The Monica Talks Cyber Show

Solving security the cloudy-way

Monica Verma / Anton Chuvakin Season 2 Episode 1

Monica Verma talks with Anton Chuvakin, Head of Solutions Strategy at Google and former Research Director at Gartner. It this episode they talk about some of the security issues with cloud, especially with regards to cloud migration.  Can we trust cloud less to trust more? 

What are some of the key paradoxes when it comes to cloud breaches and how can we increase accountability when it comes to cloud breaches? How do we help organizations and security leaders shift to a cloud security mindset? We talked with Anton about these and more cybersecurity and cloud security issues.

Make sure you subscribe to my youtube channel Monica Talks Cyber and We Talk Cyber in your favorite podcast app. Do it right away so you don’t miss any of these amazing conversations and stories with renowned global experts that are making a different and real impact, every single day. 

If you like to support us, buy us a coffee at https://www.buymeacoffee.com/wetalkcyber :-) 


Looking to become an influential and effective security leader? Don't know where to start or how to go about it? Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career. Subscribe to The 10x Circle newsletter at https://www.monicatalkscyber.com.

Podcast Intro 0:00

Hello folks. Welcome to a brand new season of We Talk Cyber with Monica. Yes, we are back. With a brand new season, brand new topics & amazing conversation on all things cyber. Do you wonder, what does it take to build a personal success story in cybersecurity and make a real impact? What are some of the most important challenges within security and privacy? How can we overcome them? How do they effect our today and probably also our tomorrow? Well, if you want to hear som of the real life stories from renowned global experts within security and privacy, be inspired, take your career even further and make a real difference and impact, then this podcast is the right place for you. In this podcast we talk to renowned global experts who are making a real difference in security and privacy, every single day, talk about their challenges, their learnings, recommendations and an opportunity for growth. So before we hop into the episode, make sure you subscribe to my youtube channel Monica Talks Cyber and We Talk Cyber in your favorite podcast app. Do it right away so you don’t miss any of these amazing conversations and stories. So, let’s hope right into the episode. This is We Talk Cyber with Monica.

Monica Verma  1:21
Hey! So, in today’s episode we will be talking to an industry leader and a cloud expert. We will be talking to Anton Chuvakin, who is the Head of Solutions Strategy at Google and former Research Director at Gartner. We will be talking to Anton about some of the security issues with cloud, especially with regards to cloud migration.  Can we trust cloud less to trust more? 

What is an enterprise’s responsibility with regards to security in cloud? What are some of the key paradoxes when it comes to cloud breaches? And how can we increase accountability when it comes to cloud breaches? How do we help organizations and security leaders shift to a cloud security mindset? So we will be talking with Anton about these and more. So, let’s meet our guest right away. 

Monica Verma  2:06
Hi, Anton, how you doing?

Anton Chuvakin  2:07  
Hello, thanks for inviting me.

Monica Verma  2:09  Lovely to have you on the podcast show today Anton. Would you like to say a few words about yourself to the audience and maybe share one fun fact about yourself? 

Anton Chuvakin  2:18  
Sure, absolutely. Now, you did mention that I work at Google and I ended up with Google through an acquisition, as some of you know. But the funny part is that I was acquired into Google after with Chronicle. But I joined Chronicle from Gartner where I spent eight years analyzing many security technologies and security markets. So it's kind of funny that I was lured away from Gartner into a startup, which had like 100 people. And now I've worked for a company that had 100,000 people. I was actually born in Siberia.

Monica Verma  2:47  
Oh, interesting. So very global background. Fantastic. 

Anton Chuvakin  2:51  
It is indeed, yes.

Monica Verma  2:52  
Let's just start with one of the biggest things that I've seen. So I have with cloud many years now. And one of the things that I've seen between even different cultures and all over the world working with global companies, is that, people when they're migrating to cloud or organizations when they're migrating to the cloud, they either have the mindset, oh, no cloud is not secure. Or they have the mindset, oh, cloud is secure 100%,  by default. Majority of the time, it's either or of the two scenarios. Why do you think is that? And what are your experiences with it?

Anton Chuvakin  3:25  
So this type of mindset I've definitely encountered during my Gartner days, because I've had people who are clearly under the influence, I use this term, of either one or another. Like, I've spent some time pondering this, and of course, other Gartner analysts have, which kind of let me give you some of the opinions I've seen which are useful, and also some of my own thoughts. So Gartner, for example, had a line had like a quote that goes like this, 99% of cloud breaches would be customer's fault. And then there's a longer version of that, and it has a decent fact base behind it. But to me, the reason I'm bringing this up is that this kind of has shed some light on on the paradox you brought up. If you look at cloud infrastructure, how its run, how it's built, it is actually really secure, very secure by many standards against many threats. And so and there are many ways to prove it. So in that sense, if you're checking how cloud is run by cloud providers, you would see, you know, robust world class, best in the world operations. And so if you look at that, you would say, Oh, yeah, it's really secure. It's more secure than many, many, many enterprises is probably more more secure than most enterprises. And then you'd fall into the camp of cloud is secure and forget everything else. However, the other Gartner line goes like this. Cloud is secure but are you using it securely. And this is where the other part of the paradox shows up. And I'm using these two quotes from my former employer, because they kind of help frame the thinking about it. So the idea is that if you approach a particularly build infrastructure, a secure operation secure, you know, everything, but then you deploy your own app that you wrote over morning coffee, and you're not too skilled in writing an app, who is responsible for security of that app? And to me, the answer is pretty obvious. You are, because of the shared responsibility model for security. Now, if you do that, and you're hacked, because you've put up badly written or badly from the security point of view written app in the cloud, it kind of isn't the providers fault, obviously. So the fact that provider's side is secure, doesn't really save you. So to me, the paradox is explained by what I just said by that framing. So Cloud is secure. The infrastructure is secure. The processes secure data centers are secure. But a lot of cloud usage really isn't. And to me, that big battle of the coming years would be to how to change that. How to make cloud usage secure and not just cloud secure. So, the clients or the organizations who say who think cloud is secure, usually look at the infrastructure and how people like Google and obviously the other two cloud providers do things and they say, Wow, that's really solid, better than us, very secure. And people who are thinking, cloud is insecure, cannot be trusted, usually look at breaches at and at mistakes, typically made by the clients, by the organizations who perhaps didn't think of moving to the cloud far enough. So they did things kind of badly, and then things they're insecure. And that becomes a generalization, maybe a long winded answer, but that's what I think.

Monica Verma  6:39  
Right. I mean, and you touched a good point about the shared responsibility model. I mean, that's really the holy grail of really working well with the cloud and ensuring that you have security in place both during migration and after when you're already operating in cloud. People also have struggled to understand the shared responsibility model and what do you recommend to those organizations? I mean, obviously, big the, the CSPs, Microsoft, Amazon, Google, they have come out with their own kind of architecture, infrastructure and documentation around the share responsibility model. Somehow, it's still quite challenging for many organizations, what would you recommend to them?

Anton Chuvakin  7:20  
So there, let me go through three cases, three, kind of three buckets of stuff. So it is one bucket of stuff where the responsibility is firmly with the provider. And generally speaking, you have nothing to worry about example, that simple physical security, we have enough evidence, enough proof enough transparency to show that we run data centers and other cloud providers do too, very securely and accordance across a vast list of threat models. So the parts of the shared responsibility model that are clear in provider hands are kind of okay, they're clear, and they're really not confused, usually. Now, the other side is things that are clearly at the hands of the customer. So for example, you have accounts for your employees, for customers, for whoever, that are stored in an identity management system by a cloud provider. If you don't enable multi factor auth, if you deal with credentials badly, if you share passwords, if you have passwords pasted in public code, you know, bad things happen. But it's also very clearly your responsibility, because this part, dealing with your credentials is on you. So this is kind of like two simple cases. Now for the really tricky case. What about items that are genuinely joint, say, network security. There are network security controls inside the CSP, i.e. at Cloud Security Provider's table, but how you configure firewalls, what rules you put in the firewalls, what what monitor what things you monitor are kind of in the hands of a client. So the joint items are typically where friction happens and where bad things happen. Now, there are two mindset about it. One mindset is just be confused about what's joint or assume that the provider does it or something else disfunctional. But the healthy mindset about the joint item is really working together with a provider like I've given this advice in my Gartner years in respect to MSSPs, managed security services, where you kind of have to jointly the operating stuff with them. And this is the mindset that works for the shared responsibility model, items that are truly in both customer hands and the CSP hands. Well, if the item is in both hands to keep it up, you have to both hold it. Providers generally do their stuff. So, the the idea is that customers should do, but that understanding is often lacking, that they don't get that they are joint items that you have to do jointly. I may be oversimplifying things. But ultimately, that's how you crack the nut on the shared responsibility model.

Monica Verma  9:55  
Right. Because that's the responsibility part, right. And we talked a bit about the breaches that have been happening. And let's, let's talk about that for a bit. Because when a particular breach happens, that's due to a cloud service, there's usually confusion between the accountability of it right. And it could usually, in an oversimplified a way one could say, Okay, if there is a data breach, due to services that you've consumed from a cloud service provider, if the breach happened due to misconfiguration, just a simple example, by the enterprise, then the accountability of the breach lies with them. And say, for example, if the issue or the reason why they are a breach happened was due to some inherent flaw in the framework that the cloud service provider provides, then the accountability lies with the cloud service provider. However, this is, this is a very simplified version of it, right? Because if I as an enterprise, have my customers, right. And I'm obviously using some cloud services from a cloud service provider and let's say a data breach happen, my customers data, got deleted, due to a flaw in the infrastructure or something that lies with the CSP. Ultimately, I'm still accountable for for the breach of the data of my customers. In that case, is it like accountability is both cases or how, how should enterprises understand that?

Anton Chuvakin  11:19  
So this is actually really tricky, and I'm being open admitting that in many areas, in many cases, there wouldn't be a crisp answer to that, because the reason why I'm saying that is because there's a question about what would be reported in the media. If there's a court case of any kind. Again, I'm not a lawyer shouldn't comment on that. But there would be yet another venue for debating this, that would be a contractual stuff. So to me this, like too many dimensions as far as who is really left holding the bag, and what they should do about it. To me, when I'm observing this, these things, to me, this justifies the need for enterprises to push cloud providers for more transparency, more accountability features, so that you can observe what's going on, so that you wouldn't be surprised. One bit that I've been dealing with a lot lately in the area of cloud data security is encryption key management. And we built this piece of tech called external key manager EKM, which allows customer to hold the encryption key in their hands for stuff that happens Google Cloud without ever giving the key to Google. And you may say, why Google's sort of better doing key management. And you're the right, Google is better doing key management. But that's not the point. The point is that for certain workloads, customers insist on keys in their hands, because of this accountability paradox, among other reasons. So if things blow up, and the provider has the keys, you still kind of have this way I'm ultimately accountable, wasn't really my fault. And because there will be a debate of some sort. But if you don't want this, hey, having keys in your hands, have the keys stored on premise in the system you want. And then ultimately, you're accountable, but you're also doing something about it. You're not just you're not just trusting. You're trusting less. To me, this is the part where if you are concerned with a scenario, choose the technologies that allow you to trust less.

Monica Verma  13:27  
Yeah, because this is really a very good example of control versus trust. Because when you go to cloud, there has to be, I mean, it implicitly includes some kind of implicit trust in the cloud service provider. However uneasy that is, or that may be for enterprises, or especially for security folks. And balancing that control versus trust is, is what is really the key here, what you also mentioned here with the possibility to have transparency, the possibility to be able to trust less, which basically builds trust at the end of the day cloud service provider. Because I know that you wrote something about it, and what have been your experiences around it. Are people, are organizations really adopting this trust less model better.

Anton Chuvakin  14:16  
I would say that this mostly applies in scenarios where it matters, or the customer thinks that it matters, because there would be a decent number of cloud use cases where it genuinely doesn't matter. And it's perfectly okay to keep keys with call provider, there's no real need to externalize the keys and reduce trust, you may be processing public data, or you may be processing other things that don't require this treatment. So to me, the model is catching up. But it's also, to me, it's probably not necessarily the model for everybody, for every use case of cloud computing. I mean, we build confidential compute stack, so that you can produce things without Google seeing them. So that's another example of something that will be hugely useful to people. But to me, it won't necessarily be everybody on the planet. Unless things really change around us, which who knows, they may, it's a year of change. One of the other blog posts I've written several months ago, kind of vaguely inspired by this area is what I call the reverse security theater. And you know, Bruce, Schneier's term Security Theater means security that's kind of made you feel good, but doesn't really secure. I've encountered situations where things are secure. But people don't feel good about them. I don't know. There are many, there are actually more examples of that, that people care to admit. For example, modern mobile OS, actually really well done from a security point of view, but there are still people who are kind of afraid of things. And there are many examples in the cloud as well, where things are done very securely. But there are still doubts in people's minds that they're secure. So that's why I said, hey, it's like reverse security theater. Things are secure but people don't believe that.

Monica Verma  16:00  
The point that you make here is very, very important. Because when people, when you talk about risk management within cloud, then definitely there is a very important need to think outside just cyber risk, because there is a lot of different kind of systemic risk, financial risk, geopolitical risk. And that holistic perspective is very important, which is just a perfect segue to my next question, because when you are migrating to cloud, a lot of organizations, more often than not, have not build any kind of cloud migration strategy or have any kind of security strategy, which often or not means that they don't have a security strategy for migrating to cloud? What are your experiences with that and is their a missing holistic approach here that you see, some recommendations that you would give to the organizations?

Anton Chuvakin  16:50  
So this is also a big, big question. And many of many dimensions of question lie way outside of my expertise. So I don't claim to be a cloud migration expert. I've met many at Gartner. And of course, I meet many of them here at Google. To be honest, I'll probably give you more like select, kind of select ideas rather than a structured framework. I don't have a framework in this area, this is not really my primary focus. So what I have observed in recent months, is that there is still a lot of companies that go to the cloud with a lot of on premise thinking in mind, essentially, they treat the cloud as kind of a rented data center space, I would say maybe. So to me, this creates a bit of a fear that people are bringing not only their practices and tools, from data centers to cloud, but they also bring in their mistakes. And so as a result, if there's a quote, unquote, cloud data breach happens to them, what would likely be the problem is something that they had on prem, namely, that they used it on prem, and they copy this to the cloud. But some of the realities of the cloud are different, maybe the threat model is different, which is another point I wanted to make. And so that type of lack of change of thinking, sounds kind of complicated, from on prem to cloud, when you migrate has been probably a decent source of problems. And again, this is just one angle and there are many, many more. And there are many different cloud migration scenarios, there are people who are cloud native, there are people who are kind of in between. I didn't really study all that I've read a lot of papers on this, but I don't claim to be an expert in this.

Monica Verma  18:30  
No, but this is still a very sound thinking and idea to have in the back of your head when at least designing or defining the security part of the cloud migration strategy. Just to maybe ask you or pick your brains on that, because you said a bit about mindset. And you talked a bit about yea, it's not just about moving something from on prem into cloud, that it's not just a lift and shift thing, even if you do it, there are still different threat models. It's completely different kind of technology. The The idea behind and the purpose behind is very different. Do you believe that this whole meme that we have been having for last, I don't know how many years now, cloud is just someone else's computer? Do you believe that's true?

Anton Chuvakin  19:12  
I think that it caused a lot of people to send their thoughts in the wrong direction. So I think that at some conceptual level, like, does it involve computers that belong to somebody else? Well, yeah, it does. But to me, I would probably kind of attack the were just, cloud is "just" somebody else's computer. So my point is, cloud is not just somebody else's computer, even though it involves somebody else's computers. 

Monica Verma  19:42  
Correct. 

Anton Chuvakin  19:43  
And then the reason why I would say that is that if you're used to Linux, and Windows and OS management, and servers and hardware, and you know, getting a screwdriver and putting stuff in the rack, and then administering the servers, and then you're like, thrown into the world of like microservices, containers, serverless, Software as a Service, like lots of buzzwords, whatever the point is that this isn't the same tack. Yes, there is somewhere server in the backend that belongs to somebody else. So to me, there are nuances to that. So on some level cloud is, cloud involves somebody else computers, but is cloud just somebody else's computer. No. And that's what thinking that you usually do making the same mistakes in the cloud. And that's why To me, this is funny. And this is somewhat true. But it's ultimately harmful to a lot of people's initiatives for both migration and security.

Monica Verma  20:44  
And Absolutely, I mean, the reason I ask is because I've been preaching literally the same.

Anton Chuvakin  20:49  
It does send you on the wrong thinking path. It just sends you on the path of like, ah it's all the same. And that's how you assume implicitly that you use the same control, same practice, the same approaches, and then you end up missing the change in reality, and then you end up missing different threat models. One of the fun part that came up in a recent Twitter discussion, connected to this was about somebody saying, if you have a server in your data center, you can make an application security mistake. You can make a system security mistake, but as long as you don't make a network security mistake by missconfiguring the firewall, you may still be okay. So in essence, or you can make a network security mistake and then not make an application security mistake, and you're still okay. Some of the stuff in the cloud is just different. It's a publicly exposed server, you really cannot make a mistake in your identity management because identity is kind of the name as a public identity is or is there accessible from the outside, if it's public cloud, you sometimes cannot make an application security mistake, because you're probably not using the same type of segmented network, same type of firewall layers as using on premise. So in that sense, threat model, threat models change. And you made up in the hot water.

Monica Verma  22:11  
Absolutely. I mean, it requires a change of mindset. And that kind of is not possible if you are thinking that it's just as somebody else's computer. So a lot of the CISOs today, obviously have to take care of ensuring that security is a part of migrating to cloud and ensuring that security while migrating to cloud is a part of their security strategy. What would be the top three recommendations you would give to CISOs regarding security, while migrating to cloud?

Anton Chuvakin  22:42  
So this is another big question to ponder simply because there are so many aspects of this. One, I'll give you one highlight, I again, I don't have a nice structured framework here. But I'll give you one highlight that's connected to what we discussed, I think that investing into the cloud specific skills, is going to be useful for more CISOs, which are not the CISOs of a cloud native organizations. If you're a CISO of a cloud, native org, you already have that you don't need to, it's kind of natural as brief in here, like, there's no real need to do anything. But if you're not, if you're a CISO of a more traditional organization, I would definitely invest more into like learning and skilling up for cloud focused, kind of like cloud focused technologies, like what controls you use in the cloud to achieve the same intent. And whether the threat model changes prescribes that the same intent still valid. So let me kind of rephrase it as more actionable advice. If I'm looking to move to the cloud, I would think are my risks the same, are my threats the same, is the threat model same? So this is one cluster of issues. Am I fighting the same adversaries? And the second is, what is the cloudy way to address the problems I face? Not necessarily what way I had on premise. So to me, cloud threat risk bucket, and kind of the cloud control bucket. These two would kind of ultimately, if you think about them, they would likely lead you in a somewhat useful direction. If you don't, if you just copy controls from on prem or you assume it's secure or something else, then you may end up in hot water. But to me this type of have my risks threats changed? Yes. Okay. noted, which of my controls would work for the changed risk? Okay. Are there controls in the cloud that do it better? Yes, no? Well, if the answer is no, then you bring your controls fine. Or you go by control somewhere else, technology somewhere else. But if you end up with seeing that your change risks are addressed by your changed controls, then you would be well on your way to doing security, the cloudy way. And for doing security the old way that is like in the 1990s. Hopefully I made it clear. I almost rambled a bit but I was rambling a bit but I kind of made this two points clear.

Monica Verma  25:05  
From what I understand. And maybe it also will help summarize and also for the audience is that, having the understanding of the threat, the threat landscape, and the risk profile that the cloud technology brings with itself for your enterprise is what a CISO should be aware of, and kind of have the kind of thinking to be able to build a security strategy for migrating to cloud.

Anton Chuvakin  25:28  
Yeah that works. You got up all the same points. Yes.

Monica Verma  25:31  
Fantastic. So, really fun conversations. Thank you for coming on the podcast show today.

Anton Chuvakin  25:36  
Perfect. Thanks for inviting me. This was fun.

Outro  25:40  
Lovely. So that was today's episode of We Talk Cyber with Monica. I'm your host Monica Verma. Today, you heard Anton talk about cloud challenges, security advice. It was a fantastic episode. I had fun. I hope you had fun as well. I'll be back with more amazing episodes, amazing conversations and fantastic guests. So until then, take care stay safe and continue tuning in.