Episode Description
What We Discuss with Houston Hopkins:
- How Capital one pioneered as bank moving into AWS Cloud?
- How AWS native tools for security observability compare to vendor product?
- What are some of the Security challenges to solve when looking at a large cloud landscape? (threat detection at scale, continuous compliance etc)
- The Immediate challenges around multi-cloud – Maintaining visibility of assets and secure configurations in a large multi-cloud environment
- What does detection and prevention look like in a cloud landscape?
- How do you keep track of all the AWS services?
- What security controls across compute heavy vs serverless vs containers in a multi-cloud world
- How do you get visibility in the current poly-cloud or multi-cloud world?
- And much more…
THANKS, Houston Hopkins!
If you enjoyed this session with Houston Hopkins, let him know by clicking on the link below and sending her a quick shout out at Twitter:
Click here to thank Houston Hopkins on Linkedin!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode:
- Tools & services, discussed during the Interview
- Cloud Security Academy
Ashish Rajan: Hey, Houston. How are we?
Houston Hopkins: Good to see you.
Ashish Rajan: welcome to the show. I’m so excited to have you here, man. I think it’s, it’s really, I’ve been talking to you offline for, for some time and we’ve met in person as well.
So I’m so excited to have you. and I can’t wait for us for everyone else to meet you. . Cheers. I’m gonna, start with, a bit more about yourself.
. The first question is more around about yourself for people who may not know of Houston. how’d you get into cyber security.
Houston Hopkins: so I think we could take a whole hour to talk.
Ashish Rajan: Yeah. Yep.
Houston Hopkins: So it’s kind of a bridge version is, have a really good friend, Tony, Laura, who works at Akamai by the way.
And he’s made a career for himself as well, but, Tony and I grew up skateboarding together and, Tony got interested in hacking. And I thought it was really strange at the time. Right. I thought like, you know, why, why would he waste his vacation to go sit in the desert with a bunch of hackers? Right.
Like I just thought it was so strange. but fast forward a few years and I [00:01:00] got into it as well . So it got interested then, And then, you know, Tony and I had always stayed in touch and we ended up ultimately working together after doing a little bit of hacking of our own.
I’m just learning things. This is back in the days when backtrack was still new,
you know, we were doing a lot of offensive security things, just learning how things worked. and we both had experience from our jobs. So parlayed into an actual security gig. I guess I started out in identity management, I think.
I share that with you as well. So my security management background security administration, and then moved over into kind of like, building defenses mechanisms around infrastructure and a bit of architecture, active directory, all those things that you get in inside of a big company. So I was working at a, you know, fortune 50 at the time and saw a really, really interesting things.
And then, after a very long while, yeah, 11 years at that company, I pivoted to a startup. And from there I got to run everything inside now from the security side. And I’ve worked directly with [00:02:00] Tony again . So here we were at the startup, it was a mobile payment startup. and it was super interesting.
We did everything from the product security side. We learned all about NFC and we were, you know, knee deep in various RFCs about secure enclaves, et cetera. But we were also like doing everything, like Manning the door, like watching to see who didn’t match it. And like we had, when you’re in a startup, you kind of run the whole thing and.
I built a centralized identity, an access management program there that had a lot of good segmentation isolation built into it. But then same time we did a lot of hacking there too. So it was fine.
and, and, got some tastes of, of automation in my previous job and really pulled it over and tried to try to use it at the startup.
But you know, you think most startups back then, this was 2012, 2013. You would think it started hearing about cloud more, but there wasn’t a lot of like dev ops talk, at this particular company. The other thing was startups as you’ll find like they [00:03:00] like to, write off their expenses for servers and they have ways that they handle operational expenses is really interesting.
so we didn’t have a lot of, Crotty things there, but, I was at the time really getting my feet wet into the whole concept of dev ops
which had kind of evolved from server automation and systems automation and process automation, all these things we used to call it. And then it got a really cool name, like dev ops.
And I always loved the idea of building security in a way , that was easier. And I always thought dev ops ops offered that opportunity. I think, early . It’s fun. Cause I’m friends with rich mobile now. But I remember listening to the networks security podcast, many, many years ago and like, hear him talk about like, Oh, you don’t have to patch you just cycle in a prebuilt instance.
I was like, that’s perfect So, you know, anyways, partly from that startup over into what I would call a growth company that had a financial twist. And, was a one of three consultants there, main consultants. And we were basically whatever [00:04:00] security function, any one of the six CISOs that we consulted for needed , they would drop us in on a parachute and say, Hey, come help called the vulnerability management program.
We’ll help run a red team or, help build our SIM. Can you help us with some detection? Give us everything. So it was basically, we had to be. Not only a mile wide, but a mile deep. Still some of my best friends where there’s other consultants I work with there, they’re all, we’re all spread out again, really great people, lots of great experience there and then made my way over to, capital one specifically because they were doing crazy cloud stuff.
And I was super excited to hear like, here’s a big enterprise. It’s going head into cloud. Cause most of my experience has been Azure, before that .
A complete replacement for a data center.
An enterprise, lots of sassy type things, right. SAS stuff. So going to capital one and trying to figure out, I remember, I used, Some point in that previous role, I started getting into threat intelligence, which is a weird thing to call it, but just really getting into the defense side of [00:05:00] network security security in general, made a lot of great friends through various trust groups
and so anyways, this is supposed to be the abridged version.
and then really just see what was going on with modern software development, because on the inside it’s a software company, right? Like they’re building lots of interesting things. You have a team of developers at their resources. So
Ashish Rajan: that’s, I find that fascinating more capital one that, you know, people kind of always think of capital one as a bank, but it’s technically like you hear so many software initiatives over there, like the cloud custodian and a lot of the other things that have been released publicly and you’re like, But that’s a bank.
And your point is that, going back to the episodes of the largest regulated enterprise, which is really interesting because you always imagine that it would have to be a super fast startup. That’s doing all this and releasing open sources and like moving into the cloud, but. I was really fascinated.
I think the first time I heard about cloud, journey from capital one was during an AWS reinvent talk. And there [00:06:00] someone from capital one’s talking about the, and, and how everything was, and like, This is so cool. I can’t imagine. And this is like, by the way, this was before I said the world is going, we are for cloud.
am I right in saying probably in front of the first few banks to kind of move into this space, like fully move into the AWS space?
Houston Hopkins: Yeah, I would, I would say that we qualify as one of the early banks to go all in on the cloud. before I joined capital one, they were already really, really getting their feet wet, but I’ve seen it go from, you know, maybe 20, 30% to near a 100% of our stuff runs in the cloud. I know. I think you had Caleb on last week talking
Ashish Rajan: yeah, I was going to say, cause Caleb did mention by the time he came in, capital one is already 30% in. By the time he left, it was only 70 to 80% and I’m like, wow. Okay, there you go. I feel like ]that comes with the challenge as well because capital one being such an old organization.
And when I say old, not in terms of age, but more in terms of the legacy that it has for technology, I imagine there’s the mainframe and it’s like on-prem, which has been there [00:07:00] for 20 plus years.
Houston Hopkins: With all kinds of digital transformation, no matter what your company is, right? it takes from the top down leadership buy in.
Right. So I think the, the interesting part when I talked to my colleagues and maybe other companies is the struggle that they might have for, Hey, I’m trying to convince my leaders that that dev ops isn’t a fad or that cloud isn’t a fad or cloud is not just rot with security issues.
I’m very, very spoiled, right? I’m in a company that has a mission, understands this a lot better than maybe some other people in the same legacy. But again, I think , if I had that conversation in 2015, right. It would be one way, but it’s 2020 and I think everybody is pretty close to getting into the cloud.
They either know they’re in the cloud or they don’t know that they’re in the cloud already. it’s not the huge differentiator, but it was at one time. But I think the fact that our mission is great because it is a cloud is a heavy part of everything that we do.
It’s not even something we necessarily think about.
Ashish Rajan: Right. And to your point, As someone who’s listening into this, and [00:08:00] I’m sure some of the other banks or regulatory industries listening to this what are the immediate security challenges that you think of that people should consider when moving from say a traditional regulated enterprise, or , hybrid world that you’re trying to create for yourself.
What are the immediate security challenges that you see for a regulated enterprise?
Houston Hopkins: I honestly, I think, you know, living in the hybrid world, there’s actually additional risks, right? If you’re saying, Hey, I’m kind of over here and I’m kind of on in the cloud because you got to know both things, you got to really understand how those two things interconnect.
Right. it takes a lot of wiring, I guess it’s virtual wiring. In most cases, there’s probably, there’s a little bit of physical wiring as well, but, , as you approach more and more to, to holistically being in one environment or the other. and, and I would say if you’re moving towards cloud things, get a little more clear, right?
Because then you’re saying I’m really focused on the way this, the way I can operate in this infrastructure and this in particular environment. and It’s [00:09:00] refreshing to finally get there, but I would say, you know, the challenges you’re out for immediately is just saying like, Hey, my, my traditional world, maybe everything was controlled with, a LDAP system.
Right. My LDAP system provided who has access controls to X, Y, and Z. How does that translate talking about the cloud world ? Right. And just understanding, I always think that the greatest thing and, What has been incredible in my journey. Right. And very humbling from how I thought things worked in the beginning were, and I always say this, how I thought things work yesterday, versus what I knew today.
I’m always very humbled to learn more. But, no, just kind of taking that general, like here’s how things have traditionally worked inside of an enterprise. And here’s how that translates to cloud. It’s not necessarily. Different, but sometimes it takes a little bit of mapping to get there. Right. I’m not saying it’s the same, like I’m not one of those people that, that would, the cloud is somebody else’s computer, one, but saying the cloud is an operating system is way closer to reality.
It’s got its own nuance. In fact, it’s , I think that’s a much better representation. [00:10:00] You’re going to change your operating system mechanism. Like you’re leaving your world of standard data center, operating system to cloud operating system. And you’ve got to rewire a few things, but conceptually, a lot of stuff is the same.
They have to address some different ways. But I would say the one thing though in that hybrid world is really starting to ramp up your associates. It’s about. Changing that mindset, finding the people that are willing to come along that journey. There’s a lot of people that just aren’t. Some there’d be holding into the way things were before. And it’s not, I’m not saying that’s even bad, but you need to find who’s ready to go on this journey with you and then find, and hire people that are willing to take that challenge, because it will be challenging for quite a while.
As far as I know we’re going to be employed for as long as I can see, because there’s a constant stream of challenges, constant stream of new services, new clouds.
Ashish Rajan: I definitely want to get into some of the new cloud challenges as well.
So Arun has an interesting question. Do you prefer to use AWS native [00:11:00] tools for security observability or a vendor product
Houston Hopkins: this is really good question, right? It’s actually strange. I could have anticipated this question. I actually think, I thought of like, Hey, what if anyone’s going to ask her how deep we want to go on this?
So, I think I have some unique experience of being involved in cloud for at least the last five years. if you would have asked me, was this question five years ago? I don’t think we had all the tools we really wanted. But I do, I think every year the native tools get better and better. So depending on your size, start there figuring out what the native tools don’t offer you.
I also say I’m a huge fan of where things are headed in the vendor marketplace. Like I see a lot of great products coming up. I think they’re all worth a try. I think you should always have some openness to experimenting with the vendor tools to see what they solve and what they dont. I’m a fan of like short term contracts with different people or paid POC where you can really dig in.
I’ve seen, the native tools go from basically nothing to amazing. [00:12:00] And that being said, if you just have cloud trail and you’ve got a lot, if we’re talking AWS, right. So cloud trial itself. And once you learn how to mine it, it learn what it’s telling you, you have the ability to aggregate it. it can go a long way.
and then some of the tools that, the cloud providers are offering on top of their logging services for additional information. I mean, they’re all doing great things now, but, I would say, start with the native tools to see what they can do for you , once you dig in and you get intimate with any of them, they are going to be things that annoy you.
I will say by and large, the things that we find that annoys us about the native products. Some of the pay for products don’t solve that problem. Right. They’re not making that problem any easier. So it really helps to know, to help build your requirements, right. For what tools you need.
Everybody’s trying to solve some of the same problems. And a lot of people just, I haven’t gotten there yet.
Ashish Rajan: Right. I have a follow up comment on that, which probably is a great segway, which is large enterprise may also have a large number of accounts using vendor products and integrity. [00:13:00] So integrating consolidating all accounts may be challenging as well.
I’ve got another question that I want to attach to this where the challenge of scale. From a security perspective , whether you choose the native path or you go to the vendor path after a point you need something which is scalable.
And, and I guess to your point about the challenges with native tools sometimes, like, I think it’s, guard duty is still per region and you know, there are challenges. You almost think it should be per account. Like why would you not do that? Why would you not consolidate everything in one place?
Keen to know your thoughts on the challenges of scale, that you come across as well?
Houston Hopkins: they’re tied hand in hand. I love this question just because , I think I’ve actually seen my pendulum swing back and forth on this answer all the time, but I think it’s something you have to consider depending on your size.
Right? I think, Part of me. I’ve seen such incredible advancements with AWS organizations, right? And the different, different ways you can do stuff. If you’re starting out fresh, you have control tower and some other things you can really dig into to [00:14:00] help kind of. It sounds silly to save it like cookie cutter, stamp out accounts and do things in it.
I’m also coming from a place that didn’t have those tools, right. We didn’t start there. They were not available when we built things. And thus tools like cloud custodian were born to help us manage the fleet and custodians now a very mature there’s other there’s other tools that do very similar things.
But I think once you get a certain size. you can look at things two ways, right? How many AWS accounts you need? I’ve always thought of that as an IAM question. Right? So it’s how granular do you want to go with all of your IAM roles for that specific account and this gets really interesting because there’s no simple answer of course, but.
if you’re saying I have, you know, these 15 roles I’m going to stamp out an account for these 15 roles. If there’s something that. Challenges the trust boundary between the people using that and put that in another account, they have big roles and we don’t mix them together.
And so you could really end up with thousands of [00:15:00] accounts and many companies are doing that. And it’s probably the best practice right now is to go smaller and smaller accounts to keep your eye on granularity, where it should be. I think there’s a challenge though, and that is, it goes back to what we were talking about with things like guard duty, even cloud trail or things that, When you’re just starting out.
it’s kind of hard enough to wrap your mind around just getting it from one place. We’re having to aggregate from all these different regions and all these different VPCs and all these different accounts and get them into one place. And it’s doable, there’s an industry of people who have done it, but it takes some time and expertise and tweaking.
And by the way, even us to think we’re good at this find out things all the time. So , be prepared. I think, There’s no simple answer. Right. But I also say like we have a tremendous number of accounts it’s growing dramatically I think we’ve seen this in the world, across all of AWS specifically, is this move towards smaller and smaller accounts, to really say this is per application or per team or per environment, do you even have an [00:16:00] account?
You know, for this particular test, if you’ve gotten really good at spinning up and spinning down accounts, I think the spinning down accounts is a whole other topic.
Ashish Rajan: Yep,
Houston Hopkins: I think it’s definitely part of the challenge.
Right. So figuring out how big your size is, how you want to divide that up. I would always say challenge yourself. If you have the ability to decide for yourself, you’re going to build your own tool suite and you have some freedom. If you’re looking into a specific vendor, they may guide you on like, Hey, this the kind of science you need use those resources effectively , I think.
There is, it’s just a shift. I think you could do one huge account, and still do it safely, as scary as that sounds, but you’re going to be a really granular with IAM. You’re going to be very, very specific and AWS has giving us the power more and more every day
if you wanted to go that route and you can get really granular with IAM.
Right. And, and it’s beautiful. It’s great to have that choice.
Ashish Rajan: Yeah. And I think coming from an identity background, maybe you and I have a bit of bias, but how [00:17:00] does accountability work? You know, how one of the pillars of identity is it’s great that you have a resource or a server, is accountability, a challenge as well at scale.
Houston Hopkins: It always has been
is interesting. and the way I think of it in the cloud world is really paying attention to the identity that your resources take on , it’s not a human right. I can’t necessarily point at Ashish and say, Hey this was you. I can say this was the server that this team runs, It’s critically important to think about some of these cool new concepts.
Like when you get into cloud, it’s like immutability because it matters. if you’re running systems that aren’t immutable. You’re going to challenge accountability, because if you have someone who say SSH into EC2 instance, that’s executing AWS commands. It’s going to show as the running role on the instance, which is not the same as the user executing us, logged into SSH, the accountability can be traced there with the [00:18:00] right logs, right?
You map things back. You can tell who did it, but it’s not easy. And a lot of people aren’t doing it. take some lessons learned before you start knowing you have to do that
mapping.
Ashish Rajan: I was going to just add to that where accountability is kind of one of those concepts, which is kind of slowly.
I feel it’s evolving in the cloud world where it’s great that we have an insight into how many EC2 instances and all that but sometimes you lose that fact that, Oh, Houston had 20 EC2 instances that he was running, but they were on yesterday, not on today. So I guess. He’s not the owner anymore, so he doesn’t have accountability.
I find that really fascinating.
Houston Hopkins: You know who is challenged by this are a lot of vendors that have great products that worked really great historically to map the internet and show you what everything looked like from the outside. They’re extremely challenged to do that for companies now because of the ephemeral nature of how things spin up and spin down.
It actually makes me think like accountability is a big term, right? We could probably get deep into it. And [00:19:00] there’s challenges that arise and you have to really pay attention inside of cloud from a portability perspective.
So suddenly you’re dealing with credentials that you have to be very, very detailed and controls, to make sure that you can’t just take that credential to some other part of the world and use it or if you have to make a conscious risk decision to say, do we want to stop someone from doing that?
Or is it part of the way we do business? Or do we just want to know if someone does it and try to figure out why? those accountability challenges end up spawning more challenges, because then you’re dealing with the speed of cloud problem, which is really bleeding into part of this like detection stuff.
So protection versus prevention.
Ashish Rajan: I would love to kind of explore that as well, and probably a good way to start that is also when you’re trying to do security across a large landscape or whether its AWS or anything, is your approach to standardize security which is what a lot of people do, or what’s the alternative
Houston Hopkins: well, again, these are fun ideas, right? And it [00:20:00] really depends on your risk tolerance of your organization. and the size, I come from a history of some threat intelligence and I think about like trust groups and we often talk about how. As the size of our groups go up, the amount of trust goes down
they work inversely. And I think likewise, if you look at your environment with the number of associates that you might have, or number of developers or engineers that are working in AWS, if you’re a small shop with 10 people, you probably know those 10 people very well. And if one person messes up you can hold them accountable.
If you’re in a shop with a couple of hundred or maybe getting near a hundred, those numbers get interesting, right? Because suddenly you don’t know everybody when they’re working, what they’re doing, you have a lot bigger footprint to cover and there’s, you know, tooling and visibility to help you with that stuff.
I’m a fan of guardrails. I think sometimes that term gets overused, but I specifically mean, You need to allow people enough freedom to be creative and to challenge, , to be, [00:21:00] innovative, try something new. Here’s the thing we’ve got to figure out how, when you need to give them some leeway to allow those things to happen, to test, to see but at the same time, you need to put the appropriate guardrails on.
But my favorite guardrails are the things that do not impact the way the person operates, service control policies that are a great place to start playing with this idea, but like using your service control policies effectively to apply those guardrails across your organization, My favorite ones are like, you know, reducing the regions that you operate in , the region restriction on your USP, an SAP for that across all your accounts, because you don’t necessarily need to operate in regions that you don’t operate in.
Monitor Brazil if I’m not in Brazil , that’s a really interesting guard rail that now narrows your threat landscape narrows your attack surfaces, if you will, and then you can kind of focus in. And so it’s not like traditional, like saying, Hey, I’m telling you, you can’t do this thing, but I’m saying you can’t do it there because it’s really, really difficult to monitor everything everywhere all the time.
[00:22:00] by and large, if you’re not like someone would only spend something up in that region, probably on accident, they weren’t paying attention to where they were in the console. Or I could never fathom all the cases, but I guarantee you, it does. you know, people spend stuff up in random region.
Ashish Rajan: Yeah. Yeah. to your point, the simplest example is every time you sign up for AWS, it takes you all to North Virginia region. Right? But to imagine if someone from Australia is going in there, we also get North Virginia as a first thing, but we’re going to have to switch over to Sydney, but anyone who’s working in a space where data sovereignty is a question that data cannot be hanging around anywhere outside Australia.
Suddenly without even knowing it you’ve created something in North Virginia.
Houston Hopkins: Yeah, I bet that happens way more. I’m pretty sure, like new stuff defaults to Ohio.
Ashish Rajan: you could be right, because that’s where identity is hosted, but going back to what you were saying earlier as well the trust group is kind of still reducing.
And if you can do things which are not blocking someone from doing that day to [00:23:00] day, , if you don’t need to be in say the European region, then unless you have a really solid business case for it just because there’s a new service, but it doesn’t really mean you should just, I’m going to switch on something in the European region too
the trust level is quite low at that scale.
Houston Hopkins: Yeah. Yeah,,
Ashish Rajan: With the detection stuff that you mentioned, and, I’ve been a fan of prevention. Unfortunately, I don’t feel there is prevention enough, in this space, but I don’t know what your thoughts are on, detection and prevention in a cloud landscape.
Houston Hopkins: I love this question. It’s probably one of my favorite topics in general. and. Within the cloud security community. Yeah. We we’d have these discussions all the time, which is great colleagues across many places. I think what’s really interesting is you need both, of course, like nothing’s changed from anything we’ve seen in the past.
I think what’s interesting with cloud is oftentimes I find it’s easier to do prevention. Than it is to do detection. And it sounds so bizarre because it’s always been the opposite. And I think even in our mindset where I was like, well, can we detect it? Okay, [00:24:00] cool. that mitigates, you know, so much of the risk we’ll know if it happens and I’m like, look, we can actually just click this button and prevent it.
And I think there’s a, there’s still like, you know, natural fear of like prevention means someone can’t do something that they need to do. And so it’s all about being very strategic and testing things and oftentimes challenging yourself and challenging the outliers. If you’re testing a scenario where you need to put in a preventative control and that preventative control is relatively easy to do, but it’s going to disrupt this one outlier, go figure out what that outlier is doing.
Figure out a way to allow them to continue to do what they’re doing, but not break down the guardrail for everyone else. I’ve seen our community have a lot of success approaching things that way there’s the legacy security vibe that people come in and say, no, you’re a security guy. going to come in and say, no. I think we’ve all been there I still feel like security as an enabler is still the goal, you’re always [00:25:00] gonna be put into a conversation where it’s not that way.
And I think that’s where you start having that detection and prevention discussion
I fully believe detection is there to tell you whether your preventative controls succeeded or not. Sometimes maybe you can’t get the preventative control because you have a dependency on a thing.
But you have to build the detective control. This is a fun topic. We’re probably not going to tell you anything you don’t know.
Ashish Rajan: also your point earlier, you can’t really predict all the prevention steps as well. it’s like predicting when zero is going to come in , I love the example that you had given earlier about switching of regions. That’s a great guardrail, which is a preventative as well. If you can prevent yourself from, I guess, getting exposed and reasons why they shouldn’t be.
I think Paul kind of mentioned the interesting thing over here where, not to mention that many services are centered in US-East-1 CloudFront work mail are examples. So just the use of these services mean you’re breaking the sovereignty barrier already.
for anyone who’s listening if they decided to use a service, probably should check [00:26:00] where the services are hosted.
Houston Hopkins: Yeah. those are great examples and it doesn’t matter where you live, there’s some sovereignty needs whatever companies you operate in and you’re beholding to their regulatory needs. So we have to think about that quite frequently. CrowdFront is an interesting one
it’s a very useful service. It’s very simple to use the most granular service out there. If you’re going to choose where to serve your CloudFront data or where to cash it, you have like a. Couple of check boxes. You can hit in there. I don’t even remember what the us and Canada, and then it’s like U S in Europe, North America and Europe.
And then that’s it. Everywhere everywhere, but China, but there’s a lot of really interesting conversations going on about Hong Kong region right now,
we don’t know those are not considered part of China. So you really have to think about it. It’s mixed a lot of cool investigations by the way. No, one’s born knowing that and you have to go look it up and figure it out.
Ashish Rajan: I find that really fascinating sometimes. [00:27:00] and people ask questions in interviews where you almost feel like they should know all AWS services. They should be up to date in what happened this morning.
Do you feel that that’s a pressure that our community kind of creates about different region, different locations?
how do you keep a track of this? I mean you have your own full time job already, but on top of that, you’re going to have to like, Oh, wait 30 services got released by AWS yesterday 30 services got released by Azure yesterday. What’s your strategy with that?
Houston Hopkins: what I have is closer to a sickness, right. To try to, and maybe it’s born out of imposter syndrome and maybe that’s a whole other podcast, but it’s hard to keep up. people who know me, you know, I try my best, but also the things that the fire hose that’s fed to us. So new. Not even new services, but changes like, and you can share the auto network changes from 2018 and AWS, man, I’m still catching up, right?
Like you can share with PCs and now you got. You know, I can’t even think of all the acronyms for all the little switches you can do now for the networking changes. And, [00:28:00] or maybe it’s hypervisor for lambda or hyperplane for Lambda. .
I kind of understand most of these things. I will say that I’m following the right people on Twitter makes a difference. Oh, Aiden, follow the people that just toy with this stuff all the time. like Scott Piper, try to pay attention to what they’re doing.
often they’re doing your service evaluation for you down
so finding the people in the community that are constantly, Pressure testing every product that’s released by the cloud providers. I know there’s been a lot of talk lately about finding who’s the Scott Piper equivalent for cloud X. We need to find them because I need people that can give us perspective on Azure, GCP, Salesforce Alibaba. I want to know it all,
I’m extremely fortunate to have a very good team of people and other people that I surround myself with inside my office, outside of my office, inside my home, even. and, and so we try to keep up that way. No, one’s perfect.
it is tough
because you feel the pressure . I often think about this a lot, because there’s just certain services I’ve [00:29:00] never used because I have no need to use them or maybe because I’ve never worked in a place where those were services that we thought were good enough
to use yet
some competing service that meant we didn’t need that service.
but they’re all super interesting. And then I hear people will talk about them and I’m like, Whoa, that is, there’s a thing that does that, but I know we’re not alone when every possible medium for this stuff. Reddit has a really great community for talking about cloud security stuff, AWS security, there’s Slack channels trying to keep up with the conference circuit.
It is impossible. Don’t you know, I would just say like, it’s, you’re never gonna, I don’t think people that work at AWS did invent these services. You can fully understand them right away. Right. It takes time,
Ashish Rajan: the scale of it as well. Right. I mean, you kind of have to boil it down to your individual but AWS has teams dedicated for services and most of us are listening to this.
And trying to solve this for our companies or for our businesses of all our products. We have a goal in mind. [00:30:00] We’re trying to do AWS as a business. They basically have a team dedicated for each of the services, which are just constantly producing stuff. There’s a no realistic of way to put yourself under the microscope and go, I need to be aware of all the services coming out .
how often would you actually migrate everything? And we haven’t even gone to technology yet. We have containers. We have serverless, we have EC2 instances. And now if you add another barrier for Azure or GCP or Alibaba, and you’re like the complexity that comes with it. I feel it’s impossible.
And I’m really glad you mentioned Scott Piper and other people as well. I definitely recommend following these people cause they definitely make you challenge the, thought they are not drinking the coolaid for lack of a better word, just because it’s being sold.
Houston Hopkins: I should tell the story of like how I got into cloud, first started really challenging it, honestly, I saw daggers talk.
so Daniel Cassella gave a talk and he’s in Austin, Texas. And I think the talk was like the next grade breach. Right. And it was [00:31:00] about the way cross account assumable access works and how, it’s funny. Cause Kestin Broughton has now given a very similar talk years later in some of the problems still exist, but essentially how we allow certain vendors cross account assume all access into our AWS environments right. As a whole.
And they might see, you know, a hundred, 200 different companies and they have access to all of them. You know, what, if that person gets popped and like, what is the exponential side of that access? I remember listening to Dan talk and I was like, Oh my God, like I just, what am I looking at?
I think it just opened our eyes into like this whole, other side of like, how we need to think about these things. And luckily this was years ago, I think it was 2016.
Give the topic Kiwicon . There’s a horrible version of it on YouTube where somebody filmed it from the crop. Dan, Dan got me interested in like challenging some of that cooling and we’re getting to the point of like, started thinking about credential portability right off the bat. And, I came across paper, right.
[00:32:00] So CA came across Scott, and I came across here, Peterson who, X their code, and, Now, runs Kanzi route. I don’t know. It’s cost ops company. It’s really cool, serving with cross ops company. But back when he was at Vericode, he gave us really great talk, like bringing in a Apache to the Amazon, something like that, or bring I’m sorry, bringing a hatchet.
I don’t know what it is. Some kind of bring it up. Machete, Amazon, check it out on YouTube. He’s given it a few different times, but in this old man, it’s an old talk. I remember thinking, Oh my goodness, someone else gets this. That there’s some, some parts of the cloud and specifically around security that the world just wasn’t talking to him about later, found out Andres Rancho also knew this stuff, Mike.
So I immediately like that, that, you know, that weird thing where you feel like you’re seeing something and you might be crazy. Cause like, it just feels like you’re explaining census the law and find people that think like you, or [00:33:00] like suddenly had this really great team of people. I could bounce ideas off.
And, you know, so I just, you know, find ways to reach out to them, be like, Hey, when you did this, did you S like, yeah, man, this is exactly what I’m talking about. Like, why doesn’t the world like react,
but now, you know, fast forward a couple of years, we’ve seen all this progress from the cloud providers to solve some of these problems really around credential portability it really around How we protect the cloud or from these very, Kind of more nuanced problems, right? So, I think Amazon is doing a great AWS specific, typically the IBM team and those teams have done a great job with organizations.
With utilizing a different context, keys for solving problems, the AWS via context, case of AWS via AWS service, which is a mouthful to say, but it is probably my favorite thing that the IBM team has released, in the last year or so. It’s just beautiful. It allows you to do things like source IP restriction without, without having to go through the headache [00:34:00] of everything that blows up and Amazon does on your behalf.
I think you also have teams at GCP. I’d love to call out like the work that they did with GCP VPC service controls, which is kind of partnered with the team who did Istio, which is probably not a coincidence, but did these ways to make the public cloud more private, right? So you can use these public Cod channels, but a public cloud control plane and a private way.
And those are where, I think from an interview from the large enterprise, maybe a regulated enterprise, You kind of have to do it like, and, and, and they were the things that we, how do you know people in this industry we’re trying to solve with a bunch of complex, weird tweaks. And now we’ve got our cloud providers that actually took the problem seriously and gave us ways to make it better and better.
And we’re still continuing to do it. So. those advances, I think every major enterprise or big company, or even small company, that’s getting into it. If you have the ability to control the egress of your users, if they use a VPN, they use a, [00:35:00] the scaler and you know what IP addresses they go out on.
Ashish Rajan: you
Houston Hopkins: can build some pretty cool restrictions inside of IAM to make sure that those are the IP addresses, that your cloud allows them.
Meaning your, your control, plane, your console, your, when you’re talking to the CLI with them, right. I am older. I am user it’s coming from the right places. Those are amazing. Like that’s just really, it’s not perfectly like there’s no perfect anything, but it doesn’t let us to sleep a little better at night.
They can be built into. a lot of the services, right? So where you’re running compute, I know serverless containers, like if you’re running If you’re running EKS or ECS or just containers in the cloud, and they’re using IAM in any way, like some pretty cool, con context keys in there that, that save you.
if things ever do get leaked, you’re probably a little safer than if those weren’t there. Trust me. It gets really cool.
Ashish Rajan: I think so as well. And I’m glad you brought the Google cloud thing as well, because some of us are seeing this as a reality where it’s not a [00:36:00] single cloud anymore, or Alexander, one of my peers here, it’s a poly cloud world now that we live in , what’s your way of getting visibility across security ?
Cause I’m pretty sure. And other enterprises who are listening to this. They’re going. I need someone who knows Google cloud. I need someone who knows AWS. I need someone who knows the Azure in my team I technically feel it’s impossible to find one person who has all of it deep level. Is it just not practically possible, but keen to know about your experience with multicloud and maybe how you able to tackling some of this, or how do you view this as a challenge?
Houston Hopkins: It’s an extreme challenge, right? It desktop, I would say the greater part of my 2017, 2018 life was spent trying to figure out if I could normalize cloud X against cloud Y against cloud seat. only to realize that. It’s not easy to do at all. They’re all like, they’re all the same in some ways they’re like, Oh, they’re all kind of running this weird Zen hypervisor.
They all use the same, [00:37:00] you know, metadata services things. And then you get a little bit under the cover. You’re like, God, they do it so different. Like, it’s, it’s not, it’s not super easy for you then again, it’s not entirely different, but. You, you have to kind of roll up your, your club governance, right?
If you’re going to say, I need, this is a baseline for what I need a cloud to do. I need each cloud to meet this baseline. And you’re going to find one that doesn’t do it a way that you like and just push that cloud provider. If you came right in granted, I’m not sure everybody works for a huge company that has a big voice to do that.
Use your voice. You can like, I found that, Inside of our cloud security community. If you will, you can usually find some troops to rally and then go have a conversation with the cloud provider, even if you aren’t a big company. And hopefully that pulls weight because they need to, most of these clouds and while it’s nice that they have big enterprise customers, they’re not built for big enterprise, they’re built for everybody.
Right? Like I always think about the concept of a consumer account. [00:38:00] Versus a enterprise account. And guess what? We use the same exact clever,
I’m not in gov cloud. Like that’s a different thing or secret clouds or whatever these other clouds are. I have no idea what they are, but I’m not in, so it doesn’t, it’s not something I can worry about.
I’m in the same cloud that every other person using AWS from their home is it’s a big challenge. Right? That’s that’s crazy. It’s a big challenge for those crop providers that think, Hey, if I implement this thing, that huge enterprise needs, because they’re regulated super important, that’s going to blew away all my mom and pop business.
Right. So they have to really find those risk trade-offs like internally and then make sure that things are optional. Cause to ask you there’s sometimes things like why in the hell? Can I ask three, read a bucket, be public. That’s so crazy. One of my other favorite ones is why. Why can club friends use domain aliases that across in a lot of this was fixed in April of 2019, but [00:39:00] like, why could you just quit any old domain inside of the CloudFront alias when you’re setting up conference?
And you’re like, well, there’s probably someone’s business who says, Hey, I’m your CDN. And they’re just, they’re just CloudFront and everything for you, 25 different domains that they meet front or whatever. And it’s not from an account. That’s where the stuff is. I haven’t been it’s this as a service model and it creates kind of this beautiful, industry.
Right. But from an enterprise perspective, like why could someone just put our name in this thing and. you know, we challenged, this is a great example. We challenged AWS and say like, Hey, this is, this has become a huge problem. Not only for us, but for the industry. And you can see the broadband payouts happening and they put in a change that helps, right.
People have to validate domain ownership via certificates. And granted that may not be perfect, but it’s a hell of a lot better than not doing it. And we’ve been just really impressed with our ability to work with the cloud providers when we need to see those big changes. Yeah. It’s also interesting to watch.
What I [00:40:00] would say you have kind of your incumbent cloud provider and AWS, is that a provider? I love people try to say that it’s not, but it is. And, and you can see the other cloud providers have learned from, Hey AWS. Maybe didn’t think about this thing right? When they released the service and they’re having a hard time coming back to it, but they can become the differentiator in this new cloud.
Right. And the next PCP can probably roll out something a little faster. Maybe Azure can a lot faster. I don’t know what IBM cloud, if that even.
Ashish Rajan: Yeah. Or Oracle cloud. I get the drift, but to your point about the cloud governance of, multiple cloud. So 2017, 2018 is when you go kind of exploring whether you can map them out and normalize them.
So what’s your view now about, I guess you just are better off just having one person in the team who does Azure one person in the team,
Houston Hopkins: yeah. I said, I don’t think I, probably someone that’s very deep and all the clouds right there, probably if they’re sleeping on a nice bed of money, [00:41:00] ultimate unicorn that can do everything and understand the security of all the clouds.
I think it’s, it’s probably a best interest to have. you know, maybe you have a release train of, of, of all your club people, right? Like in that job, we all work really close together, but they are separate teams. You have separate pizza box teams for reaching those clouds and then, you know, they need to work together from the government perspective, the governance has to see all your clouds need to meet these things, but you have the specialists.
In certain areas. And eventually I think people should cross train, right? To understand a little bit about, Hey, how this other cloud solve this problem? I think I was fortunate enough to be part of the team that tried to do it all for a while. So I have a little bit of perspective, but not a lot. I would advise.
I feel like I did a lot of name dropping and that wasn’t necessarily on purpose. I love that the community, everything I know is because I knew somebody way smarter than me, that taught me something. But. when looking into the multicloud thing, I can’t recommend following rich mobile enough, if nothing more, just to see the stress that it [00:42:00] induces on him to try to get some of these other clouds to do what the other class already does.
cause he’s a probably I’m on Twitter. Yeah. Funny. It’s like you just read like some of the answers, like I can’t believe this thing doesn’t work this way and I’m always like, that’s okay. It’s good to know that going in. Right. Or if like, Hey, I know, or how did I miss that challenge when I looked at that thing before?
Right. So, you know, use your resources, look at what other people are doing. I think. If I was trying to think of anyone that’s trying to do a lot in Azure and a lot of AWS and GCP, it’s probably rich in the disrupt ops team. I don’t watch it.
It’s pretty intense. so yeah, and learning that those guys are helping push right.
Push the industry to where we have. There will never be standardization. Right. I think just it doesn’t exist, in cloud.
Ashish Rajan: Yeah. Yeah. I think it’d be really interesting to your point. A lot of us, or at least a lot of the organizations that we look around us, they’re definitely quite deep in one cloud [00:43:00] provider and have bits and pieces of the other, but technically it’s still as from a security perspective, it’s still a poly cloud or multi cloud problem because you’re like, ah, I don’t want to completely, it’s maybe minimal, but I still want to have some visibility on it as well.
Not completely let that go.
Houston Hopkins: Well, you’re going to find your differentiators, right? So there may be something that exists in that cloud that you need, or that works better. Or, you know, I think a long time big query was that thing, right? Like everybody’s agency piece. So you had to figure out like, well, how do I get the, you know, they want to use big query for this.
And then, you know, finding Amazon coming up to par or at least like getting something to compete with big query took awhile. So there’s like that model of like, Hey, I’m going to use each cloud for this. Is it recognition? Is that what it’s called?
Ashish Rajan: Yes. I is recognition that’s right. Yeah.
Houston Hopkins: So that’s another big one, right? Everybody wanted, Hey, I’m doing some, you know, I need recognition. It does this thing for me. So there’s that kind of differentiation model. And then. You have the big challengers. And I think a lot of that you’ll see the monitoring companies that write about this. And [00:44:00] I think, I think the guys, a lot, a lot of the Hashi courts, et cetera of the world are trying to solve these problems.
Now. I was like, how do I operate my service across all clouds at the same time, that is extremely challenging but possible. And I think it will because there’s no consistency between clouds. Like even the way they implement encryption, et cetera. Either. You’re going to have to find a common service bus or common service layer for everything to be translated to.
I have to, as things, exit CapEx, you have to realize that you do this thing. That means they can be used by crap. Why? And it’s , not necessarily translation, but finding the. Lowest common denominator or at least, and using the constructs of the internet for what they are used, your TLS affecting.
Ashish Rajan: I feel this is kind of where the whole service oriented architecture kind of came in from as well . Big query or Google cloud is amazing for big query. Redshift is [00:45:00] shit, the last time I logged on redshift, it was very clunky, you just want something start quickly. So it may have changed, this information, maybe six months older .
I feel like we are all going in that direction where exactly what you said, because you’re not using the Swiss knife anymore. It’s like, AWS is my swiss knife.
You almost have, Oh, this is my chef knife for BigQuery. This is another knife for like my bread knife or AWS. it’s going to be really interesting as we go deeper into this and how it kind of transforms.
And, I think I’ve got a comment here from Paul as well, just to say AWS organization.
Isn’t very elegant solution relative to Azure. Yeah. Yeah, it, Azure resource group of subscriptions or GCP groups is actually obvious when you see some of the crazy, I am contortions that companies do to make multiple AWS accounts. Well, Oh yeah. Identity across multiple resources and multiple clouds.
There’s so many layers to identity these days. I think back in the day you just want a single sign on or different services, great. Or, or then like now it’s just, Oh, there’s so many layers to this.
Houston Hopkins: I [00:46:00] kind of worked with the Senator in there when I saw them made the comment was this, this just has to do with, AWS was older. I mean, it’s been around longer. So to go back and implement that change is probably why organizations deemed more likable time because it is. and the other, the other cloud providers, one is, you know, Azure to their credit.
he used some of the constructs that we’re all familiar with from an ADA perspective and what Ady has become in the last 10 years or seven to say like, Hey, let’s just use this this way and we can break down things and no, you structure and largely that’s what all the other cop providers are not doing, including AWS, but it does, it is a bolt on, but it works it’s trust me.
It’s better than not having it. I, it is, it is a beautiful thing. So yeah.
Ashish Rajan: Yeah.
Houston Hopkins: Every IAM thing is an IAM contortion BTW AWS IAM policy is its own art. It really, really is.
Ashish Rajan: Yep. And imagine the number of tools that have been just created just for that. And I feel it’s really fascinating that a lot of people still haven’t been, I [00:47:00] think. You look at Pings or Oktas of the world. I don’t think they can solve that problem as well.
I mean, identity itself is so complex and then you add accountability when resources don’t exist and yeah, I feel it’s really interesting world for identity moving forward.
Houston Hopkins: Yeah. Yeah. I think there’s a lot of opportunity to keep pushing and finding the solutions that. Maybe they become that service pass or maybe that translation layer that gateway, or I am gateway that able to speak to all clouds.
I think, you know, we sell a promise promise from Cosbys and other kinds of solutions that we’re going to come do these things for us, but they’re not to say that they didn’t solve some of those problems, but they definitely didn’t do it in a cloud native way. In my opinion, what made the service that the cloud provided you did work anymore?
Unless you did it the way that the CASB could actually. And, you know, they’ve come a long way. So I’m not saying it’s bad. I’m just thinking these are hard problems to solve and lack
Ashish Rajan: Yeah. And Complex complexity kind of grows. The more [00:48:00] organization gets deeper into a cloud and to Paul’s point earlier as well, it’s multiple AWS accounts and you add Azure in the mix, you sprinkle some Google cloud and someone just bought an IBM cloud and Oracle cloud.
They’re like, Oh great. I might as well just throw a towel in this and just walk away from it.
Houston Hopkins: Yeah. I do think it’s imperative on organizations to this kind of decide, you know, pick, pick their, the way that they’re going to approach things, probably pick a cloud that makes them a sense for you. It doesn’t matter.
It honestly doesn’t matter which one, but pick one and then the differentiated services you might need from a few of them. But be really hesitant to just say like, Hey, I’m gonna let, I’m gonna let team X go ahead and decide to use IBM cloud this week because they have somebody on their team that thought that was cool for whatever reason.
It’s just that that can spiral out of control really, really quickly. And there’s still no. There’s nothing that rolls every kind of cloud up the way we wish they did. Like caspase might be able to help you detect all the cons are using [00:49:00] definitely the control suite and keeping up with the amount of API changes and what new clouds come up this week?
I would, I would highly recommend building some guardrails to keep people from operating in clouds where you. I don’t see a good opportunity for business differentiation. So sort of maybe against what I said earlier, like, I want people to be creative and whatever, but yeah, from a trying to keep your understanding being within your control and not have a woman in your people try to minimize how many different copywriters you’re using, if at all possible.
Ashish Rajan: Yeah.
Houston Hopkins: That would be a good price and most people would probably agree, right?
Ashish Rajan: Yeah. A hundred percent, a hundred percent i agree with you on that. I think we’re on the tail end of our show as well. And I’ve got three fun questions for you so people can get to know the other side of, Houston as well. first, what do you spend most time on when you’re not working on cloud or tech?
Houston Hopkins: so I, I do still ride my skateboard. Not as much as I used to. [00:50:00] Most of my time is definitely spent, with, kids, you know, so, so I think, not enough time, like I still regret every minute. I’m not spending with them your work way too much. I think that’s probably a pretty common, since I tinker, this is kind of interesting.
I do. I tinker with cars. I’m a, I guess I’m a closet car person. Like I’m not, I’m not, I’m not like going to car meets and I don’t wear like, you know, car T shirts or anything. But I like, I’d say the reason I liked cars is because it’s. Unlike our jobs. I can take something apart and put it back together and I can I’ll break stuff and things won’t work.
Right. But I find a solution to that problem, but it seems much more finite. Like you could finish a project pretty easy, and I changed this thing or I did this, you know, whatever. So, so I do find myself getting lost in this projects. Cause I think they’re more mindless. Right? I like mindless projects that I feel like I can accomplish.
We do out of that. [00:51:00] studying. Yeah, I guess studying kind of counts as work. So I don’t know.
Ashish Rajan: Well, I was going to ask, was you a skateboard? Is that one of those electric skateboards or like the push ones?
Houston Hopkins: Definitely a push skateboard. So if not along board or not have given quarter or anything like that, it’s like, I read real escape words.
I’ve been doing it,
Ashish Rajan: right? Like a long board.
Houston Hopkins: No, not like a real like normal skateboard nose and tail.
Ashish Rajan: Right, right. So
Houston Hopkins: we’re skate bowls. I skate street stuff like ledges. I love curves. I’m like really? I’m getting old. So curbs are just the thing I skate.
Ashish Rajan: Oh
Houston Hopkins: yeah. It’s a thing. It’s sort of a culture and a.
I’ve been doing it for gosh, like 30, some odd years. Now my body is hurt. I’m not a small young person anymore. My body definitely aches. My knees hurt a lot, but I love it. It’s the culture I grew up with. I still have lifelong friends all over the world. You know, we’ve [00:52:00] skateboarded together at one time or another.
So
Ashish Rajan: that is often, and that’s awesome because I think, as an adult trying to learn, skateboarding, I can tell you it’s not easy. Like I always fascinated my, I had this dream about riding a skateboard as a kid, then do it as a kid. Tried learning it as an adult. Oh my God. I’m so like, for lack of better, I’m shit scared sometimes.
And it’s like, my head is going so fast, but when look at the video, I think it’s really glacially. Like, no, it’s like, I’m so slow. Like, yeah, of course my own challenges, I guess
Houston Hopkins: I’ve been doing it for 30, some odd years and still in my head, I look like something and I see clips of me and stuff like, yeah, I guess that’s okay.
That’s not what I look like, but we have our own worst critics and it is tough. I can tell you I’ve been doing it forever. I skateboard better than him. I guarantee you, I get hurt walking, but I could skate. I can hurt skateboarding too, but not like I do walking. So it’s just funny. It’s yeah. Yeah,
Ashish Rajan: I might, I might take this to [00:53:00] me on skateboarding off of this, then I think I’ll definitely do that.
The next question that I have is what are you, something, what are you proud of? Which is not on your social media?
Houston Hopkins: That’s a weird one. So I’m not, I’m not super big on social media for like, I don’t know. I don’t over communicate anyways, but,
Ashish Rajan: Usually, so a lot of people talk about their family, the kids, and to your point, I guess the things that, you know, careers moves, that what I’ve done, that’s changed their life kind of thing. So, I know it’s a bit of a deep question, but it’s a, it’s an interesting one. I find that cause a lot of people techniques seem to be more on social media these days.
Cause you know, I unfortunately go to LinkedIn and stuff. Now everyone kind of has to be there.
Houston Hopkins: Yeah. And, and, but I, you know, I think. There’s probably a lot about me that you could, I would, I would, I think I’m not saying I’m a super private person or trying to hide anything, but I don’t, I don’t rush out and tell crazy stories on LinkedIn or on [00:54:00] Facebook, et cetera.
I do enjoy reading people’s lives and staying in touch with my relatives and stuff that way, but that’s not something I really rushed to do. I think, something that wouldn’t know, I guess about me that I am super proud of is my sister. Right? So these, Nine years younger than me. So we we’re pretty far apart, but she is an amazing person.
so she’s, she’s in the U S military. she, has, you know, you stayed in the military will probably retire in the military ranks, so she’s, Constantly getting new accolades and awards. And you know, she’s a real leader, just a different, total different background than me. Like she’s not a, not that she can’t use a computer, anything, she’s not a computer person.
We still lean on each other from that. So here’s something you wouldn’t know about Houston? especially on some people know this about me, but not many. I’ve never shot a gun in my life. Right. Like, I just don’t I’m in Texas. My name is Houston. People would probably say,
Ashish Rajan: I’m going to say, like, [00:55:00] you’ve been in Texas and you’d never shot a gun.
Houston Hopkins: Yeah. So I’m not, I’m not a, I’m not a traveling right at all. I guess I never thought I just never shot a gun. It’s kind of interesting things. and I’m not saying that I don’t know what a gun, I’m definitely not saying that, but it’s like, I don’t, I don’t do, it’s not something I’m super into. Right. I mean, I have a lot of friends that are really, really into it.
It’s kind of interesting to see. Cause it’s different than my culture and like the way I must have vegetarian. Right. Like, I guess I sound like a hippie all of a sudden
Ashish Rajan: my next question, like, so what’s your favorite restaurant within, so what’s your favorite vegetarian cuisine?
Houston Hopkins: so I eat a lot of black beans and rice.
So just different Mexican food or El Salvadorian, food, Indian food, like, you know, Thai food, pretty, pretty much all your standard vegetarian answers probably
Ashish Rajan: have a favorite.
Houston Hopkins: I’d say that like a good tie. Curry’s hard to [00:56:00] beat.
Ashish Rajan: Do you guys get like a green or a yellow Curry? Do you guys, you guys can, which
Houston Hopkins: probably red Curry.
I’m more of a, more of a red Curry person, better green and yellow is what I started with craze. I think. Yeah, but I think our chilled out into like nice, really spicy red Curry.
Ashish Rajan: Oh yes. That is. Yeah, that definitely. I mean, if you’ve got a good one, it’s funny, for a, for a long time, my go-to was pie fried rice with an egg of fried egg on top.
And, Oh, I did not know this, but because I’ve never been to Thailand, but a friend of mine went to Thailand and he said, dude, you should try this. Like, cause people would just order hi, fried rice, at least in Melbourne, they were ordering it, but no one would ask for the egg. And I did not notice a very thing to do.
Like when you order Thai fried rice. He asked for a fried egg on top. That’s a very tight thing to come on when you do that. And like, Oh, you’ve been to Thailand. I’m like, I mean, no I haven’t, but someone told me it’s a good thing to try. I added that, that [00:57:00] stuff is thorough active. I must say it’s like another layer, but I can keep going on about this, but I want to say thank you so much for coming in.
And I really appreciate all the insight that you’ve given. I’m pretty sure everyone else enjoyed it as well. We can people get in touch with you if they have any follow up questions.
Houston Hopkins: probably the best place to find these on Twitter, at I H O P K, which is, like my name. That’s the first thing, the name of it, the first few letters.
you can find me on Twitter or LinkedIn, you know, you can, Frank Houston Hopkins on LinkedIn. I’m not hiding. I once used to be a top Google head. really, if you searched Houston and Hopkins, I was the first hit and it was me skateboarding, which is really beautiful. But then, the Houston Texans football team, had a player with the last name pocket, and she’s now left the text.
And so maybe I have a chance to fight my way back up there,
Ashish Rajan: the house, like, cause when I was looking for images, it came up with someone from the, American football. I’m like, who is this guy? And I’m like, Oh, right. [00:58:00] Okay. Yeah. He’s definitely all over the internet as well. Yeah.
Houston Hopkins: He’s an amazing football player.
So he deserves it. I’m not, I’m not knocking it, but yeah, you can find me on LinkedIn. Pretty probably, LinkedIn and Twitter. I’ll use just ways to get ahold of
Ashish Rajan: me. Perfect. . Now, thank you so much again, and I, to be honest, I can’t wait to bring you back in again, man. I think we definitely have to have some more conversations, polio, skateboard, and imposter syndrome and life as well.
But thanks again for coming on the show.
Houston Hopkins: Cool. My pleasure. Thanks. Thanks.
Ashish Rajan: Thank you.