's, it's, it's fascinating. I mean, it bypasses all of your security measures, right. All I need is a cred and, with one command, when, you know, the AWS or GCP or Azure SDKs, with my laptop here, I'm just dead center in the middle of your cloud. It doesn't matter what you've got protecting it at the perimeter, and so that really, I think that's what fascinated me when I started to learn about identity risk, is how quickly you could be in the hub of a customer's cloud environment, regardless of what they've done to protect the spokes that they think are the entryways. I mean, they are entryways, but more and more often, what, you know, you and I are seeing now in the market is that folks are just logging in. They just log right into the center of your cloud, and that's where things get really, really hairy.
11:18
Yeah, it's a really good point. From a cloud engineer slash architect, my biggest problem is IAM by far, you know. It's, it's, I am trying to manage the roles, right, what roles we have, what accounts we have, what services are using what. It's pretty close to an impossible task without, without a solution that is dedicated to it. You know, it's really frustrating. The most frustrated time that I've ever been was when I was working in IAM on-prem. That's when I used to have hair. It's terrible, you know. It's like, it's a, it can, it can really make your day very difficult or it can make it relatively smooth, right. I feel like it's just, like, up to the power of that IAM service, or whatever it might be, is like, are we going to have a good day or are we going to have a bad day?
12:12
Yes, yeah, and it really is, is daunting. You know, I recently heard a term that, it just, it resonated so well with me. I heard it, I just came back from, September, this was in September, but it was back in, it was in Seattle, Bellevue, right, and hosted by the Cloud Security Alliance, and I heard a comment that just really, really resonated so well with me, and it's that you've got to be thinking about cyber garbage, identity, identity, identity litter. Think about that. That's what we're up against, is, like you said, you know, IAM, when it does work, it creates all of these personas, these usually non-person identities, which are vast and vague as far as what that constitutes, right. But it's just as equally, if not more, dangerous than a person identity. But projects come and go, priorities change, life turns over, for whatever reason, right, attrition, and what's left is identity garbage, identity litter, right. But it is scary because it has rights to go do things, right. All it takes is an access key associated with a role or token, or someone getting a cred out of, you know, GitHub or, you know, S3. It's still happening, right. Global exposure is rampant, still. So you have all of those different kinds of vectors that are just sitting out there, hundreds, if not thousands, that you just don't know about. Like you said, if you're not intentional about it, if you don't have a tool that's designed to go crawl and map it all out and figure out what's out there, what can it do and what can it access, then these are all things that you're blind to, but they're all entry points straight into the heart of your cloud. It doesn't matter how much vulnerability scanning you do or, you know, which compliance standard you're adhering to. None of that matters, Joe. Throw it all out the window when someone grabs one of those creds and uses it to their advantage. So really, you've got to be intentional about understanding what's out there, right, and cleaning it up, getting rid of the litter, getting rid of the garbage, and then governing it moving forward.
14:27
Yeah, it's a great point. You know, it's hard to fathom the scale at which you can create thousands of IAM accounts and roles in your environment. And I'm in this thing, right, I do this every single day. It's even difficult sometimes for me to imagine it, and, you know, so, I work for a large automotive manufacturer, right, you can easily guess whichever one it is. I'm not going to say any more than that. But, you know, we consume cloud services almost as a service, because our parent company, the one that owns us all, negotiated the contract with the cloud provider and kind of offers up these services as a service to us, right? So they're building out our cloud tenants, they're giving us a blank template, right, to work with, and they have their own controls around it. And their thought, you know, I was talking to these guys and they said, well, how bad can it really get? Right, we're not giving them everything. Why do they need to create all this stuff? They literally said, I bet they won't need that many IAM accounts or roles, right, because we're giving them the template. And very quickly, within six to 12 months, we were at 200,000 accounts, 200,000 accounts across our tenants. And how do you expect that? How do you have a solution that manages that? You know, when I was doing IAM on-prem, we were dealing with 42,000 accounts and we had maybe 2,500 employees. Each employee had five accounts. Most of them didn't even know that those five accounts existed, and so, like, we had a lot of dead accounts, right. So, like, if you really factor that in, we're probably at, like, you know, 10,000 accounts, right, 10,000 actual user accounts that are being used. This is 10, 20X that.
16:40
It's insane, it is. It is. You're talking about a very person-oriented landscape. I would venture that for every one person identity that we at Sonrai see here in customer environments, there's 10 non-person identities to go with it. That's what's really, really fascinating, is the explosion of NPIs. We call them non-person identities, and they are roles, service principals, managed identities, access keys, tokens, things that grant access and privilege to go do things, but they're not as simple to understand as, hey, we're just going to create a user account. It's NPIs that we really, really have to be thinking about. The other thing, Joe, is, even, it doesn't matter if it's a user account or a non-person identity. You've got to be thinking about the permissions on them, right? It's not just, hey, we're going to go create an account that lets you go do things. You've got to be thinking about the excessive permissions and entitlements on these things and treat that as risk as well. Not just thinking about cleaning up things that are orphaned and abandoned, but the things that we do need for the applications to run. There's a concept that is growing, thankfully, in this industry, of least privilege. It's a holy grail. Can we get to least privilege? I don't know if anyone's ever going to truly get to least privilege, Joe. That's like saying you're going to fix every vulnerability. You're never going to fix every vulnerability, right. But if you understand which identities mean the most to the business, then you can focus on at least getting them to least privilege, so that if and when someone does get in, they can't go wreak havoc in your environment.
18:20
Yeah, getting to a full least privilege state. I mean, the only way that you do that is if you started from the inception of the company.
18:29
That's literally the only way that you, you got to build it into the development process too. That is a lot easier said than done, my friend. When we plug in, everything's already out there. Everything's already living and breathing. The litter and garbage is out there, but in a greenfield environment, oh my goodness, how cool would it be if you built least privilege into the actual development process. That's something that we preach here at Sonrai, is being able to do that, so that when you do push to production, you've already removed all that nonsense. You've got to have a lot of cooperation and collaboration with the development team, though.
19:13
Yeah, that's very true. You have to have everyone on board. When you were starting out, or even throughout your career, did you ever feel like, this isn't a fit for me? This is too far above my head. I don't understand what's going on here. They surely hired the wrong person. I ask that because I started in IT, I guess technically, in high school. I didn't know anything. I knew how to plug in the USB and install whatever was on it, that's it. But as I went through my career, for instance, one role was nothing but Linux. I might as well have had Linux on my laptop that I was using for the job. That's how much we used it. I felt like I was not a fit for that role at all, by any stretch of the term. I ask this question because I actually get a lot of questions about that. I feel like I don't know enough, this isn't a fit for me, and whatnot. I feel like it's more about time and you putting in the effort than anything. It will eventually come. I'm wondering if you experienced that as well.
20:23
I did. It's a great question. It takes me back. It takes me way back, when I left that training company and got my first network admin role. It was at a company called Dice.com, which you may have heard of. I don't even know if they're still around, but it was like the IT job site back then, before Monster. I was their network admin for their training division. I will never forget being given the keys to that server room and looking at all the routers and switches and the firewalls and everything. They're like, okay, it's all yours. I was like, okay, I may have bitten off more than I can chew. I don't know the first thing about any of this stuff. As far as the routers and switching, all of that, I could administer Windows till the cows come home. But I'll never forget, we had an outage. I had to deal with the PIX 506 back in the day, if you remember what a Cisco PIX was. It predated the ASAs. I started with the ASAs. Yeah, I will never forget. We had an outage and luckily there was a senior administrator who got on the phone with me and walked me through the crypto map statements and all that ISAKMP stuff, if you remember. I did not know what I was doing. But I really, really, I felt over my head, a little bit of imposter syndrome, if you will, but I was humbled enough to not be afraid to ask for help. I think that's the key, is that I realized, you know what, I can do this, I can be successful at this if I don't act like I know what I'm doing, if I'm able to say, you know what, I'm not an expert at this, but if you can show me, I can take this and run with it. I think that that was a big, big turning point in my career, is not being afraid to ask for help, not feeling like I have to be the smartest person in the room or anything like that. But then you got to do the hard work. You've got to actually apply it so that you really do understand the next time it comes around. You're not asking that same person that same question, can you come in and do it for me. As long as you prove to someone that you're learning, that you're listening, that you really, really do care, I found that folks really want to pour into you. They do. Folks love teaching other people things as long as you're really listening and absorbing and being appreciative. I think that was one big thing, right, so that, and fast forward to today, I look at how often that has helped me out in my career, right. Or I'm not afraid to say, hey, you know, you're really amazing at this, is there a way that you can mentor me, right? And so I just, I think that's it. Be humble, don't be afraid to ask for help and be appreciative. It really, it's amazing what people will do for you if that's what you do.
23:15
Yeah, I think that's a great point and that's definitely something to keep in mind too. You know, when you're going through these different roles, like, you're not going to know everything, you know, and even on this podcast, right, I recommend that if you fit 50% of the job requirements in a posting, that you should be applying to it. You know, because if you're at 50%, I can teach you the other 50%, right, and yeah, it may be a faster pace environment and whatnot, but we can get through that. When it's, when it's less than 50%, it gets a little bit more difficult, because it's like, all right, you don't have the foundation that we need to build this thing, right?
23:49
I've got a comment on that. So, you know, I've done a lot of hiring over the years as I've led sales engineering and even post-sales tech support and TAM teams at various companies, and you could not be more right, Joe, about, you know, the 50% rule. What I want when I'm looking at folks to join our team is, is passion, right? Obviously, personality, right? Is there, does this person seem a great character? Do they really seem genuine? Do they really have an interest? Is there a path? Is there a drive? Right? I can teach you the other 50% from a technical perspective if you can bring 50% to the table. And what we've started doing and what I've started doing in my career, because there is such a tech skills shortage, especially in the area that you and I live in, is, if I can give you a project, I'm going to give you a week. Right, go build this lab out in AWS and I want this lab to do X, Y and Z. And what I want is, in a week, we're going to circle back on a Zoom or whatever, and I want you to walk me through how you built the lab. But I want you to show me which resources you used to learn. I want you to show me that you can go figure it out and that you are, you know, that you're creative, that you're a problem solver. I don't care that you didn't know this a week ago, but if you can go learn this and explain this to me and show that you can do it in a week's time, that's all I need to know, because we can work with that, right. And so I think that, absolutely, if you've got, like, 50% skills or whatever and, you know, there's another half that you're not, don't be afraid to go for it and take a shot, and, heck, offer it up. Say, give me a chance to prove myself. I think you'd be surprised at what hiring managers will do when they see that level of energy and intent from a candidate.
25:39
Yeah, absolutely. You also got to be taking copious amounts of notes. I found throughout my career, when I was learning different things, I mean, even now I'll take a bunch of notes. But when I was learning, not knowing or not even having the background in an area, I had to take an insane amount of notes. It was an embarrassing amount of notes. If you looked at my, I think it was, like, Notepad or whatever it was, I mean, you could scroll on that thing for, like, five minutes, right. But in doing that you become a very valuable resource, because not only are you experiencing it, you're taking notes on it. Those two things reinforce it in your mind, and from that you turn into an internal resource for that company in a certain area. For me at this company, it was security. Whenever there was a security problem or anyone asked about security, it was immediately, just go to Joe, right, he's the only one that spent any sort of time with it. That's for engineers, that's for developers, that's for the architects, like, that was for all of them. And I was, like, the lowest man on the totem pole, right. Well, I got there because I took a huge amount of notes and I kept encountering these stupid problems, and so I was forced to learn it. I had to learn it, otherwise I was going to lose my job, right, and I think taking notes absolutely helps, especially when you're starting in a new role.
27:14
It does. It shows you're listening, the cream rises to the top. And for all of us, I think, at this kind of, the level that you and I are at in our careers, I mean, we started, like I started in tech support, level one, right, you got to start somewhere, and your work will speak for itself, right. If you are passionate and if you, like you said, you take notes, you pay attention, you show that you want to just kick butt at the role that you're in, the work will speak for itself, people will notice and it will open the door for new opportunities for you. Absolutely right, and it's just, you got to work hard in the beginning, right, and it will be noticed.
27:57
Yeah, absolutely. I think a part of working hard, I feel like some people are worried about that being noticed part, you know. They feel like if they put in the work, they put in the time, it's going to be for nothing. You know, I think that that's the worst. That's the worst feeling for anyone to feel. You know, when you're putting in the hours, when you're doing the work, and you're still not getting the job, you know, you're still not meeting the bar, right, how do you keep going? And, to be quite honest, even with this podcast, I have felt that at times, you know, like, I'm doing these episodes and I'm putting all this time into it, I'm learning how to edit, you know, all these different things, right, and it feels like, oh, nothing is coming from this, it's going nowhere. I'm putting my time and effort into something that's not going to help me in any way. It's almost like, you know, the universe, right, shows up, just gives me a little nugget, like, oh, you didn't think that this would ever happen, and it happens. You know, things like that. It's a grind, it's, it is, it's hard, there's no way around it, unfortunately. Yeah, it's true, but I mean, that's how life goes.
29:11
Yeah , right , you got to fight for
29:13
anything worth having and it's
29:15
not going to come easy and you're going to have
29:18
to stick it out . And you
29:20
know , like you said , that's happening with the podcast and that
29:22
happened with me in my career . But I will say this also
29:24
, you know , by the way , I'm not known
29:26
for having a great filter . I'm
29:28
known for being overly transparent at times
29:30
, right ? But guess what ? If it's not working
29:33
out for you , if you're working your butt off and
29:35
it's not being rewarded , if they're not noticing
29:37
, right , and you think that you've done the things
29:39
that you need to do to be noticed , then don't be afraid to
29:41
make a change . I'm
29:43
serious , don't be afraid . Don't think that you're
29:45
stuck in this rut and that there's not any options
29:48
out there . Don't be afraid to put yourself out
29:50
there to see if there's other opportunities that
29:52
could be rewarding , right ? And
29:55
I think that that's kind of what fascinated
29:57
me so much about coming to Sonrai from
29:59
Cisco . You know , like I said I was
30:01
because I there's a reason that Cisco
30:03
is the number one company in the world to work at . It's
30:06
fantastic , you know , I still
30:08
have friends over there and everything . Maybe one
30:10
day we'll all go back to work at Cisco , right ? That's not really
30:12
the point of the conversation here . The
30:14
point is that I want to try
30:16
something new . I wanted to try something adventurous
30:19
, right , and Sonrai gave
30:21
me a great opportunity to do that right . For you
30:24
know , back then it was a series A startup . I took a big
30:26
risk right , and Sonrai is a fantastic place
30:28
to be now . But
30:30
you know , the point is that
30:32
if you are , if you
30:34
feel like you're you know , like you said , not getting rewarded
30:36
, if you are working your tail off and you don't
30:38
see a trajectory , then stand
30:41
up for yourself and make a change . Don't be afraid to .
30:44
Yeah , it's a really valid point . You
30:46
know , and I don't want to , I don't want to linger
30:48
on this topic too much , but I think that
30:50
this story will help someone out
30:52
there for sure . You know
30:54
, I have a good friend that I worked with
30:56
at a financial firm
30:59
and you know
31:01
he was very content with his
31:03
role , with his company , everything
31:05
like that . And the management
31:08
didn't believe in him , you
31:10
know , because they paid for him to get a certification
31:12
, like two times
31:15
, and he failed the test , you know , not
31:17
for lack of trying , it was just a really hard
31:19
test that he was taking . And
31:21
so they told him hey , we're never going
31:23
to fire you , but we're never going to give you a raise
31:26
. You're going to get the same bonus . You know
31:28
you're on out , you're going to be in the same role
31:30
, you're going to be doing the same sort of stuff . You
31:32
know you're not going to lead a project or anything
31:34
like that . And you
31:37
know he worked with all of his friends For
31:39
him . He values , you know , friendship
31:41
over everything else and he stayed in the job
31:43
for 25 years and
31:45
this year he got laid off and
31:48
he never took the time to develop
31:50
his skills , he never took the time to
31:52
invest in himself or anything
31:55
like that . You know , when I was there
31:57
I told him I was like dude , if they
31:59
ever lay you off , like you're going to
32:01
have to completely reinvent yourself . Like
32:03
because the skills that you have are
32:06
so outdated at this point no one
32:08
uses the stuff that you're familiar with . They
32:11
only have it here because you're
32:13
here . They keep you busy with that
32:15
stuff . And now he's in
32:17
this year-long journey of
32:20
figuring out what he wants to
32:22
do , doing some soul searching . You
32:24
know it's like do you really want to be in that
32:26
situation when you're 10 years away
32:28
from retirement ? I mean , this guy is 10
32:30
years away and he has
32:32
to reinvent himself . That's
32:34
the time to coast , in my opinion
32:37
.
32:38
I'm sad that that's becoming a
32:41
very frequent occurrence , I think right now
32:43
, especially in this current economy , and
32:46
, like you said , if you're
32:48
not in a position to
32:51
have to put yourself out in the market to
32:53
be relevant , then I think
32:56
you're doing yourself a disservice . Maybe you won't ever
32:58
have to hopefully
33:00
you won't ever have to be in that position but if you are , I
33:02
think it's crucial that you
33:05
have skills and
33:07
can not only talk the talk but
33:09
walk the walk with modern
33:11
technologies , especially
33:14
the cloud . I mean , there's such
33:16
a shortage of folks
33:18
, whether it's on the vendor side
33:20
or on the business
33:23
side , that don't
33:25
understand how the cloud works . You
33:27
know , and in this world that I'm in , if
33:29
you don't understand infrastructure as code and
33:31
Terraform and CloudFormation
33:34
and how things like you know we're talking about IAM roles
33:36
and how all that works then
33:39
you're gonna have a really big uphill battle
33:41
trying to market yourself to companies right
33:43
now that are looking for folks to secure their networks
33:45
or vendors that are looking for folks
33:47
to sell their products right , because everything
33:50
has a spin now . That's cloud native . So I
33:52
think it's crucial that you go ahead and get
33:54
ahead of that .
33:56
Yeah , it's a great point . You know
33:58
, with the cloud and I
34:00
didn't know this until pretty recently you
34:02
know , one of the gold standard certs
34:04
out there , especially for the cloud , is the CCSP
34:07
from ISC² . At
34:09
least in my opinion it's a gold standard . You know
34:11
it's gonna be what
34:13
the CISSP is known , as you know , kind of
34:16
that gold standard cert . And I
34:18
figured , okay , you know I'm one of a million
34:20
that's got this cert . You
34:23
know , whatever it might be , you know I figured
34:25
I wasn't an outlier by any
34:27
means or anything like that
34:29
. I looked it up and in North America
34:31
there's only 5,500 people
34:34
with the cert 5,500
34:37
. There's a whole lot more than 5,500
34:39
companies in North America
34:41
. Right , and it's not because , like
34:44
the cert , yes , the cert is extremely
34:46
difficult . That test was , like
34:49
probably the second hardest test
34:51
I've ever taken , you know , next to
34:53
the AWS cert that I got that I
34:55
unfortunately have to renew
34:58
pretty soon here . I'm not happy
35:00
about that .
35:04
Is it the solutions architect ?
35:05
No , it's the security specialist
35:07
one . Yeah , okay
35:10
.
35:10
I just I unfortunately I let my
35:12
solutions architect expire , but I was supposed
35:14
to renew it this time last year and I'm like
35:16
I'll get around to it and I still have it . But
35:18
to your comment on the CCSP
35:21
, I agree . So I'm a CISSP and
35:24
to this day I've always said that's probably definitely
35:26
one of the hardest tests I've ever taken in my life . So
35:28
I can imagine what you went through for the CCSP , because
35:30
I don't have that right . But I agree that
35:33
, like that is very , very telling it
35:35
, there's only 5,500 CCSPs
35:37
in America right now , because
35:39
that's just very indicative
35:41
of the shortage I was referring to .
35:43
Yeah , it shows you too
35:45
that if you put in the work , you
35:48
know when you get these certifications right
35:50
, there's opportunity
35:52
available . You know , I think the last
35:55
time I checked there
35:57
was a shortage of something like 5
36:00
million jobs in North
36:02
America , or maybe that was worldwide
36:04
, right , 5 million security
36:06
jobs where it is literally
36:08
there's more openings than there are people
36:11
in the field . You know , that's why
36:13
security professionals are
36:15
always at 100% employed . Right
36:17
, when we change jobs , we're taking two
36:20
weeks off . It's not because we were laid off
36:22
or anything like that . Like I had a buddy that
36:24
was laid off at the beginning of the interest
36:26
rate hike because we were at a very interest
36:28
rate sensitive company . He was
36:30
laid off and I mean the guy
36:32
took a two week vacation and he was back at work
36:34
at another company .
36:37
Like that's what I was . You
36:39
know it's interesting . One thing I want your audience
36:42
to hear too is and this is something I learned
36:44
when I came to Sonrai is don't be afraid
36:46
to talk to a head hunter . Yeah , you
36:48
know that's . The whole reason that I came over here
36:50
was because a head hunter approached me . I
36:52
was super apprehensive . I'm like I've never talked to a head
36:54
hunter before . I just go to a company's website
36:57
or it's a friend that gets me an in
36:59
or something like that , you know , through the network
37:01
. But don't be afraid to talk to a recruiter
37:03
, because it
37:06
opened my eyes to this whole world . Joe , I didn't
37:08
know it was out there where companies
37:10
actually exclusively work through recruiters
37:12
. They're not going to post jobs
37:14
all the time on their websites , right
37:16
? So if you've got a recruiter and trust me
37:18
, you know it's like one of those accident attorneys
37:21
they only get paid
37:23
when they get you hired , so it's not going to cost
37:25
you anything , right ? But they're experts
37:28
in marketing you and they have
37:30
ins at all these different companies where they can market
37:32
your skill sets , right ? So it doesn't matter
37:34
if you're kind of you know , like you said , entry level , you don't have
37:36
all the skill set , or if you are recently
37:38
, for whatever reason . I mean , this
37:40
is an economy right now where
37:43
you know RIFs and LRs . We're seeing that more
37:45
and more common , unfortunately . Don't
37:47
be afraid to talk to a recruiter because it's amazing
37:50
, you know kind of the doors that they can open for you .
37:52
Yeah , it's a really good point . You know , I've
37:55
actually explored partnering
37:57
with some recruiting firms
37:59
that I've used in the past . That I trust
38:01
, you know , because I've had really bad experiences
38:04
with the recruiters and I've had average
38:06
experiences with the recruiters and then these
38:08
couple that I use , they're just superb
38:11
, they're head and shoulders above everyone
38:13
else . You know , like it's a huge
38:15
difference , right , and so I'm actually
38:17
looking to kind of provide that full
38:19
suite right for my listeners where they
38:22
get that idea of , hey
38:24
, maybe I should talk to a recruiter , well , who does
38:27
Security Unfiltered recommend ?
38:29
Yeah well , I've got some folks
38:31
that I have grown to really really respect
38:33
and love and work well with over the years
38:35
. That's , you know , maybe offline , you and I can
38:38
exchange those contacts or whatever
38:40
. But that's another thing . Is you got to find a good one
38:42
? Yeah , right , you got to find one
38:44
that actually has the relationships , the connections . But
38:47
there's oftentimes , where you know , there's
38:50
info sec recruiters specifically . Right
38:53
, these info sec recruiters have got ins
38:55
with big companies . I'm not going to say who , but
38:57
they've got ins with big companies where they feed them
38:59
really well qualified , better candidates
39:02
. Because I'll tell you right now , you know
39:04
, if you post a job on LinkedIn
39:06
I've been there , done that you
39:08
know you'll get 500 applicants within two days
39:10
and it's all you
39:13
know . God bless everyone . But you know it's
39:15
mostly career changers and folks that really just
39:17
, they need to be vetted , right
39:19
, and what that happens for us on our side
39:22
, on the hiring side , is that it's we can't
39:24
filter through , that it's not manageable , right ? So
39:26
we really leverage the recruiters to filter
39:28
and do that initial screen for us to give us , you know , a
39:30
decent set of candidates that we can talk to .
39:32
Yeah , that definitely makes sense . You
39:35
know for why you would use it . They
39:37
have that in and they're able to sell
39:39
you typically a whole lot better
39:42
than what you would be able to from an external
39:44
perspective . Just to circle
39:46
back right to the cloud , when we're
39:48
talking about cloud IAM , a lot of people
39:50
kind of still have that legacy
39:53
IAM perspective going
39:55
into it , and I know I had that perspective
39:58
too of you can
40:00
have service accounts , you can have user
40:02
accounts . You can also have accounts that
40:04
are used only for service
40:07
to service talk or user
40:10
to service talk . You know there's so many different
40:12
variations . How in the world
40:14
do you keep track of it all ?
40:17
How do you stay on top of this ? Yeah , I mean
40:19
, listen , it's interesting , like you're talking service
40:21
to service , et cetera . I mean , you know , like let's
40:23
just say that we recently were working with a
40:25
customer , we found 100 admin
40:28
level accounts . When we say accounts
40:30
, we had to be careful , we're talking about identities . But
40:32
we found another 900 that
40:34
had an AWS , that had IAM PassRole
40:36
privileges Wow , well , what's that mean
40:38
? It means that the other 900
40:41
with one command could give themselves full admin
40:43
rights . So essentially we've got 1,000 administrative
40:45
level accounts . Well , what does an administrative
40:48
level account mean ? It means it has star permissions
40:50
. It doesn't have permission to go access one
40:52
service . It
40:55
has access to go access 150
40:58
services and
41:00
delete everything that you've got
41:02
in them if it's used nefariously . That
41:05
is frightening , that
41:08
is frightening . And so
41:10
that's where we and I don't wanna
41:12
make this too salesy , but that's
41:14
what I do , that's what we do at Sonrai is we come in
41:16
, we plug in , we illuminate everything , we
41:19
give you visibility into these
41:21
orphan things and things
41:23
that aren't used anymore and just identities
41:25
that you didn't know about at the admin level
41:27
and all the other levels that you just did
41:29
not know about , and then we
41:31
help you clean it up , right . There's
41:33
a method to the madness here . It's very strategic
41:36
. This is what we do We've learned a lot
41:38
about this landscape over the years and
41:40
we help you remove everything that's out there that's
41:42
not used . We figure out is it used
41:44
or not and we help you get rid of it
41:46
. Just remove it with a single click in the product
41:49
. That's massive for making a
41:51
dent in that risk
41:53
landscape , joe . And then with what's left
41:55
, that's what's there running , that's
41:57
what's needed . So what we'll do is we'll figure
41:59
out how to right size each one of those things right
42:01
, and that's the whole least privileged thing that
42:04
we talk about so much . You
42:06
do your best , and the way that you do your best is that you
42:08
focus on the identities that matter the
42:10
most , the ones linked to the crown , jewels
42:13
, not everything in sandboxes
42:15
and things like that . You
42:17
get them to least privileged , right . But I think the most important
42:19
thing that folks aren't thinking about , joe , as
42:21
far as really wrapping
42:25
their head around this mess , is how you govern it
42:27
moving forward , right
42:29
, you need a capability out there that
42:31
can put tripwires around your
42:33
break glass accounts . They
42:35
can let you know if a new identity can suddenly
42:38
access that sensitive data
42:40
store because of some junior
42:42
admin putting a new trust relationship
42:44
out there that they had no idea the
42:46
impact that it would do , because
42:49
it created these new bonds in the platform
42:51
. They'd be like a network , right
42:53
? They created this network conduit
42:55
to what matters most to the business
42:58
from a sandbox because
43:00
they were just doing a quick test , right
43:02
? And you never can know with infrastructure as code
43:04
. No matter how much you lint it , no matter how
43:06
much you scan it , you don't know
43:09
what it's going to do until it gets
43:11
out there and it starts living
43:13
and breathing and interacting with what's already out
43:16
there . You need something that's watching
43:18
that and able to tell you holy cow , we've
43:20
got a cross account situation and we've got separation
43:22
of duties issues or whatever . So I think that governance
43:25
component is super , super key to
43:27
really really being
43:29
able to tackle this . But make no mistake about it that's
43:32
one thing that we've learned over the years here is that you're trying
43:34
to secure identity in the cloud and IAM . You
43:37
got to focus on taking out all of that unused
43:40
litter and garbage . Get
43:42
rid of it . Make sure that
43:44
you're governing for new unused litter and garbage
43:47
, but then double down on what's out
43:49
there and restricting it to only
43:51
the permissions that it needs , so that you vastly
43:53
reduce that risk landscape . Before
43:56
a credential gets thrown out on GitHub by accident
43:58
, someone tries to use it against you .
44:00
Yeah , I feel like the technical
44:02
side of it is often
44:04
thought about first before
44:07
that governance side of it . Exactly , with
44:09
the cloud , it is so easy to
44:12
run into a situation where you resolve
44:14
it within , let's say , a week
44:16
and then the next week you're
44:18
right back where you were . If you don't have the
44:20
policy side of it set
44:23
up , if you don't have the checks and balances
44:25
already set up before you start
44:27
resolving it , this is going to be something where you're
44:29
always chasing your tail , so to speak , and
44:31
trying to figure
44:33
it out .
44:34
And if you don't have the buy-in of the engineers
44:36
and the developers , guess what's
44:38
going to happen ? You remove all
44:40
this risk today and tomorrow they're going
44:42
to push out a terraform update that's going to put it all
44:45
back . Right , Think about
44:47
that . All this work and
44:49
they just go put it all back . That's something you
44:51
have to think about . You have to account for the
44:53
fact that infrastructure as code is responsible for 80%
44:55
of this mess .
44:57
Yeah , that's a great point . How
44:59
do you make that switch in
45:01
your head ? Because I'm coming at this
45:03
from an engineering perspective . Engineers
45:06
are hands on keyboard . They
45:09
just want to get stuff done , they want to make progress
45:11
, but a lot of the times the engineer
45:13
is the one that's also
45:15
driving the process , because
45:17
when you're in these sort of situations
45:20
, where you're in over your skis
45:22
, you probably don't have a very
45:24
good governance to begin with
45:26
. You probably actually have the engineers
45:28
going through
45:30
and trying to create these policies
45:33
and whatnot .
45:34
Well , yeah , they're the ones that are pushing everything out
45:36
there and have been for years with star permissions
45:38
Because it's easier for them to get
45:40
their code out there , especially on two-week sprints
45:43
. I get it . They're under timelines , so
45:45
they're not thinking about building least
45:47
privilege into the application
45:50
with whatever particular widget they're responsible
45:52
for . I think the key from an
45:54
engineer perspective , is
45:57
you have to
45:59
sell this story to them in a way
46:01
that does not come across as
46:04
impeding their ability to do their job
46:06
. Joe , we're actually
46:08
going to flip the script and
46:11
what we can do is we can enable
46:13
the business we're
46:15
actually enabling you to build more securely
46:17
. So if you fit into the way that they do
46:19
their code Terraform , CloudFormation
46:22
, whatever if you fit into the fact
46:24
that they work out of Jira or
46:26
ServiceNow or ChatOps which
46:29
is something that I'm now learning about , which is evolving
46:31
like crazy , like they're doing all their jobs through
46:33
Slack
46:36
if you fit into the way that they work , then
46:39
I think what we have learned is that
46:41
it does a complete 180 . And
46:43
they actually are much more open
46:45
to considering building in
46:48
the pipeline from a secure perspective , versus
46:50
just pushing it all out there and saying
46:52
, infosec , go fix it .
46:54
Yeah , I think that's something that's still critical
46:56
, that we have to point out and
46:58
deconstruct Is that perception
47:01
that InfoSec is only there to make our
47:03
lives harder , to
47:05
put barriers in the way of me getting the sprint
47:08
done and showing productivity
47:10
and whatnot . There's a lot of the times
47:13
where I'll come into a company and
47:15
I'll see exactly that , where
47:17
it's almost like there's a brick wall in
47:19
between security and the rest of the organization
47:21
and
47:24
, brick by brick , you have to take that thing down
47:26
. And I mean one
47:28
time it took me a year just
47:30
to get one team on my
47:33
side and it was a lot of lunches
47:35
, I paid for a lot of drinks
47:37
, I paid for a lot more
47:39
than I'm willing to admit to my wife , but
47:42
it enabled me to get more done
47:44
in the organization and allow them
47:46
to actually trust me and say , hey
47:49
look , just give me this one little thing
47:51
, I'll show you it's not that bad
47:53
. We're going to teach you how to use it , we're going
47:55
to teach you what to do with it . All
47:58
that sort of stuff you kind of have to take it
48:00
over into a white glove
48:02
treatment sort of thing , where
48:04
they get priority even if to
48:07
your manager they don't get priority , but to
48:09
you they get priority .
48:10
Absolutely . And again , I think
48:13
it's all about integrating into the way that they
48:15
want to work . If you integrate into the way that they want to work , they're
48:17
going to be much , much more open . Oh
48:19
, my goodness , we've got a privilege escalation scenario . We've
48:21
got an SOD violation , whatever it might be
48:23
, but guess what ? We routed that risk to them the
48:26
way that they want it to be notified and they can
48:28
actually go fix it on their own and then they can
48:30
come and automatically it'll self-heal
48:32
on the Sonrai side or whatever tool that you're using it
48:34
, versus them having to go manage yet another tool
48:36
that they're getting nagged about or whatever . You've
48:39
got to start to break down the barrier and I
48:41
think that the more that we start to introduce
48:43
identity security into DevSecOps
48:46
, I think the better things are going to
48:48
be , because you're in lockstep
48:50
, then , with the development team , with the app team , with
48:52
the actual business itself from
48:54
a security perspective , and it's because you're introducing
48:56
security into the development process
48:59
instead of just pushing all that out there
49:01
and then saying , ok , it's
49:03
working . And this is what we see all the
49:05
time . Joe , it's super scary , these amazing
49:07
applications , but it is
49:10
an identity crisis . When
49:12
it gets to be part , it's spaghetti . Everything
49:15
can talk to everything . How do you fix
49:18
that ? Because now the business is relying on this
49:20
application and this
49:22
is the plumbing that you built for it .
49:24
Yeah , absolutely . Well , where do you
49:26
think Cloud IAM is going in
49:28
the next five years ? Right , I
49:31
think back to the beginning of the cloud . No one thought
49:33
about IAM as an attack
49:36
surface , and now it
49:38
is the edge
49:41
of your cloud . It's how you get in . It's
49:44
no longer the network , right , you can lock that
49:46
thing down . But if you have accounts
49:48
that are open to the world , people
49:51
can get in .
49:53
Well , here's the thing . I think that four
49:55
or five years ago , securing IAM
49:57
on a priority scale for most businesses
49:59
was a nice to have . Well , back
50:02
then , that's when we would say identity is the edge , Identity
50:04
is the perimeter . I think
50:06
we're way past that . Identity
50:08
is the new network . Everything
50:10
lives , breathes , functions and communicates
50:12
through the identity fabric . In a cloud-native world there's
50:15
no network landscape . Everything
50:17
the accepts and denies , the
50:19
permits and denies , are in the identity
50:21
fabric , on those JSON policies attached
50:24
to these person and non-person identities , not
50:27
through managing the security and firewall
50:29
rules or next-gen firewalls that
50:31
you're trying to cram into a
50:33
VM . They don't have their place in a cloud-native
50:35
world . They don't right . And I
50:37
think , if you look at the way that the market has evolved
50:39
over the last couple of years , we're
50:41
seeing more and more companies that are starting to put
50:43
identity at the forefront of
50:46
their security strategies . It's not a nice to have , it's
50:48
an absolute requirement . And
50:51
when you do that and then you
50:53
attach the fact that you're focusing your identity
50:56
strategy on what matters the most to the business , meaning
50:58
the crown jewels , not just we're going to secure
51:00
identity , to secure identity and start playing whack-a-mole
51:03
, you start with what
51:05
matters the most to the business who and what
51:07
can access that data container
51:10
, that table , whatever
51:12
it might be . Start there , and
51:15
then you work your way out . So there's a method to the madness
51:17
there . Right , you do that . You
51:20
focus on the hub that's what I call it instead
51:22
of all the spokes , Because right now , so
51:24
many in the market are still focusing the spokes . Focus
51:26
on the hub . When one of those spokes
51:28
gets popped , it's going to be a dead end
51:30
. It's a beautiful story . Folks
51:33
just have to be willing
51:35
to accept and understand
51:37
that identity is the new network and
51:40
it must be secured from the inside
51:42
out .
51:43
Yeah , absolutely . I mean , that's
51:45
the whole thing . That's
51:48
changed completely with
51:50
the cloud . Well
51:52
, jeff , I really appreciate the time
51:54
here . I feel like we could
51:56
keep going with this conversation for sure
51:58
.
52:00
It was very fascinating .
52:01
We went through a lot of different rabbit
52:03
holes and whatnot , but I think
52:05
overall it shows the importance
52:08
of IAM in the cloud for sure .
52:10
Absolute pleasure talking to you . Like you said , we could have
52:12
gone on and on and on and
52:15
, like I said in the beginning , I hope that folks listening
52:17
across the rabbit holes that
52:20
we went down , I hope that they captured nugget
52:22
. Maybe it's about your career , your job , whatever
52:24
your skills , but
52:26
certainly I hope that you picked up a nugget
52:28
or two about really rethinking
52:31
how you are
52:33
securing your cloud as it
52:35
relates to where IAM and identity and
52:37
access and privilege are from a strategy and
52:40
a priority perspective . It's important .
52:42
Definitely . Well , jeff , before I
52:44
let you go , how about you tell my audience where
52:46
they could find you if they wanted to reach out to
52:48
you and where they could find Sonrai Security
52:51
if they wanted to learn more ?
52:53
Absolutely . Jeff Moncrief on LinkedIn
52:55
. Please hit me up , please connect with
52:57
me . I'd love to answer any questions
52:59
that you might have . And then I've
53:01
work for Sonrai Security and sonraisecurity.com
53:04
, and we
53:06
secure some of the world's largest companies
53:08
as it relates to helping them with access
53:10
and privilege in the public cloud . We're definitely a
53:12
thought leader in this space , one of the OGs , if
53:14
you will .
53:16
We were purpose built for this , so we
53:18
would love to talk to you about what we can do for you
53:20
Awesome , and all of the links that he mentioned
53:22
will be in the description of the episode , so
53:24
if you want , go ahead and check them
53:26
all out . All right , thanks everyone .