Paul Hadjy (Paul)
Hi, everyone. Welcome to another episode of Ask A CISO podcast powered by HorangiHorangi. Every month you get insider tips and insights on the newest trends in cybersecurity from top CISOs to help you improve your domain knowledge and get better at your job.
My name is Paul Hadjy and I'm the CEO and co-founder of Horangi, and with me today we have Lucas Kauffman, who is a AWS security consultant. How’s it going, Lucas?
Lucas Kauffman (Lucas)
All good, Paul. Happy to be here.
Paul
Great! Great to have you.
So just a quick introduction to Lucas: Lucas is a security consultant with Amazon Web Services here in Singapore. And prior to that, he spent almost nine years with EY, Ernst and Young, where he started as a junior IT security consultant in Belgium and moved to Singapore in the beginning of 2016 as a senior consultant where he specializes in DevSecOpsDevSecOps, cloud security, and red teamingred teaming. He joined Amazon Web Services in May this year after leaving EY. Lucas graduated from Royal Holloway, University of London, with the Masters of Science in Information Security, and has a very impressive list of certifications under his belt, including being a CREST-accreditedCREST-accredited penetration tester and security analyst. And besides his numerous certifications and extensive experience in cloud security, Lucas is a published author of several articles on security publications, and also quite a linguist. He speaks four languages fluently: Dutch, English, French, and German.
I speak only one of those, sadly, but it's super exciting to have you here today and I’m glad to kind of get the conversation going. Yeah, maybe just to start off, maybe you just tell us a little bit more about yourself outside of your bio I just read out.
Lucas
So like what you mentioned, I used to be doing DevSecOps and cloud security at EY, and then recently moved to AWS. So I guess now I'm a bit more focused on helping customers migrate, especially like security teams and CISOs answer some of the more and more common questions about what are the security implications of moving to the cloud? What do we need to think about when we start moving our first workloads? And that's something that I really like to do because I really feel that that's something that is bringing impact to our customers at AWS.
Paul
Yeah, that's awesome. And as a big AWS user, and partner ourselves, I really appreciate having you on board to help out with those because definitely can be challenging, especially customers who are adopting the cloud for the first time. And in line with that, what are some common trends that you've observed in the course of your six months, seven months now at AWS?
Lucas
I think that we see much more adoption in some of the emerging markets, especially Vietnam, there seems to be a lot more traction there, especially customers in the financial services industry that are now moving to AWS. I think people were a bit more risk-averse in the past. But like, I think that it's now getting a lot more traction, people are getting more comfortable with moving some of their more sensitive workloads onto the cloud. So yeah, I think that that's one of the main trends. We also see that there's a need for more guidance. So I think that there's also guys like you helping our customers as well, with knowledgeable consultants and tools in order to help customers get that trust, or at least some confidence when they move to the cloud that they have all their security controls in place.
Paul
Yeah, definitely. In a way, that's why we built WardenWarden in such a way that it kind of focuses on helping educate people as they move then, of course, addressing security concerns there. What are some kind of interesting war stories or observations that you've seen in the past seven months that you think might be interesting for the listeners?
Lucas
I think that one of the more recent ones where we helped out was for a customer in the automotive industry. They had a near-miss in terms of getting a breach. And they started realizing that they were struggling with basics like incident response and forensics. So we recently helped them automate a lot of their forensics so meaning that we have a one-click button that allows you to fully isolate an EC2 instance and then automatically dumps the memory, snapshots, disks, and then basically sets up a forensics environment for like an analyst to go into reviews. And then in addition to that, of course, also looking how can we make some of the detective controls more resilient so that we can reduce the time to detection to the time of response. I think that was one of my more interesting projects that I've worked on so far within AWS, but I guess that there's going to be a lot more to come.
Paul
Yeah, definitely. I think, you know, a lot of people adopting the Cloud and, you know, like, as you know, they are your security, like, as more people kind of adopt, it's going to be one of the more important things that happen. And just like in traditional infrastructure, of course, there'll be issues. That's good to have you guys to help out in those cases.
You've been in South-East Asia for quite a while. What are some observations you had around this region? And where do you think the market is kind of headed?
Lucas
I think there was this trend where people outsource quite a lot, and now they are insourcing a lot more in terms of talent, which was a bit more present in Europe, I guess. I think that that's definitely something that's required. Like, because a lot of customers, I mean, sometimes like, when you outsource a lot, sometimes there's a bit of control. And because the cloud is so different, they're more dependent on third parties to decide on what good looks like, for instance. So I think that some of the trends that I saw were that there's more insourcing.
There's more push now also for grooming talent. And that's not just in security, but in general in the technology space. That's happening. And from a security perspective, I felt that Asia lagged a bit behind Europe when it came to investments in not just people but also technologies to monitor. It's a bit more of a price-sensitive market. I kind of see now that it is becoming less and less a question on pricing. And it's starting to move for some companies at least more into what is like the actual capability. And I think that's more driven also especially when you're talking about cloud, and when companies are moving, like some of their more critical workloads, and these are like revenue-generating workloads. So I think that they are becoming more aware that they need to invest in good talent, in good tools to basically smooth out that path when they're moving out workloads, or when they're trying to achieve some of those business objectives that cloud basically enables them.
Paul
Yeah, definitely agree in and the talent piece, I think, is, you know, one of the biggest problems we're gonna face over the next five to 10 years in this region specifically, I think, ISC2 puts out this infographic every year of like, the shortage of cybersecurity subject matter experts every year, and Asia is just always, like, four or five times worse than the rest of the world in terms of expertise in certified individuals. So yeah, I mean, doing our part to catch up. But I think we’ve got a little ways to go to get there. So agreed that that's, you know, kind of one of the bigger issues that we face. And, you know, good to see that companies are investing in it, because that's really, I think, what's going to help decrease that demand amongst the more jobs being created in the space, absolutely more expertise that will be built-in.
Obviously, lots of sort of buzzwords in the cloud security cyber security space recently, like AI, Zero Trust. Shift Left? What do you think is kind of like the thing that we're going to hear about most stuff in the next couple of years? And why?
Lucas
The one that I think that's going to be important is Zero Trust. Just because I think it's the, it's not something that is brand new. It's something that people know how to do. I think that it was very difficult in the past when you're running an on-premise environment implemented properly because you're very constrained to how your physical networks work and your appliances behind it.
But I think like if you're looking at environments where you have more software-defined networks, and tighter coupling, or easier coupling with certain services that allow you to automate workflows, I think that that's going to really enable zero-trust because it's just going to be easier to implement. In terms of the thing that I see coming where I think that we don't have a lot of visibility, but I think that was going to be a huge impact is probably security and AI. So security for machine learning models — it's something that we have been talking to customers about and thinking about how we can help customers there because it's a very nascent area for the area itself. So the AI, machine learning models, it's something new. It's also something where it's hard to find people that are very good at it.
Then at the same time, the security like, how do you go about? So like one of the customers that I was working with, they're very concerned that because they use their machine learning models for safety, so it's the physical safety? So they were very concerned about how could people actually, for instance, manipulate those models or the algorithms that are working on? So those are things that I realized that there's not a lot of research that's been done yet? So I think in the next few years, I think that there's going to be a lot of innovation there, and how to protect yourself?
Paul
Yeah, definitely I feel that that term kind of coming up more and more as well. But yeah, I agree. I think it's important, especially with like, you know, almost everything in our case being migrated to like APIs and sort of like how we use them in the development process, like, yeah, it's gonna be a hard problem. And I think lots of interesting companies will be built in API security space, to following basically the zero-trust policy. Right. I think it's one of the more difficult pieces of security as we kind of move into this more developer-driven concept, and have known a couple of companies that are being built currently and stop this problem. Curious to see how it turns out?
Yeah, attacks are becoming more sophisticated. A lot of companies are now migrating to the cloud so what do you think is good advice for them, as they think about this migration, given that, you know, for most organizations that are moving to the cloud, security is one of the biggest concerns whether rightly or wrongly. So, curious to hear what kind of advice you give customers who are making the jump or thinking about making the jump.
Lucas
I think the first one is to get started with like, for instance, the governance very early on, really looking at like, because most of the first times if customers are moving to cloud, it's not like Big Bang, but they just move like a few workloads. But it's still important to basically get it better then set the right foundations. Because like, often, like once that first workload is migrated, that's the base on which they're going to build for the rest of their, of their migrations.
At the same time, I think for security teams, it's very important to understand that the technology works a bit different from the traditional on-premises, and that means that there are different types of security concepts. Like, for instance, the backbone of AWS is basically our identity and access management, because that really controls service-to-service communication, it controls what users can do.
And it works slightly different than what you would traditionally see, because of the way that it's very highly integrated, for instance. At the same time, networks can be ever-changing. So there again it's about understanding how do you set up controls for, like, let's say container workloads, where you might have a network defined now, but that network might not be there with the containers might not be there a while later.
So it's a changing environment. I think education is very important for security understand, and the reason why that's important is because if they don't understand that they tried to bolt on those traditional controls that we have, what I've always seen happen is that the technical teams that are trying to build workloads when they start applying those security controls, it becomes very crippling for them. And that basically is going to cost that those teams are not going to be able to achieve their business outcomes that they want to drive for the company. So that's why it's very important for security to work very closely together to understand not only just how the technology works, but also how do we then apply that knowledge of how controls are a bit different on the cloud to basically enabling the engineering teams to build their solutions.
Paul
Yeah, I agree. I think the training and sort of like, understanding the differences, I think, with securing a traditional infrastructure in the cloud is one of the things that I always tell companies to invest in just because it's, you know, it's easier in a lot of ways, but there's some gotchas that you need to know that before jumping into it. Yeah, I mean, that's why it was created. AWS specifically has a ton of training content, that's really great. And most of it's free also, which is awesome for companies adopting it.
What do you think is one of the most misconceptions you talk to companies like moving to cloud or already in the cloud, around like security issues?
Lucas
So I think the biggest misconception that I still see is like data control. In a sense, I feel that on the cloud, you actually have more control of your data because of some of the mechanisms that we have like data tagging and automated discovery of data content. So in that sense, you are much more aware of what type of data that you actually have on the cloud.
And you still have full control of that data. A lot of people think that once you put data on AWS, AWS then has access to that data, and can put that data anywhere across the world. But in reality, it's really up to the customer to decide in what geography they want to store data. They also have full control over the encryption of that data. And even in the backend, there is no way that, for instance, AWS can get access to that data. Like we have a lot of controls in place to prevent that. We have independent at the station for that. So even for environments where you have a lot of regulations or requirements of control, whether that's banking or the pharmaceutical industry.
Those are already migrating to AWS. But we still see that some customers that aren't too familiar with that, that's like the general they're still their biggest concern, which is that if I put my data on the cloud, it's now in AWS and now owns that data, and they have access to it, which isn't true.
Paul
Yeah, definitely. You know, it's been, I guess, the early stages of my career doing a lot of on prem-work at Palantir. And then, you know, kind of cloud was picking up back in 2010. In the US, like, that was everyone's common misconception is basically that and I think, yes, people still have it, though.
So there's this misconception, which I'm sure a lot of like, we hear this from customers, which is, AWS or the cloud provider handles my security. And then, you know, explaining to them about the shared responsibility model is an important piece of education that I think they need to understand.
And, yeah, I think that that's another feature that we see often. And it's something we are constantly educating people about, but definitely, it’s gotten better over the past 10 years. I think in both cases, people are starting to understand the model much more. And a lot more people are obviously using it, which I think helps.
In just like kind of the last question on sort of the AWS cloud security side of things like, what are some actual tips that you can kind of give to the listeners in terms of what they should focus on from a cloud security perspective.
Lucas
For any customer that's moving into the cloud, we now offer Control Tower and Control Tower is literally something that you can almost enable with the flip of a switch. And it basically gives you a lot of controls out of the box that you can just turn on. And it really controls some very basic stuff, for instance, not allowing s3 buckets to be public, or preventing people from disabling security detection mechanisms. So I think that that's pretty key to enable that.
In addition, we also have config rules. So if you want to have full transparency of certain settings and who's who changed what setting at what time, there's also something that we are conformance back so you can just enable it or not, and then you can just recreate it like that's like a very basic thing that that I would recommend everybody to do, because that's going to give you like a lot more visibility and a lot more initial guardrails in place for people are moving on to the cloud, but they're still kind of educating themselves on how to do cloud in a secure way.
Paul
Yeah, definitely agree there. And I think, you know, some of the things I think Control Tower covers are quite important. Depending on your environment, of course, but for the majority, the customer thing makes 100% sense.
So now I'm going to kind of switch the conversation over to the REA&HREA&H side of things. So it's obviously that both of us are jointly launched the service for resilience and excellence with AWS and Horangi, but maybe you can give the listeners kind of a short introduction about REA&H and why we kind of came together to launch this offering.
Lucas
I think the REA&H was important for us because we want to work closer with partners like yourself, experts in the security industry. And it's primarily also for us to help bring scale — we can't handle everything, we’re also not built to handle everything.
So we need knowledgeable partners that can provide security consulting to the customer, that can enable the customer to move workloads to the cloud securely and help them do security. So I think with REA&H what we wanted to do was basically provide an offering where we jointly run a three-step program.
So for instance, do an assessment, and then we look at what are some of the basic controls that we need to build? And then, how do we improve further on that, and it's looking beyond just what is like AWS assessment, you can also look further deeper into some of the application designs, threat modeling, which looks a bit more holistically than what we would normally do as Proserv, which will be generally more AWS-centric.
And I think in addition to that, I think Warden really enables that, like when we were using Warden I really liked that Warden gives you, like, we're always talking about education, right? I think that one thing that Warden does very well is that when you have a finding that it actually gives you sample code, sample rules to basically go and fix stuff. And I think that that's very important for our customers. So that's, I think, one of the main reasons why we're partnering with Horangi is because you guys are a good tool, and you guys have great people as well to work with.
Paul
Yeah, thanks for that. And, yeah, definitely. I mean, it's a big focus of Warden, especially for companies that are a bit newer to the cloud, to basically, you know, provide lots of information in terms of why this finding is important. What can happen if you don't fix it, and then giving them sort of steps, or with one quick remediation, just the lambda functions actually fix the issue, which I think is, you know, one of our biggest sort of differentiators too in the space. So, I'm very proud of that. And the engineering team has done quite a great job of doing that also.
Do we help with Lift and Shift? And if so, like, for this, there's like, how do we start with that?
Lucas
I think that you guys can come in, like at different steps of the process like, typically, if let's say, even if we're doing like, a lift and shift, you guys can probably help run the assessments, run the threat modeling, basically help planning what type of basic security controls need to be in place for the customer.
The issue is that a lot of security teams sometimes don't have that knowledge. And I think that you guys can really help bootstrap customers with specific AWS knowledge, but also broader knowledge on how to run security governance, how should I be advising a CISO on how to run this from a planning perspective. So I think that that's really key to where Horangi comes in. It really helps customers get the right knowledge at each step, and not just looking purely at the technology, but also at the project planning, the security controls planning the governance around the project itself. So I think that's pretty important for the business outcomes for the customers.
Paul
Yeah, definitely agree on that front. And yeah, like, I mean, we help a lot of companies who are making that transition in either with Warden or with our consulting side, as well, Looking forward to doing more jointly with the REA&H program.
This is a question from one of our webinars that we didn't get to: I'm on the cloud, and I have a multi-cloud environment, like how can REA&H help in that case?
Lucas
I think that REA&H, the good thing is that while we're coming from an AWS angle, I think that you guys, both Warden, as well as your consultants do not focus just on AWS. I think that you guys have experience as well with Google Cloud. Do you guys have experience with Azure?
Paul
Yeah, we have experience with pretty much all of them at this point. Both from an engineering angle in terms of building integrations with them, but also on the consulting side and doing testing security on them, as well as helping companies kind of have a strategy around shifting to them. It is like, of course, like most of our certification, that sort of experience is on AWS, but we have people certified on all the clouds at this point.
Lucas
I think that that's important because like, even though I would happily have all the customers come to AWS, the reality is just a bit different. And I think that we were pretty open about that. We have customers that run some of their security operations on Azure Sentinel so we also help them integrate our security controls in Sentinel, and again, I think Warden being cross-platform is something that also helps in maintaining governance over the various platforms that customers might be operating.
Paul
Yeah, yeah, definitely in, you know, we see, it's an important piece of our strategy to integrate with all the cloud service providers. And kind of like make sure that the companies do have a multi-cloud strategy have sort of their security concerns are addressed kind of across all of them. And it's difficult. I think we do have multi-cloud to kind of do that. But Warden obviously helps quite a bit with that. So it's a strong selling point for us. Multi-Cloud organizations. Yes. So what are kind of the most important resources as I prepped to kind of like, you know, make a move, engage with REA&H? And like, who are the right POCs to kind of be involved in this process?
Lucas
I mean, definitely, security is going to be one of them. I think that it's very important for security teams to work closely together with our engineering teams. And because those guys are going to be the, they're going to be the ones that received the most impact from what we are doing. You're also going to get if you work very closely together with the engineering teams, you also get a better appreciation of what you're actually building, you will see business stakeholders to actually understand what kind of workloads that we're building, right? Because especially when we're talking about like, for instance, threat modeling, a threat model for the banking application might be very different than an application that is just used for, let's say, advertising, right. I think it's important to involve both business, the engineering teams, and security so that everybody comes to the same understanding as well. So that security can also push their objectives and their expectations early and everybody agrees at the get-go of the project.
Paul
Yeah, agreed. And yeah, I mean, yeah, ultimately, all those people are very important in terms of getting it done and getting them involved early on the process is an important piece of doing just because there is, you know, lots of work and stuff that comes up, like making the move. So important to have people plan around it and understand. And good planning, I think is a part of, you know, being successful and making the shift to your talents, then it can be if you don't plan.
Yeah, so kind of last question, wrap it up. Any final words or advice for those listeners in terms of the cloud and things that you've seen?
Lucas
This is just me not talking as like a consultant for AWS, but just in general, I think the one thing that really amazed me about cloud technology, over time, is that it makes life easier for security people, like I realized that once I started working with it, there's a lot of stuff that you can automate more easily. There's more integrations, you have a lot more APIs to work with. So whereas before, you needed to start pulling information from 10 different systems, like let's say, to run an identity review, this becomes a lot more easier, just because you have those cloud platforms with their APIs available that you can run through automated tools.
I think that if you are considering moving to the cloud and you're afraid of security, I think that that shouldn't be the case anymore. I think it really makes security a lot more easier. But it does require you to basically skill up and understand how the cloud actually works. And, and be aware that it's not that it's very, it's not as it's not similar to how we were doing things traditionally on-premises. But once you've made that switch, I wouldn't want to run anything on-premises anymore.
Before I left EY to AWS, there was one project that we still needed, where they were choosing between on-premises and on the cloud. And I think the difference in time versus was like three times the timeframe if we were implementing it on cloud versus doing it on-premises.
Paul
I mean there may be some reasons, I guess, to stay on-prem, but 99% of the organizations out there shouldn't be thinking about it, or already be in the cloud. I’m in agreement on that front.
And another thing that I think is, you know, it's talked to like a lot of the incoming people to the company and about security as well and you kind of touched on this is basically you can't stop learning, right? Because, of course, technology is ever-changing and security is no different, right? Because we're constantly facing with the nature of AWS, I get an email every couple of weeks about like 50 new things that are being released.
So as I think, you know that that brings in some security challenges, but you know, ultimately like, it's good because, you know, we have to learn about what's changing in the space and have to understand and I think that's that's also the challenging part about security, but also the exciting thing, which I guess is why both of us are in space.
So with that, I’ll wrap it up and thanks, everyone, who's listening to the podcast. Thank you for tuning in. Once again, this is Ask A CISO podcast. And this is Paul Hadjy signing off with Lucas. Have a great day!
