Ahead in the Cloud: Navigating Cloud Security Challenges with Ankur Shah
August 04, 2023
Ankur Shah, Senior Vice President and General Manager of Products for Prisma Cloud, discusses the challenges of cloud security and the prevalence of blind spots for companies. He emphasizes the importance of shifting left with DevSecOps, the need for cloud security visibility and control, and the significance of a shared responsibility model in securing cloud environments.
Hosted by Chad Watt, researcher and writer with the Infosys Knowledge Institute.
"I think there's still a lot of blind spots. The average conversation I have with the CISOs is still, 'I don't know what's going on in the cloud. I don't know what we're doing towards security.'"
"Security is a shared responsibility between not just the cloud providers but the sec teams. The security teams can't just do all of that stuff on their own."
"Ultimately, you know, those of us who are building security products, we are optimists. We always think that [what will] solve for the bad guy with ChatGPT, the good guy with ChatGPT, right?"
- Ankur Shah
Insights
- Many companies lack a clear assessment of their security vulnerabilities in the cloud. While some progress has been made in recent years, there are still blind spots, and many CISOs admit to not fully understanding what is going on in their cloud environments.
- Cloud security is a shared responsibility between cloud providers and security teams. Cloud providers handle the physical security and infrastructure, but customers are responsible for securing their applications and data within the cloud.
- In a hybrid multi-cloud world, where companies use multiple cloud providers and have some workloads on-premises, security blind spots can result from managing different systems and tools.
- Shifting security left, also known as "secure by design," is crucial in the cloud environment. This means embedding security practices early in the development lifecycle, ensuring that security is considered from the code stage to the cloud deployment.
- The responsibility for cloud security lies with the CISO, but it needs to be shared by other departments and C-suite executives and the teams who report to them.
Show Notes
- 00:10 Chad introduces himself and Ankur
- 00:40 If I give you a hundred multinational companies that are using cloud, how many of those have a clear assessment of their security vulnerabilities?
- 01:35 How many companies can give you just a full inventory of what they're doing in the cloud?
- 02:33 Security is somebody else's problem. Cloud is going to solve security for me. Agree, disagree, build on those two.
- 03:37 Now, how does the hybrid environment contribute to security blind spots?
- 05:10 Whose responsibility is it to check for the blind spots?
- 06:13 How do you get security teams schooled on cutting edge, caffeinated, developer cloud?
- 07:39 Can you talk about an instance where you've really seen DevSecOps, you know, shine or really deliver?
- 08:08 Why is it easier to teach somebody security if you are a developer than the other way around?
- 09:12 Where should the CISOs sit? Where should this chief information security officer sit in an organization? And who should be at the table with that CISO?
- 10:42 How can security keep pace or catch up?
- 13:00 How do you get to the point where when a blind spot is realized, you actually address it?
- 13:51 Ankur points out his "Shift Happens" shirt (see photo).
- 14:26 Take me through what Prisma delivers, what Palo Alto and Prisma deliver, and what the obligations are with the client, with the CISO, and down the line.
- 17:10 Has the revelation that AI can be for good and bad helped your discussions around security, how people think more seriously about their security situation?
Chad Watt: Welcome to Ahead in the Cloud, where business leaders share what they've learned on their cloud journey. I'm Chad Watt, Infosys Knowledge Institute researcher and writer. Here today with Ankur Shah, senior vice president at cybersecurity firm Palo Alto Networks. Ankur is responsible for Prisma Cloud, Palo Alto's cloud native security offering. We're talking security in the cloud today. Ankur, welcome to the show.
Ankur Shah: Thanks, Chad, for having me. Looking forward to this conversation.
Chad Watt: We're talking about cloud and security. Cloud is great and companies can do so much more with it. Cloud keeps getting better, but it also gets more complex. So, if I give you 100 multinational companies that are using cloud, how many of those have a clear assessment of their security vulnerabilities?
Ankur Shah: This is going to be a hunch, not a scientific answer, but what I can tell you, I've been in this business for over six years now, and while the security teams have a little bit more awareness than it was six years ago where they recognize that the developers are leveraging public cloud to lift and shift or build applications that are in cloud data, I think there's still a lot of blind spots. The average conversation I have with the CISOs is still, "I don't know what's going on in the cloud. I don't know what we're doing towards security." They have some controls in place, but there are many blind spots. So I would say if you were through survey 100 CISOs, 80% would say, "I think I've got some understanding, but there's a whole lot of stuff that I have no idea."
Chad Watt: Backing up a little bit, how many can give you just a full inventory of what they're doing in the cloud?
Ankur Shah: I think what you will find out is a lot of the CISOs and customers have an awareness, the cloud providers that are in use, I think that's not a problem. I think most should be able to know if they have AWS, Azure, GCP, Oracle, IBM. There's always a notion of shadow cloud where developers are spinning up clouds off of their credit cards, but most of them know because some of that decisions are now getting centralized. What they don't know is specifically what cloud services are being used. Are the applications deployed in the cloud? What are the risks introduced in every stage of the cycle? The in-depth understanding is why they'll bring in Palo Alto and Prisma Cloud to at least do an assessment of what's going on.
Chad Watt: I was given two big lies in cloud recently and I wanted to see if you agree with these and is this all of these? One, security is somebody else's problem, and two, cloud is going to solve security for me. Agree, disagree, build on those two?
Ankur Shah: I disagree with that fundamentally. On the first one, security is a shared responsibility between not just the cloud providers, but the dev and the sec teams. The security teams can't just do all of that stuff on their own. They can write the security guardrails, but ultimately the dev team is responsible as much for securing their applications and infrastructure, so that's number one. Number two, the cloud providers, there is a shared responsibility model that's very well-defined. While cloud providers can take care of the physical security and at the infrastructure and operating system level, but the stuff that goes into cloud infrastructure, your applications, your data, that is not cloud provider's responsibility, that is customer's responsibility.
Chad Watt: In this kind of hybrid multi-cloud world, you have a primary cloud, you have a secondary, a tertiary cloud, and then you have some stuff that's on-premises that's never going to migrate anywhere. How does that contribute to these security blind spots?
Ankur Shah: So first just take a step back, Chad. What we're seeing is in the hybrid world there are sort of broadly speaking, three classes of customers, customers who have completely moved to the cloud, 100% they said, "Shut down the data center," those are still in minority, like you said. Number two is sort of this hybrid, but even then customers who are trying to take advantage of the modern CI/CD pipeline containers and Kubernetes, but they have some sort of workloads in data center, but they're still using OpenShift and other technology to still leverage the modern CI/CD pipeline to shift application faster. And the third class is they still just have a lot of legacy applications and deployment in hybrid cloud. So, customers have a spectrum of all this and it is difficult.
The customer in the second bucket, which are still using containers, Kubernetes to modernize the application, taking advantage of the modern tooling, et cetera, for them it's easier to have consistent security in hybrid, as well as multi-cloud type environment because they can apply similar security control, but if dev's got legacy infrastructure and modern infrastructure, it's difficult. They have to use two sets of tools, but legacy infrastructure is just the traditional network security or traditional endpoint security or host security tools, but more cloud native stuff, they reach out to Prisma Cloud to do what we call code to cloud security. So, it's difficult to be honest, but like I said, customers are getting more savvy and I'm seeing more and more customers in that second bucket.
Chad Watt: Whose responsibility is it when you're a security provider or security advisor? Whose responsibility is it to check for the blind spots?
Ankur Shah: Ultimately, the board and the CEO wants a single neck to choke, and that's CISO, so ultimately it's CISO's job to make sure that their applications are secure, their data is protected, that's it. But like I said, one of the things that folks don't often understand is that the game is lopsided in favor of dev teams. There are almost 33 million developers, less than 3 million security professionals. The people who actually know cloud and security in the security organization are probably less than 10,000. So, how the hell is the CISO team supposed to keep up with the pace of innovation and new stuff that developers are bringing? So yes, it's the CISO'S responsibility, but it's tough. I feel for them.
Chad Watt: So, developers know cloud, security guys know security in the kind of IT, CIO, on-prem legacy system context. How do you get those security guys schooled on cutting edge, caffeinated developer cloud?
Ankur Shah: It's not an easy... It's something that the customers and the CISOs often ask me like, "Hey, look, how do I do this?" And I have a few simple recommendation for them. One is pay the top dollar to hire the folks who understand the dev and DevSec. Not that many available, but do that. Retrain the existing folks, get them to get certified in AWS and GCP and Azure security and dev certification. You have to do that. You have to retrain people and ultimately you want to start building a practice where you understand cloud a little bit more. And the reason, Chad, this is important is that when you then go to the dev team and say, "Hey, I want you to fix this problem," you have a lot more credibility.
The developers will know you know cloud, you know what you're talking about, and once you build that trust between the teams, then the developers will start doing what you have to do. So, that's sort of one aspect. The second one is a lot of the modern application development team, they have a what's called DevSec function. So, you talked about how do you have the centralized security team and learn cloud, but nowadays the dev team, so they know security as much, have introduced a sec function, so they become the conduit between the apps team and the centralized security organization.
Chad Watt: We have DevOps and now we have DevSecOps.
Ankur Shah: Correct.
Chad Watt: Can you talk about an instance where you've really seen DevSecOps shine or really deliver? It's aspirational, you hear the term, but have you seen DevSecOps work and really delivering?
Ankur Shah: Oh, absolutely. If you have a DevSec function, these folks are generally studying DevOps. They are engineers by craft. They understand how to build, how to deploy, et cetera. They get certified or trained in security, but it's much easier to teach somebody security if you are a developer than the other way around.
Chad Watt: Why is that?
Ankur Shah: Oh, because if you're an engineer, once you know how to code, you understand how the pipeline works, then it's just a matter of learning, what are the security guardrails that they are in place? It's much easier to train them on security stuff and make sure that every step of the application pipeline, they're securing the infrastructure and the apps. The challenge, Chad, is that if I am a large enterprise, I'm a financial institution, I'm a large healthcare provider, I've got hundreds of apps, and if I have 100 DevSec function, who the hell is doing the auditing? Remember, the board wants a single neck to choke, the CISO, and you can't have this function be centralized. We live in an interesting world now where CISOs are still responsible for this, although a lot of the ownership of fixing problems lies within DevSec, so they have to do periodic auditing, checks and balances, break bears, things of that nature, and customers are at a different level of maturity, which is a topic we can talk about later in the conversation.
Chad Watt: You keep mentioning the single neck to choke. I guess that's the question to the answer to, who should own security in the cloud?
Ankur Shah: Correct.
Chad Watt: Where should the CISO sit? Where should this chief information security officer sit in an organization and who should be at the table with that CISO?
Ankur Shah: It's an excellent question. Before I answer that, I have seen all variations. I have CISOs reporting directly to CEOs, I have CISOs reporting to CIOs, in some odd cases CFO because there's a budget. I have seen CISOs reporting to the chief product folks, chief product officer, CPO, and there are different models, there are different pros and cons because if you're in the centralized organization and that IT or CIO, you can take care of the application security as well as the corporate and IT security all together.
The best model in my view is when the CISO is reporting to the product development organization. So, that means if you've got a large enterprise with a whole bunch of R&D teams, if you've got a CPO, if the CISO reports to CPO, you can do product security significantly better. There is not as much politics and problem between two organization because you're part of the same org structure. It's much easier to have a conversation with the DevSec and the development team because you're part of the same leader and we've seen a lot of success with that, but that's a minority today that generally does not happen where they're in the R&D organization and I think that's the right model.
Chad Watt: So, development keeps moving faster and faster and the developers are encouraged to move faster and faster. How can security keep pace or catch up?
Ankur Shah: Look, I will break it down into three simple steps that the security team, especially in cloud can follow. I call it the cloud security maturity model, it's super simple. Either the first step is for the cloud security practitioners to get visibility and control into what's happening in cloud first of all. Understand you can't protect what you don't see. So, you got to have understanding what cloud services are in use, what's risky. You have misconfigured resources, vulnerabilities, et cetera, et cetera. Get a highly prioritized list of stuff that is broken. So in the first step, what do I have? What's broken? Help me fix it, simple stuff. Then, what the security team have to do is take that list and work with the dev teams in the second phase is to ask them to fix those problems, but in that, they ought to have a conversation with the dev team and say, "Hey, now that you understand what these problems are, would you like to secure by design?"
That's the second phase and secure by design is, I'm going to ensure that security is embedded as part of the development lifecycle. You're basically bringing security where the dev teams are. It's a second phase because it does require working with the dev teams, it's not hard. You have to break barriers, you have to have guardrails and controls in place, et cetera, et cetera, and the last is what we call runtime protection. That phase basically is where what could go wrong in our business does go wrong and need active prevention and detection technology, so that if the bad actors are trying to exploit a vulnerability, you can block it. A bulk of the customers I talk to, they are still in the first phase, visibility and control. What do I have? What's broken? Tell me the most important thing, I've got to fix it and then help me fix it, that's it.
Chad Watt: Right, and that's that kind of question of finding the blind spots.
Ankur Shah: Exactly.
Chad Watt: I suppose the only thing worse than blind spots is the known misconfigurations. You have known vulnerabilities that don't get patched. I'm thinking of SolarWinds in this case or something where there's a known vulnerability that could be addressed and doesn't get addressed. How do you get to the point where that is just a habit, just automatic? How do you get to the point where when a blind spot is realized, you actually address it?
Ankur Shah: It's a good question, and this is why I said secure by design is your only option, your only hope in the cloud world. The whack-a-mole approach of I found a problem in cloud and then I'm going to open up a ticket for my dev team to fix it, and it's going to take a couple of weeks and I'm going to have a hammer, it's not sustainable. By the way, if I've got a vulnerability production right now and I try to patch it, guess what's going to happen two weeks later? A new release comes along and you have introduced a new vulnerability, but the modern application stack, you could write a Hello World app and you'll have a whole bunch of vulnerabilities in the app. What are you going to do? So, the developers are building new apps, they're doing new releases. By the time you're done patching it, it's introduced again. So, what the industry called shifting left, as you can see on my shared, which I think your audience can, it says shift happens.
Chad Watt: Shift happens.
Ankur Shah: Secure from code to cloud. The key operator word is secure from code, meaning bring security in the code pipeline early on where the developers are in their IDEs, when the code goes to your source code repo, when the code moves through your CI/CD pipeline, and then ultimately when it goes into production, that's the only way to do it.
Chad Watt: We're just recording audio for the audience, but I did take a picture, so we can upload that in the show notes. So, I've got a good shot of you there, so we'll be good on that front. Let me come back to Prisma Cloud very quickly and take me, Ankur, through what Prisma delivers, what Palo Alto and Prisma deliver, and what the obligations are with the client, with the CISO and down the line.
Ankur Shah: A little bit of history on how this whole thing came about. I've been in security for over a decade and over time, initially I built mobile security product and SaaS security and CaaS V, et cetera, and then I joined a startup with this public cloud security that Palo Alto Networks acquired. One of the things that four years ago I kind of saw was the industry was in the process of repeating the sins of the past by having multiple tools and technologies now do cloud security. What do I mean by that? There was the CSPM risk configuration stuff, there was a virtual protection, one management identity data security, so cloud security alone, there was an ecosystem of vendors developing hundreds of them literally, and then if you think about the cold phase of the development, there were already a whole bunch of incumbents and newer coming in.
They're like, "Oh for modern AppSec practices," and our vision was from the get-go that enough is enough. We can't have customers be leveraging eight or 10 different tools to secure their applications. It just can't happen. We had to take a very audacious goal over four years ago. We acquired a whole bunch of company. Palo Alto has dropped over $1 billion in acquiring companies and building a whole bunch of stuff organically to build out what's known as Prisma Cloud, which is now code to cloud security. It is the most comprehensive CNAP platform on the planet, and we're light years ahead of where the market is, but ultimately it's all in service of helping our customers. Our customers need help. They don't want multiple tools, they don't want operational burden. If there is a vulnerability in production, they want to trace it back to the code because they want to fix the source of the issue.
They don't want multiple tools, and that's how Prisma Cloud... That's been our mission. Basically, we want to prevent application breaches from code to cloud. It's a very simple thing that we want customers to understand. We want bad actors out and we believe that the only way to do it is through code to cloud. So, that's got a little bit of our journey. We're now the leader in the space recognized by Forrester and other top tier analyst community, but there's a lot of work to do. Our customers need help and we're going to keep chipping away at adding to our platform to ensure that they have what they need to secure their applications.
Chad Watt: Do you think that the revelation that came with generative AI about the power that AI has and the potential for good, the potential for bad actors to really use AI to break into anything and everything, has that helped your discussions around security, help people think more seriously about their security situation?
Ankur Shah: Absolutely, I think this is top of mind for a lot of customers, and you can leverage generative AI, not language model for good use, and the bad actors are going to use it for the bad purposes, introduce new malware, initiate the new next set of supply chain attack. You can ask ChatGPT to give you all the different reach. You can have a supply chain attack and I think they're going to get easier. AutoGPT, you can automate all that stuff as well. We live in an interesting world. You're going to have hundreds of open source LLM model that customers can use inadvertently, and if you have a malicious piece of open source code, you can lose your IP.
And different customers are dealing it with different ways. Some are just blocking ChatGPT and other AI technology, and I'm not sure if that's the right response, but I feel for them because it's just unknown. Ultimately, look, those of us who are building security product, we are optimists. We always think that the only solve for the bad guy with a ChatGPT is a good guy with ChatGPT or AI. It is our responsibility to build the next gen technology, leveraging generative AI and other to ensure that we are giving our customers a superior security outcomes.
Chad Watt: Thank you for your time today, Ankur.
Ankur Shah: Been a pleasure. Thank you, Chad.
Chad Watt: This podcast is part of our collaboration with MIT Tech Review, in partnership with Infosys Cobalt. Visit our content hub on technologyreview.com to learn more about how businesses are moving from cloud chaos to cloud clarity. Be sure to follow Ahead in the Cloud wherever you get your podcast. You can find more details in our show notes and transcripts at infosys.com/iki, that's in our podcast section. Thanks to our producers, Catherine Burnett, Christine Calhoun, and Yulia De Bari. Dode Bigley is our audio technician. I'm Chad Watt with the Infosys Knowledge Institute, signing off. Until next time, keep learning and keep sharing.
Connect with Ankur Shah
- On LinkedIn
To learn more
- About the Infosys Knowledge Institute
- Palo Alto Networks
- MIT Technology Review