Sponsored by Sumo Logic

Critical Steps to Secure Your Cloud-Based Apps and Infrastructure

Organizations run into many obstacles today when trying to secure modern apps and infrastructures. In this video, RTInsights interviews Paul Tobia, senior product manager at Sumo Logic, to discuss security challenges in cloud environments, how traditional security approaches break down, and steps organizations can take to improve security.

Tobia also discussed the need for a platform that brings all the relevant logging and monitoring data in one place so that it can be analyzed to spot potential problems and troubleshoot them before they impact an organization’s security posture.

Transcript

Joe Mckendrick: Hi. Welcome to today’s webcast. Part of our discussions are ongoing series of discussions here at RTInsights with leaders and thought leaders from across the technology world. I’m Joe
McKendrick, your host and contributor to RTInsights and I’m really pleased today to be speaking with Paul Tobia, Senior Product Manager at Sumo Logic.

I think it’s safe to say that Paul is very passionate about information security and perhaps ranks as one of the most knowledgeable people around on this topic. He has been involved in information security for 20 years now developing programs, safeguarding critical information for various companies. His career spans information security positions with Scripps Health, Symantec, and Sharp Health. And he is also very active with the San Diego Chief of Information Security Officer community.

Paul, welcome. Happy to have you here with us.

Paul Tobia: Thanks, Joe. Appreciate the opportunity.

Joe Mckendrick: Okay. Let’s start talking information security, a very important topic. Paul, what do people, especially business leaders and the technology leaders as well, tend to miss when it comes to application information security these days? We hear a lot about it, but, you know, it’s still a big issue.

Paul Tobia: I think that specifically when we’re talking about application information security and, as you mentioned, my background, I’ve been doing computer security, information security, cyber security for a long time now. To keep up with the latest advances in how computing occurs, to make sure that as technology changes that the information security programs or the cyber security programs keep up with that technology is a tough thing to do, and it’s a critical thing to do. But it’s where I enjoy…, want to put my mind towards.

I think the major challenge that we’re looking at here is that computing itself is changing. The way that the rise of the developers, the rise of the way that computing occurs across the industry changes some fundamental things about information security and cyber security. But when you get down to it, it is still the same thing it was 20, 25 years ago.

You still have to identify, protect, detect, respond, and recover. It’s just with new technology and new
methodologies and new players in the space, as well. So the things change, but the fundamentals are still the same around information security.

Joe Mckendrick: Okay, fantastic. And of course within recent years, everybody’s gone to the Cloud. And I think there’s a kind of an assumption out there that the Cloud provider’s gonna handle a lot of this security. In essence people may be feeling that they’re able to outsource some of their security concerns to the Cloud, and this, this is probably an erroneous assumption. Paul, what should organizations do? What steps should they take to secure their Cloud-based applications, data, and infrastructure?

Paul Tobia: I think that, um, you’re right. There is, there is certain responsibilities that the Cloud providers will do for you. Um, but there’s a limitation to what they, to what they accomplish. They set the table, they provide the table, they provide a certain level of the infrastructure that you’re running on, so there’s things you don’t have to… You don’t have to run a data center, you don’t have to worry about physical security to the hardware, things like that, those are what the Cloud providers are gonna, are, are going to give you as part of that service. But everything else on top of that is still your responsibility. So there, there’s certain, there’s shared responsibility models that each of the Cloud providers have. So it doesn’t abdicate (laughs) the responsibility of the individual’s security providers or the organization’s security providers. It’s still those same challenges that we faced a, a long time ago.

Uh, again, I go back to that identify, protect, detect, respond, and recover. What, what is my computing
environment? What are the threats to that computing environment? What’s the level of risk that I’m willing to take, um, and what are the things that I can implement? What are the protections and processes, people, process, and technology that I can implement to reduce that security risk to a manageable level? And then how do I operate that on a, on a, on a day-to-day basis?

Joe Mckendrick: Great stuff, great stuff, but I’m sure there’s, uh, you know, obstacles be it organizational, technical that obstacle, that organizations face in achieving this. You know, can you discuss, you know, what organizations tend to run up against, uh, the obstacles and challenges, uh, and how to overcome them?

Paul Tobia: Absolutely. Um, I mean, first and foremost is that the rate of technology, the rate of change of the methodologies of getting computing, of getting these absent services out to the customers, um, is
accelerating, continues to accelerate. Um, less than 20 years, we’ve gone from basic virtualization and VMs all the way to the leading edge of, like, no code applications or low code applications. Um, that doesn’t necessarily… You don’t see that’s, you don’t see that slowing down. But that is also just the leading edge. So the, the distribution of these new technologies is uneven, as well. Not everybody is running on a Cloud service. Not everybody is running through a, through a, through a Cloud provider. There’s still plenty of on-prem capabilities that are out there.

Um, things change in the computing environment, as well. Um, before the, before the COVID pandemic, um, computing was a lot more centralized. And now, there’s a lot more remote work, things like that, which adds new challenges. So new technology is a huge obstacle, um, in making sure that you understand that new technology and those new capabilities. Um, there’s really, because of that acceleration of technology, there’s a lack of mature-specific security standards around these technologies. So a lot of it’s being provided by the vendors and the open source, uh, communities that build up around these infrastructures on how to manage or how to, how to defend against them.

Another one that I talk about is just the scale of computing nowadays. So now that you’re not as limited from a physical plant perspective, you just buy the services, buy computing as you need it. Um, the capability to spread is huge, um, not just from a volumetric scale, not just that you can be running multiple and multiple instances of databases, services, all of that, but also the leaning towards that microservices architecture, right? We’ve moved away from the three-tier app, uh, end user app database, uh, paradigm, and now you’ve got potentially hundreds of individual microservices all talking via API to each other to provide an application to it. So you’re not just looking at large scales in terms of running hundreds of instances across multiple regions and globally availability, but you’re also talking about instead of managing, your app consists of a whole bunch more individual components that you’re looking at.

With, with that level of scale, then comes the manageability of it, which becomes automated. So you’re
talking about the as software, whether it’s infrastructure as software, platform as software, that the
idea that you’re scripting and you’re managing your, your environments, you’re managing the stack
through code, you’re managing, uh, all of that through that automation because you can’t physically
from a human standpoint manage all of those things like we manage servers, like we managed servers
back in the day.

Um, that leads to kind of tools sprawl. So there’s a whole bunch of different management capabilities and security capabilities that are out there. There’s some consolidation that’s going towards the providers, so the providers are kind of consolidating a lot of security services underneath them. But there’s plenty of security vendors out there, and especially as you get towards those leading edges of how you’re managing your Cloud or your application-based security. And then as we all learned back in Log4j, supply chain is a big issues, as well. So what are those services when we talked about that shared responsibility? Um, there’s shared responsibility, but then there’s also the libraries that you’re running, the systems that, code that you’re taking in to make part of your platform. Do you understand what that code is, do you understand the vulnerabilities for that, for that code and where it, where it lives within your app and your services, as well? So there’s a ton of obstacles out there. There’s a ton of new stuff, right, for, for security practitioners to manage.

Joe Mckendrick: Oh, yeah. And I love the fact that you mentioned low code and no code. I mean, that’s something we’re seeing a lot of. It was a lot of excitement, a lot of hype around it. You know, the citizen developers can do what they want and not, not have to go to IT for everything they need, which is great in practice, but I don’t think enough is being said about the security implications, you know, the, the guardrails that are needed to, uh, you know, (laughs) keep things from, uh, going askew.

Paul Tobia: And, and that always comes back to it. That’s why I kinda, that’s why I kind of open with the basics of security, right. E- even, even if with cutting edge technologies, even with citizen developers out there, open source systems, things like that, the job of the CESO is still the same as it was 25 years ago. It’s to manage risk for their organization, it’s to be able to, you know, have a security program in place that
identifies what your computing environment it is, that you put in the appropriate protections, you detect the bad guys, you r- you respond to those, and you recover back to normalcy after, after the attacks happen. So that, that’s still the same whether you’re, w- no matter what computing technologies you’re working on. It’s just that the environment and the tools and the players all, all continually change, which is fun, which is why you could make a career out of it, right, and why, why I’m not bored after 25 years of doing this stuff. (laughs)

Joe Mckendrick: (laughs) Yeah, every week, a new thing to, uh, crops up, right?

Paul Tobia: That’s right.

Joe Mckendrick: And, uh, you know, and, and, and you’re talking a bit about this, Paul, already, but, uh, you know, the, the shortcomings, uh, you know, of the traditional security approaches, you know, with all these new environments, Cloud, uh, APIs, uh, low code, no code. Um, you know, a lot of stuff cropping up. Uh, traditional solutions that are still out, you know, what, what, what’s, what’s the issue and, uh, how can, how, how do we need to address that?

Paul Tobia: Um, the, the thing is, the thing that we see, um, is that bringing that information together, making that information useful. So whether it’s the applications itself, the infrastructure that they have, the services that you buy on top of it, that’s all providing data. Um, but being able to consolidate that data, being able to, being able to pull the signal out of that data and understanding and feed it back into your security program so that you understand that you can do that identify, protect, detect, respond, recover, that you can understand what are the threats that are up against your environment, that no matter what part of the application development process that you’re in, whether you’re building, deploying, or running systems, that you’ve got visibility into what’s going on in your environment and you have visibility to the potential attacks that are occurring and the realized attacks that are occurring.

Um, that kind of speed, that capability to live in both worlds or multiple worlds, that ability to have the tool set that, because evidation is still happening. So as, as you mentioned, right, as those, as, as those, um, technologies get more and more prevalent and get deployed, then the services on top of them, the vendors and the innovation come on top of that, and they provide the additional management and security services that are on top of that.

So you can get a tool, you can get, like, a Cloud security posture management that goes out there and looks at your Cloud, uh, deployed environment, your Cloud infrastructure environment and sets it against certain standards and says, “Here’s where you’ve got policy issues. Here’s, here’s the things that you can do. Here’s the things that you can’t do.” But how do you take that information and synthesize it, put it into your security program to do that risk management that you’re, that you’re responsible for doing? So it’s that speed of response, it’s the capability to keep up with that technology, it’s the capability to be neutral around it. Can you pull in this digital exhaust and this information that’s coming from multiple service providers? You may not just be locked into a singular one of the big three Cloud providers. And can you, can you provide a view towards your end users, as well? Can you provide a view towards your on-prem stuff, as well?

Um, so taking those individual sources and pulling them together into a single, a single view, I believe, is very important. Um, the other thing is when we talk about the people who are involved in security now, so the rise of the developers and the responsibility that they have now, which was, a lot of it was done by traditional IT, that’s also coming into the security realm, as well. So how do you teach developers to be security practitioners, and how do you teach security practitioners to understand the development environment? One of the examples that I use is that if you run a secur- uh, you know, the, the corporate IT or the CESO runs a vulnerability scanner against your environment, and they find out in a modern app security environment that the java version is incompatible, right? They need, there needs to be a security update for a java version at this one IP address.

What does that mean from a developer’s standpoint, right? What’s the, what’s the, what’s the ephemeral container that was lying underneath there that was running on a particular pod that was responsible for a particular service that was pulled from a particular repository where the actual java code was, was submitted and put in there, right? So you give them an end point of that, of that IP address, you hand that to the developer, and the developer’s gonna spend four or five hours, better part of the day just hunting down where to actually make that change. So, so having that communication and providing the value out of that data I think is pretty critical.

Joe Mckendrick: And you raise a good point there, as well. Security needs to be, uh, a concern across the enterprise. You know, uh, in days gone by, larger enterprises had security teams that did nothing but worry about security and nobody else had to worry about it at the time. Um, you know, now, it’s developers, even the database administrators, the data engineers, uh, all folks across the chain, right, that really should be involved in the process and understand what’s going on, right, with security.

Paul Tobia: Security continues to go up the stack, right? It doesn’t just start at the physical layer. It gets in the, you know, in the network layer. It gets all the way up into the application side of things. So even if you go beyond the run time stuff… Some of the things that we talked about with the java thing where, where you’re talking about the, the mitigation to, to a security threat or a vulnerability is not a network change, it’s not a firewall port, it’s not a patch to be loaded. It’s, it’s actual changing of the code that happens way back at the repository, way back in the build phase before the build deploy run occurs. So making those connections and, and finding the places where you can reduce your risk, um, and speaking to the right people, accountability, all of those sorts of things, it’s just, um, more complex.

Joe Mckendrick: And, Paul, we know, uh, you’re, you’re doing a lot of work in this area. Uh, Sumo Logic is doing a lot of work in this area. Can you talk about, um, you know, what, what you folks have, uh, underway and, uh, you know, what, what you have to offer in this regard?

Paul Tobia: Yeah. Um, so, so I think some of the advantages of, of Sumo Logic… So Sumo Logic at its core pulls in that, pulls in that information whether it’s from a security standpoint or an observability standpoint. So
it’s not just security use cases that, that Sumo does, but observability, as well. So we’ve already got
developers in our platform using our systems to manage that huge fleet of microservices or manage their kubernetes pods or manage their containers and repositories. And we also do the security side, as well. So we have a, a, a SIEM that’s out there, a SOAR capabilities within our, within our platform, too. And because we are neutral, we’re not, we take data from all of those data sources, all of those Cloud providers, all of those individual organizations who are innovating and providing their own security services and pulling all of that, pulling all of that data together, including the on-prem stuff, we exist in a Cloud where a Cloud-native service that we’ve got. So we can handle that scalability. Um, and since we are a Cloud-native service, we’re also very agile. We’re also very responsive to adding new information into the system and supporting new, supporting new data sources. Our SEIM supports a couple hundred, uh, different, different vendors and products that are, that are out there, and we add, we add more and more every week.

So being able to pull all that information together into one place and then being able to do analytics on top of that, um, that’s the core of what our, what our platform does. But then there’s also the detection and response piece, the SEIM and the SOAR type, type features that we’ve got on there. And the advantage is, is that we treat data as data. So whether the information comes from a traditional three-tier application’s structured architecture or whether the information is coming from, you know, fully-orchestrated through Kubernetes modern app stack, we’re still going to be able to provide you the same analytics and detection tools to determine what’s going on in that environment to, and to make the right choices around what you need to respond to, what you need to recover from, what you need to protect, detect, et cetera, et cetera.

Joe Mckendrick: Wonderful, wonderful. And, Paul, uh, any final thoughts on, uh, security, you know? It’s, it’s something, uh, everybody needs to be concerned with, uh, you know, and, and, you know, we need to do a lot of education and, and in, in the market to, uh, help people understand what they need to do, um, how they need to work with Cloud and, and, and, and security takes on a whole different cast, you know, when you’re working with Cloud, as you’ve been telling us. You know, any final thoughts on what people should know in addition?

Paul Tobia: Yeah. That’s a great point, Joe. Right, it’s the people and the process. It’s not just the, it’s not just the technology. Um, there is, there’s a convergence here that’s happening. Security practitioners need to understand software better. We need to, we need to, uh, we need to think more like developers. And then developers are getting more responsibilities and accountabilities in security. So there’s, there’s these two areas that are kind of driving this innovation and driving where we’re going in terms of computing, and the capability to bring those two groups together and have them start working together as opposed to at odds to each other, I think is very exciting. Um, the capability to, to learn on the job and embrace something new, and, and to keep moving security in general forward is, is super exciting and, and stuff that gets me up in the morning and, uh, and (laughs), and, and moves me forward. So.

Joe Mckendrick: That’s good [inaudible 00:20:30]. It’s great to hear that you’re out there looking out for us (laughs). Thank you. Uh, Paul Tobia, uh, senior product manager for Sumo Logic, uh, great having you on with us today.

Paul Tobia: Thanks, Joe. Appreciate the opportunity.