Security Unfiltered

A Deep Dive into IAM and Cloud Security

December 04, 2023 Joe South Episode 133

Are you prepared to redefine your approach to securing the public cloud? Join us for an enlightening discussion with Jeff, an InfoSec veteran, where we unravel the intricacies of securing public cloud-native platforms. As we step into Jeff's career of over two decades, we explore the world of cloud security and emphasize the role of cloud providers and the necessity for a shift in our security approach. 

We have a powerhouse guest from Sonrai, who gives us a detailed inside look at the complexities of identity and access management (IAM) in the cloud. We tackle topics like the risk of maintaining multiple admin level accounts, the urgent need for visibility and clean-up, and how companies like Sonrai assist in addressing these challenges by identifying and eliminating unused identities. As we journey through this episode, we also touch upon the concept of least privilege and proactive measures to protect against potential cyber threats. 

We're not all business and no personal growth. In this episode, we also share our experiences with overcoming imposter syndrome, the value of certifications in the job market, and the crucial role of headhunters in the InfoSec industry. Finally, we take a glimpse into the future of IAM in the cloud and its role in a cloud-native world. This episode is a must-listen if you're interested in rethinking your cloud security strategies and gearing up for a successful career in the ever-evolving world of technology. Strap in for an information-packed episode that promises to leave you with fresh insights and effective strategies.

Sonrai Security
Sonrai prides themselves on being able to reveal every over-privileged identity and all paths


Speaker 1:

How's it going, Jeff? It's really good to finally have you on the podcast here. You know we've been trying to put this thing together for several months, but then you know it's just one thing after the other in both of our lives that you know randomly comes up like 30 minutes before we're going to do it.

Speaker 2:

I know, I know, the stars have finally aligned, Joe. It's good to finally, you know, make it happen. So glad to be here.

Speaker 1:

Yeah, definitely. Well, I'm sure we're going to have a great conversation, you know. Hopefully it'll be valuable to some people out there.

Speaker 2:

I hope so. I hope so. It's an interesting world that I live in daily, that you know. Hopefully we can get a couple of nuggets out there that are really helpful, just based on what I see day to day with this world of insane access and privilege risk in the cloud.

Speaker 1:

So oh man, I can talk about IAM forever, but you know, before we get into the IAM stuff, you know, Jeff, why don't we start with what your background is, why you got into IT, why you got into security, what that journey was like. Was it faster than you expected? Was it slower than you expected? What was that like?

Speaker 2:

Yeah, so I've been in InfoSec now for a little over 20 years now. Yeah, and I've been in IT since '99. And it's interesting, you know, I went to college here in Atlanta and I got a degree in human resources. Joe, it is the last thing that you would expect with what I've been doing the last 20 plus years, but I quickly realized after I went to business school that that is not what I wanted to do full time. I was really a nerd at heart and ripping apart PCs since I was, you know, since the early nineties, logging into BBSes and all that crazy stuff using Gopher and all that. You know, the stuff that really, really dates me as I talk about it now and think about it. But I was like, you know what, I want to get into tech. That's what I really want to do. And back then, like one of the big training centers all over the world was called ExecuTrain and I went there and got my A+ cert back in '99. And they saw I had a passion and they offered me a gig. They were like, do you want to? Just, you know, a job here setting up classrooms every day? And, Joe, that fast-tracked me through the whole, you know, NT4, MCSE and you know setting up 13 Microsoft classes a day. You'll learn real quick, right, and so that's how I got into IT. And then I got into information security at what many think is the original Internet security company, which was Internet Security Systems here in Atlanta. And if you look at it today, there's hundreds of InfoSec companies that have spun off because of ISS back then. So that's really where I just dove straight into InfoSec and I've been doing that ever since.

Speaker 2:

And you know I was focused on on-prem infrastructure security for many, many years, like I'm sure you were right, like we all were, through the early 2000s.

Speaker 2:

And then I left Cisco around three and a half years ago, where I was leading, you know, a team of sales engineers, to come over to Sonrai and focus on public cloud security full time. And Joe, holy cow, was I humbled. I thought I understood the public cloud and I thought I understood how to secure it when I was at Cisco, because of infrastructure as a service and monitoring flow logs and protecting VMs. I had no idea about what was happening at the platform level in these cloud service providers, and so that's what I've been focused on the last three and a half years. It's what I do day in and day out, and you know I consult, I, you know, teach customers how to build, you know, a platform security strategy focused around access and privilege, and so that's what I do full time, and it is a challenging, challenging world that we are trying to protect now as it relates to cloud native, and so I'm sure we'll get into it here, as we, you know, continue the conversation.

Speaker 1:

Yeah, absolutely, you know, the cloud. I always tell people that, you know, cloud security is like that graduated level of security. You know, you need experience in several other domains, you need to be deploying technology in those domains before you start jumping into cloud security. Because, you know, cloud security, you can't walk over to a server and unplug it, right. You can't walk over to a server and console into it. You know, like that stuff doesn't exist, and a lot of people, you know, their initial response would be like, oh well, that's a problem on the cloud provider. It's like, these contracts are written very differently. It's so true, and the cloud provider is like, never.

Speaker 2:

That's a great point, because a lot of what I do nowadays, Joe, is I relate the public cloud situation to the world that you and I both came from and so many of the folks listening, right, securing data centers and colos and hardware, and you know, rack and stack and servers and routers and switches and dealing with core and access and distribution issues and firewalls, right. And you know what I liken it to, you know, as far as the world that I see all the time, is, it's almost like you built a data center, right, and what we do when we build a data center, we fortify it, right. We put in our firewalls and we build our DMZs, then we build out our different access layers and it's all zoned and segmented, right. That's just what you do. It's not a nice to have, you got to do that, right. But when we plug in here at Sonrai, when we plug into customers' environments, it's very interesting, to put it gently, because everything's flat, everything can talk to everything in so many scenarios, and it's just because organizations, just like you said, they were thinking, well, the cloud provider is going to take care of all that for me. They're going to secure it, they're going to segment it. They're going to zone it. Each little thing that I provision, each little resource or microservice that I provision, it's going to be in its own little of and again, to liken it to the network days its own little broadcast domain, okay, where it can just talk to itself and maybe, if I tell it to go talk to something else, that's great.

Speaker 2:

But that's not the case, right? And so they're just not aware that they really need to be thinking of securing the public cloud the same way that they do on-prem. That you really, really got to be thinking about segmentation. But in a cloud-native world, when we do the segmentation, is it layer three, layer four? No, it's at layer seven, it's at the application layer. Right, it's abstracted through the access fabric. That's how everything lives, breathes and communicates, is through the, you know, like you said, IAM. But you got to start thinking of IAM like a network, because that's what it is, and so it's so true when you relate it to something that they're very, very familiar with, all of a sudden, you know, folks' eyes open up.

Speaker 1:

Yeah, it's a really good point. You know, at my current organization, right, I wanted to, you know, create a resource that I could reach out to the internet. It's in a dev environment, you know, because I was trying to test something right, and the entire dev team that owned that entire function was like it's impossible, you're not going to be able to do it. We're not turning off this rule. That auto, you know, removes it, all these things, right, I was constantly told it. I was like, guys, I'm going to get around your rule. Like I'm getting around it. You know, like, whether you like it or not, I'm getting around it. I know what I'm doing. I'm sorry, like I know that you've spent, you know, five, six years in the cloud and whatnot, but I know how this thing works.

Speaker 1:

I don't get these certs by not knowing how this, how AWS, works and you know sure enough, right, I got through it. And then the next thing that they're complaining about is I'm firing off a lot of alerts, like, okay, I'll just bypass your alerts.

Speaker 2:

That's not a problem. Yeah, well, I think that, you know, back in the days of the on-prem world, you know, everything was, you know, the IT staff. They could do that. They could, you know, manage everything through very, very specific, finite ingress/egress points, right. And if you wanted to do something to test, you had to put in that change control request and you had to, you know, you were at their mercy. But now, you know, Joe, if you want to go do that, just go do it, just go build it. I mean, in the cloud there's not, you know, one or two ingress/egress points, there's thousands. I think it's fascinating, I think it's absolutely fascinating, Joe, that if I want to log into your cloud right now, all I need is a cred, right, and my laptop right here. So technically, my laptop right now is two commands, aws configure. It's two commands away from being dropped dead in the middle of your cloud. That's fascinating, right.

Speaker 1:

Could you imagine if, like AWS had a you know some bug that bypass their login? You know, like you were able to just do it via the console or something like that. You, if you, just if you guess the account number right, you know you're in the account, whatever it might be. I always think about that because it's like man, we're putting a lot of trust into this thing to not fail, and it's created by people like me and you know I'm not the smartest person in every single area, like I'm a little dumb here and there, you know.

Speaker 2:

Yeah, it's fascinating. I mean, it bypasses all of your security measures, right. All I need is a cred and with one command, with the, you know, the AWS or GCP or Azure SDKs, with my laptop here, I'm just dead center in the middle of your cloud. It doesn't matter what you've got protecting it at the perimeter, and so that really, I think that's what fascinated me when I started to learn about identity risk, is how quickly you could be in the hub of a customer's cloud environment, regardless of what they've done to protect the spokes that they think are the entryways. I mean, they are entryways, but more and more often, what, you know, you and I are seeing now in the market is that folks are just logging in, they just log right into the center of your cloud, and that's where things get really, really hairy.

Speaker 1:

Yeah, it's a really good point. From a cloud engineer slash architect, my biggest problem is IAM by far. You know, it's IAM, trying to manage the roles, right, what roles we have, what accounts we have, what services are using what. It's a pretty close to impossible task without a solution that is dedicated to it. You know, it's really frustrating. The most frustrated time that I've ever been was when I was working in IAM on-prem. That's when I used to have hair. It's terrible, you know. It's like, it can really make your day very difficult or it can make it relatively smooth, right. I feel like it's just like up to the power of that IAM service, or whatever it might be, is like, are we going to have a good day or are we going to have a bad day?

Speaker 2:

Yes, yeah, and it really is daunting. You know, I recently heard a term that just resonated so well with me. I heard it, I just came back from, this was in September, but it was in Seattle, Bellevue, right, and hosted by the Cloud Security Alliance, and I heard a comment that just really, really resonated so well with me, and it's that you've got to be thinking about cyber garbage, identity, identity, identity litter. Think about that. That's what we're up against, is, like you said, you know, IAM.

Speaker 2:

When it does work, it creates all of these personas, these usually non-person identities, which are vast and vague as to far as what that constitutes. Right, but it's just as equally, if not more, dangerous than a person identity. But projects come and go, priorities change, life turns over, for whatever reason. Right, attrition, and what's left is identity garbage, identity litter. Right, but it is scary because it has rights to go do things right.

Speaker 2:

All it takes is an access key associated with a role or token or someone getting a cred out of, you know, GitHub or, you know, S3. It's still happening, right. Global exposure is rampant, still. So you have all of those different kinds of vectors that are just sitting out there, hundreds, if not thousands, that you just don't know about. Like you said, if you're not intentional about it, if you don't have a tool that's designed to go crawl and map it all out and figure out what's out there, what can it do and what can it access, then these are all things that you're blind to, but they're all entry points straight into the heart of your cloud. It doesn't matter how much vulnerability scanning you do or, you know, which compliance standard you're adhering to. None of that matters, Joe. Throw it all out the window when someone grabs one of those creds and uses it to their advantage. So really, you've got to be intentional about understanding what's out there, right, and cleaning it up, getting rid of the litter, getting rid of the garbage, and then governing it moving forward.

Speaker 1:

Yeah, it's a great point. You know it's hard to fathom the scale at which you can create thousands of IAM accounts and roles in your environment. And I'm in this thing, right, I do this every single day. It's even difficult sometimes for me to imagine it, and you know so. I work for a large automotive manufacturer, right, you can easily guess whichever one it is. I'm not going to say any more than that. But you know, we consume cloud services almost as a service, because our parent company, the one that owns us all, negotiated the contract with the cloud provider and kind of offers up these services as a service to us, right? So they're building out our cloud tenants, they're giving us a blank template right to work with and they have their own controls around it. And their thought, you know, I was talking to these guys and they said well, how bad can it really get? Right, we're not giving them everything. Why do they need to create all this stuff? They literally said I bet they won't need that many IAM accounts or roles, right, Because we're giving them the template.

Speaker 1:

And very quickly, within six to 12 months, we were at 200,000 accounts, 200,000 accounts across our tenants. And how do you expect that? How do you have a solution that manages that? You know, when I was doing IAM on-prem, we were dealing with 42,000 accounts and we had maybe 2,500 employees. Each employee had five accounts. Most of them didn't even know that those five accounts existed, and so, like, we had a lot of dead accounts, right. So, like, if you really factor that in, we're probably at, like, you know, 10,000 accounts, right, 10,000 actual user accounts that are being used. This is 10-20X that.

Speaker 2:

It's insane, it is. It is. You're talking about a very person-oriented landscape. I would venture that for every one person identity that we at Sonrai see here in customer environments, there's 10 non-person identities to go with it. That's what's really, really fascinating is the explosion of NPIs. We call them non-person identities, and they are roles, service principals, managed identities, access keys, tokens, things that grant access and privilege to go do things, but they're not as simple to understand as, hey, we're just going to create a user account. It's NPIs that we really, really have to be thinking about.

Speaker 2:

The other thing, Joe, is, it doesn't matter if it's a user account or a non-person identity. You've got to be thinking about the permissions on them, right? It's not just, hey, we're going to go create an account that lets you go do things. You've got to be thinking about the excessive permissions and entitlements on these things and treat that as risk as well. Not just thinking about cleaning up things that are orphaned and abandoned, but the things that we do need for the applications to run. There's a concept that is growing, thankfully, in this industry, of least privilege. It's a holy grail. Can we get to least privilege? I don't know if anyone's ever going to truly get to least privilege, Joe. That's like saying you're going to fix every vulnerability. You're never going to fix every vulnerability, right. But if you understand which identities mean the most to the business, then you can focus on at least getting them to least privilege so that if and when someone does get in, they can't go wreak havoc in your environment.

Speaker 1:

Yeah, getting to a full least privilege state. I mean, the only way that you do that is if you started from the inception of the company.

Speaker 2:

That's literally the only way that you, you got to build it into the development process too. That is a lot easier said than done, my friend. When we plug in, everything's already out there. Everything's already living and breathing. The litter and garbage is out there, but in a greenfield environment, oh my goodness, how cool would it be if you built least privilege into the actual development process. That's something that we preach here at Sonrai, is being able to do that, so that when you do push to production, you've already removed all that nonsense. You've got to have a lot of cooperation and collaboration with the development team, though.

Speaker 1:

Yeah, that's very true. You have to have everyone on board. When you were starting out or even throughout your career, did you ever feel like this isn't a fit for me? This is too far above my head. I don't understand what's going on here. They surely hired the wrong person. I asked that because I started in IT, I guess technically, in high school. I didn't know anything. I knew how to plug in the USB and install whatever was on it, that's it. But as I went through my career, for instance, one role was nothing but Linux. I might as well have Linux on my laptop that I was using for the job. That's how much we used it I felt like I was not a fit for that role at all, by any stretch of the term. I asked this question because I actually get a lot of questions about that. I feel like I don't know enough, this isn't a fit for me and whatnot. I feel like it's more about time and you putting in the effort than anything. It will eventually come. I'm wondering if you experienced that as well.

Speaker 2:

I did. It's a great question. It takes me back. It takes me way back when I left that training company and got my first network admin role. It was at a company called Dice.com, which you may have heard of. I don't even know if they're still around, but it was like the IT job site back then, before Monster. I was their network admin for their training division.

Speaker 2:

I will never forget being given the keys to that server room and looking at all the routers and switches and the firewalls and everything. They're like, okay, it's all yours. I was like, okay, I may have bitten off more than I can chew. I don't know the first thing about any of this stuff, as far as the routers and switching, all of that. I could administer Windows till the cows come home. But I'll never forget, we had an outage. I had to deal with the PIX 506 back in the day, if you remember what a Cisco PIX was. It predated the ASAs. I started with the ASAs. Yeah, I will never forget. We had an outage and luckily there was a senior administrator who got on the phone with me and walked me through the crypto map statements and all that ISAKMP stuff, if you remember.

Speaker 2:

I did not know what I was doing. But I really, really I felt over my head a little bit of imposter syndrome, if you will, but I was humbled enough to not be afraid to ask for help. I think that's the key is that I realized you know what I can do, this, I can be successful at this if I don't act like I know what I'm doing, if I'm able to say you know what, I'm not an expert at this, but if you can show me I can take this and run with it. I think that that was a big, big turning point in my career is not being afraid to ask for help, not feeling like I have to be the smartest person in the room or anything like that. But then you got to do the hard work. You've got to actually apply it so that you really do understand the next time it comes around.

Speaker 2:

You're not asking that same person that same question. Can you come in and do it for me, as long as you prove to someone that you're learning, that you're listening, that you really really do care. I found that folks really want to pour into you. They do. Folks love teaching other people things as long as you're really listening and absorbing and being appreciative. I think that was one big thing, right, so that in fast forward to today, I look at how often that has helped me out in my career, right. Or I'm not afraid to say, hey, you know, you're really amazing at this, is there a way that you can mentor me, right? And so I just I think that's it Be humble, don't be afraid to ask for help and be appreciative. It really it's amazing what people will do for you If that's what you do.

Speaker 1:

Yeah, I think that's a great point and that's definitely something to keep in mind too. You know, when you're going through these different roles, like you're not going to know everything, you know, and even on this podcast, right, I recommend that if you fit 50% of the job requirements in a posting, that you should be applying to it. You know, because if you're at 50%, I can teach you the other 50%, right, and yeah, it may be a faster-paced environment and whatnot, but we can get through that.

Speaker 2:

When it's.

Speaker 1:

when it's less than 50% it gets a little bit more difficult because it's like, all right, you don't have the foundation that we need to build this thing, Right? I've got a comment on that.

Speaker 2:

So, you know, I've done a lot of hiring over the years as I've led sales engineering and even post-sales tech support and TAM teams at various companies, and you could not be more right, Joe, about, you know, the 50% rule. What I want when I'm looking at folks to join our team is passion, right? Obviously, personality, right? Does this person seem a great character? Do they really seem genuine? Do they really have an interest? Is there a path? Is there a drive? Right? I can teach you the other 50% from a technical perspective, if you can bring 50% to the table.

Speaker 2:

And what we've started doing, and what I've started doing in my career, because there is such a tech skills shortage, especially in the area that you and I live in, is, if I can give you a project, I'm going to give you a week. Right, go build this lab out in AWS and I want this lab to do X, Y and Z. And what I want is, in a week we're going to circle back on a Zoom or whatever and I want you to walk me through how you built the lab. But I want you to show me which resources you used to learn. I want you to show me that you can go figure it out and that you are.

Speaker 2:

You know that you're creative, that you're a problem solver. I don't care that you didn't know this a week ago, but if you can go learn this and explain this to me and show that you can do it in a week's time, that's all I need to know Because we can work with that Right. And so I think that, absolutely, if you've got like 50% skills or whatever and you know there's another half that you're not, don't be afraid to go for it and take a shot and, heck, offer it up. Say, give me a chance to prove myself. I think you'd be surprised at what hiring managers will do when they see that level of energy and an intent from a candidate.

Speaker 1:

Yeah, absolutely. You also got to be taking copious amounts of notes. I found throughout my career when I was learning different things, I mean even now I'll take a bunch of notes. But when I was learning, not knowing or not even having the background in an area, I had to take an insane amount of notes. It was an embarrassing amount of notes. If you looked at my, I think it was like notepad or whatever it was. I mean, you could scroll on that thing for like five minutes, right. But in doing that you become a very valuable resource, because not only are you experiencing it, you're taking notes on it. Those two things reinforces it in your mind and from that you turn into an internal resource for that company.

Speaker 1:

In a certain area For me at this company, it was security. Whenever there was a security problem or anyone asked about security, it was immediately just go to jump right, he's the only one that spent any sort of time with it. That's for engineers, that's for developers, that's for the architects, like that was for all of them. And I was like the lowest man on the totem pole, right. Well, I got there because I took a huge amount of notes and I got to encountering these stupid problems, and so I was forced to learn it. I had to learn it, otherwise I was going to lose my job, right, and I think taking notes absolutely helps, especially when you're starting in a new role.

Speaker 2:

It does. It shows you're listening the cream of rice to the crop. And for all of us, I think, at this kind of the level that you and I are at in our careers I mean, we started, like I started, in tech support level one right, you got to start somewhere and your work will speak for itself, right, if you are passionate and if you, like you said, you take notes, you pay attention, you show that you want to just kick butt at the role that you're in. The work will speak for itself, people will notice and it will open the door for new opportunities for you. Absolutely Right, and it's just, you got to work hard in the beginning, right, and it will be noticed.

Speaker 1:

Yeah, absolutely. I think, a part of working hard I feel like some people are worried about that being noticed part, you know, they feel like if they put in the work, they put in the time, it's going to be for nothing. You know, I think that that's the worst. That's the worst feeling for anyone to feel. You know, when you're putting in the hours, when you're doing the work, and you're still not getting the job, you know you're still not meeting the bar, right, how do you keep going?

Speaker 1:

And, to be quite honest, even with this podcast, I have felt that at times, you know, like I'm doing these episodes and I'm putting all this time into it, I'm learning how to edit, you know all these different things, right, and it feels like, oh, nothing is coming from this, it's going nowhere. I'm putting my time and effort into something that's not going to help me in any way. It's almost like, you know, the universe, right, shows up, just gives me a little nugget, like, oh, you didn't think that this would ever happen and it happens. You know things like that, it's a grind, it's it is, it's hard, there's no way around it, unfortunately, yeah, it's true, but I mean, that's how life goes.

Speaker 2:

Yeah, right, you got to fight for anything worth having and it's not going to come easy and you're going to have to stick it out. And, you know, like you said, that's happening with the podcast and tap with me in my career. But I will say this also, you know, by the way, I'm not known for having a great filter. I'm known for being overly transparent at times, right? But guess what? If it's not working out for you, if you're working your butt off and it's not being rewarded, if they're not noticing, right, and you think that you've done the things that you need to do to be noticed, then don't be afraid to make a change. I'm serious, don't be afraid. Don't think that you're stuck in this rut and that there's not any options out there. Don't be afraid to put yourself out there to see if there's other opportunities that could be rewarding, right? And I think that that's kind of what fascinated me so much about coming to Sonrai from Cisco. You know, like I said I was, because there's a reason that Cisco is the number one company in the world to work at. It's fantastic, you know, I just so tell me friends over there and everything. Maybe one day we'll all go back to work at Cisco, right?

Speaker 2:

That's not really the point of the conversation here. The point is that I wanted to try something new. I wanted to try something adventurous, right, and Sonrai gave me a great opportunity to do that, right. For, you know, back then it was a series A startup. I took a big risk, right, and Sonrai is a fantastic place to be now. But, you know, the point is that if you feel like you're, you know, like you said, not getting rewarded, if you are working your tail off and you don't see a trajectory, then stand up for yourself and make a change. Don't be afraid to.

Speaker 1:

Yeah, it's a really valid point. You know, and I don't want to, I don't want to linger on this topic too much, but I think that this story will help someone out there for sure. You know, I have a good friend that I worked with at a financial firm and you know he was very content with his role, with his company, everything like that. And the management didn't believe in him, you know, because they paid for him to get a certification, like two times, and he failed the test, you know, not for lack of trying, it was just a really hard test that he was taking. And so they told him hey, we're never going to fire you, but we're never going to give you a raise. You're going to get the same bonus. You know you're on out, you're going to be in the same role, you're going to be doing the same sort of stuff. You know you're not going to lead a project or anything like that.

Speaker 1:

And you know, he worked with all of his friends. For him, he values, you know, friendship over everything else, and he stayed in the job for 25 years and this year he got laid off, and he never took the time to develop his skills, he never took the time to invest in himself or anything like that. You know, when I was there I told him, I was like, dude, if they ever lay you off, you're going to have to completely reinvent yourself, because the skills that you have are so outdated at this point no one uses the stuff that you're familiar with. They only have it here because you're here. They keep you busy with that stuff. And now he's in this year-long journey of figuring out what he wants to do, doing some soul searching. You know, it's like, do you really want to be in that situation when you're 10 years away from retirement? I mean, this guy is 10 years away and he has to reinvent himself. That's the time to coast, in my opinion.

Speaker 2:

I'm sad that that's becoming a very frequent occurrence, I think, right now, especially in this current economy, and, like you said, if you're not in a position to have to put yourself out in the market to be relevant, then I think you're doing yourself a disservice.

Speaker 2:

Maybe you won't ever have to, hopefully you won't ever have to be in that position, but if you are, I think it's crucial that you have skills and can not only talk the talk but walk the walk with modern technologies, especially the cloud. I mean, there's such a shortage of folks, whether it's on the vendor side or on the business side, that don't understand how the cloud works. You know, and in this world that I'm in, if you don't understand infrastructure as code and Terraform and CloudFormation and how things like, you know, we're talking about IAM roles and how all that works, then you're gonna have a really big uphill battle trying to market yourself to companies right now that are looking for folks to secure their networks, or vendors that are looking for folks to sell their products, right, because everything has a spin now that's cloud native. So I think it's crucial that you go ahead and get ahead of that.

Speaker 1:

Yeah, it's a great point. You know, with the cloud, and I didn't know this until pretty recently, you know, one of the gold standard certs out there, especially for the cloud, is the CCSP from ISC². At least in my opinion it's a gold standard. You know, it's gonna be what the CISSP is known as, you know, kind of that gold standard cert. And I figured, okay, you know, I'm one of a million that's got this cert. You know, whatever it might be, you know, I figured I wasn't an outlier by any means or anything like that. I looked it up and in North America there's only 5,500 people with the cert. 5,500. There's a whole lot more than 5,500 companies in North America. Right, and it's not because, like the cert, yes, the cert is extremely difficult. That test was, like, probably the second hardest test I've ever taken, you know, next to the AWS cert that I got that I unfortunately have to renew pretty soon here. I'm not happy about that.

Speaker 2:

Is it the solutions architect?

Speaker 1:

No, it's the security specialist one. Yeah, okay.

Speaker 2:

I just, I unfortunately, I let my solutions architect expire, but I was supposed to renew it this time last year and I'm like, I'll get around to it, and I still have it. But to your comment on the CCSP, I agree. So I'm a CISSP and to this day I've always said that's probably definitely one of the hardest tests I've ever taken in my life. So I can imagine what you went through for the CCSP, because I don't have that, right. But I agree that, like, that is very, very telling that there's only 5,500 CCSPs in America right now, because that's just very indicative of the shortage I was referring to.

Speaker 1:

Yeah, it shows you too that if you put in the work, you know, when you get these certifications, right, there's opportunity available. You know, I think the last time I checked there was a shortage of something like 5 million jobs in North America, or maybe that was worldwide, right, 5 million security jobs, where there's literally more openings than there are people in the field. You know, that's why security professionals are always at 100% employed. Right, when we change jobs, we're taking two weeks off. It's not because we were laid off or anything like that. Like, I had a buddy that was laid off at the beginning of the interest rate hike because we were at a very interest rate sensitive company. He was laid off and I mean, the guy took a two week vacation and he was back at work at another company.

Speaker 2:

Like, that's what I was. You know, it's interesting. One thing I want your audience to hear too is, and this is something I learned when I came to Sonrai, is don't be afraid to talk to a headhunter. Yeah, you know, that's the whole reason that I came over here, was because a headhunter approached me. I was super apprehensive. I'm like, I've never talked to a headhunter before. I just go to a company's website or it's a friend that gets me an in or something like that, you know, through the network. But don't be afraid to talk to a recruiter, because it opened my eyes to this whole world.

Speaker 2:

Joe, I didn't know it was out there where companies actually exclusively work through recruiters. They're not going to post jobs all the time on their websites, right? So if you've got a recruiter, and trust me, you know, it's like one of those accident attorneys, they only get paid when they get you hired, so it's not going to cost you anything, right? But they're experts in marketing you and they have ins at all these different companies where they can market your skill sets, right? So it doesn't matter if you're kind of, you know, like you said, entry level, you don't have all the skill set, or if you are recently, for whatever reason. I mean, this is an economy right now where, you know, RIFs and LRs, we're seeing that more and more commonly, unfortunately. Don't be afraid to talk to a recruiter, because it's amazing, you know, kind of the doors that they can open for you.

Speaker 1:

Yeah, it's a really good point. You know, I've actually explored partnering with some recruiting firms that I've used in the past, that I trust, you know, because I've had really bad experiences with recruiters and I've had average experiences with recruiters, and then these couple that I use, they're just superb, they're head and shoulders above everyone else. You know, like, it's a huge difference, right, and so I'm actually looking to kind of provide that full suite, right, for my listeners, where they get that idea of, hey, maybe I should talk to a recruiter, well, who does Security Unfiltered recommend?

Speaker 2:

Yeah, well, I've got some folks that I have grown to really, really respect and love and work well with over the years. That's, you know, maybe offline, you and I can exchange those contacts or whatever. But that's another thing. You got to find a good one. Yeah, right, you got to find one that actually has the relationships, the connections.

Speaker 2:

But there's oftentimes, where, you know, there's infosec recruiters specifically. Right, these infosec recruiters have got ins with big companies. I'm not going to say who, but they've got ins with big companies where they feed them really well qualified, better candidates. Because I'll tell you right now, you know, if you post a job on LinkedIn, I've been there, done that, you know, you'll get 500 applicants within two days and it's all, you know, God bless everyone, but, you know, it's mostly career changers and folks that really just, they need to be vetted, right, and what happens for us on our side, on the hiring side, is that we can't filter through that, it's not manageable, right? So we really leverage the recruiters to filter and do that initial screen for us, to give us, you know, a decent set of candidates that we can talk to.

Speaker 1:

Yeah, that definitely makes sense. You know for why you would use it. They have that in and they're able to sell you typically a whole lot better than what you would be able to from an external perspective. Just to circle back right to the cloud, when we're talking about cloud IAM, a lot of people kind of still have that legacy IAM perspective going into it, and I know I had that perspective too of you can have service accounts, you can have user accounts. You can also have accounts that are used only for service to service talk or user to service talk. You know there's so many different variations. How in the world do you keep track of it all?

Speaker 2:

How do you stay on top of this? Yeah, I mean, listen, it's interesting, like you're talking service to service, et cetera. I mean, you know, like, let's just say that we recently were working with a customer, we found 100 admin level accounts. When we say accounts, we have to be careful, we're talking about identities. But we found another 900 that had, in AWS, IAM PassRole privileges. Wow, well, what's that mean?

Speaker 2:

It means that the other 900 with one command could give themselves full admin rights. So essentially we've got 1,000 administrative level accounts. Well, what does an administrative level account mean? It means it has star permissions. It doesn't have permission to go access one service. It has access to go access 150 services and delete everything that you've got in them if it's used nefariously. That is frightening, that is frightening.

Speaker 2:

And so that's where we, and I don't wanna make this too salesy, but that's what I do, that's what we do at Sonrai, is we come in, we plug in, we illuminate everything, we give you visibility into these orphan things and things that aren't used anymore and just identities that you didn't know about at the admin level and all the other levels that you just did not know about, and then we help you clean it up, right. There's a method to the madness here. It's very strategic. This is what we do. We've learned a lot about this landscape over the years and we help you remove everything that's out there that's not used. We figure out, is it used or not, and we help you get rid of it. Just remove it with a single click in the product. That's massive for making a dent in that risk landscape, Joe. And then with what's left, that's what's there running, that's what's needed. So what we'll do is we'll figure out how to right size each one of those things, right, and that's the whole least privilege thing that we talk about so much. You do your best, and the way that you do your best is that you focus on the identities that matter the most, the ones linked to the crown jewels, not everything in sandboxes and things like that. You get them to least privilege, right.

Speaker 2:

But I think the most important thing that folks aren't thinking about, Joe, as far as really wrapping their head around this mess, is how you govern it moving forward, right. You need a capability out there that can put tripwires around your break glass accounts. They can let you know if a new identity can suddenly access that sensitive data store because of some junior admin putting a new trust relationship out there that they had no idea the impact that it would have, because it created these new bonds in the platform. They'd be like a network, right? They created this network conduit to what matters most to the business from a sandbox because they were just doing a quick test, right? And you never can know with infrastructure as code. No matter how much you lint it, no matter how much you scan it, you don't know what it's going to do until it gets out there and it starts living and breathing and interacting with what's already out there. You need something that's watching that and able to tell you, holy cow, we've got a cross account situation and we've got a separation of duties issue or whatever.

Speaker 2:

So I think that governance component is super, super key to really, really being able to tackle this. But make no mistake about it, that's one thing that we've learned over the years here, is that if you're trying to secure identity in the cloud, and IAM, you got to focus on taking out all of that unused litter and garbage. Get rid of it. Make sure that you're governing for new unused litter and garbage, but then double down on what's out there and restricting it to only the permissions that it needs, so that you vastly reduce that risk landscape before a credential gets thrown out on GitHub on accident and someone tries to use it against you.

Speaker 1:

Yeah, I feel like the technical side of it is often thought about first before that governance side of it. Exactly, with the cloud, it is so easy to run into a situation where you resolve it within, let's say, a week and then the next week you're right back where you were. If you don't have the policy side of it set up, if you don't have the checks and balances already set up before you start resolving it, this is going to be something where you're always chasing your tail, so to speak, and trying to figure it out.

Speaker 2:

And if you don't have the buy-in of the engineers and the developers, guess what's going to happen? You remove all this risk today and tomorrow they're going to push out a Terraform update that's going to put it all back. Right, think about that. All this work and they just go put it all back. That's something you have to think about. You have to account for the fact that infrastructure as code is responsible for 80% of this mess.

Speaker 1:

Yeah, that's a great point. How do you make that switch in your head? Because I'm coming at this from an engineering perspective. Engineers are hands on keyboard. They just want to get stuff done, they want to make progress, but a lot of the times the engineer is the one that's also driving the process, because when you're in these sort of situations, where you're in over your skis, you probably don't have a very good governance to begin with. You probably actually have the engineers going through and trying to create these policies and whatnot.

Speaker 2:

Well, yeah, they're the ones that are pushing everything out there, and have been for years, with star permissions, because it's easier for them to get their code out there, especially on two-week sprints.

Speaker 2:

I get it. They're under timelines, so they're not thinking about building least privilege into the application with whatever particular widget they're responsible for. I think the key, from an engineer perspective, is you have to sell this story to them in a way that does not come across as impeding their ability to do their job. Joe, we're actually going to flip the script, and what we can do is we can enable the business, we're actually enabling you to build more securely. So if you fit into the way that they do their code, Terraform, CloudFormation, whatever, if you fit into the fact that they work out of Jira or ServiceNow or ChatOps, which is something that I'm now learning about, which is evolving like crazy, like they're doing all their jobs through Slack, if you fit into the way that they work, then I think what we have learned is that it does a complete 180. And they actually are much more open to considering building in the pipeline from a secure perspective, versus just pushing it all out there and saying, infosec, go fix it.

Speaker 1:

Yeah, I think that's something that's still critical, that we have to point out and deconstruct, is that perception that InfoSec is only there to make our lives harder, to put barriers in the way of me getting the sprint done and showing productivity and whatnot.

Speaker 1:

There's a lot of the times where I'll come into a company and I'll see exactly that, where it's almost like there's a brick wall in between security and the rest of the organization and, brick by brick, you have to take that thing down. And I mean, one time it took me a year just to get one team on my side, and it was a lot of lunches, I paid for a lot of drinks, I paid for a lot more than I'm willing to admit to my wife, but it enabled me to get more done in the organization and allowed them to actually trust me and say, hey look, just give me this one little thing, I'll show you it's not that bad. We're going to teach you how to use it, we're going to teach you what to do with it. All that sort of stuff, you kind of have to take it over into a white glove treatment sort of thing, where they get priority, even if to your manager they don't get priority, but to you they get priority.

Speaker 2:

Absolutely. And again, I think it's all about integrating into the way that they want to work. If you integrate into the way that they want to work, they're going to be much, much more open. Oh, my goodness, we've got a privilege escalation scenario. We've got an SOD violation, whatever it might be, but guess what? We routed that risk to them the way that they want to be notified, and they can actually go fix it on their own, and then automatically it'll self-heal on the Sonrai side, or whatever tool you're using, versus them having to go manage yet another tool that they're getting nagged about or whatever.

Speaker 2:

You've got to start to break down the barrier, and I think that the more that we start to introduce identity security into DevSecOps, I think the better things are going to be, because you're in lockstep, then, with the development team, with the app team, with the actual business itself from a security perspective, and it's because you're introducing security into the development process instead of just pushing all that out there and then saying, OK, it's working. And this is what we see all the time, Joe, it's super scary, these amazing applications, but it is an identity crisis. When it gets to be part, it's spaghetti. Everything can talk to everything. How do you fix that? Because now the business is relying on this application and this is the plumbing that you built for it.

Speaker 1:

Yeah, absolutely. Well, where do you think cloud IAM is going in the next five years? Right, I think back to the beginning of the cloud. No one thought about IAM as an attack surface, and now it is the edge of your cloud. It's how you get in. It's no longer the network, right, you can lock that thing down. But if you have accounts that are open to the world, people can get in.

Speaker 2:

Well, here's the thing. I think that four or five years ago, securing IAM on a priority scale for most businesses was a nice to have. Well, back then, that's when we would say identity is the edge, identity is the perimeter. I think we're way past that. Identity is the new network. Everything lives, breathes, functions and communicates through the identity fabric. In a cloud-native world there's no network landscape. Everything, the accepts and denies, the permits and denies, are in the identity fabric, on those JSON policies attached to these person and non-person identities, not through managing the security and firewall rules or next-gen firewalls that you're trying to cram into a VM. They don't have their place in a cloud-native world. They don't, right.

Speaker 2:

And I think, if you look at the way that the market has evolved over the last couple of years, we're seeing more and more companies that are starting to put identity at the forefront of their security strategies.

Speaker 2:

It's not a nice to have, it's an absolute requirement. And when you do that, and then you attach the fact that you're focusing your identity strategy on what matters the most to the business, meaning the crown jewels, not just, we're going to secure identity to secure identity and start playing whack-a-mole, you start with what matters the most to the business: who and what can access that data container, that table, whatever it might be. Start there, and then you work your way out. So there's a method to the madness there. Right, you do that. You focus on the hub, that's what I call it, instead of all the spokes, because right now, so many in the market are still focusing on the spokes. Focus on the hub. When one of those spokes gets popped, it's going to be a dead end. It's a beautiful story. Folks just have to be willing to accept and understand that identity is the new network and it must be secured from the inside out.

Speaker 1:

Yeah, absolutely. I mean, that's the whole thing. That's changed completely with the cloud. Well, Jeff, I really appreciate the time here. I feel like we could keep going with this conversation for sure.

Speaker 2:

It was very fascinating.

Speaker 1:

We went through a lot of different rabbit holes and whatnot, but I think overall it shows the importance of IAM in the cloud for sure.

Speaker 2:

Absolute pleasure talking to you. Like you said, we could have gone on and on and on, and, like I said in the beginning, I hope that folks listening, across the rabbit holes that we went down, I hope that they captured a nugget. Maybe it's about your career, your job, whatever, your skills, but certainly I hope that you picked up a nugget or two about really rethinking how you are securing your cloud as it relates to where IAM and identity and access and privilege are from a strategy and a priority perspective. It's important.

Speaker 1:

Definitely. Well, Jeff, before I let you go, how about you tell my audience where they could find you if they wanted to reach out to you, and where they could find Sonrai Security if they wanted to learn more?

Speaker 2:

Absolutely. Jeff Moncrief on LinkedIn. Please hit me up, please connect with me. I'd love to answer any questions that you might have. And then I work for Sonrai Security, and sonraisecurity.com, and we secure some of the world's largest companies as it relates to helping them with access and privilege in the public cloud. We're definitely a thought leader in this space, one of the OGs, if you will.

Speaker 2:

We're purpose built for this, so we would love to talk to you about what we can do for you.

Speaker 1:

Awesome, and all of the links that he mentioned will be in the description of the episode, so if you want, go ahead and check them all out. All right, thanks everyone.

The Challenges of Securing Public Clouds
Challenges and Fascinations of Cloud Security
Understanding Cyber Garbage and Identity Litter
Embracing Humility and Seeking Career Growth
Skills and Certifications in Job Market
Recruiters' Role in Job Search
IAM and Cloud Security Importance
LinkedIn and Sonrai Security Introduction