Guest: Rob Hirschfeld (LinkedIn)
Company: RackN (Twitter)
In this episode of TFiR: T3M, Swapnil Bhartiya sits down with Rob Hirschfeld, Co-Founder and CEO of RackN, to share his insights on security in the cloud-centric world.
Current trends in the market:
- More concern and deep scrutiny on how systems are getting built behind the scenes.
- Customers have been moving into a process to fully build deployment images inside of their CI/CD pipelines.
- There is a stronger focus on developer empowerment.
- Emphasis on improved security postures of systems throughout their lifecycle.
- Customers are getting much more aggressive about properly building transport layer security (TLS) infrastructure and managing their certificate infrastructure, which is a key piece of doing zero trust.
Cost cutting impacts security and security teams. When the same people have to do significantly more work, there will be a lack of discipline, something won’t get done, something will get done more slowly. These will all be vulnerability vectors for organizations.
Current security issues stem from:
- Organizations/systems that don’t have well automated processes.
- Organizations/systems that allow people to bypass the process in order to give access or have an exception, and then didn’t automate around that exception.
- Zombie APIs.
RackN is helping customers:
- gain control of their infrastructure. If the infrastructure is reliable, they can add in automation, run automation more regularly, do resets and rebuilds in places where they might not have done before.
- do dev tests and prod fidelity. This allows them to have confidence that when they test something in development, it’s going to work in their test and production environments without having manual changes.
Advice for companies looking to improve their security posture:
- Treat security as a service, not an add-on or an overhead. It means ensuring people have continuous access to the system.
- Think about the half-life of the environment. If you’ve been automating things to make them very easy to get, remember to automate to make them automatically get destroyed or torn down. If you’re not looking at both sides of that equation, you’re potentially leaving yourself open to a zombie environment or a zombie API that sticks around and, and people aren’t even aware that it’s there.
- If you’re not dealing with automation that’s reliable, i.e., if reliability isn’t the first test for your automation, then you’re going to have trouble with zero trust.
- Make sure that you’re embedding security into your native processes.
- Embed security into the automation you’re building. Make sure that you can quickly scan, reset, and rebuild an environment.
- Threat posture is better when the ops and automation teams are efficient at building, rebuilding, and resetting environments, and the system is dynamic with regular patching and regular rebuilds.
- Do not assume that any part of your supply chain is secure. By default, you need to have a degree of ownership on all of the components of your system.
This summary was written by Camille Gregory.