DO YOU NEED A CLOUD SECURITY POSTURE MANAGEMENT (CSPM)?


Episode Description

What We Discuss with Gaurav Kumar:

  • If I am starting in Cloud today, do I need a CSPM?
  • Do I need a CSPM if I am in multi-cloud with a small foot print?
  • Story behind Gartner not recognising CSPM as a legit space?
  • What are the current problem spaces that are being solved or not solved in Cloud Security?
  • Is Security Observability the same as behaviour analysis?
  • Do you see compliance at scale done really well?
  • Are there any good resources for Cloud Security training for staff?
  • And much more…

THANKS, Gaurav Kumar!


And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.


Ashish Rajan: [00:00:00] Hey Gaurav!

Gaurav Kumar: [00:00:01] How are you?

Ashish Rajan: [00:00:03] Good. Thanks for coming in. And I think I’m really looking forward to demystifying Cloud Security Posture Management. I do want to say, when I first met Gaurav, Gaurav had a beard, and he and I were thinking, or at least I was thinking, we could twin the beard, my COVID beard, but he got annoyed by the beard way before I did.

Maybe next time we can make it happen. I’m going to start with another question, which is obvious, which is what was your path into cybersecurity? I was always interested in the way people started. So what was your path into cybersecurity?

Gaurav Kumar: [00:00:35] Yeah, well, I would say that I started off when I was a little kid. I was never interested in playing with the toys, but rather breaking them apart and looking at how they really work.

I was a teenager when I started learning more and more about electronics, and from electronics I’m into computers, and I’m in general very inquisitive. So it was a [00:01:00] natural progression for me to just work in cybersecurity.

Ashish Rajan: [00:01:04] Oh, right. Okay. So I think it seems almost like a theme as well.

Where anyone who’s been inquisitive about dismantling things, although parents hate it. If any parents are listening to this, you should just encourage it, ’cause you potentially have a cybersecurity person there in the making, isn’t it? What about cloud security then? Like, what are your thoughts on, I guess, cloud security, its very definition? And you can’t really have a conversation about cloud security posture management without talking about what is cloud security.

What does it mean for you?

Gaurav Kumar: [00:01:39] That’s a good question. And I would say that in general, I like to think from the very fundamentals and principles. So, okay, I think security in general, over a period of time, I would say for me, it’s about having psychological safety and having the confidence of working in an environment.

Right. [00:02:00] And then you can apply similar principles to the cloud, right? I think in cloud also, you need to have that safety, that I have an environment where I can run my business without having to worry about security issues. So I think to me the answer would remain the same, right? I mean, having a psychological safety in the cloud, it’s specifically cyber is prosperity.

Ashish Rajan: [00:02:26] Interesting. And so maybe let me put it another way as well then, but do you see it as an opportunity or as a problem area? Like, how do you approach clarity? I know it’s not, say, as old as waterfall or some of the older ones, but you know, cloud security has been in the industry for, what, less than 10 years.

What are your thoughts on cloud security now? Is it an opportunity space or a problem space? How do you look at it?

Gaurav Kumar: [00:02:54] I think every problem is an opportunity. So I think it’s up to the people [00:03:00] like us to figure out if that’s something they want to solve. I think personally that it is much more rewarding to solve cloud security problems than your traditional enterprise network security problems. And I have my own reasons for that. But yeah,

Ashish Rajan: [00:03:21] a few more reasons as to why that space. And I think the reason I’m going into that question a bit more is because, for people who haven’t read your bio yet, actually, it was calling out that you were the cofounder of RedLock, which is a CSPM as well, which got bought by Palo Alto.

And now you’re doing your own thing as well. So you’ve clearly worked in the cloud security space, and I’ve got a few people who are cybersecurity founders as well in the mix who watch the show and listen to the show quite a bit. And I’ve also got some budding entrepreneurs as well, who are probably looking at this space and exploring this.

So, keen to know from your experience as to [00:04:00] what challenges did you see that people face? I think first of all, cloud security posture management, what does it really do? What does it mean? Yeah,

Gaurav Kumar: [00:04:09] I think as the name itself indicates, it’s about having security posture management. Right? As I was saying though, it is much more rewarding.

I won’t say it’s necessarily easier, right? It’s just more rewarding. The reason is this, and then we can go into the CSPM specific things. In the on-prem world, if you think about it, it’s really like the wild, wild west. Most of the time you’ve got generated data and the framework is not structured. So if you go back like 15, 20 years, you will find that most of the security startups and companies had a sizable engineering team whose job was to simply parse the messages, the logs.

In the [00:05:00] modern cloud world, things are more and more API driven. You have a consistent request format, response format. There are API specifications available. So you don’t have to do the boring grunt work. Okay. So that’s number one. And secondly, it’s the democratization of access to the tooling.

So in the past, in the on-prem enterprise, if you want to build a security product for, say, 50 different systems, how are you going to get access to those 50 different systems? You don’t have an easy way. In the cloud you just sign up. Right? All the cloud service providers have metered pricing, super easy. For, I think, hobby projects, you don’t even have to pay anything.

Right. And you get this access to all the data that you need and you can innovate at a much faster pace. So that’s the reason I believe that it’s [00:06:00] actually more rewarding.

Ashish Rajan: [00:06:01] Interesting. And I think too, to your point, API driven is probably one of the, I guess, qualities of being in cloud as well. And that means a lot more things that are available at your disposal, as you mentioned.

So if anyone is looking at this as an opportunity area, maybe let’s just talk about the maturity as well, right? Because a lot of people find it hard to talk about cloud security to the organization. Have you had some experience where people are trying to find, or I guess seeking, some guidance in how they highlight the importance of cloud security, especially in an organization which is moving into cloud, like probably in the initial migration stages? Like what do you tell them, why cloud security? Or actually, maybe let me just put it another way. If I am starting in cloud today, do I need a CSPM?

Gaurav Kumar: [00:06:50] I think there are two dimensions about it. The first dimension is the scale,

Ashish Rajan: [00:06:57] right? Right.

Gaurav Kumar: [00:06:58] Anything at scale is [00:07:00] hard. Okay. So if you are starting out in the cloud and you have a very small footprint, I think you probably don’t need an expensive CSPM tool.

Ashish Rajan: [00:07:11] Yup.

Gaurav Kumar: [00:07:11] So that is scale. The other is maturity.

If you’re going to use those infrastructure as code, IaC, templates to manage your cloud, and your developers are security conscious, right, and you have some sort of a security DNA in the engineering group, then I think you will be able to get by simply using your cloud native tools.

Right.

Ashish Rajan: [00:07:36] Okay.

Gaurav Kumar: [00:07:38] All right. Things start to break down like, well, I’m in the small office and we are just four or five people just starting up a new company here. I can raise my hand and ask anyone, Hey, you know, what is this IP doing? Or what is this user about? Right. Then you have a thousand people in the company.

Ashish Rajan: [00:07:57] Hmm. Yeah. [00:08:00] Yeah. Even, to your point, about a hundred people, a hundred is a lot of people, and if a hundred of them are using AWS or Azure. And I think, to your point about the scale, what about the layer of multi-cloud? And there were a lot of us security folks.

And I think that when I do a lot of consulting, I kind of realize that inevitably, without even knowing, a lot of people have started going multicloud. And it’s like, everyone thinks that they’re AWS only, but then you find out this really weird, small exposure that you have into Azure for some reason, or GCP, for some reason.

Like, is that also a time when you would consider CSPM, that if you have any multicloud footprint, even if it might be a small scale?

Gaurav Kumar: [00:08:43] That’s a good question. I would say that it’s a function of how many resources you really have, like if you know somebody who knows these clouds,

Ashish Rajan: [00:08:55] right? Yeah.

Gaurav Kumar: [00:08:56] Then again, you can use native tooling, but if you don’t have [00:09:00] the bank to go ahead and figure out integrity is obvious cloud, then probably yes, a CSPM in that case would probably make more sense.

I mean, that example is, yeah, like I forgot to end up doing it. Plus word work. He’ll call us. Your roles are very different. And if we go to GCP, the roles are very different. Right.

Ashish Rajan: [00:09:24] Yep. Yeah,

Gaurav Kumar: [00:09:26] No. If somebody has been working in AWS for a long time, he or she might just try to apply similar thinking in GCP, and that wouldn’t give great results.

So, I would say, yeah, I mean, if you have a multicloud, then it probably makes more sense, because most likely you have a development team who knows one cloud, right, more than anything else.

Ashish Rajan: [00:09:48] Yeah. And I think, yeah, that’s an interesting point as well. Like, what are the problem areas you are seeing in the cloud space?

And I’m looking at a few people here who’ve joined in, like Paul McCarthy and other people. They have startups in the [00:10:00] cloud security space as well. And actually, the whole CSPM space has been there for a while, and Gartner had not made it official. Do you remember that story, or would you want to share that story?

I think I remember where, I believe RedLock probably was the first company that kind of started talking about cloud security posture management, but officially it wasn’t a thing that existed until Gartner made it official. What was the story behind that?

Gaurav Kumar: [00:10:25] I think it always happens though.

The industry analysts, they have a certain way of thinking and they work with a certain set of customers. And then the industry, I think, is moving at a slightly different pace. Right? Right. Well, that happens all the time. I think my favorite story that comes to my mind is how long it took for Gartner to say that web application firewalls are an independent market. It probably took them like six to eight years, maybe more. Regularly it was just [00:11:00] their opinion that the web application firewall function belongs to the IDS and IPS, it does not make sense to have a separate category. I’m not trying to blame anyone.

I mean, it’s just the nature of things that it takes a while for people to come to some sort of consensus that, okay, this sort of makes sense, let’s just do it this way. So it took a while for everybody to recognize that there needs to be a vertical called CSPM.

Ashish Rajan: [00:11:31] CSPM. Right. And I think the great example, just taking off your WAF statement, I’m pretty sure you would have seen that Signal Sciences got bought by Fastly for 700, and they are a WAF.

And I’m like, that’s all they do. They’re a WAF. I’m like, hm, I wonder if the WAF thing didn’t exist in the Gartner space, they would never have sold themselves for $700 million. Like, that is just insane, but shout out to the Signal Sciences [00:12:00] team. I’ve known Zane and other people for a while. Great, great guys.

And so, coming back to our statement about the problem areas in cloud security, what do you see as the current challenges that are being solved? And I do want to go and do a bit of CASB as well, ’cause there’s another product space that kind of has been there for some time. So it’d be good to go into it.

But what do you see as the problem spaces in cloud security that either are being solved or not being solved or not being looked at? Like, what do you see as the problem areas?

Gaurav Kumar: [00:12:32] Yeah. I think there are two major problems that I see that people are struggling with. The first is really getting a handle on where I begin, where do I start from? Right. Because I think that we all know that cloud security, cybersecurity, is a very busy market, like lots of vendors out there. [00:13:00] Say I start figuring out, oh, I need a disk encryption solution. Right? And you go to Google, you look for solutions.

You will find hundreds, probably thousands, I don’t know, lots of vendors out there who can provide you a great solution as soon as they know you are looking for disk encryption, and

Ashish Rajan: [00:13:20] right. Yep.

Gaurav Kumar: [00:13:22] So similarly you can actually extrapolate. And the problem statement just becomes that if you know this is where you are, then figuring out how to get where you want to be becomes very easy, because you have lots of tools available. But just getting a sense of, oh, I have these many cloud accounts, cloud projects and identities, and my developers are using these third party tools in the product. So just getting a sense is very, very hard.

Okay. The second [00:14:00] problem is the scale problem, right? There are so many changes which happen in an environment every single day, like people are pushing to production. Now blue-green deployments are becoming very, very common.

So many things are happening at the same time. When it comes to security, I think we need to recognize that we need to up our game. I came from thinking in terms of security visibility to going into security observability.

Ashish Rajan: [00:14:35] Okay.

Gaurav Kumar: [00:14:36] And what I mean by that is, visibility is somewhat easier.

As I said, you have immediate access to the data, right? You call the API, you get the response, and you can store the data in a database. You can write the queries day in, day out, and you will get visibility. That’s good. Observability is [00:15:00] about having a mental model of observations, being able to observe things, not just see them.

For example, you will find that, if your virtual machine in the cloud is making an outbound connection to some IP on some port, do you have ways to see that traffic? I will say yes, every single cloud service provider gives you VPC flow logs or things like that.

Ashish Rajan: [00:15:28] Right.

Gaurav Kumar: [00:15:30] And you look into the traffic when you need,

Ashish Rajan: [00:15:31] right.

Gaurav Kumar: [00:15:32] Observability is where that connection is being made, and is that connection being made in a malicious manner or is it benign? We know that we have data, we have tooling, we have visibility, but to be able to observe, we need to be able to give semantic meaning to that data.

That’s [00:16:00] observability.

Ashish Rajan: [00:16:01] It’d be more so sort of behavioral analysis, right? It’s a different,

Gaurav Kumar: [00:16:06] It’s not necessarily behavioral analysis, but it’s about giving meaning to things. Right? So for example, in a database, if you have a SQL database, a row in a database is, yeah, it’s a row, right?

It can represent network traffic going to a certain IP and port, but what is the meaning of it? The meaning would be that, hey, there is a source and then there’s a destination and there’s a connection being made. And the edge of this graph, this two-node graph, represents the activity, right?

So giving meaning to the things is what I would call observability, that connection happening, as opposed to thinking in terms of, [00:17:00] I guess, I have a database row which represents this connection.

Ashish Rajan: [00:17:04] Interesting. ’Cause I’ve heard about observability, but in a logging context, and how a lot of people, I think Atlassian and a lot of other people, are going down the path where they think a lot of observability around logging.

And so you’re seeing that kind of appear in the cloud security space as well?

Gaurav Kumar: [00:17:21] I think so, because we are getting to a stage where we just have so much on big guys, impossible to really make sense out of affair. So we need to start thinking in terms of giving a first-class citizen approach to these different models,

Ashish Rajan: [00:17:37] right?

Gaurav Kumar: [00:17:38] So network traffic as a first class citizen, whether they are assets or they are users, your permissions, all of these things don’t really have any sort of observability in the cloud. People are just, you know, using very general purpose solutions, [00:18:00] which are not made for security.

Ashish Rajan: [00:18:02] Oh yeah. I think I get what you mean. So I’m not going to name the tools over here, but to your point, it’s more like a lot of those cloud security tools at the moment are talking about things like, this is what is wrong with the system. I don’t know why, but because the checklist told me that this is wrong.

So it is wrong. Is that what you mean? But then observability is that layer on top, it’s like, rather than just a checklist, you know, this behavior, you should look into this. What is the difference, like a simplified difference, between what you’re seeing the products doing versus what they should be doing?

Gaurav Kumar: [00:18:35] Yes. It’s about our ability to reason about things, like why this is happening. If somebody is asking you a question, hey, can you explain to me why this machine is talking to that machine? If you think in terms of visibility, your answer would be, yeah, it’s able to talk because this is a log.

This is a network traffic log. And is it able to talk to you? I mean, you want to be able to go to the [00:19:00] depth of the technique for the connection, right?

Ashish Rajan: [00:19:02] Yeah.

Gaurav Kumar: [00:19:03] The observability perspective should be able to explain, it’s able to talk because there is a firewall, the firewall has rules, the rules are allowing the connection to happen.

This is the process listening on this particular port. This is the traffic and everything, right.

Ashish Rajan: [00:19:19] Wow. And am I right in saying, it sounds like it’s a lot of maturity that will be required before you even can go down this path? Right. Like, I can’t imagine someone, to your point earlier, if I have one AWS account or one Azure subscription or one Google project, I think.

And maybe even if I’m a startup, for example, like, I feel like observability, should that be a thing that you start before? Like, you should start noting down these behaviors from the beginning? They can of how you say, I mean, a lot of people say you should have the right security foundation that you should try and go.

I’m going to have CloudTrail turned on the day I start, but no one really looks at, is there a [00:20:00] root console login I have an alert for? Or should I have an alert for Ashish logging in versus Gaurav logging in? Like, no one talks about that. Everyone’s like, switch on CloudTrail, make sure you’re using CloudWatch, make sure you have AWS Security Hub and GuardDuty.

I mean, you know, there’s this checklist that people go through. Do you feel like people should start looking at these or asking these questions at that point already? Like, is that what they should do?

Gaurav Kumar: [00:20:23] Yeah, I would say that I think people should rather start backwards: figure out where they want to be, where they have the data and where the risk lies, and then work backwards on how do you go about securing that environment, as opposed to blindly applying some checks, right. That’s been a very big pain point in the past. People have simply just said, oh, they are compliant with this regulation and that regulation and everything. And yet they get compromised all the time. And it becomes like, you know, they simply wash [00:21:00] their hands and say, we did everything we were supposed to do.

Yup. You are compliant with this. And yet we got compromised. So it must have been a zero-day, some crazy hacker even to do. And eventually it drops down to something as simple as somebody not putting a password on their database server and exposing it to the internet.

Ashish Rajan: [00:21:25] And I think a related question from Vineet, he is asking, is it like CloudTrail, or is it like, yeah.

Is it like CloudTrail, or finding insights from it? Is that what you mean by observability? Is that like finding insights from something like CloudTrail? I think that’s kind of where he’s going with it. Would that be an example of observability?

Gaurav Kumar: [00:21:42] The example for me would be having the ability to reason why something is happening. I think CloudTrail and CloudTrail Insights are tools which can enable you. [00:22:00] But more importantly, I would say that having security codified in a way that you can just look at it and reason, okay, this is how things are working.

You know, when you got an example there, I’ve been writing on, of course, and people who are application developers here, they can attest to it that test driven development is really important. Right. And unit test cases are important. And people should look for code coverage and everything.

Ashish Rajan: [00:22:30] That’s right.

Gaurav Kumar: [00:22:32] That’s what I mean by observability. Right. Observability, like in the DevOps world, loosely, people were saying what is our P95 and P95 latency? Right. So people have very defined metrics, a very defined mental model of how they have great quality code.

Right. That there it’s a compile time, where time, runtime [00:23:00] security, right. Security becomes more of like just next gen machine learning, AI, ML threat detection. So for me, it’s about, as I said, having the ability to reason about things, and the reasoning doesn’t really have to come from runtime data.

If you look at what we mentioned, like CloudTrail, CloudTrail is more of runtime data. Sure. Yeah. It’s like, you can look at the logs to make some sense out of it, but you can also look at your code and see how the code is behaving. Right.

Ashish Rajan: [00:23:35] Oh, right. Okay. So, I guess, there’s another example here from Harsh: Azure ATP and Windows Defender ATP are the examples. They give deep insights into how we can make the most out of the logs, although they both require tons of tuning.

Gaurav Kumar: [00:23:51] I think, yeah, and I’m glad that the cloud vendors are moving in that direction. If you think about the recent announcements [00:24:00] from AWS, GCP, all the cloud vendors, and the new offerings they are providing now, they are more in line with how I would like security to go. They are not there yet, but I think we are getting there, which is a very cheap thing.

Ashish Rajan: [00:24:17] That’s a really interesting point, because I mean, I think, I feel like you and I are that age where we can talk about this, where a lot of security, especially for people who started off being sysadmins and network security, a lot of conversations used to be around:

I need all the logs. I need all the logs from all the applications. I need all the logs from every Tom, Dick and Harry that you can find in the company. I do not care where, I need all of them. Right. And I remember that, from my conversations, right, a lot of people across trying to get into this problem space as well, that people actually don’t look at those logs.

A lot of those logs just disappear. You just have a huge collection of logs. But then [00:25:00] Splunk and all the other SIEM solutions came along. Then you can have this, I guess, almost like a dashboard for this amazing insight. Well, I don’t wanna use the word insight. It’s more like, what do I want to get alerted on?

I always took that as a SOC tool. I never took it like, this is telling me what I should be looking for, this is the behavior that I should be stopping. And I don’t want to go into chaos engineering or one of those chaos engineering experiments, but they all believe in that concept that, well, what’s the point of having all the logs? Because that’s the question that a lot of security people get asked.

And then the only answer that I’ve been able to come up with, or I’ve heard, is, in case of an incident I need to be able to go in and have a look. I mean, but then now we have cloud providers who store the logs for us. Why do I need a separate SIEM for that then?

Gaurav Kumar: [00:25:48] Yeah,

Ashish Rajan: [00:25:49] three. I mean, are you seeing that shift as well as where I guess this is the next level of maturity from that.

Gaurav Kumar: [00:25:55] Yeah. I mean, it’s the thing about the entire DevOps ecosystem. It has evolved [00:26:00] from requiring you to log everything, and then people used to parse the logs and everything. These days metrics are your de facto standard. You have metrics. You have precinct data available, and you have a year ago and a bunch of these technologies available in the modern microservices architecture.

So, I think security is somewhat lagging. Like, for example, we talk about infrastructure as code, but we don’t talk about security as code. Like the technologies, like CloudFormation templates or ARM and Terraform, all these technologies, none of them were really designed to describe your security; they were designed to describe your infrastructure as code.

But I think that we will eventually get there. Maybe we will have the ability to declaratively say that this is how I want my security posture. Today we have a lot [00:27:00] of reliance on runtime data. I think that will eventually come down. Just go.

Ashish Rajan: [00:27:05] Oh, that’s really interesting. And to your point about how data is being looked at right now, in terms of, I guess, we’re not doing a good job at it, is that why?

I mean, coming back to the question, is that why it’s still a problem that people haven’t identified yet? Or, I mean, the majority of organizations are still just collecting logs, I guess lessons.

Gaurav Kumar: [00:27:27] Yeah, I think we are sort of an N minus one thing. So if the latest and the greatest innovation in DevOps engineering is N, I think security is one step behind. With the advent of cloud, I think we will be at a stage where we will be almost close to N. And if not close to N, right, then thinking on this in terms of logs, logs and stuff, ’cause we are thinking more and more about, okay, give me the metrics, give me your codified [00:28:00] security. And as I started, you know, the reliance on runtime data, it’s not a great thing for security.

Ashish Rajan: [00:28:09] Coming from a world where a lot of people in the cloud security space are thinking that actually remediation is the way forward, like auto remediation is the way forward. Like, you know, people are not even thinking from, like, hardware, I’ve got all this data coming in and I’m responding to a lot of that.

But a lot of people are not thinking from the perspective, well, why do I need to auto remediate when I can prevent it in the first place? Right? I think people that aren’t thinking prevention, they’re actually thinking, and somehow that’s proactive, and I’m like, I don’t know how that’s proactive to auto remediate.

The whole messaging for me was wrong. Although the whole industry keeps talking about prevention is better than cure, it’s such an old proverb. But do you feel observability is also a step to the whole prevention way, or is it more [00:29:00] something that is a foundational layer for, I guess, prevention?

Right?

Gaurav Kumar: [00:29:05] I think it would be very unfortunate if you start thinking about visibility and observability in terms of runtime data, actually,

Ashish Rajan: [00:29:13] right,

Gaurav Kumar: [00:29:14] To me, observability means that I can go to a git repo, look at the code, and say that system, those are working the way they are supposed to be working.

Right. If I think that the changes happening to the cloud can happen only via infrastructure as code, or security as code, whatever you want to call it, then I just don’t have to look at runtime data. Right. I can just look at the code and say, okay, no, this can’t happen. Like, you know, it’s like, then, if your systems have gone down, we are having an outage, right? DevOps, of course, they look at their runtime data, that gives them some sort of, that’s how they get the [00:30:00] indication that something is wrong, but to debug, right, they have to look at the code. So I think something like that will be done for the security world.

We had a mediation where we can simply look at a git repo and reason about our security.

Ashish Rajan: [00:30:18] Actually, that’s a great point. And I think I have a lot of fellow supporters here who believe in the new world of security that we’re turning into, like security folks that are turning into coders as well, may not be the best coders, but at least we’re turning into developers of some form, developing infrastructure or security controls, or codifying them.

And I think it’s probably a good segue into the other topic that I wanted to cover as well, CASBs. For people who don’t know what CASB is, if you can just give, what’s your understanding of CASB, and what do you think of that space?

Gaurav Kumar: [00:30:52] Yeah. So the way that I think about, CASB versus CSPM is more of a consumer versus [00:31:00] publisher of software, right?

So let me explain.

If you aren’t consuming, a lot of SaaS applications are, you may not be consuming a lot of sense applications, but you have your, you have a business critical needs and you have a reliance on some SaaS applications like Salesforce or box, right? I think that’s where you probably want to think about CASB because you are consuming a software and you want to , make sure that the consumption is done in a secure manner.

Whereas, if you are building applications and you have your customers who are going to consume your application, the publisher, you are actually a software publisher who is uploading your code to some cloud, and then people are going to consume it. That’s when you probably want to think about CSPM. Now, from a security perspective, the core principles still apply.

And that’s why you will find that CASB players are trying to get [00:32:00] into, or are getting into, the CSPM space and vice versa.

Ashish Rajan: [00:32:04] Oh, yep. Okay. And I think that kind of goes into Paul’s comment as well. It’s also known as the way infosec finds rogue AWS.

Gaurav Kumar: [00:32:13] Yeah. That’s a start. I mean, although I think to Paul’s point I’m in that that’s a, I come off a problem.

I would say the problem itself. Like, if any of you have to manage spreadsheets and some sort of wiki to simply look at your digital assets, I think you are doing something wrong, especially if you are at any sort of a reasonable scale.

Ashish Rajan: [00:32:43] At first. It’s really interesting you mentioned that, because as a part of this, talking about letting people know about this episode, I had a poll out and if you had a chance to look at it, but I think the poll question was more on how do you manage the assets or how do you find out what to protect in cloud?

And some of the options that I had were [00:33:00] a Confluence page, spreadsheet, and CSPM. Majority answer was CSPM, but there were still a few people who had spreadsheets and gone through it and I’m like, okay, I wonder at what point would they have to shift? Cause I still feel like if you don’t know, I mean, I guess, yeah, my personal opinion on this is that CSPM is still not like a true reflection.

Sometimes. Like you could have multiple organizations. Right. You could have a legacy. You could have, like, one main organization in AWS, using AWS, for example, over here, and that main, new AWS organization has your CASB and everything, or the CSPM in there, but the old organizations aren’t even looked at yet.

There’s no way for this to find out that, Hey, yeah, another organization, you probably should have looked at that as well, but people would look at this and go, actually. Yeah, this is, I know all my assets in cloud. I’m like, Hmm, maybe not, but I mean, that’s my obviously reservation from, from what I’ve seen in the industry.

Do you feel, [00:34:00] as part of maturity as people are going into the space, should they start looking at, like, even if they’re starting today in, say, Azure or cloud, or, I mean, con conference outside non-conference Azure, AWS, should they start using these digital assets as like a CMDB kind of a thing as well?

And you may not, we’ll go for a CASB or a CSPM in the first go. But at least we can start pulling this digital asset information, like, is that because there are open source tools for that, that you and I obviously have quite a bit old about? Yep.

Gaurav Kumar: [00:34:31] It should be really step one of anyone thinking on the cloud security journey, I would say, is that you just need to know what you have, and if you don’t even know what you have, how can you go about securing it?

I would say that anyone who wants to say that my CMDB is CASB or CSPM, I would say that’s a half truth because that’s the ones that you know of, that’s where you [00:35:00] actually deploy your CSPM,

Ashish Rajan: [00:35:02] right?

Gaurav Kumar: [00:35:03] The ones that you don’t even know

Ashish Rajan: [00:35:04] of,

Gaurav Kumar: [00:35:05] this is sort of an unknown, unknown problem that you don’t know what you don’t know.

Ashish Rajan: [00:35:11] Right.

Gaurav Kumar: [00:35:12] Yeah. So that’s why I think that there is a need for somebody to start investing. Like I always say, anyone who’s starting out on any security program, the first thing, the very fundamental, just get an inventory of things, and please don’t use spreadsheets, and your answer

shouldn’t be like, six months back, we went through this audit and this is the spreadsheet.

Do you know how many accounts, how many organizations were created in AWS?

Ashish Rajan: [00:35:43] And how many new services AWS released or Azure released that you’re not even aware of. Like, I mean, shoutout to the podcasts out there, Last Week in AWS and other ones as well. They’re there. I mean, they’re just, their

knowledge base is [00:36:00] dedicated to finding out how much, how, or how many services have been released just in the past week. That’s how quickly this thing is evolving. And just quickly on the comment, Paul mentioned that this is why attack surface mapping is evolving into this space as well. Any thoughts on that?

Gaurav Kumar: [00:36:17] Yeah, I think that, and I’m glad that there are actually new startups who are trying to solve this problem. They are there. They look at your security coverage. So they look at this as: these are the digital assets you have, and this is the security tooling you have, and it seems like, based upon what you have, your tooling is not covering this much, it is covering this much.

So this is somewhat analogous to, like, oh, you have a hundred lines of code, and 70% of those lines are not even being covered. So I’m glad that people are starting to think in that direction.

Ashish Rajan: [00:36:57] I’ve got a question from Darpan as well. He’s, he’s a big fan [00:37:00] of yours, by the way. Any recommendation on getting over the alert fatigue resulting from the CSPM and

Gaurav Kumar: [00:37:07] CASB.

So I would say, start out by listing what you need from a CSPM vendor. I mean, if you think about it, CSPM vendors give you a lot of options, a lot of policies, right. But do you really need all of the policies all of the time? Probably not. Right. So figure out the important ones and start monitoring those.

So that would be my first recommendation. And the second one is that, look into root cause: why are you getting the alert in the first place? Recognize the symptom, but don’t solve the symptom, right? Try to figure [00:38:00] out the problem behind the problem. Right? So oftentimes we get some data,

we can go, this is a problem, I’ll just go and fix it. I think take multiple steps back and think about why did it happen in the first place, right?

Ashish Rajan: [00:38:13] Yeah.

Gaurav Kumar: [00:38:15] So these are the two things like

Ashish Rajan: [00:38:16] Observability, observability all the way. I have one more question about, I guess, the space itself as well. In terms of, like, we spoke about CASB and we spoke about CSPM as well, and we spoke about.

I guess at what stage would you require, and to come taking the lead from Darpan’s question about alert fatigue, there’s almost like a compliance at scale question as well. That’s constant. I mean, a lot of people look at CSPM and CASB as compliance at scale. Like, oh, I can look at, I can be compliant, to your earlier point.

I know I was compliant because all these checklists are passed. Right. Do you see that being done well using CSPMs, or is that also something which people [00:39:00] need to kind of have another observability layer, or how do you see that done, or if it’s done well at all?

Gaurav Kumar: [00:39:07] Yeah. So I would say that none of the CSPM startups, I think people who are compliant and have a good security posture, it’s not because they’ve actually invested in CSPM.

That’s good to have nice to have these going by. Actually. It’s good. I think all of those things, like people who are happy, they’re happy. Yeah. And I’m happy because they have some of those things, right. So it’s like following the similar principle, like, you shouldn’t go out and start chasing compliance, right.

Start chasing your fundamentals and you will recognize that once you do that, you will automatically become

Ashish Rajan: [00:39:48] compliant.

Gaurav Kumar: [00:39:51] In the AWS world you have now the concept of SCPs, right? Service control policies. If you just start out with having very [00:40:00] restrictive SCPs to begin with, I think you will be mostly fine, like disable the root login, only whitelist certain services that you can use, recognize that your attack surface has reduced considerably.

Right. Most of the times you are not running in multiple regions. Like most critical applications are running in a specific region. And, you know how, as I said, you know, security is always following a step behind the application engineering and the latest and the greatest in the tech.

So from monolithic applications, people went to microservices, right? So similarly, I think people should start thinking about moving away from mono clouds to micro clouds and have application-specific cloud accounts, right? Yes. It’s easier to manage. So to answer your question, this is sort of a roundabout way to answer your question.

[00:41:00] Like, how do people, how can you do a good job of being compliant at scale? I would say, first of all, just follow the principles and try not to have a monolithic cloud, and have purpose-built cloud accounts and projects for your needs.

Ashish Rajan: [00:41:25] Oh, I, and it just screamed my bias as well. I feel like a lot of people have a very different motivation to get into the cloud and, it, it slowly, George has an interesting comment here.

I disagree that security is lagging behind development.

Gaurav Kumar: [00:41:40] Yeah.

Ashish Rajan: [00:41:42] It’s like, we all know the, that’s why he’s like, there’s a reason for that smiley. With, I think it’s really interesting, to your point, that I feel like a lot of people are approaching the cloud in a different way. Like a lot of reasons that I was listening to why they were moving to the cloud.

One was [00:42:00] cost saving, moving fast. Do you feel like there should be a third one about security as well? Cause you know, we kind of touched on this thing that, oh, actually you can have a lot better security because you will be more aware of where your assets are in real time. You can have an insights layer to what you’re collecting.

Without buying an additional thing. Like there’s so many things they’re getting, I mean, I know I don’t want to sound like a, I get, I’ve been drinking the cloud Kool-Aid for a while that I keep telling people to go in the cloud. But do you feel like security should also be a reason why people should go, like, I think, into cloud?

And if there is a, I guess, to George’s point, we’re very lagging behind, but you’re not that behind as well. There’s one that we can actually embrace it and be at the same pace as the DevOps team or one of those. But what are your thoughts on that? Yeah, I will

Gaurav Kumar: [00:42:49] say that in general cloud is easier to manage than any on prem environment.

So, that, [00:43:00] that ease of management, you honestly get benefit in security also.

Ashish Rajan: [00:43:04] Right, right.

Gaurav Kumar: [00:43:06] Yeah. And then as I said, that’s why I chose my words carefully when I said that it’s more rewarding, because I’m not necessarily saying that it’s easier, right? Yes, it’s easier to manage, but you still have to put in some effort, so you still have to learn the

nuts and bolts of the cloud and the data structure, this and that. But that’s work that I think people are enjoying more than writing regex to parse the log.

Ashish Rajan: [00:43:41] Or regex for your WAF, something which is particularly as well as, that’s a good one. And I think it’s worthwhile, and it’s kind of like towards the tail end of our show as well.

It’s what we’re calling our, it’s good to have a, I guess, almost a conclusion kind of a thing as well. And we’d love to get your thoughts on this, but [00:44:00] I feel like CASB is good, CSPM is good, depending on what state of cloud maturity or how much you’re in cloud already, but there will always be that you still need to have a team which understands cloud.

You just can’t rely on a tool and think that, oh, it’s all good. Like I’ve got a CSPM and I’m fully covered. I’ve got a CASB and it’s all covered. I know exactly what’s happening. Would you agree

Gaurav Kumar: [00:44:26] strongly? Very strongly. Yeah. I mean don’t, as I say, if you’re not don’t chase compliance, don’t chase these tools and everything.

Just follow the principles. Right. And, you know,

Ashish Rajan: [00:44:39] I know, and I think it’s been really interesting cause I, I personally haven’t found a lot of people talking about cloud security training and I feel like, I mean, to the point that I’ve been doing some kind of a beta course as well for this.

Cause I feel like there’s, I’m keen to know from your side, how do you find people doing cloud security training, have you come [00:45:00] across anything that people use for it? And I know I don’t want to use A Cloud Guru and all because I don’t think they do. They’re more for engineers and developers.

They’re not really for security. Would you? I don’t know if you’ve seen those and if you have resources.

Gaurav Kumar: [00:45:13] I haven’t come across the VNA, like cloud security focused curriculum, and, yeah, no, I, I think that would be nice then. That would be nice for first.

Ashish Rajan: [00:45:27] All right, guys, you heard it first. There’s no one. I mean, I can definitely make it, like I’m making the first one. Then I can, like, I was the first guy to make a Cloud Security Podcast and the first guy to make a cloud security training.

That’s pretty awesome. Any final thoughts before we move on to the last segment, any final thoughts you wanna share with people about, CSPM and CASB,

Gaurav Kumar: [00:45:48] Let’s see. Yeah, as I said, focus more on codifying security. Use CSPM, because CSPM vendors and CASB [00:46:00] vendors, I would say that over a period of time you’ll find that they don’t have just one offering.

It won’t be accurate to think that, oh, CSPM is for runtime security, because CSPM vendors are also evolving with time, right? So don’t just focus on runtime security, focus on your infrastructure as code. And also, for sure, just don’t focus entirely on infrastructure as code. It’s not like you’re not going to look at your GuardDuty alerts in AWS.

So find a balance. Right. But I just find that oftentimes people buy the tools, they enable them, they put them in, they get a lot of alerts and then they get burned. They spend all their time in addressing the alerts. And then they question the meaning of life, that, what am I doing? Like, day in, day out, all I’m doing is really investigating the security alerts and they happen [00:47:00] to be false positives.

Ashish Rajan: [00:47:02] Oh yeah. Buffet. I think it’s a good segue. And a good conclusion to this, I guess, technically from a technical perspective, but I’ve got some fun questions as well. And I do want to call out, the fun questions. I just, I know I didn’t mention this though. A little bit. Just like raise super, super simple.

The three questions. Where do you spend most time when you’re not working on cloud or technology in general?

Gaurav Kumar: [00:47:26] Oh, I like to just learn about things a lot. I just enjoy researching things and going to the depths of things which I find interesting. So for example, I you’re simply not present. It’s been a while.

I got into coffee and.

Ashish Rajan: [00:47:45] my language,

Gaurav Kumar: [00:47:47] I have been on this quest on how do I make the greatest cup of coffee? And it made me realize, you know what I mean? You can actually draw some parallels there. A lot of people invest a lot of money in, like, [00:48:00] coffee machines. The very first thing they will ask you about their coffee is, hey, which coffee machine do you use and which, which mechanism do you use?

Similarly, I have a friend of mine. He’s a great photographer. Any time people are looking at his pictures, he’s in Charlotte, they said, oh, wow, what camera do you have? But the case is, it’s not the coffee machine which makes great coffee. It’s not the camera which is taking great pictures, right?

It’s actually the coffee. You have to find the greatest coffee. You need to find freshly roasted coffee. To take a picture, you have to focus on your lights, you have to focus on your lens. The camera is the least of their problems. And you can draw some parallels in how we actually do cloud security or anything else: don’t focus on all these tools and just focus on the fundamentals.

[00:49:00] Ashish Rajan: [00:48:59] Yeah. Oh, okay. And I sound like I need to go a bit deeper into the cloud, the coffee thing with you, but I’m going to leave that. What is something that you’re proud of, but it’s not on your social media?

Gaurav Kumar: [00:49:13] Oh, no, it’d be very hard because anytime you do anything interesting, it comes to the forefront on media.

It’s very hard to not like somebody else will actually

Ashish Rajan: [00:49:25] protect. Oh yeah. Fair enough. It’s like, it’s hard to control that though.

Gaurav Kumar: [00:49:30] Yeah. But I’m gonna say that I am very proud of all the work that we did at RedLock and the entire team. And, it’s a, it’s been fairly rewarding, I think. More than the product and everything.

Yeah. I think we were able to make people recognize the need for cloud security. So it’s more like, you know, as a company, we can claim that we were thought leaders.

[00:50:00] Ashish Rajan: [00:50:01] No, I mean, I think, I think you guys work, and I still remember when I got into this, RedLock, ages ago, I probably, I met Varun and it was like, yeah, you guys are way ahead of your time, man.

At that point now everyone’s like, oh, CSPM, blah, blah, blah. But I think there were, there were very few. Oh, Paul is like, I would argue...

Fair point, fair point, fair play. Last question for you. What’s your favorite cuisine or restaurant that you can share with us? Oh,

Gaurav Kumar: [00:50:26] favorite cuisine, coffee.

Ashish Rajan: [00:50:29] That’s why we’re on coffee. That’s pretty much it, man. That’s a great answer. I think that’s pretty much you and I both injecting ourselves for three.

Wait, how many cups of coffee do you have in a day, out of curiosity?

Gaurav Kumar: [00:50:40] I’m trying to cut down. I’m at two now.

Ashish Rajan: [00:50:42] It’s kind of cut down to, like, I thought we want to increase, like, isn’t that a good point? You’re like, I need to have more.

Gaurav Kumar: [00:50:48] Yeah. But then, you know, the more you have it, the more you want to have it.

Ashish Rajan: [00:50:54] Yep. Yep. Fair, fair point, my friend. Fair point. So where can people find you on [00:51:00] the internet or worlds too? I guess they want to follow up on something and talk more about the cloud security space, where can they find you?

Gaurav Kumar: [00:51:06] Just pick me up on LinkedIn. Send me a message. I accept most of the requests, I think, except for the cookers, but, yeah,

Ashish Rajan: [00:51:15] Just give me a fair point.

I really appreciate it, and I’ll put the link in the show notes. Well, for people who are listening in to the podcast, so they can come and connect with you and talk to you about this as well. But this has been really awesome. And I think I’ve, I’ve definitely learned, I don’t know, a few more layers.

I thought I knew what CASB and CSPM were, but you definitely have given me some interesting insights as well. But yeah, I’ll be, I’ll be awesome, man. Thanks so much for taking the time out. I really appreciate it. And I’m pretty sure all the guests did as well, based on the questions and the comments you saw as well.

I, yeah, that I want to bring to a close, but I’m going to see everyone else next week and hopefully I can bring you back as well sometime

Gaurav Kumar: [00:51:52] For sure. Thank you. Thank you for having me.

Ashish Rajan: [00:51:54] Thanks for coming in.