Episode Transcript
0:53
How's it going, Charlie? It's great to get you on the podcast. You know, I think that we've been planning this for quite a while, but I'm really excited for our conversation today.
1:02
Thank you, it's great to be here.
1:04
Yeah, absolutely. So, you know, I start everyone off with telling their background. You know, how you got into IT, what made you want to get into cybersecurity overall, and the reason why I do that is because there's people that are listening or watching on YouTube, of course, at this point, you know, that might be trying to make that transition for themselves, and I feel like hearing someone's story and maybe it lines up, they can say, oh well, if he did it, I might be able to do this thing too.
You know, I look back on my life earlier on, right, and all I ever needed was to see someone else do it. It's like, oh well, if he could do it, maybe I can do this too. So, so where does that story start for you?
1:55
Well, I think I've been in and out of IT or engineering or technology, you know, in different worlds. But, to be honest, like, going to engineering for me was kind of like the natural thing to do. The fact that I'm today more of like a business and management type person, you know, running a company, is actually, you know, for me the surprising part. Like, I would be, you know, if I needed to guess when I was 16 where I'll be, you know, at 45, I would probably say I'm going to be like an architect, like a, like a, you know, technology architect, software architect or engineer or something like that.
I was super good, like, you know, in math and physics when I was younger. So, like, natural, kind of like, um, I would say, path for people, you know, like me, especially in Israel, where, you know, software engineering is so popular, was, hey, you know, you finish your army service, you go to learn engineering, software engineering, that's just what you do, you know, pretty much. So I went into that and, you know, then I started working for, you know, my first company after school. I was an algorithms engineer. I like, I really like solving problems. You know, for me, being a software engineer and algorithms engineer was just almost like continuing the studies and solving more riddles. It was like a new algorithm is like a riddle for me and now you can make it most effective. I wrote a few patents under my name.
Back in the days I wasn't in security, I was more in algorithms for video compression and multimedia, and then I worked as an engineer for a few years and then I moved to a security startup and kind of like got the hang of security and did some security software development. And then actually, you know, my path went sideways a little bit when I actually went to do my MBA in the University of Pennsylvania in the States and that took me to like another path of, you know, I went into management, consulting and advisory and stuff like that, and actually what brought me back into technology was, you know, being back in the startup scene. You know, opening a startup, first joining a startup and then opening a startup together with my co-founders.
4:21
What made you want to go down the MBA route?
4:26
It was a bit opportunistic, to be honest. I was, like, back in the days I was a team leader in a software company in Israel and a very good friend of mine, we are still good friends until today. Unlike me, he was, like, we were together in, like, doing, like, our engineering degree together, and he knew he was going to go down the business route. So he was planning to go to do an MBA, you know, right after school and he was planning his entire, you know, he's much more planned than I, like his life, much more planned than I. I mean, he knew he was going to go to do an MBA in one of the Ivy Leagues and I didn't even know what Ivy League means back in the days.
And then the reason I went there is that he was there. He was accepted to a school called Wharton, which then I joined him, and he called me one day. You know, we were in touch as a racial. You know, you, you got to apply. You know, you got to apply. I know you. You know, you love studying, you love diversity. You would love, you know, what's going on, what's going on. You would love the level of education that these guys bring to the table. I really, really encourage you to do that.
That's how I kind of like started. I said, okay, I will apply. I wasn't really serious about it, to be honest. I said, you know, I'll apply and see what happens. And then, when you start to apply to these programs, you fall in love with them. As you apply to them, you know, you kind of like start to investigate them more and understand what's going on and see how global and what type of education they're going to give you. So that's how I kind of like fell in love with it and then became more and more invested and finally I went ahead and, you know, and studied there.
6:19
Yeah, I've contemplated myself about getting an MBA, but I'm not sure what I would do with it. You know, and for me, like, to put in that kind of time and effort, you know, into it, right, I want to see results, I want to see ROI on it, and I'm not sure what I would do with that to, you know, create that ROI. But, you know, I, I totally relate when you say, you know, someone else kind of told you to get into it and, you know, it would, you know, expand you in different ways and whatnot.
Um, because I kind of went down that path with the PhD, where I've been exploring it for years, really thinking about it. Every year, it seemed, I would reassess the ROI that I would get from it and things like that, if there was topics that I wanted to look into or anything like that. And finally, you know, this past year I finally pulled the trigger and, and got into it, right? So, and I mean, it's, it's amazing that I, I guess I finally decided to get into it, right? But now it's like, okay, I gotta, I got to do the work, and that's the part that's like really hard, I think, to estimate ahead of time, because you don't, you don't know what you don't know.
And getting a PhD is completely different. You know, you're not in a classroom every single day. You're not having someone telling you, hey, you need to turn in this paper, you need to turn in this assignment or whatever it is. It's literally like, no, there's a body of work that you need to turn in. However long it takes you is how long it takes you. You know, it's like there's no path. You know, also, like, you're figuring out how to do it along the way.
8:16
Exactly. You know, I, you know, to be honest, I contemplated about a PhD myself so many times, you know, even before I did the MBA and after I did the MBA, just because I love studying so much. But the PhD is like, you know, it's, you need like extreme self-motivation, you know, in order to make it happen and to do it well, because life happens to you as you do it. You know, before we started recording, we talked a little bit about kids and family, and then you have your work. So finding the time and the balance to actually do it, I really respect the fact that you're up to it and, yeah, it really, really, really requires a strong self-motivation.
9:02
Yeah, you know, I approached it from two different angles, right? So, you know, I'm someone that comes from very little, right? Like, my family wasn't well off or anything like that. I was the first in my family to go to college, um, you know, all, all that sort of thing, right? So when I look at my daughter and I say to myself, well, I want to set a good example for her of what's possible, of, you know, setting that bar as high as possible, I would say, set it as high as possible, and if they aim for the bar, right, they'll land, even if they don't, you know, meet it, right, they'll land somewhere that is a good place, you know. Yeah, um, and just showing, you know, her and my future kids, you know, what that looks like, what's, what's possible, right? Um, and same thing for my wife. Like, my wife is finishing up her second master's degree, so it's, it's, it's definitely like a part of us and who we are and everything.
But then I also took it another step, right, because I'm always looking for trends in cybersecurity. You know, what's coming five or 10 years down the road that maybe I should prepare for right now. And I did that with cloud security. You know, obviously I didn't see the very beginning of cloud security because I was, I was getting my bachelor's at the time, I wasn't paying attention to it or anything like that, but it wasn't, it was nowhere near as big as what it is today, you know. But I figured that there was a lot of potential to go that route, because VMware was so big at the time and this basically replaced it, and so I started going down the cloud security path and here I am now, in a larger security area.
And so when I was looking at my PhD, I took that same approach and started to dive into satellite security. You know, how to actually secure satellites in space? How to, you know, protect them against incoming attacks? How do you relay, you know, communications to them? How would they be able to interact with communication systems, all that sort of thing. Uh, and so now, you know, I'm really pushing myself to, to, I mean, I, I, I have a hard time saying be an expert, but I guess the PhD kind of gives you that without, you know, anything else, but to really dive into this thing and learn it, because there's so much that I don't know.
11:32
Yeah, you know, just investing the time, yeah, you know, to, to learn a topic, and, you know, eventually you just know more about it than other people because you just spent more time with it. Right, it's just, you know, the mathematics of time.
12:00
Are there, you know, looking back now that you're, you know, in charge of this company, right? Were there any key skills, maybe two or three key skills that you got from the MBA that really influence how you operate today?
12:12
Wow, I think. So. You know, I was a very, very, you know, analytical person. You know, I was an engineer, math, you know, everything for me was like, you know, I don't want to exaggerate by saying everything for me was black and white, but you know what I mean. I was a numbers type person, and the, the soft skills that you learn in, in an MBA and, and the variety of people that you meet, I think, are the key, you know, benefit that I got from it.
Um, also, you know, specifically for myself, it's not just about the MBA, it's about also, you know, moving to another country with your family. So just, you know, just the mere experience of, you know, moving to the United States, experiencing the culture, experiencing, you know, the values and the work ethics and how, you know, processes are done in a different country, you know, gives me, gives you a lot of perspective and a lot of, you know, new skills that you acquire.
And then, and then, quite frankly, frankly, you know, my first job, you know, after the MBA, was in the Boston Consulting Group, which for me was really an extension of the MBA. You continue learning and, you know, that companies, you know, I don't want to promote them or anything, but they are so good at building your capabilities. You know, giving you frameworks to analyze situations and, you know, structure your presentations and, and communicate your thoughts and understand complex situations, which I think, you know, gave, gave me a lot of value into what I'm doing today.
14:03
Yeah, it must be very beneficial to come from that engineering background, that engineering mindset, and go into a business, because you can break apart problems and issues in different ways than what you would be able to without it. You know, at least in my opinion, um, because I'm just thinking, you know, my day job, right? I'm principal cloud security engineer, right? So I'm breaking apart problems all day long, um, and finding, you know, inconsistencies and, you know, directing people towards the, the, a new or a better solution, right?
That sounds a lot like what running a company is. You're encountering with problems constantly and you have to filter out the ones that you want to pay attention to, the ones that will make or break your company. Right, those are the ones that get your time. But then you also have this back burner in your brain of like, oh yeah, I also need to adjust these other 10 or 15 things. Being able to do that and manage that is, I mean, obviously it's extremely important for a company, but it's always interesting to hear how people get that experience, because everyone gets it differently, I feel.
15:29
Yeah, I think, you know, problem solving is probably one of the key skills that any manager and leader needs to have. And as long as you're not, you know, as long as you have some soft skills to go along with it, because there are some great problem solvers that are, that have zero, you know, soft skills or, you know, emotional intelligence, and that's a big problem. But once you have that combination, I think that's where, you know, you get to be very successful.
And, you know, even in my life, you know, as I said, you know, for example, when I was in a consulting company, right, you see that the engineers that come into that company, they become the best consultants because they have that mindset and the recruiting process basically filters out the fact that they will have, you know, some emotional intelligence and capabilities, so it makes them really, really good consultants. I have to say that another type of persona, there aren't many of those because they usually stay, they become doctors, but we had some people who came from medicine school and that's also, you know, a very good indicator, and if you think about it, like, doctors are really engineers of the body, right? Like, they need to evaluate situations and see signals and come up with solutions. So they also are very good, you know, in problem solving in general.
17:01
Yeah, that is really fascinating. You know, when people ask me how to get promoted, you're already an engineer. You're already a really smart, intelligent area. How do you get promoted to management or architecture? I always start with the soft skills, because the soft skills is really what separates you from everyone else, right, because everyone is used to that engineer, that tech guy that's, you know, a little socially awkward, isn't really used to talking to other people. Everyone is used to that, right? So if you break that mold, you're immediately going to stand out. Even if you're breaking the mold in a controversial way or maybe a poor way, right, in the beginning, you're still going to stand out, and hopefully you're standing out to the right people in the right frame of view or frame of mind, right?
But soft skills are extremely important, especially today where, you know, so many of us are remote. You know, the soft skills really pay dividends when, you know, you're on a video call and you have to get across a point and make sure that people are understanding and break it down into a way that suits your audience. That's probably actually the biggest thing that I see a lot of people mess up on, is not adjusting what you're saying to the audience that is in the call. You have to be able to maybe go just an inch below the surface, right? Like, hey, here's all this stuff. None of it makes sense to you. That's okay, because this is what it's really doing. Give them that good overview so that they could take that slide and put their own words on it and present it to their management, right? You have to think about it like that, and making that switch over in your mind is typically a really difficult thing to do, I have found, at least.
19:09
Yeah, I completely agree. You know, the ability to simplify, you know, technology, simplify solutions, even simplify problems, is something which is super critical. One of the biggest mistake we are doing, everyone is doing, I do it as well, right, in communications is that we assume that the other side is the same as us. It's just easier to assume that. You assume they have your knowledge, they assume they have your kind of like history, and it's really, really hard to put yourself in the other side and in the shoe of the other person, as they say, and then we assume different things and the communication breaks and the value is not communicated, and I think that's the biggest mistake.
Marketers do that mistake all the time. One of the first thing you need to understand as a marketer is that you don't market yourself. Need to understand, you know, the other side. Um, yeah, I think that's, it is so natural, uh, to assume that, and, and, and it's so easy to forget that. You need to really think about who am I going to speak with, you know, what's their objectives, you know, what's their background, what do they want, what they want to get out of the conversation, you know, what they need to do. Yeah, it is just very hard to do. It's not hard to do, it's easy to do if you think about it, but it's very hard to focus on it and really, you know, actually do it. Everybody will say, do it, right, but to actually do it in real time in a conversation, it's not easy.
20:53
Right, so let's dive into a little bit about your company. So what is the company that you're in charge of right now and what's the problem that you're trying to solve with this company, with your solution?
21:10
Yeah, so my company, the company name is Armo and we are a dedicated Kubernetes security company. Kubernetes has grown to be pretty much, you know, the de facto standard for, you know, infrastructure for cloud workloads. And if we think about application protection platforms, you know, if you think about what Gartner calls ASPM today, application security posture management, or if you think about CNAP, cloud network application protection platform, there are a lot of, you know, initials and a lot of different kind of like words to say one key thing, which is you need to protect an application running in the cloud and you need to protect the cloud from the application running in the cloud. And those applications will 90% be running on Kubernetes.
And that's why we believe that getting intimate with Kubernetes, with the configurations of Kubernetes, the configurations of the workloads in Kubernetes, getting all of the context of what's happening in runtime, is crucial to securing workloads running in Kubernetes. And the main reason is that when you start to secure, you know, cloud and Kubernetes native environments, there is a, you know, I remember I talked about it about a year ago, Kubernetes as itself, yes, it is super complicated and, you know, enormous and exponential number of, you know, misconfigurations that can happen. But the main reason for the complexity of things running in Kubernetes is not Kubernetes itself, it's the architecture that it is enabling. So once microservice-based architecture is possible, just the number of software artifacts that are running in your cluster or in your cloud is growing so exponentially, so vulnerabilities are growing exponentially, the attack surface is growing exponentially, the number of alerts is growing exponentially. So you have so much mess going on that you need a more adaptable security solution.
And what we are trying to do in Armo is using that Kubernetes context, that workload context, that runtime context, to adjust the security based on what's happening in your environment. So we will apply stronger hardening capabilities in places where the risk is higher and we will apply more detailed, you know, runtime security. We will tighten the security in places where we find the risk, based on the context of Kubernetes, being higher. And I think just the fact that, you know, we secure all the same and all workloads are born equally, it's no longer the case. You need to prioritize, because if you don't, you just spread the thing.
24:13
Yeah, that is a really good point. What you said is that Kubernetes is basically everywhere now. When I started to get into the cloud, it was kind of a niche area. Not very many people dove into it, not very many people understood it, but it's becoming almost like its own domain within cloud security.
I was at a company where they were actively mig-, you know, migrating their infrastructure in AWS to Kubernetes instances, and, you know, it was really challenging because our, I mean, I call it legacy but they're still top of the line, our legacy EDR, yeah, you know, of course they offer a solution to protect your containers and whatnot, but when you put that agent on there, it's so heavyweight and it's not coded properly, you know, to be running on such a lightweight infrastructure that you end up spending two to three times more than what you actually would have been spending. And that's a huge thing because Kubernetes is so, I guess, nimble, so easy to deploy. You could spin up, you know, like if the cloud is easy to spin up resources, Kubernetes is like a factor of 10, right, of how quickly you can actually spin up resources and start eating up a budget, and so if you extrapolate on it, you know, you're spending a significant amount of money eating up resources that you really probably shouldn't be.
So I always found that interesting, you know. Can we talk a little bit about the challenges of building a security platform on Kubernetes or for containers?
26:13
Yeah, well, I think you mentioned one of the most critical aspects of it, which is scale and resource consumption. You know, when, when you take like legacy, I'll call it legacy even though, as you said, it's top notch. But if you take legacy type, you know, solutions and agents and deploy them, you know, in Kubernetes, and then, you know, new pods spin up, new nodes may spin up, you know, and you grow, you know, horizontally, vertically, you know, in many different ways. First of all, the resource consumption and the cost for the customer is getting super, super high, and that's why I think the first challenge that we have faced in building a Kubernetes solution is, okay, let's build it from the ground up for Kubernetes.
Let's make sure, when, for example, a pod is duplicating itself, you don't duplicate your memory footprint or your CPU and you're staying relatively lean. Let's use Kubernetes native capabilities in order to do security. If Kubernetes provides network policy, you don't need another agent to now run all of the network policy. You don't need another sidecar and another sidecar. You know, sidecars, I've seen companies that have, like, I don't know, six or 10 different sidecars on every pod. You know, you spin up a pod, 10 other pods come up together.
So being very mindful that you're running, like, it's, you know, on one hand, it's a limiting factor, the fact that you're running on Kubernetes. You need to be as native as possible. On the other side, it gives you a lot of capabilities and a lot of native capabilities that, if you know to use them correctly, makes you much more efficient. Right.
28:28
Hmm, yeah, how is that, you know, how is that learning gap with Kubernetes, how time and money and resources in Kubernetes? You know, they're probably not going to know it as well as you or some of the experts at your company, what it should actually be, you know, doing, how it should actually be designed, things like that, because, you know, that's probably an important part of what you do, I would think, right, because you're, you don't want to them. Why, you know, this is valuable over something else, why it works this way, right, why you wouldn't go with that top of the line EDR solution that everyone has in their infrastructure, why you wouldn't go with that module and why you would be going with something, you know, built. Have you run into situations like that where you guys are the experts, so to speak, in the room and you kind of have to educate your customers?
29:45
Yes, and I have to say, over the last two years, what we need to teach or work with our customers on have changed, you know, dramatically. And, you know, you're always, or at least you should be always, ahead of your customers in terms of your knowledge and what you're seeing, because you just see more in the market in that specific field. So if you think about, you know, three years ago, or even four years ago, when we speak with customers about Kubernetes, I always, one of the biggest things that we always deal with is the fact that Kubernetes has a joint ownership. Kubernetes security has a joint ownership between a security team and a DevOps team or platform team or SRE team. You know, the term itself is always changing, but if you think about three or four years ago, we would speak with the security teams about Kubernetes security and honestly, they would be clueless, right? They would say, we don't know. You know, we know we have Kubernetes, the DevOps team is running it, we give them some guidance and we scan images, but they don't really know what's going on in there. So that was the place back then. It's just getting ownership.
Today we are in a place where our thought leadership is much more around how do security and DevOps team work together to secure Kubernetes. We see more and more DevSecOps roles in the company. We see security engineers who know Kubernetes, but they will never know it as well as the DevOps. So one of the key things we need to help our customers is to mitigate between a security requirement, which is a very security-oriented thing, and then the remediation of that within Kubernetes, which is a very DevOps thing, and we actually invest a lot of time into creating features that will, you know, cater to that specific gap filling.
So, for example, you know, just a nuance. You know, if our system gives an alert to the security team about a misconfiguration that might be problematic in the environment security-wise, we also issue the remediation advice to the DevOps team to apply, and we built it based off the Kubernetes context and the runtime context in a way that it will not break the application. So, you know, we are always, you know, I would say the main thing our platform needs to do is to continuously shrink the attack surface, but in a way that the DevOps feel confident to use, right, that doesn't break applications, and I think that's the, first of all, I believe it's one of our key differentiators, but it's also, I think, one of the biggest bridges that you need to build between security and DevOps.
32:51
Yeah , that relationship is
32:53
so critical . It's
32:56
becoming more and more important to
32:59
really build that relationship between security
33:02
and the developers and operations
33:05
, because these
33:07
organizations , these environments , are getting so
33:10
large that it's no longer under you
33:12
know , one team or one manager , right
33:14
, like there's several different pieces
33:16
at play , and that kind of ties
33:19
into what we were talking about before being
33:21
that engineer being able to , you
33:23
know , break things down , have the soft skills
33:25
to be able to talk to , you know
33:27
anyone in the room and ensure
33:29
that they understand . You
33:31
know , one of the I
33:34
guess maybe one of the biggest challenges that
33:37
I have faced , even in
33:39
recent years , is being
33:41
that security expert . When
33:44
we're talking about Kubernetes , right
33:46
, without really knowing
33:48
Kubernetes and trying
33:50
to get across you know security standards
33:52
to developers and saying
33:54
, how do we achieve it ? Because
33:57
, from an engineering
33:59
perspective , I put on my engineering
34:01
hat it's like , okay , well , let's learn
34:03
Kubernetes . How hard could it possibly be
34:05
? How long could it possibly take me ? Maybe
34:08
a month or two . And then you
34:10
start getting into it and
34:13
two months in , you feel like you know nothing and
34:15
it's like , okay , I seem to be starting
34:17
completely over in this area
34:20
. So I need to lean more on the
34:22
knowledge of other people that have been working
34:24
with it every single day . Yeah
34:26
, and try to make these
34:28
security I guess requirements
34:30
you know make sense to them
34:32
, and try and reword it so that it
34:35
makes sense to them , so that they could translate
34:37
it into Kubernetes and
34:39
say , oh , there's this whole , this
34:41
whole other you know management plane
34:44
, right , that we haven't thought about before
34:46
. But that does the thing that
34:48
you're thinking of right , it's
34:50
a , it's a balance . It's interesting
34:53
how that conversation just tied together
34:55
with what we were talking about before
34:57
with soft skills yeah , completely
35:00
, and it's , you know
35:02
it's always .
35:03
It's almost like um , um
35:06
, you know there's this movie , you know men's
35:08
out , men are from somewhere and then women are
35:10
from marcelina . So it it's simple . Security and
35:12
DevOps and if I need to kind of like
35:14
pinpoint it , you know security many times
35:17
. You know they speak a language
35:19
of risk . Right , they speak
35:21
a language of you
35:24
know posture , which
35:26
is a language that the
35:28
engineers , the DevOps , they don't
35:30
speak that language . They don't talk in
35:32
terms of risk . They talk in
35:34
terms of you know configurations . They
35:36
talk in terms of you
35:39
know engineering
35:42
, right , they talk about configuration
35:45
. They talk about you
35:47
know software packages . They talk
35:49
about network IPs . That's
35:52
their language .
35:54
And what we see today is that
35:56
security , they
36:01
need to know Kubernetes well enough to kind of like translate
36:03
some of the risk requirement and the
36:05
risk terminology into
36:07
technical terms . But
36:10
also the developers on their side , they
36:12
need to learn the risk implications of
36:15
different things and they need to start thinking about risk as
36:17
well . I think that's what
36:19
every platform that gives security for
36:21
Kubernetes will
36:24
need to manage . Basically .
36:29
Yeah , and even recently , the past
36:31
couple of roles that I've had , it's been
36:33
acting as that security
36:36
bridge to the rest of to translate
36:38
, you know , these
36:54
security components into something that
36:56
they understand so that we can , you
36:58
know , make progress . It has
37:00
been , I mean , it's interesting , it's
37:02
probably the evolution of an engineer , so
37:04
to speak . Right Is , you know , you go from
37:07
being hands-on keyboard I'm going to write this
37:09
code and fix this problem and
37:11
you know , we're going to go through it like that , to being
37:13
, you know , the subject matter
37:15
expert in an area and
37:18
then translating it to other
37:20
, to other departments , right For
37:22
them to actually do that work . And it's
37:25
, uh , that that transition , I guess , has
37:27
been slightly difficult for me
37:30
to to , I guess , stomach
37:32
, right , because I I still , I
37:35
still want to get in there and I'm still kind of paranoid
37:37
because I'm not in the weeds
37:39
like I used to be , so to speak .
37:41
It's not like man , is someone gonna like think
37:43
I'm , you know , useless and lay
37:45
me off because I'm not in the weeds
37:47
like you know what I mean , like it's that yeah
37:50
it's that mental shift , you know yeah
37:53
, you know , um , you know , I
37:55
have to say you know , another time
37:57
in in my life at least , that I've went
37:59
through you know , uh , this type
38:01
of like dissonance that you're mentioning is
38:04
, for example , just when you , you know , when you
38:06
move from being a developer to
38:08
a team leader right , yes
38:11
, you , you know you just
38:13
lose the capability or the capacity
38:16
to know every function that every developer
38:18
writes and you need to feel comfortable with
38:20
giving guidance and being
38:23
more
38:25
of the architectural oversight . You're
38:27
the security architectural oversight , right
38:29
, and I completely
38:32
get it . We're all in some ways
38:34
maybe not all of us , but maybe you and I are
38:36
control freaks , right , we want to know
38:39
that exactly what's going on , and
38:41
it's hard , but it goes
38:44
again . It goes to what we
38:46
talked about before and I think you said it right
38:48
. It goes to the soft skills into collaboration
38:50
and working together , communicating
38:53
well , in order to feel comfortable
38:55
with this new situation .
39:00
Yeah , absolutely so
39:02
you know , if
39:05
you look , you know five , ten years
39:07
out , right In technology . That's extremely
39:10
difficult to do to look ten years out . It's
39:12
probably really difficult to look five years out
39:14
. Where
39:17
do you think cloud infrastructure
39:19
as a whole is going
39:21
? Because we have Kubernetes
39:23
, but I wonder what
39:25
that next iteration of Kubernetes
39:28
is . Is it serverless , do you think
39:30
?
39:33
Well , there
39:36
are already some . You know , there's
39:38
Fargate or the I don't
39:41
know Autopilot
39:44
from Google which are kind of like they're running containers , but they are
39:46
serverless . I think that's . The
39:49
problem today is that it is very
39:51
, very costly to go . But
39:53
also , you know , Kubernetes makes
39:55
it so much easier to manage the
39:58
server themselves . Then it
40:00
makes me think about okay , so
40:02
if servers are so easy to manage
40:05
, why go serverless ? You
40:09
know I try not to make
40:11
predictions because
40:13
everybody that ever made
40:15
predictions probably was wrong . But
40:18
one of the things that I'm
40:20
seeing is that I
40:23
think the cloud as a cloud service
40:25
is going to proliferate . So we have Amazon
40:27
, then we have Google , now we have Azure , we have
40:29
IBM . I see companies
40:32
starting to do their own cloud . So what I
40:34
suspect might happen is
40:36
that the cloud technologies will
40:39
just be . You know , in so
40:41
many many places where you
40:43
could utilize cloud type technologies
40:46
, companies are already doing that . You know Kubernetes
40:48
is running on premise and companies
40:50
are doing like cloud native , but it's on bare
40:53
metal in their own environments . It
40:55
costs them less than going to Amazon if they're
40:57
big enough . So I
40:59
actually think , you know , I
41:05
don't think the big change going
41:07
forward will be in you
41:09
know what servers we are using
41:11
, or the architecture of the server , or
41:13
Kubernetes . I think it's going to
41:15
be about the type of services that
41:18
you can get from the cloud provider
41:20
. I think cloud providers will win and lose based
41:23
on the ease of their AI
41:26
models that they provide via APIs and
41:28
the database
41:31
services and how quick those are
41:33
. I think that's where the next
41:35
battlefield is in .
41:39
That's really fascinating , you
41:41
know what you're describing really eliminates
41:44
a lot of the security misconfiguration
41:47
that goes on in
41:49
the cloud . In
41:57
the cloud , you know , recently , right , I ran a report in the environment and saw a bunch
41:59
of public S3 buckets and
42:01
you know I'm sitting here like
42:03
this is , you know , literally
42:06
you know , third or fourth time
42:08
that I've had to go over this with . You
42:10
know all of my developer teams probably about 150
42:13
different people and
42:15
you know I'm trying to figure out
42:17
how to like finally solve
42:19
this problem so that you know we wouldn't
42:22
still encounter it , because my
42:24
environment is a little bit unique . We have limitations
42:26
around what we can
42:29
implement from a security perspective
42:31
, which makes which
42:34
makes these findings a little bit more difficult . But
42:38
that that's really interesting
42:40
because you know what you're talking about is
42:42
kind of an overarching control
42:45
plane that is running
42:47
on the cloud and you just tell that
42:49
service , you know what you want to be
42:51
using , what
42:53
you want to do , what you want to accomplish , and they figure
42:55
out the most efficient way to get
42:57
it done for you and
43:00
really leverage their own internal
43:02
skill sets to do that within
43:04
whatever cloud provider makes the most sense
43:06
. It's
43:08
really interesting . I haven't thought
43:10
about it like that before . Are you seeing
43:13
that anywhere in the market right now ?
43:16
No , to be honest , like what we see
43:18
, we do see . You know multi-cloud environments
43:20
and then everybody
43:22
is using multi-cloud . They started to think about
43:24
, you know , for example , security
43:26
wise . You know , do we have like cross ? You
43:29
know cross-cloud communication and what's going
43:31
on there and
43:34
can one attacker move from one environment
43:36
to another ? So we see a lot of
43:38
that . Also , you know I'm
43:40
very much in the security domain , so
43:43
I'm mostly seeing , you know , the concerns
43:45
of security in these domains and less about
43:47
the control plane , the applicative control
43:49
plane . So it's hard to me
43:51
, but I can say that we see more and more
43:53
. You
43:57
know every big company is now having a multi-cloud
43:59
environment and an on-premise environment
44:01
as well , and all of that needs to be managed
44:03
.
44:06
Yeah , it's a really good point . It'll be
44:08
interesting to see where the space goes
44:10
, you know , in the near future
44:12
, and I wonder if satellites will play
44:15
a role in it . But you
44:18
know , Shauli , I really appreciate
44:20
you coming on the podcast . I really
44:23
enjoyed our conversation .
44:25
Me too . I really enjoyed it . Thank you for having
44:27
me . It was a pleasure .
44:29
Yeah , absolutely . Well , you know , before I
44:31
let you go , how about you tell my audience where
44:33
they could find you if they wanted to reach out
44:35
, where they could find your company if they want
44:37
to learn more ?
44:39
Yeah , so me , you know . Just Google
44:41
Shauli Rosen S-H-A-U-L-I-R-O-Z-N
44:45
. On LinkedIn I
44:48
think I'm the only one , or at least I'm
44:50
one of the ones that will surely
44:52
pop up . My company , ARMO ,
44:54
armosec.io , and
44:57
also as important as my
44:59
company is our open source project , which
45:01
we almost didn't get a chance
45:03
to talk about at all , which is called Kubescape
45:06
, which is today one of the most prominent
45:08
open source projects for Kubernetes
45:11
security out there . It's an official Linux Foundation
45:13
CNCF project . Hundreds of
45:15
thousands of users , super successful
45:18
and anyone who
45:20
will contribute or use that . It's
45:22
also a win for me and I really
45:24
, really encourage you to try
45:26
it out .
45:28
Yeah , absolutely . We'll have
45:30
to have you back on to talk more
45:32
about that project .
45:34
Yeah , we can do like 60 minutes on the
45:36
open source itself and
45:38
we talked about how did they get into security
45:41
and how did they get to funding the company , how
45:44
did they get into open source , and the open
45:46
source journey as a whole is a
45:48
fascinating journey on its own .
45:52
Yeah , absolutely , we'll
45:54
figure that out and make that happen .
45:56
Yeah .
45:57
So thanks everyone . I hope you enjoyed
45:59
this episode .