This episode focuses on problems that solution architects and security engineers tackle in the real world. Our guests, Jeff & Fernando, work with organizations around the world to help tackle security challenges in the cloud. Our conversation brings to light these challenges...and they may not be what you expect.
Guests
Jeff Westphal, Regional Technical Leader at Trend Micro
Fernando Cardos, Solutions Architect at Trend Micro
Details
This episode was originally streamed on Mon, 04-Nov-2019 to multiple platforms. You can watch the streams (along with the comments) on-demand on:
Transcript
Mark: Hey, morning, afternoon, evening, depending on where you are, uh, on the planet. Uh, I noticed already, uh, on the LinkedIn Live comments, uh, there's folks tuning in from all around the world. Uh, very cool, very much appreciated.
Uh, we are streaming this live to, uh, LinkedIn, to YouTube, and to Twitter, um, just trying to reach out to as many, uh, folks in the community as possible. This is gonna be interactive. This is the first in a series of events we're gonna be doing like this. Um, so if you have questions, please fire them off in the chat on LinkedIn, um, on YouTube, or on Twitter.
Uh, we've got a team monitoring that because it's kind of crazy just for us while we're having that discussion, uh, to do it ourselves, so the team will pull those questions, uh, and bring them up to us so that we can include them in the conversation.
[00:03:24] In case you're wondering, um, we were batting around the idea. So, the, the team at Trend Micro, we're kind of batting around this idea and saying, you know, "Hey, we've been reaching out to a lot of folks. We go to a lot of events."
In fact, one of our guests today is at an event right now. Um, we've been going to all these events. We've been putting out different content, um, and we've been working heavily in the cloud, uh, publicly for, uh, seven years.
[00:03:44] Um, we've been, you know, experimenting and working with it internally for even longer than that, and we kind of realized that, you know, we dropped the ball on one particular area, and that was really sharing and highlighting, um, a lot of the deep expertise that we've got at the company, um, because we don't just make products, um, and services and sell that out, uh, to our customers to help you be more secure, um, on your cloud journey and in the cloud.
But we're a huge cloud customer ourselves, um, and we've got a h-, a deep bench of folks who know a ton of stuff, uh, about cloud and have seen every which way of this problem, um, and we haven't done as good of job as we should have about sharing that with you guys.
So this is the first step on a series where we are going to be, um, sharing that information out with you. Uh, we are going to be bring you different perspectives, uh, around moving to the cloud, around challenges in the cloud.
[00:04:27] Uh, my name's Mark. I'm the VP of Cloud Research here at Trend Micro. Um, today, we've got two fantastic guests, uh, called in, uh, from actually couple different places around the world, but I'll let them explain it to you. Let me just flip over to them live.
[00:04:52] Jeff: Uh, Dave [inaudible 00:05:04]. The, uh, show hasn't even kicked off yet, so I'm trying to hang out at the booth here, so, hopefully, it's, hopefully, the background noise doesn't get, get too, too bad, but just quick intro on myself.
So, I manage the technical team for our Great Lakes region. I've been doing that for about two years, but, uh, prior to that, uh, my role at Trend has really been focusing on our, on a single solution for hybrid cloud.
[00:05:15] Mark: Okay, and Fernando, do you wanna introduce yourself, tell us where you're calling in from?
[00:05:19] Fernando: Sure. Uh, La Grande, Brazil, just to [inaudible 00:05:35] here for this week, and after come back to, to home, where I live right now.
Like, my main focus today is, like, uh, the solutions architect for all Canada to help customers to build, like, a, a security Dev-DevOps and cloud security across, like, [inaudible 00:05:51] cloud providers.
[00:05:40] Mark: Right on. Cool, and that really-
[00:05:41] Fernando: Yeah.
[00:05:41] Mark: ... you know, Fernando's story really highlights sort of the global nature of Trend, and we have folks all around, and we tend to bounce around a lot, [laughs], um, in a good way.
[00:05:49] Fernando: [laughs]
[00:05:49] Mark: Um, for those of you on the stream, uh, I know we had a bit of an audio issue in the intro. I'm just gonna recap real quick, uh, just to cover it. This is the first in a, in a line of Trend, uh, series that we're gonna be doing.
Um, we've been building stuff in the cloud for a long time for, for you, our customers, and for the community, um, but we are a huge cloud user ourselves, and we've got a ton of different perspectives, um, and we noticed that, you know, we didn't, haven't done a great job, um, as we should have been about sharing that expertise with you and letting you guys know, um, sort of the different perspectives to help educate.
So, this series is all about, um, education. It's not about product pitches.
[00:06:17] We're gonna try to share different, um, views on the cloud, see what that is. Um, so, Jeff and Fernando, I, are literally in the trenches. Um, well, not literally, thankfully, um, but they are digging deep with customers, um, doing real, you know, real work, helping solve real problems, and we thought that'd be a great way to kick this off.
Um, we are live on LinkedIn, we are live on YouTube and on Twitter. We've got a team monitoring the comments on all three of those platforms. Um, so if you have questions, um, please, uh, raise them there. We're gonna address them on the stream.
We want this to be as interactive as possible, um, because this is really just a conversation to try to, to ed-educate, to help inform, um, about various challenges that different organizations see at different times.
[00:06:51] Um, this is a live stream, so, uh, you know, it's maybe rough, like, with the, the audio problems on the, uh, on the intro a little bit there, and Fernando's literally dialed in from Brazil, um, so, hopefully, we've got adequate bandwidth and things like that.
You never know, um, so bear with us as we work through this. Um, also, a key point out because this is live, I know I have a coffee and came prepared.
[00:07:08] Fernando: [laughs]
[00:07:09] Mark: I believe Fernando has a coffee and came prepared. Jeff, do you happen to have a coffee this morning?
[00:07:14] Jeff: Oh, here it comes. I, I do not have a coffee this morning, nope.
[00:07:17] Mark: Oh.
[00:07:17] Jeff: I am not prepared with a coffee. I mean, I can run grab one quick-
[00:07:21] Mark: No, no, we're good. We're, we're good.
[00:07:21] Fernando: [laughs]
[00:07:21] Jeff: ... if you want me to do that, but, no, I can probably take my laptop with me, and then we can make it-
[00:07:25] Fernando: [laughs]
[00:07:25] Jeff: ... you know, give, give a tour of the show.
[00:07:27] Mark: We're not there yet. We'll do ... Maybe, maybe episode two will be, uh, Trend on the Go, and we'll just randomly get people walking through the day and do man on the street kind of things.
[00:07:35] Jeff: [laughs]
[00:07:35] Mark: No, we just needed to rub that in-
[00:07:36] Jeff: [laughs]
[00:07:36] Mark: ... because, as we were getting warmed up for this-
[00:07:38] Jeff: [laughs]
[00:07:38] Mark: Jeff was desperately trying to convince one of his colleagues to help get him a coffee because I wouldn't let him go anywhere, and, of course, that's not gonna happen. You didn't come prepared. It's not ... You're just gonna have to suffer through, man.
[00:07:50] Jeff: I'll try to stay awake. I'll do my best.
[00:07:52] Mark: [laughs] Hopefully, we're not that boring where you actually have a risk of falling asleep in this.
[00:07:56] Jeff: [laughs]
[00:07:56] Fernando: [laughs]
[00:07:57] Mark: That, that will be some good feedback from the audience. If we're at the point where one of our guests falls asleep, I don't think we're very entertaining-
[00:08:04] Jeff: [laughs]
[00:08:04] Mark: ... or interesting-
[00:08:04] Jeff: [laughs]
[00:08:04] Mark: ... for the folks who are actually tuning in, um, but, you know, hey-
[00:08:07] Jeff: That is true.
[00:08:08] Mark: ... we'll see.
[00:08:08] Jeff: [laughs]
[00:08:09] Mark: [laughs] Okay. So, first question I've got for you, and this, uh, you know ... I don't wanna go through questions, like, interview style because I don't think that's what, what's gonna be the value here 'cause I know you guys, I've known you for a number of years, I know the level of work you do, um, you know, world class solutions design, world class problem solvers.
So, I don't think going, "Hey, opinion one, two, three is gonna work." So, I'll just kick it off to warm it up a little bit.
[00:08:29] Um, so, you know, we see a lot of stuff about cloud. We see a lot of different, um, people, uh, positioning different things, especially when it comes to marketing of, like, "Hey, this is the biggest problem.
This is the biggest problem. Blah, blah, blah." Right? And there's a lot of BS out there. There's a lot of [inaudible 00:09:07].
[00:08:43] Um, let me start with asking you, Jeff, what do you see based on your experience, um, based on your team's experience? What do you think the actual biggest problem in cloud is? So, for organizations moving into the cloud, what's the actual biggest problem?
[00:08:57] Jeff: Um, honestly, the, what I see and when I walk into most organizations is you're talking to one team about one specific problem, but they're not communicating with other teams, and there's a lot of problems that sometimes can be solved by just bringing the teams together, getting them to communicate.
Um, so, regardless of, you know, the bigger, the bigger enterprises are, you know, they're further along, they have dedicated teams, and they're, they may be working well together, but, you know, for the most part, most organizations have almost siloed teams, you know?
We're starting to see more cloud teams forming, um, dedicated cloud teams, but that doesn't necessarily then mean that the cloud team is talking to the development team or the ... they're talking to then the security team, right?
[00:09:43] And we all could be trying to focus on a single problem, but, at the same time, each team is then communicating with one another, so, and when we look at that from a security perspective, that becomes a big constraint when you're, when you're looking at your design when those teams are not communicating.
So, from our perspective, it's, again, just trying to get all of the right teams in the room to kind of, to bring that problem, you know, together and communicate better to resolve that.
[00:10:14] Mark: Okay. And Fernando, I saw you nodding a bit. What do you think?
[00:10:18] Fernando: I ... Yeah, that, that ... It's the most important from, like, Jeff opinions, right? But one of the things that they start to seeing a lot is, like, uh, a lot of the companies, they start immigrating a lot of applications to the cloud as infrastructure as a service, right?
And, m-, when the clouds team or the [inaudible 00:11:04] teams, they using multiple, like, solutions, the [inaudible 00:11:08] or the, the operations, they don't know how to control that.
[00:10:45] Mark: Mm-hmm [affirmative].
[00:10:46] Fernando: They don't have, like, visibility across the cloud, that they, they start to have, like, issues of, like, misconfiguration or, like, permissions and couple other things. I think it's like, uh, trying to teach internally for all folks in IT how cloud and how the, the multiple service and call providers works will be fantastic.
You know, like, for example, when they go to, to, like, one cloud provider, and they start to using serverless.
[00:11:12] Mark: Mm-hmm [affirmative].
[00:11:12] Fernando: Right? A lot of teams internally, they don't have idea what is serverless, how that works, how it can protect those, how it can make it a permissions for, like, users or developers and all those things, you know?
[00:11:24] Mark: Mm-hmm [affirmative].
[00:11:24] Fernando: It's a, it's a huge challenge right now.
[00:11:27] Mark: And do you see that ... So, you mentioned, you know, you see people moving over infrastructure services, which basically means servers.
[00:11:34] Fernando: Right.
[00:11:34] Mark: Right? They're building virtual machines or instances and, and are they changing anything? Are they just kind of forklifting and dropping what they have?
[00:11:43] Fernando: Correct. Most of the time, like, grab everything from the old [inaudible 00:12:17] environment or the data center environment, right, and just move.
[00:11:51] Mark: And is that working?
[00:11:53] Fernando: Uh, works for, like, six months, and, after that, they start to see how expensive it is-
[00:11:59] Mark: Mm-hmm [affirmative].
[00:11:59] Fernando: ... to, like, run the same infrastructure in the cloud, and they starting, like, say, "Oh, my God. We need to adapt to this. We need to create, like, microservices.
We need to, uh, use containers. We u- ... We need to use, like, some platform as a service. We need to use, like, serverless." If not, no makes sense, right? If they don't start to using the cloud natives solutions, like, doesn't make sense to use, like, cloud environments.
[00:12:24] Mark: Yep, and I mean, th-th-th-that was, there was a report, um, that RightScale had commissioned a few months ago that said-
[00:12:30] Jeff: Right.
[00:12:30] Mark: ... uh, you know, "Organizations are, are, uh-"
[00:12:31] Fernando: Mm-hmm [affirmative].
[00:12:32] Mark: "... concerned at the cost of cloud," and the interpretation, at the time, I was like, "Um, that doesn't seem to line up-"
[00:12:38] Fernando: [laughs]
[00:12:38] Mark: ... but I think you just nailed it, right? 'Cause it's like, "Oh, if you're doing the same thing you've always done-"
[00:12:41] Fernando: Yeah.
[00:12:41] Mark: "... in a brand new environment," you're like, "why is this so much more expensive?" Because you added a middleman and didn't take advantage of anything that they, they offer. Right?
[00:12:50] Fernando: Correct.
[00:12:50] Mark: Um, Jeff, you were nodding. What do you, what do you think there? You've seen [crosstalk 00:13:26]-
[00:12:54] Jeff: Yeah, no, I totally agree, um, and that's ... I mean, they're, they're, they're moving their applications to the cloud, but then they're also migrating the same tools that they're using on-prem to the cloud, right? And it's, so it's almost twofold, right?
We're not ... There's ... We have to ... When we migrate to the cloud, we need to look at automating everything, right? And, sometimes, that requires redesigning your applications, but then that also sometimes means we need to change what kind of tools we use, right? We can't necessarily bring the same tools with us and expect them to operate, even if we do redesign our applications for the cloud, right?
We can't have them operate, um, kind of simultaneously like that, but, again, it, it goes back to just things like automating policies, just, uh, account governance, like, just you're reporting, and then bring all that together. It simplifies ... I shouldn't say maybe simplifies, but it, it provides more of a consistent, you know, cost analysis, right?
Consistent cost baseline, right? And that's kind of what, when you look at cost being the number one overall problem, right?
[00:13:57] It goes back to what Fernando said about the tools and your applications not just kind of being forklifted over, but, then again, it's all of these teams at the same time operating independently and not communicating, right? That's all boils down or I guess funnels back up to cost.
[00:14:15] Mark: Yeah. So, you said, you said a interesting word there, governance, which, you know, if we wanna put anybody to sleep, that's a great topic we can dive into, um-
[00:14:23] Jeff: [laughs]
[00:14:23] Mark: ... but I, it's, I think it, it's, I mean, it's critical for organizations 'cause it ties together a couple things that you both mentioned with not everybody being at the table, um, kind of, you know, not, um, taking advantage of the new cloud services and stuff like that.
Do you see ... Is ... How's ... Is governance just struggling? Is it something people are begrudgingly doing? Are they ignoring it? Like, it makes sense from an organization perspective that you have to have some guardrails up, but are people messing that up, or is they actually pulling it off?
Like, what are you guys seeing when you're talking to people?
[00:14:54] Fernando: Uh, they try to organize, like, in different, different, like, [inaudible 00:15:34], right, for governance, but, like, sometimes, they try to progress with the same way how they manage l-like a regular infrastructure.
They start to even trying to adopt their governance in, like, a compliance process and couple other things for cloud, but it, it's like [inaudible 00:15:52] than they think, in my opinion, right?
[00:15:20] Mark: And do, do you mean with that, Fernando, do you mean that they are taking existing governance from a traditional environment and try to make that work in the cloud?
[00:15:28] Fernando: Correct. Most of the time, I see those things, right? Um, but, but they, when they see, they don't have, like, so much control from, like, infrastructure side and a couple other things, they say, like, "Oh, we need to change those controls, right?
We need to follow maybe CSA, Cloud Security Alliance's, uh, controls," or they need to follow the NIST, uh, for framework or AWS Well-uh, Architected Framework, and a couple other things.
[00:15:52] Mark: Okay, and, Jeff, are you seeing the same kind of thing? Like, what Fernando kind of implied is that people are moving forward, failing, and then fixing. Do people, uh, do research ahead [laughs] of time? Like, do they look what they're doing-
[00:16:04] Jeff: [laughs]
[00:16:04] Mark: ... before they go, or is that a common pattern where they just make a push, and then go, "Oh, crap, like, I need to fix this. I need to fix that."
[00:16:11] Jeff: I mean, I mean, it, I totally agree with Fernando. Uh, at the same time, you look at it from an organization's perspective. You're getting cloud thrown at you in every direction, and if you look at how easy it is now to move to the cloud, it's ... I mean, it's a no-brainer, right?
You know, you're, you're getting instructed. These teams are being instructed to move applications to the cloud, and, sometimes, it's a couple clicks to get your applications out there, right? Um, but then at the same time, then, again, going back to the cost situation, when we do that, you know, you're not then delegating any authority to those same teams around governance, right?
You're just basically-
[00:16:49] Mark: Right.
[00:16:49] Jeff: ... telling our teams to say, "Hey, we need to go to the cloud. I keep hearing cloud, cloud. Let's, let's move our applications to the cloud." Okay.
A couple clicks later, you got some applications out there, but then there's no authority around cost management or, or, uh, policy assignment, right? And, and that's where, that's where the cost then gets, um, out of line.
[00:17:07] Mark: It's almost like some exec read something somewhere or saw a cool talk and came back and just told everyone what to do.
[00:17:13] Fernando: [laughs]
[00:17:14] Jeff: Hey, cool, I went to this cool conference call, uh, Microsoft Ignite. We need to move all our apps to Azure.
[00:17:18] Mark: Yeah, and I mean, that's, that's-
[00:17:19] Jeff: Yeah.
[00:17:20] Mark: I think that's part of the problem is that, especially when you're at ... Like, we all go to a bunch of conferences and events, is that there's such a great positive energy, and a lot of it is such hands-on, like, at Ignite this week, you're gonna see a bunch of hands-on sessions of, you know, how to tackle specific problems, how to solve X, how to solve Y, and people come back and get super excited, but it's that bigger picture that's nowhere to be seen, right?
They don't come back and go, "Wait a minute. What does this mean if we give up this responsibility or if we change this? How does that fit into-"
[00:17:47] Jeff: Right.
[00:17:47] Mark: "... governance [inaudible 00:18:27]?" 'cause, I mean, that stuff's boring, but then we end up in this pattern that Fernando's called out where it's kind of like, "Yeah, we're doing this, and, oh, we didn't think about that, and, oh, we didn't think about that." Right?
It's like when you do containers. Um, when you start rolling out containers, and ... Oh, [laughs] I saw Fernando's face…
[00:18:01] Fernando: Because, right now, I start to ... No, no, no, not, not just that, like, but, like, you're touching a very good point, right?
[00:18:10] Mark: Yeah.
[00:18:10] Fernando: They, they start immigrating everything to the cloud or moving a couple of applications to the cloud, and [inaudible 00:18:59], but I have the security from the cloud provider. I don't need you to do, like, nothing else. Like, for example, every piece protect the cloud provider, and it's like, "No."
[00:18:27] Mark: Yeah.
[00:18:27] Fernando: There is, like, a shared responsibility that you need to know very well where you need to, like, fix and feature. A security feature is to protect your workloads, right? And I, [laughs] that's a very good point, too.
[00:18:41] Jeff: I thought we were ... I thought we were past the whole cloud, uh, shared security model because I've been, I mean, five years, six years now, we've been kind of showing the same, uh, that, that poor slide that's in all of my slide decks. It just won't go away, right?
[00:18:53] Mark: Yep.
[00:18:53] Jeff: And we're not th-, uh, and I think we're ... we've definitely made pro-progress, right? But, as Fernando said, it kind of shifts when you talk serverless or you talk containers and you're moving your applications to more of a, you know, a pipeline.
[00:19:05] Mark: Yep.
[00:19:06] Jeff: That model shifts, and, now, we're almost back to the education around that shared security model and, and where different tools fit. What's cloud native? What should we use, and where, and where does it fit, and what ... When do we need a third party tool?
[00:19:19] Mark: Yeah, and I think that's, uh, it's s-spot on, guys. Every time we see a new way of deploying or building an app, everyone makes the same mistakes again, right? It, it's just, it drives me crazy 'cause I've seen it, you know, not just-
[00:19:31] Fernando: [laughs]
[00:19:32] Mark: ... in cloud, but way before cloud where we make the same thing again and again. So, we saw it with containers. We're seeing it with serverless. We're like, "Oh, I don't need to worry about anything," and you go, "W-we talked about all this. We understood we were good," 'cause I've got that exact same slide. Every cloud talk I give-
[00:19:48] Jeff: [laughs] Right?
[00:19:48] Mark: ... there ended up being that same shared responsibility slide and, you know, I'd like to think that the reason we have to keep repeating it is because we've got new people coming in, which is great.
[00:19:57] Jeff: Right.
[00:19:57] Mark: Right? More people building, but, yeah, it's like, "Okay, we're gonna be covering this for the next 10 years at least-"
[00:20:02] Jeff: [laughs] Right?
[00:20:04] Mark: "... on the basics [laughs] of how this works-"
[00:20:05] Fernando: Right.
[00:20:06] Mark: ... but it's [crosstalk 00:20:48]-
[00:20:07] Fernando: But what happens ... Yeah, but what, what happens, in my opinion, is, like, for example, when we starting talking about shared responsibility back in the day was associated with, like, infrastructure as a service, right?
[00:20:17] Mark: Mm-hmm [affirmative]. Mm-hmm [affirmative].
[00:20:18] Fernando: I think after they start immigrating to, like, platform as a service and couple other things, the customers start to think, "Oh, I don't need to, like, protect, uh, AS or SaaS or any other, like, type of, like, uh, as a service, uh, solution in the cloud because the main model of, like, shared responsibility, it's only for IaaS, right?"
But it's not true. Like, for example, they need to protect the data, the encryption, the communication, to, like, uh, servers.
[00:20:44] Mark: Yeah.
[00:20:44] Fernando: They need to control the permission. They need to control which specifically service the serverless we will have access, and a lot of other things, but they forget those things, right?
[00:20:55] Mark: Yeah, and, I mean, I think, you know, I just came ... I was doing serverless conference in New York, uh, two weeks ago, and this sorta core community, great, the people are coming in now, exactly what you just said, was going, "Well, we don't need to worry about anything, operations or security-wise, 'cause that's the whole point of this thing," and it's like-
[00:21:11] Fernando: Correct.
[00:21:11] Mark: ... "No, it just shifts. There's difference. You, you have less, for sure, and that's good, but you still have responsibilities," and, you know, one of those things we always see is the misconfigurations, right? People making mistakes, not understanding that, you know, you need to lock down S3 buckets-
[00:21:24] Fernando: Right.
[00:21:25] Mark: ... or, actually, I should say S3 buckets come locked down, and you shouldn't unlock them, like everybody seems to, to randomly do.
[00:21:32] Jeff: [laughs]
[00:21:32] Fernando: You need to sanitize the API [inaudible 00:22:18] communications, for example-
[00:21:37] Mark: Yeah.
[00:21:37] Fernando: ... but people don't, don't think about those, right? [crosstalk 00:22:21].
[00:21:39] Mark: Yep. Yeah, 'cause, you know, you jo-, we joked about having a shared responsibility slide. Any time I talk about application development, I've got the same [inaudible 00:22:29] top 10 slide to show that despite 10 years-
[00:21:49] Fernando: [laughs]
[00:21:49] Mark: ... of application security efforts, s-, ef-, injection is still the number one attack when it's probably the easiest thing to stop, and, yet-
[00:21:55] Fernando: [laughs]
[00:21:55] Mark: ... 10 years in, we still, left, right, and center. It's, it's nonstop injection attacks. It's nuts.
[00:22:03] Fernando: And a fun fact, and a fun fact, they create, like, a new [inaudible 00:22:49] top 10 for serverless applications recently, right? And-
[00:22:11] Mark: Mm-hmm [affirmative].
[00:22:12] Fernando: ... [inaudible 00:22:54] one of the [laughs] those [laughs] top 10.
[00:22:12] Mark: Yep, it is. It is, right? And, I mean, the thing is is you go ... And I'm a developer. Don't get me wrong. I understand, but you go talk to Dev teams, and the first thing they say, like, you know, like, the cliché in the security, "Don't roll your own encryption." Almost every development team I meet, it's like, "Oh, yeah, we wrote our own input sanitizer." You're like-
[00:22:31] Fernando: [laughs]
[00:22:32] Mark: ... "Why? There's literally one well-maintained community edition free open source, like, free as in free beer, free as in freedom, input sanitization library for any language or framework you can find. Why do you write your own?"
[00:22:46] Fernando: [crosstalk 00:23:32].
[00:22:47] Mark: Anyway, that's a little, you know ... Gonna get me ranting real quick here.
[00:22:51] Fernando: [laughs]
[00:22:51] Mark: [laughs] Um, [laughs] so, let me change gears a little bit 'cause we talked a bit about, um, you know, adopting cloud, people getting, uh, involved, people getting onboard, and, and, you know, having those team discussion.
So, who do you see at the table for these discussions, 'cause most organizations, like, cloud's not a new thing, so who do you see who's actually talking about moving forward? Uh-
[00:23:12] Fernando: Moving forward, uh, the applications to the cloud, you were saying? Uh-
[00:23:16] Mark: Yeah, well, just, like, when you're having a-
[00:23:17] Fernando: Okay.
[00:23:17] Mark: ... cloud conversation, um, who's actually at the, at the table talking about this stuff? Like, is it just the development team? Is it operations? Is it security? Is it the PMs? Like, who, who's around having these discussions?
[00:23:31] Jeff: Usually, uh, it's one or two guys, [laughs] and they've been, uh, they've been delegated the cloud guy, so to speak, right? And, uh, the, the cloud guy then is responsible for everything there is cloud, and he's basically the one pushing, uh, certain application changes or using or leveraging certain tools, and he's trying to bring everybody that he needs to at the same table, but, obviously, that's, that's the big challenge.
So, usually, I mean, when you walk in the room and you've got the one guy that was ... He was on the infrastructure team. Maybe, he's, he was a security guy. I mean, I've had the endpoint guy come in and, and you are now the cloud guy. Congratulations, and that's usually how it starts.
[00:24:16] Fernando: [laughs]
[00:24:16] Jeff: Yeah, exact-, it, it's, uh, another hat, for sure, but that's usually how it starts, right? You have the one, the one cloud guy, and then you come back to the same organization a year later, and there's four cloud guys in the room, but, again, same thing, they're ... I don't know if these, uh, organizations are hiring with clou-, people with cloud experience.
They're more or less saying, "Hey, you're really good at XYZ, and you seem to love cloud. You, sir, are now on the cloud team." You know? And they sometimes bring different skillsets and things like that, which is needed, but, at the same time, the teams that, that have the authority or the control over what's moving to the cloud and how and when aren't always there.
[00:25:01] Fernando: Right. Yeah, like, there's this case, and, uh, they have some other cases, like, for example, some companies, uh, the business unit created, like, a new application. They move everything, right, to the cloud, and then main, like, l-lead DevOp, DevOps team, uh, or engineer from that, uh, specific application.
They come to us, and they starting talk, "Oh, we need compliance. We need to follow this, this specific regulation, like PCI DSS, uh, SOX, or ISO 27001, for example, and couple other things, right?" Um, it's pretty common right now. For example, most of the time, when we go for, like, [inaudible 00:26:32]
…um, a conference, Azure conference, or Google, those type of, like, guys, they came to us to talk about security, right, because they have the knowledge, they start [inaudible 00:26:42] by, uh, security and compliance to get those specific achievements for the application.
[00:25:55] Uh, the other case would be the, the case that, like, uh, Jeff just, like, introduced, like infrastructure, like, "Oh, this is, like, your new [inaudible 00:26:59]. Be careful of this."
[laughs] And they starting take care of all, like, the cloud environments, but they're never touching cloud, uh, solutions. Uh, yeah, those ... I think those are the two most common that I see in the market.
[00:26:16] Mark: Okay. Now, I'm gonna call Jeff on something because, um-
[00:26:21] Fernando: [laughs]
[00:26:21] Mark: ... he said in his example-
[00:26:21] Jeff: I don't have a proxy, remember.
[00:26:22] Mark: No, no.
[00:26:23] Jeff: Remember, I don't have a proxy.
[00:26:23] Mark: You said in your example that there was a security person or someone with security experience in the discussion.
[00:26:28] Fernando: [laughs]
[00:26:28] Jeff: And it's happened.
[00:26:30] Mark: It happened-
[00:26:31] Jeff: Rare.
[00:26:31] Mark: ... or it happens?
[00:26:34] Jeff: Okay, it happened.
[00:26:35] Mark: [laughs]
[00:26:36] Jeff: I think it happened one time.
[00:26:37] Mark: So, like, once.
[00:26:37] Fernando: [laughs]
[00:26:37] Mark: It was one time. There was one person. [laughs]
[00:26:39] Jeff: I think it happened one time. I think it happened one [crosstalk 00:27:37].
[00:26:40] Fernando: Very rare. Yeah.
[00:26:42] Jeff: One time.
[00:26:44] Mark: Okay.
[00:26:44] Jeff: Yeah.
[00:26:44] Mark: 'Cause it's, and then that's normally my experience, and I think, you know, as a, as an old-time security pro, I think we do it to ourselves, but very rarely is security normally on top conversation, like, from a team member.
People are worried about it, concerned about it, but it's not like the security team's there going, "Yeah, cloud." Um, you know, they're normally, they're going like, "Oh, you're making my life worse 'cause you're moving things even faster, and I don't like that," um, but, yeah, when you said that, I was like, "Wait a minute. Come on."
[00:27:10] Jeff: [laughs] I, I remember that [crosstalk 00:28:09] conversation even. It was one of those things where, uh, we said we were talking about vulnerability management, and he said, I, you know, we were talking, you know, what progress or what process do you use?
And, uh, he said, "Oh, well, the developers build their applications, and then we, you know, run some type of vulnerability scan, and then we print out this 30-page report, and then we hand it to them and we say, '[inaudible 00:28:31].'"
[00:27:34] Mark: Okay.
[00:27:34] Fernando: Oh, my God.
[00:27:35] Jeff: And [crosstalk 00:28:34], "Okay, that's great," and then, you know, obviously, there is ways to mitigate that, and include secure in that design, but guess what?
The people that build the applications that manage that pipeline work in the room, so that we had to reschedule another meeting, you know, once we got to that topic.
[00:27:51] Mark: Hey, it's better than most, right?
[00:27:53] Jeff: Mmm. [laughs]
[00:27:55] Mark: And, I mean, to be clear-
[00:27:56] Jeff: [laughs]
[00:27:56] Mark: ... I fully believe this is on the security teams. I think we've done a horrible job as security folks of actually helping the business and being involved in the conversation.
Um, most of the time, we just get grumpy and say, "No," to things, um, and if you, you know, if somebody says, "No," all the time, you're not really gonna go ask them 'cause you already know what they're gonna say, right?
[00:28:14] Okay. I'm gonna hit you with something I didn't tell you I was gonna do, um, because why not? This is the first time-
[00:28:19] Jeff: There-
[00:28:19] Mark: ... we're doing it. So, I'm gonna, I'm gonna fire off a couple rapid fire. I want a one sentence, quick response from each of you, um, and your honest opinion.
[00:28:29] Jeff: Okay.
[00:28:29] Mark: There's no, there's no bad things here. Um, you know, uh, there's no repercussions. So, so don't sweat it. Uh, s-
[00:28:36] Jeff: The lightning round or-
[00:28:37] Mark: Yeah, lightning round, exactly. So, first up, Jeff, uh, DevOps-
[00:28:41] Jeff: Oh-
[00:28:41] Mark: ... is it a new coat of paint, or is it real change?
[00:28:45] Jeff: Oh, man. This is ... I gotta do this really quick, hey?
[00:28:48] Mark: Yeah.
[00:28:48] Jeff: Um, I'm gonna, I'm, I'm, I'm gonna call it a new coat of paint.
[00:28:52] Mark: Okay. Fernando? Coat of paint?
[00:28:53] Jeff: [crosstalk 00:29:58] do I need to explain it, too?
[00:28:56] Mark: No, no. We'll come back later. Fernando, new coat of paint or real change for DevOps?
[00:29:01] Fernando: Uh, real.
[00:29:02] Mark: Real? Okay. This is good. I like, I like some conflict. We'll, we'll dive into that in a second.
[00:29:06] Fernando: [crosstalk 00:30:12]. [laughs]
[00:29:07] Mark: Um, okay, this one should be ... Well, no, I can't bias it, so I'm not gonna say it. Fernando, private cloud, real or fake?
[00:29:15] Fernando: Uh, fake.
[00:29:15] Mark: Jeff?
[00:29:17] Jeff: I'll agree with Fernando on that one, that.
[00:29:19] Mark: Okay. Uh, Fernando, back to you. Automation, something actually people are doing, or just everyone talking about it?
[00:29:26] Fernando: Just talking about it.
[00:29:28] Mark: Jeff?
[00:29:30] Jeff: We're two for three here on agreement. Yeah, it, it, uh, it's just a discussion. Mm-hmm [affirmative].
[00:29:34] Mark: Okay. All right.
[00:29:35] Jeff: [laughs]
[00:29:36] Mark: Last, last rapid fire. Jeff, multi-cloud, is that a real thing?
[00:29:40] Jeff: That's definitely a real thing.
[00:29:41] Mark: Fernando?
[00:29:43] Fernando: Real thing, yeah.
[00:29:44] Mark: Okay. Let's go back for a second. Uh, Jeff, explain DevOps, new coat of paint.
[00:29:52] Jeff: I called it the new coat of paint.
[00:29:54] Mark: Yeah. Why?
[00:29:54] Jeff: Right? And I, I say that because ... And now it's shifting, right?
[00:30:04] Mark: Yeah.
[00:30:04] Jeff: Different ways to containerize and then orchestrate that containerization-
[00:30:09] Mark: Mm-hmm [affirmative].
[00:30:09] Jeff: ... and so many different tools to leverage that it, it's kind of changed ... I don't wanna say it changed the model, but it changed how we've done the deployment, right?
And, and, and it goes back to then automating everything, right, whereas, before, we may have used some of these tools and, and we may have, uh, leveraged a lot of these orchestration and build automations before, but, um, we weren't necessarily including all of the pieces in that, in that same pipeline, right?
So, that's why I say new coat of paint 'cause same maybe concept, right? At the same time, a lot of different new tools and ways to do it.
[00:30:46] Mark: Okay. Fernando? You had the opposite.
[00:30:48] Fernando: [crosstalk 00:31:57].
[00:30:48] Mark: You said it was real change.
[00:30:51] Fernando: Yeah, why I say that is because, in my opinion, and we see a lot of those articles and books and all those things, it's, like, every single company right now is, like, a software company.
[00:31:01] Mark: Mm-hmm [affirmative].
[00:31:01] Fernando: If they are not, they will die, right? They will die in couple more years, and this, this is real. Like, if they don't want that for, like, a DevOps culture fast enough, they will have, like, a huge problem, uh, against, like, uh, startups and new, new companies, old companies that being adapted for, like, this new culture, uh, very ...
[00:31:22] Mark: Okay. Fair. I can see both sides. Um-
[00:31:24] Jeff: I agree with you a little bit there.
[00:31:26] Mark: Yeah.
[00:31:26] Jeff: I'm not agreeing with you totally.
[00:31:29] Fernando: [laughs]
[00:31:29] Jeff: But a little bit.
[00:31:31] Fernando: [laughs]
[00:31:31] Mark: Yeah, and, I mean, I think it, it depends on the organization, right?
[00:31:34] Jeff: The [crosstalk 00:32:45] thing.
[00:31:34] Fernando: Correct.
[00:31:34] Mark: Like, we've seen ... Um, I was talking to a friend last night, and, uh, he was grumbling at the fact that there was, uh, literally a team called the DevOps Team, um, and they just had relabeled their operations team.
There was no developers on it, and they were like, "Oh, these guys are DevOps teams because they had automated a couple things, and they were just an old school Ops team," um, you know, which is-
[00:31:51] Fernando: Yeah.
[00:31:51] Mark: I've, I've seen that, right? And then the flip side is if you've got a big, massive organization, culture change takes a long time.
So, like, taking two people from Dev and two people from Ops and saying, "I'm gonna form a new team, and it inevitably be, it ends up being called the DevOps Team," but form a new team just to protect them from all the existing rules.
And say, "You guys just go off and do some work. Figure out a better way to do things, and, then, hopefully, add more people to that team over time and basically tip the scales." That makes sense from a culture change perspective, right?
But everyone gets called the same freaking thing. Everybody's a DevOps engineer, which I just go, "It's not like ... Okay, fine."
[00:32:32] Jeff: [laughs]
[00:32:32] Mark: Like, "Great new title," and same old stuff, right?
[00:32:37] Fernando: Yeah, this is, this is [crosstalk 00:33:51]-
[00:32:37] Jeff: I think those resumes and [inaudible 00:33:52] DevOps in there, and, yep. Mm-hmm [affirmative]. DevOps, Kubernetes, Docker, right?
[00:32:38] Mark: Yes.
[00:32:38] Jeff: [crosstalk 00:33:58] You have to, you gotta [inaudible 00:33:59] buzzwords. You gotta throw those in, in every resume now.
[00:32:48] Mark: Yes. You gotta be a principal, DevOps, Kubernetes, uh, engineer delivering serverless experiences for globally enabled businesses.
[00:32:58] Jeff: That, I don't know if that [crosstalk 00:34:12] would fit on a business card, but, yeah, I hear you. That's fine. Yeah.
[00:33:02] Fernando: [laughs]
[00:33:02] Mark: That'd get you through the HR scanning machine, for sure.
[00:33:05] Fernando: [laughs] My god.
[00:33:08] Mark: Okay, guys, we've been talking for a while. This has been fantastic. I got a couple questions to kind of round it out before we sign off, um, for this, and, you know, the responses online have been really good.
Um, you know, everyone's just kind of listening, which is great. I think we've been engaging enough that nobody's jumping in with, with specific questions, um, but I, I still gotta extra ... I got a couple interesting ones, a little more personalized here.
[00:33:26] Um, so, uh, Fernando, what's the weirdest problem you've ever seen, like, just straight up bizarre when you're doing some cloud work?
[00:33:35] Fernando: B-bizarre? Oh, my God. Um, the customer was thinking they could, like, bring their, like, firewall, their regular firewall to, like, AWS data center. [laughs]
[00:33:45] Jeff: [laughs]
[00:33:46] Mark: Like, physical one?
[00:33:48] Fernando: [inaudible 00:35:09].
[00:33:49] Mark: Like, like, pick up the box-
[00:33:50] Fernando: [laughs]
[00:33:50] Mark: ... and, and take it over to AWS and [crosstalk 00:35:13]-
[00:33:54] Fernando: Like, s-s-situate them [inaudible 00:35:17] starting using that as [inaudible 00:35:19] firewall there. [laughs]
[00:34:00] Mark: That's, that's one way to think about shared responsibility.
[00:34:03] Fernando: [laughs]
[00:34:03] Mark: Um, okay. That's, that fits the bill, my friend. Uh, Jeff, got any weird ones?
[00:34:07] Fernando: [laughs]
[00:34:09] Jeff: I don't know about weird as that one. Um, [laughs] that's pretty good, but-
[00:34:13] Fernando: [laughs]
[00:34:13] Jeff: ... what I was gonna say is, uh, I was wor-, I remember working with a large MSP, and they were trying, they were migrating all of their appli-, 'cause I, their customers, I should say, to the cloud, so everything's on-prem, but they're trying to move everything totally for all of their customers.
And they, you know, we, we started talking about how to do security and how to get the security updates, you know, through their systems using all of, and they, all of this traffic from all of their customers' on-premise sites to flow through a single server, server, like physical server, to the cloud-
[00:34:55] Mark: Whoa.
[00:34:55] Jeff: ... to a, like a public cloud provider, and so they're-
[00:34:59] Mark: Wow.
[00:34:59] Jeff: We're talking thousands of customers here that ... So, they said, "Well, we wanna redesign this, and we wanna have this physical server.
We wanna put your, you know, security relay on that server, but then also that, that thing's ever need [inaudible 00:36:35] the relay for all traffic to the public cloud," and it's like, "Okay."
[00:35:17] Fernando: It's like a router.
[00:35:17] Jeff: Uh-
[00:35:17] Fernando: [laughs]
[00:35:17] Jeff: ... yeah. That sounds like it must be one heck of a server. What does a physical server do now? So-
[00:35:25] Mark: And just one?
[00:35:25] Fernando: Wow.
[00:35:26] Jeff: That was, that was, that was, yeah, one, one physical server at every location is how they wanted to do that.
[00:35:31] Mark: And, I mean, there's always weird stuff [crosstalk 00:36:57] out there, right? Like, I, so I joined Trend, uh, seven and a half years ago, and before that, I was with the Canadian federal government, um, and there was always something you found somewhere and just went, like, "What series of decisions led you to build this?"
[00:35:49] Jeff: [laughs]
[00:35:50] Mark: Right? And, inevitably-
[00:35:51] Jeff: [laughs]
[00:35:51] Mark: ... you can kind of track it back and go, "That kind of makes sense, but, like, wow." Um, okay, last, last question then. I'm getting a little more personal, but not bad. So, out of Azure, GCP, AWS, uh, Fernando, what's your favorite cloud service?
[00:36:05] Fernando: GCP.
[00:36:06] Mark: Okay. Is there a specific service in GCP that you like to use, or what, what brings you to GCP?
[00:36:14] Fernando: The simplicity from there.
[00:36:17] Mark: Yeah.
[00:36:17] Fernando: Uh, the deep, uh, [inaudible 00:37:47] configuration that you can have through the networking side, and, uh, couple very, like, high in, uh, performatic, like, solutions, like, for example, machine learning, uh, the voice control system, uh, and couple example, another layer was trying to create, like, a new app or, like, a Google Home and took me, like, uh, four or five hours to do the one, and AWS took me a little bit longer-
[00:36:46] Mark: Mm-hmm [affirmative].
[00:36:46] Fernando: ... but, like, in, uh, GCP is much easier for a couple things. Like, AWS has a huge, like, uh, number of, like, solutions, but, like, for example, [inaudible 00:38:27] GCP, the ones that they try to focus, they do, like, very, very, very in [inaudible 00:38:33].
[00:37:04] Mark: Fair. Okay. Jeff?
[00:37:06] Jeff: [crosstalk 00:38:38] I have to say, uh-
[00:37:06] Mark: Don't let the fact that you're sitting in a Microsoft event bias your answer.
[00:37:10] Jeff: All right. That's why I was looking if there was anything behind me that, that's Microsoft or Azure anywhere.
[00:37:15] Mark: [laughs]
[00:37:16] Jeff: But I don't have to answer, so, I mean, I'm gonna go with the fan favorite. I'm all, I'm AWS. I'm all in. Um, if I had to pick a specific service, uh, Cloud, uh, CloudFormation, all day.
[00:37:28] Mark: Interesting. Interesting. [crosstalk 00:39:04]-
[00:37:30] Jeff: I can build up a entire environment, uh, with a script that sometimes are CloudFormation, uh, simple that's handed to me, I can just click next three times, and I have an entire environment set up. I mean, you can't beat that.
[00:37:41] Mark: Yeah. Fair. Totally fair. Um, it's funny. I, I keep, I mean, I'm an AWS Community Hero. We at Trend have partnered with AWS, to GCP, with Azure. Um, we deal with all three regularly. I tend to go service by service.
So, like, in Azure, I love Cosmos DB, right? Just don't care what it is. Shove data into it and get back what you want. If you wanna create, like, a graph database, have fun. You wanna create, like, [inaudible 00:39:39] base, okay. Um, GCP, I love the thing that annoys everybody the most, um, which is the, uh, the fact that everything's off by default, so, like, you have to go in and enable each API, right?
Guess that ... From a security perspective, I'm like, "That's awesome." You can't mistakenly fire something up because your account literally won't let you. Right?
[00:38:22] And then, in AWS, I just love the fact that I get so much, like, cool new stuff every year, um, because I think they move faster at this point 'cause they, you know, different philosophies, right?
They put it out there when it's super early, um, so we get a ton of stuff, and, like, I've got a DeepRacer car next to me here that I got to crack open this week for fun, um, you know, and that, I, there's advantages to all of them, I think. It's interesting.
[00:38:40] So, um, great, fantastic answers, guys. Um, this has been a fantastic discussion. Um, we've had, uh, people tuning in from all around the world, uh, from Mexico, Saudi Arabia, um, India, Nigeria. Um, it's been really great to see the response, um, lots of good support.
This is the first of many of these coming up. Um, I think we've got six, uh, so five more on the books right away. Um, somewhere in there, um, you know, we'll have, uh, you guys back on the show at some point for sure. Um, thank you for joining us today. Um, very much appreciate it.
[00:39:08] Uh, Jeff, good luck at the, uh, the rest of Ignite. Um, if anybody's around Ignite, uh, head down to wherever, uh, Jeff is and hand him a coffee, um, 'cause he's gotten through this-
[00:39:16] Jeff: [laughs]
[00:39:16] Mark: ... entire thing without one.
[00:39:17] Fernando: [laughs]
[00:39:17] Jeff: I have a session in an hour, too. Yeah.
[00:39:19] Mark: Oh, okay. What's, uh, hey, give a quick plug. What session are you giving in an hour?
[00:39:27] Jeff: Uh, it's, uh, we're basically talking a little bit of what we were going through just in the talk here, so we're talking about automating, uh, applications deployment, uh, [inaudible 00:41:23] build and run time security control.
[00:39:37] Mark: Awesome. Very, very cool. So, if you're at, if you're at Ignite onsite-
[00:39:40] Jeff: Theater 8.
[00:39:41] Mark: What is it? Sorry.
[00:39:43] Jeff: Theater 8.
[00:39:43] Mark: Theater 8. Go check out Theater 8, um, in an hour or so. Um, hopefully, that's when the actual time is. I know when I have been asked on the spot, sometimes, I can't remember the title or the time of the talk, um, but Jeff's a fantastic speaker.
Definitely go down, check him out. Uh, Fernando will be flying around the world somewhere, so take a look up and wave-
[00:40:00] Fernando: [laughs]
[00:40:00] Mark: ... as he passes your, uh, your city, I'm sure. Uh, gentlemen, thank you for joining us. Uh, everybody, tuned into livestream on LinkedIn, uh, on YouTube, and on Twitter, thank you for joining us.
We will be pushing it out, um, again, uh, the, ahead of time later this week to tell you what the stream is next week. Um, keep the questions coming. Uh, thanks again, guys. Have a great day, and we'll talk to everybody soon.