Episode Description
What We Discuss with David Linthicum:
- What is Data Security in cloud?
- What is the maturity scale in cloud security between an internet startup vs enterprise?
- Is Cloud Security/DevSecOps a thing at C-Level?
- Is there a Cloud First strategy at C-level – SaaS, PaaS, IaaS?
- Cloud Security Awareness
- Is multi-cloud a thing and examples of how companies have done multi-cloud well?
- And much more…
THANKS, David Linthicum!
If you enjoyed this session with David Linthicum, let him know by clicking on the link below and sending him a quick shout out on Twitter:
Click here to thank David Linthicum on LinkedIn!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode:
- Tools & services discussed during the interview
- Cloud Security Academy
- David Linthicum – Email
- David Linthicum – Books
- Blog – InfoWorld
- On Cloud Podcast
- 23 Courses on Lynda.com
Ashish Rajan: [00:00:00] Welcome to the Cloud Security Podcast. Today my guest is David Linthicum. Well, where do I start about David? If you were to read just his bio, he’s an author of more than 13 books, with 5,000 articles done. He’s appeared in InfoWorld, the Wall Street Journal, Forbes, NPR, and I could just keep going on, but I don’t feel I would do enough justice to David.
So welcome, David. Would you be able to introduce yourself?
David Linthicum: Yeah. Number one, thanks for having me. Dave Linthicum, I’m actually the chief strategy officer for Deloitte, been there for a couple of years. Prior to that, I was with Cloud Technology Partners, was there for about five years; that was sold to HP a few years ago.
And prior to that, many jobs as a CTO or a CEO of several different other startups or enterprise companies. I just love technology and just kind of look at what’s next, and thrive on inventing and being innovative around new things. So that’s why I love doing the thought leadership stuff.
And I love doing things like this because it does allow me to interact with smart people. Like.
Ashish Rajan: Oh, thank you. My first question usually on this podcast is [00:01:00] what does cloud security mean for you?
David Linthicum: Well, it means keeping my clients employed, because if they mess that up, it’s not going to work well.
Cloud security really has very similar patterns to what we had with enterprise security. However, there is new innovative technology in the stack that’s starting to appear, which means we have to leverage both traditional features like encryption and identity and access management, and advanced features, multifactor authentication, by authentication, things like that.
And so really, when you think of cloud security, you have the opportunity to kind of take security to the next level. In fact, I always have this conversation with my clients: your system is going to be more secure in the cloud than it is on premise, typically, because the security technology in the cloud has been looked after for the last five years, where the security stuff that’s been on premise has not; it’s been, you know, legacy stuff.
A lot of that stuff has been sunsetted. And so when I actually looked at the R&D budgets of the security providers out there, they’re spending 75% of their R&D budgets on retooling for the cloud. And so they’re putting [00:02:00] all their innovation and effort into building security systems that work in the cloud.
So when I think of cloud-based security, I think of the opportunity to kind of take your security systems to the next level. Of course, you have to get around the fact that everybody’s kind of freaked out about their data not physically existing on a data premise, and it has to exist in a cloud that you have to trust people to run.
That model is actually more effective, because you’re able to defend things centrally. You’re able to spot patterns of attack as a multitenant-based system, versus you trying to be all things to security within your particular system. And you’re not going to be, you know, the best of the best at doing security, proactive monitoring, all these sorts of things.
So I think with cloud security, I think of a lot of security issues being solved. A lot of people don’t agree with that. They think that they’re remaining on premise because of the security issues, but, you know, that’s it. So if you want the best-of-breed security systems, do it in the cloud.
Ashish Rajan: What is data security in cloud?
David Linthicum: Yeah, I mean, that’s basically what we’re really securing. If security is the verb, then that’s [00:03:00] the noun that we’re securing. So information is stored in a variety of different ways. And the thing is, within cloud-based security, you have to think of it as tiers. So in other words, I can secure things at the operating system level, where people can gain access to files or physical storage systems, so they can gain access to the data.
But that’s typically too binary, because we’re either allowing or disallowing people access to systems. And of course we have identity and access management, which actually secures people to objects or tables or relational systems, and even that’s too limiting. And now we have the ability to kind of set up governance and security, you know, down to the record and object level in the system.
So if you and I are leveraging data, I can lock you out of half the database because you don’t need it; it’s none of your business. I’m running an HR system, and if you’re the manufacturing person and I’m the HR person, then I need access to people’s salary information and things like that.
Well, I can, through number one, data governance, which is involved in this, but also data security, make sure that you can’t [00:04:00] see the information that you can’t see. And the other thing too is I can encrypt data using that kind of method as well. So we have two different encryption keys, we’re leveraging two different ways and we’re authenticating to the data, and you can get to a level of sophistication
I don’t think we were able to get to on premise. And so the data security things that I see coming down the pike, most of these aren’t widely leveraged right now. They’re available in the cloud, but people aren’t using them yet. Having these capabilities, which really people have been desiring for a long period of time...
It means security has always been a pain in the neck with everybody. It’s a lot of overhead. They have to go through different levels. You have to have a security administrator, things like that. And ultimately you get frustrated with it because it’s going to lock you out of things you think you need.
Well, the ability to have something that’s more configurable at a fine-grained level, and the ability to kind of attach any sort of security system on it, and most importantly, the ability to integrate your security system with governance. So I can govern: not only limit your use of data, authenticate you to get to the data, but I could put policies around how you’re leveraging the data.
In other words, you can’t access it at a certain time of day. That’s [00:05:00] actually a good security parameter. During management monitoring of the system, we can proactively spot when there are issues. We can tie AIOps and AI security systems to those things as well. I mean, it just gets really, really sophisticated, almost to the point that it’s going to be almost a hundred percent secure, even though it’s never going to be a hundred percent secure.
But using the zero trust model and all those sorts of things are starting to move in.
Ashish Rajan: What’s the maturity difference that you see between, say, because you’ve worked with startups, you work with enterprises as well, what do you see as the difference in security maturity between someone who’s just starting off today, a startup, which could be, I mean, Facebook isn’t a startup anymore, but an insurance startup which has a lot of customers, has a lot of data and is in the cloud, versus an enterprise, which is
something that has been in the data center for a very long time, has a lot of legacy applications and is moving to cloud? And I know putting them like that makes them sound like two different worlds, but I wonder, when they go into cloud, what’s the maturity difference that you see? Like, what’s our maturity in Europe?
David Linthicum: Yeah, that’s a good question, because they both have limitations and some risks they’re dealing with. So startups don’t have an unlimited amount of [00:06:00] money. So they’re typically always going to the big clouds, and they’re typically going to do so in a way that’s most economical to them. And so, you know, back in my CEO days, to start a company I needed at least a million dollars to get data center space and servers and things like that.
Not needed anymore. You’re going to spend a thousand dollars or $2,000 a month. So by being born in the cloud, you have the opportunity to leverage security in the best-practices manner, but you’re not necessarily going to do it. I find a lot of the startups don’t have the security talent because they can’t afford it.
They can’t afford a security administrator that’s, you know, on the market for $250,000. And typically they don’t want to work for a startup. So they, in essence, are apt to have people wear multiple hats and things like that. And that’s where the insecurity comes in. That’s where they’re not configuring things correctly and finding things like, fuck, you know, AWS S3 buckets being exposed,
because they’re not even taking the defaults, or they’re undoing the default security and things, you know, just minor things that need to be fixed. But they have the potential of having a much better security solution than anything within the enterprise. So the enterprise is limited by the fact [00:07:00] that they have a legacy.
And so those things typically may not have a path to any kind of sophisticated security system. They may not be able to accept identity and access management or encryption systems; they may have some sort of an issue with the processor that they’re on. So they’re limited by the physicality, or basically the degree of the technology they favored in the past.
And unless they’re willing to upgrade that, which by the way costs a tremendous amount of money, or move into the cloud, for example, they’re not going to reach the level of security that they feel they require. By the way, they have plenty of money. They just can’t spend it in such a way, because they have to make earnings per share.
And so even though they’re, you know, a $50 billion company, they’re still going to kind of cheap out on security stuff because it’s overhead; it’s, you know, supposed to support the business and those sorts of things. There are opportunities there. If someone’s born in the cloud, they can make their stuff extremely secure.
Some things people are leveraging; enterprise is kind of the old stuff around this.
Ashish Rajan: That’s an interesting one, because I always find this question fascinating: is cloud security a thing at C-level? I’ve been continuing to speak to a lot of people at that [00:08:00] level as well. Even something like DevSecOps, which a lot of people flinch at every time I say that. Is it something that they’re talking about?
Is it something that’s important?
David Linthicum: Yeah. I mean, look at the morning news; it’s riddled with breaches and, you know, companies that have gone under because of some of these breaches. So it’s absolutely the biggest risk, I think, that they run. It’s even more of a risk than an outage,
if you have personal data, you know, that’s stolen and exposed. And many of these existing legacy companies that are running legacy systems, we just discussed it, they’ll have systems that aren’t being improved. They’re not being loved by the security providers that have been loving them for many years.
They’re spending all their money in the cloud. And that’s why you see, anytime you hear about a major breach, the cloud’s never near it. You know, it’s always a legacy system. Some patch got forgotten to be applied, you know, some phishing scam occurred, or, you know, some internal employee went rogue and,
you know, hurt them in some way. And so security kind of really goes to, not necessarily the value of the business, but to the business’s viability. I mean, one of the things that I would [00:09:00] do between jobs is I’ve worked for venture capital firms. They would send me in to companies they were about to invest in and I would do a security audit, because their biggest concern is not an outage or
the moving into cloud. Their biggest concern is about them getting breached and having the value of the company be cut in half in a day and potentially not even recovering. And so if it’s not a C-level risk issue, then I would get a new board of directors and a new CEO.
Ashish Rajan: Right. And I think that’s a good way to explain it to people who are not convinced about cloud security being important for them, even though a lot of people still have a cloud-first strategy and they’re all going, I need SaaS first, and then PaaS, and then IaaS, kind of like that kind of model. Is that something that you’re noticing in, I guess, the customers and the people that you’re talking to?
David Linthicum: Yeah, everybody wants to move to the cloud. I just think they don’t know yet how to do it. And so they’re at the experimental stage, even though you read some of the, you know, 20%, 30% migrating in the cloud; a lot of that’s going to be software as a service systems, which are kind of baked into the application migration stuff.
But as far as migrating systems [00:10:00] from an operating system platform within a data center into an infrastructure as a service cloud, that’s all fairly slow going. And that’s because it’s very hard to do that. I mean, I just put a blog in InfoWorld today. It’s published today. I said, this just in: cloud is hard.
And a UK firm kind of did a study on the fact, and lo and behold, it’s not as easy to move into cloud as we thought. And people are kind of beyond the low-hanging fruit and trying to make the move to those systems. And so that becomes kind of the drudgery of it. So everybody wants to have a cloud-first strategy.
They just don’t know how to execute on it. And also the big thing is how they pay for it, because you have to have an accordion of money that has to hump up to spend on the migration stuff, and spend on the security and the governance and building the common services and things like that.
And some are willing to do it. And therefore they’re going to fall by the wayside.
Ashish Rajan: Yeah. And I think, to your point, if you ask questions like, well, if it’s not broken, why am I trying to fix it, kind of thing as well. It’s almost like asking people to innovate or invest in what could be a potential, rather than, oh, this works fine,
don’t worry about it.
David Linthicum: Yeah, and I’m not a cloud bigot. [00:11:00] And so when I show up, I don’t go: cloud, cloud, move to the cloud, get him into the cloud, amen. I’m all about making an assessment of what you have, what opportunities you have to modernize in the cloud, things you can do such as better governance, better security, things we already talked about, and then looking at the viability of making it happen within the budget they’re looking to spend, and also putting together the business case, the true business case:
what they’re going to gain in efficiencies, what they’re going to gain in agility, what they’re going to gain in cost reduction, and then kind of set it in front of them and then they can pick out the way to go. And here’s the priority order in terms of things you should move; here’s the priority order of things
you shouldn’t move yet, maybe in a few years; there are no platform analogs that exist in the public cloud, you know, yada yada yada. It’s a very complex thing to go through that kind of architecture planning with a customer, with a client, and I think that’s what we’re missing right now.
We’re missing that skill inside of enterprises that aren’t willing to, you know, kind of take an academic, pragmatic look at it.
Ashish Rajan: One of the reasons we have the Cloud Security Podcast is because we have a cloud security awareness program. The more I spoke to people, even something as basic as you mentioned earlier, identity and access management, [00:12:00] encryption, they think, oh, I need, like, my hair to SIM for my on-prem, why complex, why the complexity is great.
They don’t trust the cloud, but would you trust someone who’s spending a lot more money than you on a data center, trying to secure it with millions of clients, versus your hundreds and thousands of clients? Like, I think that it just boggles me. So we made a course around that, we’re making it available online, but it’s really interesting, to your point about the awareness of cloud and how security could be easy if you’re doing cloud natively as well, that you don’t have to go to Alta provider.
What are your thoughts on that? I’m just curious, because it almost feels like there’s a gap in security events
David Linthicum: security on premise?
Ashish Rajan: Sorry, I meant security events in cloud and cloud security.
David Linthicum: So I think that people aren’t necessarily considering all the alternatives right now, and they’re just not aware of... I mean, one of the problems is we have so much information that there’s no one who’s really able to kind of boil it down into some talking points that people can look at.
So ultimately, it is the fact that we’re hitting everything on all cylinders that is [00:13:00] going to make or break cloud migration. It’s got to be security, governance, management, monitoring. It’s got to be operational excellence. It’s got to be the ability to deal with DevOps, or if you want to call it DevSecOps, those sorts of things, and also an ops model change and also a talent change that exists within the organization.
If you’re not willing to do those seven things, inclusive of security... but guess what? It’s just a leg in the stool that’s holding a lot of other stuff up. It doesn’t make sense to secure something if it’s going to be down, you know, seven hours a day. Yeah. Then you’re typically not going to be successful and you’re going to have to loop back and fix things.
And that’s what I’m finding people are doing. And so they’re creating solutions that are too ill-defined, not planned, and too complex. They don’t have common security services. They’re using different encryption mechanisms, different identity and access management mechanisms. I may find five directories that are there, LDAP and Active Directory and things like that.
And so when they deploy it, it happened that way because they’re a bunch of DevOps pods that are, in essence, doing best-of-breed selection of the cloud technology. And so their solution is going to be whatever they think [00:14:00] is going to be right at the time, based on their own religious beliefs. And ultimately we end up with 50 different solutions.
And then also we end up with 50 different security parameters. No common security, no common directory. And guess what? We’ve got a problem. We can’t operationalize that; we can’t run a security system around that. So we have to back that up and actually undo a lot of the work that’s been done and put in a common security system, common governance, common directory services, and bind everything back down to those things.
And that seems to be the mistake that everybody’s making. So it’s not necessarily having security on the radar screen; it’s that they don’t have a consistent common set of security on the radar.
Ashish Rajan: Oh, right. So I guess everyone has the right intent, but they have multiple tools trying to solve the same problem.
David Linthicum: Yeah, I mean, you and I, you know, create a pod within an enterprise,
and then we’re told to come up with whatever technology solution we feel is going to be right for the application. And we’re not communicating with the other 50 pods within the company that are, you know, scrumming up and building things and doing all the things that Agile does. Then our security system, by definition, is [00:15:00] not going to be the same as everybody else’s.
And then we throw it over to cloud ops to operationalize it, and guess what, they’re like, we can’t do this. We have 50 different security systems. We have no common mechanism here, no management and monitoring thing, no operational planning. And I think that’s the biggest hurdle that we’re going over right now.
I noticed that in 2019 cloud kind of plateaued. When I looked into why that was occurring, mainly it was because of the complexity issue, either operational complexity, security complexity, governance complexity, just kind of hindering development, and people are bouncing back and redoing a lot of the stuff.
In some instances they’re mandating they can’t do multicloud, because they view it as too complex. They get back to a single cloud environment, and that actually makes things worse. But so when you start taking things off the table that could be part of the common services, we just get in this big kind of
odd loop that a lot of enterprises are in right now. And I think it’s probably going to be another three or four years before they get out of those loops.
Ashish Rajan: I’m glad you brought up multicloud, because that’s a good segue into my next question. Is multi-cloud a thing?
David Linthicum: Yeah, it’s definitely a thing, everybody.
I mean, all my clients are multicloud clients. Of course, they [00:16:00] may have, you know, AWS-centric, most of the stuff on AWS, and maybe 10% of the stuff on Microsoft and 5% of the stuff on Google and 5% of the stuff on IBM or Oracle or something like that. But the acceptance of the fact that it’s not going to be a single cloud provider, and really kind of looking to the fact that we’re going to leverage all these different cloud solutions, with the battle cry of best of breed, you know, is real.
And people are putting that on the radar screen. However, I think lock-in, because you’re still going to get locked into the cloud you pick if you use cloud-native features, does add complexity. However, there’s a tremendous amount of benefits from it, but you have to figure out cross-cloud security.
You have to figure out governance across cloud, management and monitoring. And then we get into cloud management platforms, we get into security managers, we get into lots of things that people didn’t anticipate. But the thing is, if we’re going to leverage multi-cloud, and I agree that we probably should, because this is going to have the best-of-breed stuff,
then we need to have the common services that are built in and planned for. And that’s where people fall down. And it’s the same discussion we just had, because they kind of see multicloud as the way to kind of open up everything to varied systems. Well, what we just talked about, the scenario where we [00:17:00] have the 50 pods within:
suddenly they’re not just picking security solutions on AWS, they’re picking security solutions on Microsoft and Google and IBM and Oracle, and chances are they’re going to have no coordination between them. And complexity becomes 10 times as bad, you know, as they try to operationalize. So it’s okay to go multi-cloud, and certainly you can secure multicloud.
You can actually do a really good job of securing multicloud, but there has to be a significant planning effort that occurs. You have to do the macro architecture, the micro architecture, the security architecture; you have to do operational planning, and a lot of these things that people aren’t spending the time doing.
So if you don’t have the talent in the organization and you’re not partnering with a consulting firm who knows how to do it, you know, chances are you’re going to make a big honking mistake and have to hit the reset.
Ashish Rajan: And that’s interesting, also, what you mentioned about managing security and governance across multiple clouds.
Do you see anyone doing this well?
David Linthicum: Yeah, there’s a few and I can mention any companies, but if we look at,
Ashish Rajan: I’m curious about how, what does it look like? Because I would be like a lot of people who struggle with this, and I’m sure a lot of people who are listening to this as well. I know that in Australia we have this new mandate coming up where all the [00:18:00] banks have to go multicloud.
And multi-cloud in the sense that if one of the clouds was considered a security risk, and the government basically tells the bank that you cannot be on AWS, you should also have Azure, because AWS is a security risk. But if everyone is just in one cloud, that means, well, I guess they didn’t really have any option at that point.
You kind of have to shut down the bank, right? That’s why the government has basically said, oh, you kind of have to be multi-cloud, or at least have another possibility. But the complexity that comes with it is just, like, insane. And to your point about money spent on it. But I’m looking at that from a security perspective.
I’m like, that’s even more complex. I’ve got on-prem, I’ve got AWS, or possibly Azure and Google Cloud, and I’m like, how am I going to, where am I going to start? I’m pretty sure it’s not just me. People listening to this have the same question: where do you start?
David Linthicum: Well, you first understand the fact of the matter, that multi-cloud security is going to take 50% more resources to get up and running.
And you’re going to find that on pretty much everything: governance, security, ops, monitoring, things like that. So you typically have to leverage some sort of security manager. You typically have to leverage security that’s able to go [00:19:00] cross-cloud. And even on-premise identity and access management systems typically are really good at doing that.
And so get those configured, and you have to leverage some sort of a security system that’s down to the verticals that you’re dealing with, whether you’re dealing with healthcare and privacy; different countries have different regulations, different encryption standards and that. And you need to do that as a set of common services.
In other words, it’s not native to a particular cloud, but it may exist in a cloud, but it’s a set of common services that all applications and all systems are able to leverage between all the clouds that are connected in the multi-cloud environment. That is hard to build. I mean, I’ve built a few of those in my career lately.
And those things are really tough to pull together, because everybody is going to have different requirements and different security systems on it. And the thing is, too, they augment the security system to adapt to the needs of the application, when it should go the other way around: the application needs to adapt to the security; it has to be purpose-built for the security that’s out there. But if you want good security,
you can do it. It’s going to cost you 50% more. I call it the multi-cloud tax, and there’s a container tax as well. And you’re going to have to put the planning in place [00:20:00] to make it. And by the way, all these new tools that are multi-cloud enabled are typically maybe two, three years old. So they’re not all baked; you’re going to have to be very careful in testing and doing acceptance testing with this stuff,
and also the public cloud you’re going to pick, and leveraging those native capabilities and making sure that you’re operating those things in a successful way.
Ashish Rajan: Yeah, I love the term multi-cloud tax.
David Linthicum: Yeah, there’s the multicloud tax. There’s also a container tax. If you’re going to build a container application,
it’s about 25 to 35% more in terms of building them. So if I’m going to budget building an application that’s containerized versus not, you know, somebody who’s just running cloud native and, you know, regular compilers and developing the deployment stuff, it’s 25 to 35%. That’s because of talent; you’ve got to hire people who are more expensive.
It takes longer to architect if you do it properly, because really containers are distributed systems. And you really should do it right out of the gate, or else we end up migrating twice: migrating to a container and then having to go back and redo it, which a lot of people are getting into now, kind of double trouble.
Ashish Rajan: Interesting one for me, because I got this question [00:21:00] from one of my, I guess, audience members, and I... it’s important to know multi-cloud, but there’s a shadow cloud happening in a lot of organizations as well. And then I guess multi-cloud is one complexity. Then you go into the whole shadow cloud thing where someone has whipped out a credit card
and is like, I can’t wait for my security team to approve my AWS deployment, I’m just going to go with my credit card; it’s just going to pay. Like, do you see that as a trend as well? And if yes, how do people deal with it?
David Linthicum: Yeah. Not as much as a few years ago. I mean, we call it shadow IT here in the States.
And that just means that different divisions are kind of sick of waiting for IT to get their problems solved, and they’re going out and hiring their own consultant and, you know, putting an AWS instance on Amex and then going ahead and getting the database and building it. You don’t see that as much of an issue anymore, because I think they realized that they had to maintain it and had to secure it.
And they’re also liable for the security of that. So that can be a fireable offense. And they’re putting customer information on something that’s not necessarily auditable by the security systems that are there. And there are a lot of regulations in terms of how we’re going to manage the data. People are typically wary of [00:22:00] that.
So people used to take risks because cloud was new and they could buy it, you know, per drink, and, you know, go ahead and basically leverage it for the technology they needed to leverage, but there are too many risks to do it. And a lot of what happened a few years ago with shadow IT is that people just kind of put it back on the doorstep of IT.
And they said, by the way, we built this thing; it’s your problem now. And so poor IT had to take it and accept it and deal with security and governance and all the things that weren’t built into the system. So if people do that, I can understand why they do it, but it’s not advisable. In fact, I think it should be not only discouraged, but against the policy of the company for them to start doing that.
And by the way, with network sniffers and things like that, they can see it out on the network and go get it. That happens as well. That wasn’t as prominent maybe five years ago, but I’m not seeing as much shadow IT as we did in the past. Maybe in Australia it’s become an issue.
Ashish Rajan: I guess my question is more around, say, not shadow IT in the traditional sense.
I mean, it’s linked to shadow IT as well, but it’s more: you already have a cloud presence, so you could be an enterprise. You have Google, Amazon, Azure, you have [00:23:00] everyone, but there is a set of accounts or set of subscriptions your organization would be aware of, and then there are these other ones that they’ve signed up for themselves.
It could be before cloud became a thing in your organization, and they’re running this as, like, a BAU kind of a thing. Let me kind of clarify what I meant: where a company already has a presence in cloud, but people aren’t using that; they’re using their own version of whatever cloud they want to go with.
Like, have you seen those kinds of stories?
David Linthicum: Yeah. Every once in a while. So in other words, what you're saying is maybe the company is running AWS and you want to run Microsoft, then you're building on Microsoft, and does IT know about it or not?
Ashish Rajan: Well, that's the thing, they don't know about it. And that's where the shadow cloud kind of comes in.
David Linthicum: Yeah, well, that's pretty much analogous to shadow IT, where we're building something outside the realm and control of IT. And we did see it a lot. But like I said, people are consolidating this stuff because they realized the risk in doing that. You risk your job. If you're building and putting out data that shouldn't be there, regulated data, you can get in a lot of trouble.
So you do see it every once in a while. It's easy to find out where those are using the tools and technology we have today. But, you know, it doesn't [00:24:00] seem to be growing here in the States, maybe worldwide.
Ashish Rajan: Oh, also, is there technology already out? Oh, I guess the CASB space, is that what you're referring to?
David Linthicum: Nope, not that. I'm talking about network sniffers.
Ashish Rajan: All right. Okay. Now I'm just wondering what kind of technology can help, because I imagine from a traffic perspective, it just looks like one AWS versus another AWS, or one AWS versus another Azure.
David Linthicum: Well, you can see what people are using on the network: different ports open, AWS that you haven't authorized, and different accounts being used.
And therefore it's pretty easy to spot people who are using cloud on the corporate network. Now, of course, they could go all out and run their own circuit, you know, all that stuff, and be stealthy about it. But I don't think people are really willing to do that now, even though they may be frustrated with IT at certain points.
I don't think they're into building their own stuff as much, at least it's not as much of a trend as it was, but we found it a ton. In fact, in many instances, that's how cloud computing grew. I mean, salesforce.com, you know, grew back in the early 2000s because of shadow IT, [00:25:00] because the salespeople were pulling out their credit card and signing up for a salesforce.com account to optimize their sales process, and IT didn't allow it.
And quite frankly, bad IT in many instances. But they in essence became such a big user base, maybe a thousand, 2,000 people, and then suddenly they just put it back on IT's doorstep. We may be seeing things like that with infrastructure-as-a-service clouds. But hopefully they're working with IT to make sure they're moving in the right direction.
I mean, my big concern about that, typically, is that shadow cloud is not going to have an architect. It's not going to have a security administrator. It's not going to have a database administrator, things like that. They're going to hire a bunch of interns to build it, you know, maybe over a summer, and put it into production.
And then suddenly it gets put back on the lap of IT and they have to assimilate, in essence rebuild, this thing, which by the way is already in production, and therefore people are leveraging it. It's almost like changing tires on a car moving down the road.
Ashish Rajan: Do you see people assess cloud security? And is there a framework for people who may not be doing this right now? Is there a framework that you're aware of that they can use to assess the cloud [00:26:00] security on their AWS accounts, or whatever public environment, and how often should they be doing it?
David Linthicum: Yeah, the Cloud Security Alliance has defined a process for assessing cloud security.
I think you have to kind of take it to another level. So you're hiring a security consulting firm, or even a security technology firm that has a professional services arm, to go through and audit your security and do the pen testing and the, you know, the white hat and the black hat, to see what level you're at: level of encryption, auditing for compliance, and all these sorts of things.
So it's really something you're going to assemble yourself. It's not going to be something you can really kind of get a book and go through; you're going to have to customize it for the type of data you have, the industry that you're in, the kinds of systems you have, the type of clouds you're on, the brand of cloud you're on, all those sorts of things.
So you can use those as kind of the main guidance to go through encryption checking and directory services and all these sorts of things. But you're going to have to, in essence, rely on your own expertise to create something that's going to run you through an audit.
And so self-auditing is something that's, okay, kind of a lost art that was practiced a lot maybe 30 years ago. [00:27:00] And now here we are. In many instances we've re-centralized the data, you know, very much like it was on the mainframes years ago, before we decentralized that onto PCs and distributed systems.
And now we're really centralizing back in the cloud. So the ability to audit those systems with something that's repeatable, and through tools that are able to, in essence, do the things you need to do, which are available to you, is extremely active. And I think that in many instances it's good to hire an outside auditing firm, but you have to do some self-auditing as well, specifically if you're in finance or healthcare.
And, you know, one of these verticals where privacy is going to be an issue, because you're going to get audited by whatever regulatory commission at one particular time. And so you have to, in essence, maintain the integrity over a long period of time and maintain the stops. So that's a combination of you doing internal audits.
That's a combination of you hiring outside security auditors, and there's a bunch of them out there that do it. And then understanding you're going to get the government coming in and auditing you. So there's lots of audits. I mean, that's kinda what it depends on, the industry you're in, but you should be prepared.
Ashish Rajan: So would you say [00:28:00] CSA is a great one to start with?
If you're starting out today, building your own version, using CSA as a framework and making it, I guess, giving it your own spin based on your organization, to do a self-audit?
David Linthicum: Yeah. I mean, you would use, I mean, I would, you know, look at the framework. It's kind of a checklist, and, you know, it's like a pre-flight checklist before you, you know, take a plane up.
But the thing is, you're going to have to adapt it for what encryption services you have, identity and access management; in some cases you may not have identity and access management, in some cases they may not use a directory. Some may have a security manager, some may leverage a repository. It just keeps going on forever.
And then how are you going to test each one of those things and do the penetration testing, smoke testing, you know, all the things that are going to be, you know, important to see how stable that environment is. And that's going to be something you have to develop yourself or hire someone to develop, but I don't think it's going to be generic things you can get from standards organizations, even though I have all the respect in the world for CSA and some of the other groups that are out there.
And even some of the technology providers. They don't know your environment. They're just going to kind of do what I do. I mean, when I write a book, I guess at what your environment is, but if you read my book, [00:29:00] I'm missing things you have in your organization, so you have to kind of fill in the blanks.
And so that becomes kind of an art unto itself that many enterprises may be lacking. It is, we just don't have enough cloud-skilled people out there who know how to set these things up. And usually the regulatory auditors don't have them either. So they're not able to catch problems in many instances, but maybe everybody's done that, but we have to get smart.
Ashish Rajan: Yeah. And I think to your point, containers, cloud, this wasn't there like 20 years ago. There's not enough, I guess, runway that these technologies have had so far. It's sort of like how the sysadmin used to be such a common thing, and now it's almost like that feels...
In a lot of ways, it's like it's evolving. I guess not dying, evolving is the right word, turning into DevOps and all these other people. But yeah, it's definitely interesting. It's a good way to get into the next segment as well. I call it the Myth Buster, and the question that I come across is more: what is the most common cloud security myth or misconception that you hear?
David Linthicum: The cloud is less secure than on-premise.
Ashish Rajan: Well, so, and what are people not talking about? Less secure, let's go with that. What is it that people are not [00:30:00] talking enough about in cloud security? The general event is that I need cloud security, but what is it? Is there something that you feel that they're not asking you?
David Linthicum: Oh, yeah. The planning and architecture that needs to go into a solid security solution. They don't talk about that. People like to lead with tools, you know, so I'll hear about RSA and, you know, identity and whatever tool their colleagues are using, things like that, versus actually looking at the security requirements, looking at the data, looking at where it is, looking at the locations, looking at the as-is and the to-be states.
Well, that gets into a bunch of boring planning that has to occur, and a bunch of thinking, a bunch of research. But if you don't do that, I think you're going to miss the mark in providing an optimized security solution. Keep in mind that, you know, if I have enough money and time, I can solve any problem. What I'm looking to do is, in essence, provide something that's as optimized as I possibly can make it.
So if you create a solution that works, that doesn't mean you necessarily succeeded. It just means you created something that works. It's inefficient. You need to create a solution that's optimized and get something close to a hundred percent optimization. And that takes a [00:31:00] lot of planning and coordination.
Yeah, that's almost an art form unto itself. And there's not a lot of people on this planet that are able to kind of pull that off.
Ashish Rajan: Yeah. It is definitely an art. I'll go to the last section, which is a fun question section, which is just three questions. I didn't really give you a heads up on it because they're not technical.
What do you spend most time on when you’re not working on cloud or tech?
David Linthicum: Let's see, besides binge-watching Netflix. Yeah, I build racing drones, and actually also work on motorcycles. So those two things.
Ashish Rajan: Racing drones as well? Like actual competitions, or...
David Linthicum: Actually go to competitions, because you build a drone and...
It's not a lot of exercise, because you're sitting in a lounge chair looking into it. It's fun to watch the device that you made, you know, go around the course faster than other people's. So, yeah.
Ashish Rajan: Well, yeah, that still fascinates me. The next question: what is something that you're proud of but is not on your social media, like LinkedIn or Twitter?
David Linthicum: Oh boy. I put everything on my social media I was proud of. Isn't that what you have to do by law? I'm proud of my career. I think that's, you know, maybe that is on my social media, but probably the most important thing is I'm proud I made lots of millionaires. That's not on my social media.
[00:32:00] So in all the companies I built and sold, I paid lots of mortgages, paid lots of college tuitions and made lots of millionaires. So I think that's something. So, you know, people worked for me for three or four years and they walked away rich, not quit-your-job-forever rich, but I was able to make them comfortable for a long period of time and knock some things out of the park for them.
And I think that's what I'm proud of, is I get to help people and give them a share of the pie, things like that. I mean, it seemed like I worked too long for people that were leveraging my talents but not necessarily providing me with the compensation I deserved. Of course, everybody thinks that when in their twenties. Then you get to the other companies that I started.
And so people were willing to take a risk with me and got compensated well. And so I get Christmas cards all the time and, you know, see them in their new houses with their porches in front and things like that. And I get a kick out of that. They're like, no, that's not...
Ashish Rajan: That is awesome. Yeah. Last question.
What’s your favorite cuisine or restaurant that you can share with the audience?
David Linthicum: Oh, it's the steakhouse. Gotta be an American steakhouse. Yeah, the steakhouse with green spinach. Seems like I'm always eating low carb, that's always the low carb alternative, you know, sauteed [00:33:00] spinach, and sometimes with a blue cheese crust, but it's gotta be a good steak.
Gotta be prime.
Ashish Rajan: Nice. Just making me hungry. It's only 8:00 AM in the morning over here, making me hungry now. Well, that's pretty much what we had the time for. Where can people find you online? And if they have any further questions about this, where can they find you?
David Linthicum: Sure, you can always email me at dlinthicum@deloitte.com. L I N T H I C U M. I'm on LinkedIn, reach out to me there; I seem to accept all invitations. And also I have my blog on InfoWorld that posts twice a week. I have the On Cloud podcast that Deloitte creates. It can be found on iTunes, and it seems to be getting up to number one right now.
So please follow me there. And, you know, I've got some 30-some courses out on lynda.com. So if you want to hear my voice going over multicloud, multicloud work, cloud security, multicloud security, all those sorts of things, it's all out there. And I basically created that because I had a lot of questions like this on how to do best practices in security, and people seem to enjoy them.
And so go out and take advantage.
Ashish Rajan: Awesome. No, thank you. I'll make sure we include that in the show notes as well. But thank you so much for your time. I really [00:34:00] appreciate it. And no worries.