Episode Description
What We Discuss with Vandana Verma:
- Shared Responsibility Model
- Multi-cloud
- Hybrid model
- Infrastructure as a service
- Platform as a service
- Software as a Service
- Vendor Lock-in
- Infosec Girls
- And much more…
THANKS, Vandana Verma!
If you enjoyed this session with Vandana Verma, let her know by clicking on the link below and sending her a quick shout out at Twitter:
Click here to thank Vandana Verma on Linkedin!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode:
- Tools & services, discussed during the Interview
- Cloud Security Alliance
- Cloud Security Academy
Ashish Rajan: [00:00:00] Hello, and welcome to cloud security podcast. Today. I have a special guest, a wonderful environment. A lot of you may already know her, and I’m really excited about this. Not only because she is a calc security person, but also she does a lot of things. I found out recently that she does outside of work, which I really would love to get into as well.
But before I keep going on about how awesome welcome Wunderman actually have you here. Thank you so much. So people who don’t know you, can you introduce yourself to the audience?
Vandana Verma: Hi everyone. I am . I am. I’m working as a senior architect with one of the multinational companies. Apart from that, I do not have community.
With us and we’ll say, good, none. That’s
Ashish Rajan: we definitely need to get into this, the social life thing. We here to talk about cloud security and I’ve got to divide the whole thing in three segments. Right? The first one is just about what, why and how, and being cloud security, cloud security, public cloud. What does cloud security mean for you?
Vandana Verma: Security is the security of data, information and applications, anything which you are trying to host on the. Earlier days, a lot of organizations were not very [00:01:00] comfortable in moving their data out of their premises or moving to the cloud. So they thought anything that is in-house is more secure. Now when we are moving to cloud more rapidly, because in the past five years, we have seen a huge shift from in-house in-house or on-prem to the.
So we need to be very careful with the security measures. We put it into into the cloud that’s cloud security. Also we can say cloud security is protecting the data, which is stored online from any theft leakage or might be
Ashish Rajan: deletion. Right. And would you say, I guess some of the components that people kind of get into around infrastructure and application?
I guess I look at it as 50, 50, 50 divided. Do you agree? Or do you feel that I’m all parts to then to do cloud security than infrastructure application? I don’t like, what else would you add in.
Vandana Verma: So I would say the cloud when we talk about cloud, but they have different, we have different models, right?
Interested in as a security platform, as a service or software as a service. So everything has security. Security points or security measures, I should say, because when you are mad at [00:02:00] you and you are taking a capture from the cloud service provider, you have certain sets of roles that you have to do now, provider will try their best to provide you security, but there’s always a shared responsibility model that you have to abide by similar case.
You are taking the whole service from someone else. You just only have a consultant login and manage everything, which means it’s just the first login piece that you have to manage. But if you’re not managing that also that identity piece.
Ashish Rajan: For the audience members who don’t know shared responsibility model, and you’re going to touch upon what shared responsibility model I guess means with your example of SAS, but for people who don’t know share responsibility model, how do you explain that to people?
And why is it important for cloud security
Vandana Verma: responsibility model is a kind of a model wherein there are some responsibilities that cloud provider. Take it off, let’s say hardware, they will take care of hardware, data center. They will take care of the physical security or traditional security of all the things that they are managing.
But your data is your responsibility. Let’s say if it’s AWS, Amazon, Amazon web services, GCP, or any other cloud that you’re [00:03:00] taking care of, they will give you an interface to log in. So you’ll have to make sure that you are managing their interface. Now you are putting your data in a. If it’s public, which means anyone can access it, no provider will not be responsible for those breaches.
So then we are shifting to cloud or moving to cloud. We have to make sure what the assess, what we are moving to the cloud. And. What are the security measures that we need to have while we are doing that, because there are security services, which which is provided by the cloud provider, and we’ll have to leverage it.
Let’s say in case of Amazon, you have a cloud. Or many of the services that they are giving, but you have to use it. If you’re not using those services, you are in trouble. So in ingest, you can see, there are a few responsibilities which cloud will take care of. A cloud vendor will take care of. There are certain responsibility that we have to fulfill as the owner of the day.
So
Ashish Rajan: if you’re on a security architect, listening to this, I guess the big takeaway with the era is that to your point earlier, if, depending on the kind of cloud service you’re using, whether it’s an ISDN pass or [00:04:00] says, depending on what led or what kind of service you’re using, you’ve still have a lot of security responsibility on yourself.
And it’s not that you’ve kind of given, I guess, All the responsibility to the vendor. It’s it’s your responsibility as well to make sure you’re, I guess you’re locking your doors and closing your windows, I guess, for lack of a better example.
Vandana Verma: Yeah. And the best way to think of it is a slice of pizza, because I remember when I was starting off with cloud security, there were a lot of models.
So this one is like present as a service.
Ashish Rajan: Okay. What does that, what does that mean?
Vandana Verma: So I’m in the bizarre word. You’re doing everything yourself. Let’s say if you have on provides model, you’re cooking everything. You, you have to get the vegetables. You have to get the base. You have to knead the dough, everything.
That you have to make sure that you are doing everything on your own. So you so there’s another thing too. It is like you’re trying to milk your own cows and needing your own though.
Ashish Rajan: I like that, like, kind of like the pizza one, mainly because I don’t think I can make pieces. The fact that you, you know, what.
The fact that, you know, what goes into making a pizza is amazing because I [00:05:00] do not think I would have actually thought about that, but I’m glad that is a service like this. If there is, I was like this, I would definitely sign up for that because, well, I guess Domino’s is a service like that though.
Like Domino’s and pizza hut do the same thing. They just deliver. I just ordered it. It’s like a size, but it’s a visa which is coming instead of like a self France.
Vandana Verma: Yes, simply for software and the service. We can say that we are going via dining out and doing the templates or any other place that we like, we just order and we get,
Ashish Rajan: yeah.
Yeah. Wow. I mean, that’s probably the most simplest way to explain it. I kind of like how we went in that direction and we at a really odd time, which makes me hungry as well. I probably should move on to the next question. Before I started getting hungry. You got to mention Google cloud Azure and AWS as well.
Right? And a lot of enterprise obviously have to what you said earlier data centers as well. So they’ve obviously got a massive I guess, firewall deep inspection back and all that, everything that’s going on in on-prem world and a lot of people, maybe not sure if hybrid is a thing or does more declarative thing.
What are your thoughts on first [00:06:00] multicloud and.
Sure.
Vandana Verma: So multicloud is basically in simple terms using one or more cloud providers. It can be any cloud provider, so which can be a mix off infrastructure as a service platform, as a service on a software. So, for example, we might consume a vulnerability scanner from a cloud, from a service security provider, and we are using identity from some other provider.
It’s like we’re trying to consume services from different providers. Now why we are talking about multi cloud strategy, because earlier days we were saying that one size fits everything. In today’s world when we are, when we are aware the breaches are happening, there are so many things which are having happening.
Someday a cloud vendor comes in and then suddenly the person the vendor goes off. So you might choose multicloud to cater to specific business. You might also choose it to avoid the vendor lock-in because if you have full services with one vendor, that means your love to that window.
When you are moving away, it’ll take so much of a. And then you will [00:07:00] have to make so many decisions because whether the other vendor might be able to cater to you with all the services that you are using or not. Yeah. That’d be a big challenge. So I think this multicloud strategy is, is a good
Ashish Rajan: one.
Right? And do you feel it can ex go exist with hybrid or should be to look at switching to cloud completely as the cloud vendors want us to. They would just want us to go fully AWS. So fully Azure, fully GCP, but obviously enterprise has a lot of history and a lot of legacy systems. So what are your thoughts on them coexisting together?
Because to your point about people are saying multicloud and a lot of vendors want us to kind of go down that direction of fully going into their space, right. Fully going to AWS, or I’m sure they don’t say it, but it would be good for the business if we do. What are your thoughts on, I guess, multicloud in a hybrid world and what does that mean for security?
So,
Vandana Verma: When we say multicloud strategy, we understand that we are keeping multiple cloud providers. And when we say hybrid in the hybrid model, generally some data is in-house, which are, let’s say some confidential services, which are on [00:08:00] promoters. And then some of the services are on. Yeah, and we are bridging them together so that we can comply with the certain audit policies, compliance policies, or even security requirements we might know, or one organization might not want everything to be on the cloud.
Yep. Still it exist. And truly it’s, it’s a debatable topic. When some people say we are happy to be on cloud, let’s see small services startups. It’s a good way to be on cloud because earlier procuring the procuring, the hardware managing networks. It’s a big headache. Yeah. Everybody knows. Now we can see so many startups because we have.
And it’s one of the best ways weekend
Ashish Rajan: Cato. That’s right. That’s right. I kind of enjoy it. And I think the it, it definitely is an interesting space for people who are starting off as well. That whole delay in hardware coming through. And I guess getting the right approval, what’s the size, or like almost.
Ordering for overcapacity planning for 10 years in advance that kind of has gone away with the cloud. So yeah, I, I agree with you on that. They can definitely co-exist. W where do you think [00:09:00] it means for security though, obviously it makes it more complicated, but. Do you, do you feel, I guess, where do you feel the, see the learning focus security in this?
I guess obviously learning cloud is probably one of the step one as you and I are both doing, I
Vandana Verma: guess. Yeah. So in this, we have to take care of multiple things because we have to make sure we are on-prem that. And then our unplowed data is also seen. So in that case, we need to make sure we have appropriate encryption when the data is getting transferred.
If we have any compliance that we have to follow, we are following it properly because that’s one of the important things to be considered. Let’s say you are dealing with some credit card information and your data is getting trusted. Between on-prem and cloud and you’re not securing it properly, then you are in trouble.
You will do the lawsuit. So apart from that, any human error, but we all have to have proper exercises because strips that you are running on for mice and trying to fetch the data from. Those have to have proper access to all those other things. If you don’t have appropriate access roads, they can get you in trouble.
[00:10:00] I have seen companies using root accounts or access and SSH keys to run the production load. Who does? That’s a big challenge.
Ashish Rajan: Yeah. I mean, I guess thanks for that. People like Joel as well. I guess it’s scary at the same time. It’s complicated is do you feel like as a, as a security person, yourself was working in the cloud space for someone who’s listening as probably not done cloud before and is slowly seeing the onset of cloud in their company, what do you recommend to them as like more so baby steps they can take today to be well-equipped I guess.
Vandana Verma: The first step that someone needs to do when moving to the cloud that understand your inflow first, understand your assets. If you don’t understand your assets and your infra, it will be very difficult for you to manage outside where everything is hosted on the cloud and you just have to manage, it would be better because you don’t know what you’re in trying to understand what are the services that.
Because if you don’t understand that these are the specific services I required, then you might sign a contract with a vendor and you, you will ask later a later point of time, you will see that this service is not [00:11:00] there at all. What will you do in that point? That that’s a big challenge. Apart from that, understand that how to secure those services take help from the people who are working all around, who are going to be working on the cloud, train them.
The people who are working and they don’t know security, it’s a, it’s a big, big like we’re trying to find a fish, a small fish in a big scene. So it’s for security person. It’s not always. They wouldn’t be available, but then if somebody was working on ground, no security. It’s like a cherry on top.
Yeah.
Ashish Rajan: Yeah. Yeah. Nice. I love how you use analogies to describe everything which makes it makes the understanding so much more easier.
And so that was the first day when we, we kind of went into what, why and how about cloud security? The second segment is offense versus defense and it’s basically. Is there a, how do I put this? If there’s a cloud security incident, which you have either been part of, which you can disclose publicly, or if you have heard of from friends or colleagues in the space of cloud security incidents, which may not have been in the news.
So then
Vandana Verma: having many incidents that I, [00:12:00] I wouldn’t say that I’ve been part of any incident,
so I am good. I’m sharing from my experiences. What I have seen that I wouldn’t say anything.
Ashish Rajan: Sure. So let’s pretend it’s not one than I, who did it. Who’s part of it. Someone else lives.
Vandana Verma: Yeah. So the incidents that I’ve heard is people had open S3 buckets. The S3 buckets were publicly open data, starting from the customer’s email addresses, customer communications and whatnot was.
Yeah. Yeah, that’s right. Even the goof ups included the authentication credentials secret API data, digital certificates, decryption keys including the customer data that I mentioned. So it was like huge mobile data, even over 1 37 GB.
Ashish Rajan: Oh, right. That that’s that’s a lot. Wait, so is that so, so in Australia we had this thing called the mandatory breach kind of a thing.
And obviously of course you work in India. So is there something similar where if there was a breach, so people like companies have to disclose it, is there like a.
Vandana Verma: I think there is one where, when, if you are breached, you have to report it to the [00:13:00] authorities so that people that you can have with the people who are part of the breach,
Ashish Rajan: right?
Yes. Yeah. Okay. So, and is there like a dime period to it? Cause I think so. I think that they say, and it’s very loosely mentioned as well. Like, cause people are gonna say that, oh, it’s 72 hours. So 72 hours from the point that you’ve realized that there has been a breach, but there has been a breach it’s a very loosely used term.
Right. Because you could still be saying I’m investigating. I’m not sure if I’m. I
Vandana Verma: am 72 hours, but I would have to check on
Ashish Rajan: that. Oh no, that’s fine. Sorry to put in the sport. I was just curious because when you mentioned the bridge and it kind of like, oh, I wonder if someone gets breached and if they’re liable to tell the, I guess the government authorities, cause it could be a legal thing as well.
Right?
Vandana Verma: Lyrically, because whenever there is a breach, there, there are, there’s a lot of data which might be consumers or organization data. And those organization needs to be informed within this stipulated period of time, as soon as you get to load, because if you don’t let them know and the right authority, then you are in trouble.
So it’s a, it’s a proper procedure that has.
Ashish Rajan: Right. Okay, cool. All right. [00:14:00] And that’s a good segue into our next segment, which is the MythBusters, which basically you kind of spoke about shared responsibility more earlier. I’ve believed that’s a huge myths about shared responsibility model. For a lot of people is, well, the vendor takes care of everything.
I don’t have to do anything, which we have clarified already. For apart from that, what are the other common myths that you may have heard of or seen that people still believe is a case in cloud security, but it’s really a myth.
Vandana Verma: I’ll start with people say the cloud is more vulnerable to breaches.
This is like one of the biggest misconceptions that we have here about the cloud. If I say, if I put it this way, that in reality, There have been no evidence that indicates that actually portrays that cloud service providers have performed less security than the end user organization. Make sure that security is there, but then it’s our responsibility.
It’s like everything that we talk about when we come to breaches, we have to make sure that we play our part. Because if you have not playing a part, we can’t blame anyone because any cloud security provider or cloud provider that’s true. Even there was one [00:15:00] report by Gartner where in the recent history.
Has demonstrated that brand name or multitenant services. I’ve never, never any kind of attack. So they’re highly resistant to attacks because any service provider or vendor that comes into picture, they take. There bit first environment resiliency first, and then they come into the services after signing all the security certificates
Ashish Rajan: and whatnot.
Yup. Yup. Yup. And do you feel like people feel, I guess public clouds are more vulnerable? Is that only in, is that only in the technical community or does it go above like managers and people. Absolutely. Absolutely.
Vandana Verma: Yeah, absolutely. When we say the C-suite people they’re also have Mets about like cloud security is very difficult to achieve or data security, data and compliance.
It’s not easy in the cloud. Because anything that is in house is like super easy even we’ve seen that logging and monitoring has been like a biggest challenge. People think that logging and monitoring is very, very difficult in the cloud. So that’s like coming from top and then they think that, yes, these are.
The things are [00:16:00] the challenges that a VC they in and day out and not just that people also have misconception apart, like generally when we say cloud security, it can be segregated in different sections like developers, because they’re working on the ground. Then there are some people like security.
Then then there are the leadership teams, they have their own set of things to discuss. So if, if I say that there’s one section things that in cloud, there is no human error. Most of the breaches act happens because of the accident or it’s like accidental losses. Yeah. So in the class also, I remember there’s a company called blur.
They announced that they like someone by by mistake, exposed the file with 2.4 million names or password, huge number. That’s a huge
Ashish Rajan: number. Hopefully they had a data breach policy, then they had disclosed it, I guess.
Vandana Verma: And they disclose it. But yeah, the the passwords, hopefully they are not disclosed.
Ashish Rajan: Yeah. Hopefully the faucet, just the names, not the passwords. I, and I guess your point about, obviously you spoke about a bad example. I look at cloud security podcast has also a space for us blue team to be, I [00:17:00] guess, using the platform Blackboard wins as well. Is that a win? I mean, obviously we read, but we busted a few myths is in a wind that you can share.
It doesn’t have to be something that you can, I guess you can, we can hide the company name or how are you gonna use it? Is there any way that you would want to share with us where you were able to say successfully blocked someone or an incident, which you may have heard of, or not being part of, or, or as we said earlier, one that has not noticed possibility on this that you felt was a good example of a blue team during the.
But I guess as all business, there was no credit given to it. So is there an example that you can share that you felt like, oh, that was an awesome win. I wish it was put on the poster.
Vandana Verma: Yeah. So I said, if something, I would say it was a breach or it was stop the breach, but so let’s say there are over 200 accounts that are part of cloud because there are different foods that are going to the cloud and then you’re sending not every account is being maintained by.
Yeah. What’s your organization, right? That person organization. You’re nowhere. Yeah. So how about managing it under one umbrella? All the 200 accounts or over 200 [00:18:00] accounts from one billing account, because money will be paid from only that account. Rather you will not get the money,
get anything in one umbrella and then managing the policies for all those. Then they were using the root accounts, remove that live with certain specific permissions. You will know who is where exactly, or what service account, if something happens.
And you can just wipe out that person sent from the account, or you will know what are the services that has been accessed or reached, and you will remove those services and you want to bring up
the infra was like the biggest. But then you understand what your services are, what are your accounts? What are the applications
Ashish Rajan: wow. And doing it for hundreds of accounts. Yeah, I think that does definitely. Yeah. I kind of like that you would definitely go a long way. So I guess, do anyone who’s listening, who hasn’t done this and Polly manages hundreds of accounts with hundreds of root accounts.
We’ve got, I think we were talking about AWS over here and it’s a great model to just bill everything in one. Under one account, one billing account and not have multiple accounts everywhere. Yes, that’s right. And I guess there’s something called AWS organization as well. Even AWS is saying you should do this.
Do not just get a single account, especially if you have a lot of AWS [00:19:00] accounts now, that’s, that’s a, that’s a, yeah. You’ll be able to do that. That’s a great win children. Spend some time on the work that you go in the InfoSec with girls’ face, which you haven’t touched on. I did wanna touch on that because I’m kind of like yourself.
I’m a massive bus, I guess, supporter of the community growing in the community. So we’ve kind of answered God security, people questions. So anyone who are probably a female in the audience, could you talk about infect girls? I’m calling it the Unicon segment, what is in for the girls. And what can you share to the audience about that?
And why?
Vandana Verma: About in say goods. We all started off with thinking that we need to have a place where we all can speak up because it’s not that we get intimidated because this is a specific thing that we say it’s about. Sometimes there are a hundred people in one room we ourselves have. Notions that we are not comfortable.
It’s not that the other people are making us uncomfortable. So so we started off with that notion, but then slowly and steadily, it became a place where we started teaching the school students. We started teaching the college students, come be the boy, be the girl, any person who [00:20:00] wants to learn we trained people at the conferences for free at multiple conferences for free.
And apart from that, we keep driving towards educating. So you would see that we have a YouTube channel where a lot of people have gone. Even a lot of eminent guests have gone where and who started off. So. No section the program, let’s say Jim medical, he’s the one, he’s one person who was very much into 10, but then people take that as benchmark.
So we had him, then we had, we had so many people who shared their views and on those forecasts, we had Indian limit as well as part of it. So we can collaborate similar way people from different geographies come together on that. And we speak on different. Get to know each other. Nice. Also we have so many other things done for future.
Keep enhancing, keep growing, keep connecting with people because that’s very important. Let’s say you are in Australia and I am in India. We, we never knew each other was suddenly through LinkedIn. We reconnected and we started chatting and now we are
Ashish Rajan: that’s right. [00:21:00] That’s right. It’s almost the you in the room with me over here.
We just talking as friends over here.
Vandana Verma: Yeah. So that’s the most amazing thing. Like even if you ordered a podcast or a video chat with someone and suddenly at a conference or somewhere at networking, even you meet that person. Yes. I know I knew you from there. That’s what happened with me. Like I met so many amazing people.
Ashish Rajan: Wow. And I guess the work that you’re doing is quite interesting as well, because I guess a lot of people talk about, there is a shortage of cyber security professionals, even though we would be this, they would be a famine for lack of a better word of cybersecurity professionals. This is kind of like your way of kind of helping.
And I, I love the fact that you’re actually promoting the whole community. Do you want, you want to grow with the community? That’s what I love about the whole thing. Anyone who trying to learn from the space, if someone wanted to get in touch or get involved, or to your point someone who has it, who may not have written the top 10, but has done something interesting in the cloud security space.
Can they, can they reach out, I guess, can they join the community or is community only, I guess in my only kind of thing, how does that work?
Vandana Verma: It’s an open community. All the details are there, there is a mailing list. There’s a [00:22:00] YouTube channel. Everything is open you just, if you want to be. Please feel free to like, be more than happy to grow.
Right now we have over a thousand people part of it, and we would love to have like, over and over, like you want
Ashish Rajan: to grow 10,000 people love to see that. Well guys and girls who are listening, we’ve made sure underline gets a thousand people. I’ll join the community as well. This is my budget. I’m definitely sure.
We’ll get, get there one day. Thank you for sharing that information. And that’s kind of like a unicorn segment. It’s kind of like the, towards the end. Where, what have you fun questions for you? I’ve got two questions the way it works. It starts with a bit more serious. It gets a bit more fun. And then, then, then it’s really fun.
Right? First one. Where do you spend most time on when you’re not working on cloud? I
Vandana Verma: spend time with my son. But I spend a lot of time with the community.
Ashish Rajan: Yeah. I kind of kind of expected that. What is something that you are proud of, but it’s not on your social, like LinkedIn on Twitter. It’s not there, but you are really proud of and you do it in your personal life.
Vandana Verma: No, no, no, but I love cooking. I can, I can cook good food. Anything that I see. Like I can tell what’s the ingredients and I, I can just go to the deal and cook for sure. [00:23:00]
Ashish Rajan: Really. Cause that’s, that’s, that’s pretty interesting because my next question is a great segue. Is what’s your favorite cuisine or restaurant that, that you can share with the audience?
It’s funny how that question is Quinten perfectly.
Vandana Verma: So my favorite cuisine would be that market and garlic naan, which is like more of Indian.
Yes, I have a baby from insight. Like I can enjoy Italian food, European food anything like I’m a big foodie when it comes to thing that I love the most, I would just get that McKinney with garlic naan or.
That’s the most
Ashish Rajan: pieces and we spoke about garlic. Now this is like making me really hungry though. I think, I, I think I noticed some food from visa as a service option. That’s the time we had, and I really appreciate you taking the time out for this. Thank you again. Is w if people reach out to you, where can they reach you on what are your
Vandana Verma: socials?
I am very much reachable. You can search with Vonda, Vermont. And also I am very much active. My DMS are open on Twitter with InfoSec InfoSec, I N F O S sec, Wanda V N
Ashish Rajan: D N. I think Julian, the shortest as lots of people would know that as well. Thank you so much for coming on the [00:24:00] show. Really appreciate it.
Thank you for sharing the knowledge and thank, thank you for the awesome work you do with InfoSec girls. I hope we reach the 10,000 mark.