What roles do Identity, Edge Protection and CNAPP play in Cloud Security? At AWS re:Inforce this year Ashish sat down with Brian McHenry, Global Head of Cloud Security Engineering at Check Point Software, to talk about critical aspects of securing cloud environments and the importance of understanding both identity and edge security. Brian speaks about the shared responsibility model in cloud security, the concepts of 'front door' and 'service door' vulnerabilities, the role of CNAPP (Cloud-Native Application Protection Platform) in enhancing cloud security posture, and how organizations can leverage it to mitigate risks.
Questions asked:
00:00 Introduction
03:21 How has networking changed?
04:40 How has the on premise world changed?
06:31 Moving network security to a hybrid world
07:54 The role of CNAPP
10:34 Cloud Native vs Third Party Tools
14:04 Edge Security and Identity in Hybrid environments
17:00 Future of Cloud Security Tools
18:21 The Fun Section
Brian McHenry: [00:00:00] We're trying to move data around and do it securely. That's the only thing that all of this is about. Are these things configured properly? Do they have vulnerabilities? What are the assets I have in the cloud? What am I doing about, compensating controls to your point? Can I fix the security misconfiguration?
Can I patch that server? So we're not saying don't patch. We're not saying don't get your configurations right. We're saying, make sure you have a way to close that down so that the window of exploitability, the risk window is as small as possible. It is really important to remember that, in the shared responsibility model of a cloud, that there's a lot of security responsibility that falls on you, the end user or customer of the cloud.
And that's really important: acknowledging what the gaps are that it really isn't scalable for one of the public cloud providers to provide me.
Ashish Rajan: As cloud security practitioners, we have been talking a lot about identity as a new perimeter for cloud, but we may be forgetting something.
And I learned this concept called front door versus service door from Brian from Check Point, who just came on the show. And that's what this episode is about. Brian has been in the network security space for a long time, started as a sysadmin, moved to network security, did about 14, 15 [00:01:00] years in network security and still continues to be in that ground for talking to customers about what is Network Security's future in the world of cloud.
If you have been a network security person like me, who probably thought CCNA was the best thing in the world back in the day, and being a firewall person was the coolest job that you could find on the blue team side, of course, outside of application security, this time we spoke about how the data centers of the old school world, as some of us cloud practitioners may believe, because you and I have been drinking the Kool-Aid for cloud security from the CSPs for a long time, are also catching up on the capabilities of what the same cloud provider is providing, and how a lot of enterprises who are both hybrid or multi cloud find it challenging being cloud native.
All that, and a lot more in this episode on how the network security world is evolving for this conversation. So I hope you enjoy this conversation with Brian from Check Point. If you are here for a second, third time, if you enjoy conversations like these, if you know someone who is in the network security space looking for what does their future look like in the world of cloud and multi cloud and AI.
[00:02:00] Definitely share this episode with them. As always, I'll appreciate if you give us a follow, subscribe. If you're listening to this audio episode, or if you're watching this on YouTube or LinkedIn, definitely give us a subscribe and follow. I hope you enjoy this episode and I'll see you next one.
Hello everyone. Welcome to another episode of Cloud Security Podcast at AWS re:Inforce. I've got Brian. Thank you for coming on the show, Brian.
Brian McHenry: Yeah, thanks Ashish.
Ashish Rajan: Maybe to kick off the conversation, if you can tell us a bit about yourself, your professional journey and get straight into it.
Brian McHenry: I affectionately refer to this time at Check Point as the third act in my career.
I started, my first decade was in IT. I started in desktop support, like so many, moved up to sysadmin and then network operations, security operations roles. From there, I actually got an opportunity to join F5 as a sales engineer. And I found out that sales engineers are some of the most technical human beings on the planet.
And I spent almost 15 years at F5 finishing my time there as the VP of product management for all their web app firewall and API security, feeling like I stuck my flag in the mountain there. All right. I ventured out to seek my next opportunity and I really wanted to get back to be customer facing and I wanted to go to a [00:03:00] cybersecurity company first and foremost because that's my passion.
Check Point has this tremendous growth strategy for leveraging the cloud first and foremost and I really love what they're doing in terms of, how they are taking CNAPP to a different place. And so I'm leading sales engineering and customer success at Check Point now, been at it for about six weeks. Yeah. So don't quote me on everything I say.
Ashish Rajan: We'll try, but I think your sysadmin background is an interesting one, because for me the memory of initially starting in IT was the whole firewall certification. Getting a CCNP, Check Point firewall, like that used to be the jam back in the day. And now, somehow, because now we live in the cloud world, it's a lot of change.
And I'm also curious because you've spent such a long time in that network security space. It's way longer than I have as well. How have you seen the transition of networking as it used to be and how networking is today between cloud and hybrid world we live in?
Brian McHenry: Yeah, networking used to be if you locked down the network, you were secure.
Yeah. Because that was the front door to [00:04:00] everything. And then what happens is attackers figure out that, hey, I've got to move on to the next office target. They're moving up the stack to the API, they're moving up the stack to web applications in particular. No longer were they just knocking for open ports on the network.
So things changed there. And then we had, coinciding with this, the massive movement to the cloud. There was the promise of faster time to market, more agility, cost savings that all the public cloud promised in spades and in many cases delivered. But with the public cloud, with the move to a new data center paradigm, came new security challenges that I think only recently are we really taking head on and really addressing in a meaningful way.
Ashish Rajan: We've been consuming a lot of the cloud Kool Aid for some time, I think at least 10 years, 10 plus years. And I somehow forgot what the on premise world looks like sometimes, unless I have a conversation with the enterprise and I'm like, oh yeah, that used to be a thing. Because we were talking about this, that the on premise has been keeping up as well.
How has the on premise network space changed now?
Brian McHenry: They've been [00:05:00] observing what the public clouds are doing, right? And in many cases, they're looking at their cloud spending and going maybe I'm not saving quite as much money as I thought I would. And can we adopt cloud concepts in the modern data center?
And absolutely they can. And they can get that agility from automation and orchestration. The efficiencies of things leveraging containers in particular. Containers, I feel, are really delivering on things that virtual machines endeavored to but never quite got to. So there's a lot more possibility now, if you're designing a new data center from scratch, you can design it with cloud concepts in mind, taking all the lessons that Azure and AWS and Google learned for us and applying them from scratch.
And so there's a real opportunity to save time, money, everything else by implementing some of the cloud concepts on prem. And that's important because, as we know, some data can't move out of the data center.
Ashish Rajan: Yeah. And I think some of the biggest challenges we talk about data sovereignty, as you mentioned, for me, it's like, not every cloud has a data center everywhere, but data centers have existed for so long, everywhere.
It's not that IT today is starting today or 10 years ago, [00:06:00] IT's been there for a while. And that to me is also, I just, as you said that, I'm like, oh, does that mean all the cloud service providers of the world are getting competition from the existing data centers now? Because they have equal capability.
And if they already have the customer in the data center, the customer really started to justify why am I moving to a cloud, which kind of brings me to what happens to the network security people, like what's happening in that transition between the on premise and now to the hybrid world. What's their challenge?
Brian McHenry: Network security people are trying to figure out, because they're responsible for security everywhere, not just in the on prem data centers, how do I secure the network in the cloud? How do I keep applications' data segmented properly? Oftentimes they're finding that they either didn't know they had other options.
So they go with the cloud native network security tools. Or they found more often than not that AppDev DevOps has said I've deployed an app and the network security tools I could call by API are the cloud native tools. Yeah. Yeah. So something's been selected and then they have to figure out, can they [00:07:00] consume this operationally, which is a challenge because they got to learn a whole new set of tools for network security.
Do these network security tools in the cloud native world meet the standard that I'm accustomed to? Yeah. Does it have all the features, functionality, protocol support? And then once they've made that assessment, does it do everything I needed to do? Can I consume it operationally? Oftentimes, they're falling back and saying, no, right?
They're saying it doesn't meet my standards and/or I can't consume this operationally, and they search for another solution.
Ashish Rajan: Because we were talking about conversations and customers around who are from that network security background, talking about how they are tackling cloud and some of their challenges.
You're going to mention that the cloud space is limited, but they have that whole CNAPP tool that they've been talking about for a while. And so where do you see that, the gap that we are referring to and what does CNAPP do, as to your point for the network security part of the world and where is the gap at the moment?
Brian McHenry: So a lot of the third party cloud security tools, first of all, exist because of hybrid and multi cloud, right? I can't [00:08:00] have the same security tools everywhere if I'm relying on Azure's native tools or AWS's native tools. So that's one thing, right? So CNAPP does three things in particular. It does identity and entitlement management, which is important, knowing who gets access to what and where; cloud workload protection, which is monitoring the workloads and the data moving in and out of a workload; and then security posture management, CSPM, which is probably the one that most people are concerned with: are these things configured properly?
Do they have vulnerabilities? What are the assets I have in the cloud? But all of these things amount to essentially inventory, not control. Yeah, they tell us what we have. Which is very important. That's the building blocks of good security operations. What do I have? Then how do I protect it? What's my attack surface?
So CNAPP does a great job of that. And it gives you a view that's, cloud independent. You can have one dashboard that says, where's my security posture and my assets? Everywhere. Across all my clouds. Public, private, you name it. But then the question comes, how do I prevent these things from being exploited?
And that's really the thing that's got me excited at Check Point [00:09:00] is they've integrated CNAPP into their network security and their web app firewall solutions, making it possible to take the context that we learned with CNAPP and then provide prevention and protection. So those things do not get exploited.
Ashish Rajan: I don't think we talk about prevention enough. You talk about, I think one of the reasons I wanted to have this conversation is also the fact that a lot of the focus for when we talk about CSPM, I was like, hey, if I close that misconfiguration, I'm secure. But to your point, a lot of times it can't be done straight away.
I have to wait for someone in dev or someone else to fix that for me, pick that ticket up and go, okay, this is important. Or someone else, it's been like a political effort to even get that to be closed. In the meanwhile, what we were doing in network security in the on premise days was like, oh, if there's a zero day or if there's another vulnerability, there's a way to prevent that from being exploited.
So you're saying, I guess, the way you're seeing a path forward could also be the fact that, hey, it could be CNAPP with that additional capability of what networking has been for us in the past.
Brian McHenry: Yeah, [00:10:00] absolutely. So you and I were talking before, we've gotten really good at network security.
That's the good news in cybersecurity. We've gotten really good at it. It's very hard to penetrate networks if you have the right tools in place. So part of that, get those tools in place. But then what am I doing about, compensating controls to your point? Can I fix the security misconfiguration?
Can I patch that server? Or is that going to take some time? And I have a compensating control at the edge that can close it rather quickly while I have time. So we're not saying don't patch. We're not saying don't get your configurations right. We're saying, make sure you have a way to close that down so that the window of exploitability, the risk window, is as small as possible.
Ashish Rajan: From a CNAPP perspective, and from bringing that to the edge with the WAF, as well as anything which is like edge facing, for lack of a better word. What are some of the things, maybe for CISOs who are probably listening to this conversation or leaders who are thinking about this as, I do this already, like I think what would be different if I'm using like an AWS provider versus say another provider.
Like why would I switch between the two?
Brian McHenry: Yeah, so there's a couple of things. [00:11:00] One, I get dashboard fatigue, right? I talked about consuming cloud native security tools from AWS or Azure operationally, right? It may not be that there's a deficiency there. It may just be, man, I got to learn a whole new set of workflows. I got another dashboard to go to. That's really, at the end of the day, what makes it harder to detect threats and attacks, because I'm trying to bounce around. I might be using the same tool to aggregate event information. What we offer at Check Point with CloudGuard and CloudGuard Network Security is one dashboard to rule them all, right, the proverbial single pane of glass, which I don't love that term because it's been promised many times and not delivered. But what we're saying is, if you've got an on prem, hardware or software based Check Point Quantum Firewall that you've trusted for many years to do exactly what a Stateful Network Firewall does, which by the way, Check Point invented the Stateful Network Firewall.
Ashish Rajan: Oh, really? I didn't know that.
Brian McHenry: Its genesis is with the founders of Check Point. Once you've trusted that for years, you want those same workflows, you want that same set of capabilities in the cloud. We can do that with CloudGuard Network Security. And it's one dashboard you log into. You can see what your network security [00:12:00] posture is across all your different environments in one place.
And the same goes for our web app firewall. It can be deployed on prem, it can be deployed in your cloud or it can be deployed as a service. But, in the end of the day, same dashboard. One place to, rule all your things. But also, more importantly, the detection and protection posture is the same.
The behavior is the same. So if I've got a false positive one place, I know it's going to behave the same in another place. That's not a great example because it's a negative, but I also know that if I'm going to protect it here, it's also going to be protected over there. Now, the second point beyond dashboard fatigue and new operational processes is vertical integration, right?
Is this virtuous loop that we want to create between CNAPP and these edge protection tools? If it's detected by one of the CNAPP tools, how do we automatically protect it in the WAF or automatically protect it in the CloudGuard Network Firewall? And that's something that we're already offering some of today, and we're going to continue to embellish that.
And this is all, as you could imagine, driven by AI. Yeah. But we offer a push button manual [00:13:00] intervention so that you don't have to necessarily trust Skynet to secure your network. And we give you the tooling to say, all right, there's a suggestion here.
Hey, we've detected this vulnerability, it's part of this application network flow. Would you like to mitigate it over here on your web app firewall? Imagine the day Log4Shell came out. And somebody said, where are you vulnerable? You probably don't know, right? That's where your CNAPP tool comes in and tells me, where am I vulnerable to this latest thing?
And then figure out: all right, what are the paths to that vulnerability? Is it exploitable? And then how do I patch it? How do I either patch it at the server or at the edge? And so this kind of automation and this kind of integrated, orchestrated workflow is really promising for cutting down that risk window to the minimum possible.
Log4Shell is not the best example when it comes to Check Point, because if you had our WAF deployed, you would have been protected on zero day because it's incredibly advanced. One of the reasons I'm also at Check Point is I dedicated most of my career at F5 to web app firewall and API security and the product they have over here the service for the web app [00:14:00] firewall and the API security has blown me away in terms of what it can do on a zero day.
Ashish Rajan: So we talk about identity is the most important perimeter in cloud, but we exclude one obvious thing in there: that most organizations these days have applications that face the internet. And nine out of 10 times those applications are not using the identity of people like you and I who work as employees of the company, it's usually customers.
So at that point in time, it's usually a WAF or an API gateway or one of those ones or the like, and in a lot of ways, I think the reason I was excited is because we kept ignoring that component, and now, thanks to the AI world, with API being more attentive and not only applications but more data coming in conversation as well.
It's a lot more conversations about edge security coming in. So for people who probably have been very cloud first and probably created a lot of custom dashboards because the native ones, for not waiting it, like I think I know AWS WAF, Azure WAF, take whichever WAF you want, you have to build your own dashboard to even see what you are getting, customization to even [00:15:00] add, hey, whenever this happens, do this action kind of a thing as well, which usually is not a problem with a vendor product as well.
So for people who have been cloud native for a while and are large tech enterprises as well. Is there an obvious thing you see there that needs to change from an edge security perspective, that they're probably missing? 'Cause I get your point about the zero day part. Is there something that you're noticing in that space where, hey, if you're cloud only, you probably don't have to worry about this, or probably have to worry from the perspective that it's no transition, but if you're hybrid, then you probably need to have this conversation about identity as well as the edge security as that future.
Where do you see these worlds go?
Brian McHenry: There's two edges. There's the front door, the internet facing, and then there's a service door, right? Where even identities can be compromised, right? So even, you and I are working as a contractor inside the IT organization.
And I'm sloppy with my credentials or I get mad 'cause of my contract didn't get renewed. Yeah. And now I'm the disgruntled insider, or I'm just a full on insider threat. I'm the spy. Yeah. I'm conducting espionage. So identity is definitely the most important perimeter, [00:16:00] but it certainly is not foolproof.
And that's in the cases where you can assert identity, and that's mostly on the internal side. On the external we want our internet facing applications to be free and easy, right? Yeah. Yeah. We want to be able to access 'em without logging in. Yeah. APIs are particularly notorious for this.
They're often unauthenticated whatsoever. So that's where you see gateways coming in, and authentication gateways coming in, in front of the API to provide something that wasn't built in by the developers. Identity is great, but it isn't always there. And still, you need additional layers of security.
Again, compensating controls. This is Security 101 stuff, but it is really important to remember that, in the shared responsibility model of a cloud, there's a lot of security responsibility that falls on you, the end user or customer of the cloud. Yeah. They don't do everything, right?
They walk you up 24 miles of the marathon. You got to get that last 2.2, right? Yeah. Yeah. And that's really important: acknowledging what the gaps are that it really isn't scalable for one of the public cloud providers to provide me.
Ashish Rajan: This has been interesting. I think I'm glad I'm able to shed some light on this as [00:17:00] well.
So maybe where do you see the future go with this as well? That's the final question.
Brian McHenry: I think we're going to see more convergence, right? We're going to see and by that I mean we're going to see more on premises data centers start to look like cloud, more cloud data centers have, public cloud providers have more advanced security tools to try to keep pace, but I think there is a cutoff line for the public cloud provider to say again, and that's shared responsibility model.
What is it scalable for me to provide versus what I should expect the tenant or the customer to provide? So we're going to see a lot of consolidation too in the security space. We have a lot of point solution tools out there right now. CNAPP is particularly in this space and has been, and you're starting to see a lot of the CNAPP vendors get acquired, but we're going to continue to see that convergence. We're also seeing the big vendors looking at, not just CDN now, but MCN, multi cloud networking, to provide more advanced tools than just a CDN can provide, and then your convergence even there with web app and API security coming together. WAF and API [00:18:00] security are becoming blurry, one thing, which is good.
Because a lot of the API security solutions we see today are again, a news engine. It tells me what APIs I have and it tells me what they're vulnerable to, but it doesn't provide me enforcement because they tend not to be in line. So that's a good thing if a WAF is consuming API security and bringing that into its capabilities.
Now you have an enforcement engine, not just a news engine.
Ashish Rajan: That was like the technical questions, I have three fun questions for you as well. Okay. First one being, what do you spend most time on when you're not trying to solve network security problems of the world?
Brian McHenry: Of late, I am trying to deal with the fact that I have two sons, one just graduated college and the other one just finished his first year majoring in computer science.
Oh, wow. So it's a big transition for my wife and I to navigate life with grown children. So that's one thing. So we were trying to find new hobbies and to that end I started to learn to play guitar, teach myself to play guitar.
I'm not very good yet, but it is something I spent some time on and then, I love to travel.
One of the things I love about being in sales is it provides a lot of opportunity to see the world [00:19:00] and with my kids growing, my wife and I, if I'm traveling for business, she's traveling for business, we accompany one another and extend the trip. So travel is a big part of life.
Ashish Rajan: Awesome. And second question.
What is something that you're proud of that is not on your social media?
Brian McHenry: Proud of my marriage. I've been married 22 years. Oh, wow. And I, my wife, Aliah and I are just as strong as ever. And I'm really proud of that.
Ashish Rajan: I'll make sure I clean this for her to see, get you some brownie points in there as well.
Final question, what is your favorite cuisine or restaurant that you can share with us?
Brian McHenry: As a traveler of the world, I love to sample everything. I'm an adventure eater, if you will. But to pick one favorite is very difficult. But I'd have to say, if I, desert island pick, I can only have one cuisine forever.
It'd probably be Japanese. Oh, nice. Because, and that's a bit of a cheat, because I can go everywhere from hibachi and teriyaki all the way through katsu and sushi and everything else. So I got a, you got a nice smorgasbord there, a range of different things that you can say.
Ashish Rajan: Japanese is a good choice as well.
But now where can people find you on the internet and connect with you to talk more about the space?
Brian McHenry: So I'm on LinkedIn, as I [00:20:00] mentioned, BA McHenry is my handle on there. So LinkedIn URL slash BA McHenry is where I'm at. And I'll share my talks on there when they're recorded.
Oftentimes like I shared this week that I'm going to be at re:Inforce. So if, folks want to find me
Ashish Rajan: I'll put these in the show notes as well, but thank you so much for coming on the show. I really appreciate this. Thank you for listening and watching this episode of Cloud Security Podcast. We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet, and if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info at cloudsecuritypodcast.tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister podcast called AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity, how organizations can deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT, and everything else that continues.
If you have any other [00:21:00] suggestions, definitely drop them on info at CloudSecurityPodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.