EP#64 – John Grange – Head in the Clouds: Multi-Cloud Security & Governance

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (Intro/Outro) (00:00):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there, and welcome to yet another episode of the Virtual CISO Podcast. With you as always, John Verry. And with me, unusually with this open is John Grange. So john, good afternoon. Thanks for coming on the podcast.

John Grange (00:39):

Hey, good afternoon. Thanks for having me.

John Verry (00:40):

Always like to start super simple. Tell us a little bit about who you are and what you do every day.

John Grange (00:46):

Cool. I’m so I’m john Grange, I’m co founder and CTO of OpsCompass is SaaS software that helps operations teams, DevOps, SecOps, CloudOps, see, understand, fix secure, all their cloud configuration. So I spend my days helping companies, usually kind of mid market and up, really try and solve a lot of their kind of security and governance problems around multicloud. And really kind of at the level of the people whose hands are on the keyboard, those teams that are actually operating the environments and need kind of the visibility and tools to make it all happen. My background, I’m a career entrepreneur. So I’ve been, since I was in college, starting tech companies. And I’ve always been in the hosting infrastructure compliance security space. I co founded a hosting company that became a top five global Microsoft ASP.NET hosting provider in the early 2000s. And that’s kind of-

John Verry (01:42):

Oh, my God, ASP.NET. That takes me back. I mean, it’s Active Server Pages was one of those strangest, back in the day before the internet was the internet, I decided at one point, application shouldn’t be written to be client server any longer, they should all be browser based. And that wasn’t really being done yet. So I ended up using Visual InterDev when it was still in a beta format. And there was no debugging capability. So you would just constantly do prints if you were trying to figure out where something was in a stack or something of that nature. So when you say Active Server Page in the hosting side, the idea of that blended code, which side is this piece being executed, fun stuff, bad memories and good memories at the same time.

John Grange (02:27):

Yeah. And this was the kind of early to mid 2000s. So it was kind of web 2.0. Every company on the planet was building websites, and intranets and extranets and all these things. And ASP. NET was a good platform for that. But we built a big company, it kind of took off and that really springboarded my career as an entrepreneur, but more importantly, really, as somebody who, my career in starting companies that solve problems around infrastructure and security and compliance and things like that.

John Verry (02:58):

Cool. So before, before we drill in, I always ask, what’s your drink of choice?

John Grange (03:04):

I think you guys usually you kind of do the bourbon or beer.

John Verry (03:09):

Can be bourbon, can be beer, could be hot water.

John Grange (03:14):

I like green tea. If I’m going to do bourbon, I like a little Maker’s Mark. And gluten free though. So I don’t do a lot of beer anymore but I’m probably more of a vodka guy.

John Verry (03:24):

Tito’s?

John Grange (03:25):

Tito’s actually, yes. I love Tito’s.

John Verry (03:30):

Tito’s at the price point. You know what I mean? I mean, look, there’s a lot of great, some of the Polish vodkas are really wonderful. But I mean-

John Grange (03:37):

The Chopin, have you had the Chopin?

John Verry (03:39):

Yep, yep. Excellent. And then there’s another one I love Moskovskaya. If you ever find that it’s a Russian potato vodka that is ridiculously good. But anyway, but Tito’s at the price point just-

John Grange (03:54):

Can’t beat it.

John Verry (03:56):

Can’t beat it. If you’re going to buy a bottle of vodka, it’s a no brainer.

John Grange (04:01):

And nobody will give me any guff about it if they come over to your house. It’s a nice enough vodka that you can

John Verry (04:07):

I agree completely.

John Grange (04:09):

Now that we’ve covered the important stuff.

John Verry (04:11):

Now that we’ve covered the important stuff, let’s get to the dumb stuff. So thanks for coming on and obviously you did a good job in the intro of explain this. So we know that companies have been, or especially now quick to take advantage of the cloud for all the obvious reasons. Time to market is faster. It’s simple, simplicity cost. But to me, I always look at technologies and it doesn’t matter if it’s a sim solution or, whatever it is we have this tendency to invest upfront. But then we don’t really put the time energy necessary to invest the ongoing resources necessary to kind of ensure it’s doing what we thought it was doing, that we’re maintaining and things of that nature. And I think that definitely comes into play here in the cloud.

John Verry (04:52):

So if I’m governing an organization, if I’m the chief operating officer of a technology service provider that’s got, embracing the cloud and they hear all these wonderful things. How does the organization get a clear picture, if you will, of what they’re doing in the cloud, what the risks are to those resources, the controls? How should somebody look at this and kind of get that that clear picture of what’s actually happening right now?

John Grange (05:15):

Well, it’s an interesting question, because it sounds very elementary. If you’re coming from the on-Prem kind of world, what do you mean you don’t know what you have? Although I still contend that everybody way overrates how solid and how well managed and governed their on-Prem environments are but that’s another story. Again, it sounds elementary but in practice it’s actually hard to attain, particularly as an environment is getting larger, and maybe you’re using multiple clouds. But being able to have kind of centralized visibility. The reason why centralized visibility is important is because in the cloud, the cloud can be modified and interacted with in different ways, whether it’s through a DevOps pipeline or through a CLI or through a portal or through an API, there’s just lots of different vectors, by which people can make changes that are maybe consequential to your cloud.

John Grange (06:04):

So basic asset management, discovery, centralized inventory, those things are big. And then from an analysis perspective, if you really, truly do know what you have, and we can talk a little bit about why so often people think they know what they have, and they don’t, but then you need to be able to do things like cloud attack surface management. So kind of understanding what you have and how it’s related to other things. And where your end points and then cloud security posture management which is sort of about saying, “Hey, how do we quantitatively measure and assess our overall cloud security posture?” So that means saying, we have all these resources out there? Great. How are we performing against NIST, CSF? And how are we performing against ISO and, and so forth. So I think that those are kind of the core two or three things I mentioned there that really help you, that you really need to focus on to get a clear picture of what you have in the cloud and what’s going on.

John Verry (07:00):

It’s funny, because even if you look at the CIS CSE, the critical security controls, number one is always asset management in every iteration. And it really is, if you don’t know what you have, how do you know how to protect it? Have you know that it’s properly secured? So quick question for you. So with OpsCompass, I’m not familiar with your application, is it an application where you’ve got to teach what you have or if you were to, let’s say, use your application, will it actually discover these assets and give you an idea of how they interact and interrelate with each other where they’re being deployed within these hybrid cloud environments? If you put stuff in AWS, I mean, which region is it in? How is it interconnected? Will it help us with all of that or is that something that we need to actually teach OpsCompass?

John Grange (07:48):

No, and that’s kind of the beauty of it. A big focus of ours is to make sure that we do all of that automatically because, again, if people knew what they had well enough to tell you about it, and set it up, they wouldn’t necessarily need software to help them with it. So we do that automatically. But there’s also another component which is, many of these resources, understanding the entire state of them isn’t always completely straightforward. So we built kind of an engine on the backside where, so just as an example, certain resources in Microsoft Azure. To actually get a full definition of that resource, other things it’s related to, groups it’s involved, it’s in other kind of attributes or running PowerShell scripts and doing all sorts of things to construct as high fidelity of a picture into that resource as possible.

John Grange (08:38):

So then when we’re doing the analysis, we have very granular, detailed information to do analysis on. The example we show lot of customers is going to the CLI and just ask about a user and we do this in AWS a lot. And it’s just a very spartan return, here’s your user, here’s a couple other attributes but nothing about what other groups that users, a member of other interactions with roles and policies and things of that nature. So we put a lot of focus into the depth of kind of understanding and depth of visibility we have into these things.

John Verry (09:15):

Okay. So obviously, having these attributes of these assets and understanding how they connect with each other gives us a lot of the context that we’re going to need to be able to understand which practices, which best practice or which group of controls that we’re going to be applying to each of them. How do we add other levels of context? So as an example, it’s one thing to know that I’ve got, an EC 2 instance over here versus one over here, but it would be radically different to know that this one has data which is subject to CCPA and this one has information that’s relating to HIPAA. Because I’m going to want to apply different sets of controls. So how do you manage that? Is there a way that, do we teach again the environment like, Hey, this is what’s relevant for these particular resources or does your tool have some mechanism by which you can kind of figure out what is actually being stored. I mean, so nother way to say it is asset discovery or asset discovery and data discovery?

John Grange (10:07):

That’s a great question. The thing with data discovery is once we, if we look into somebody’s actual data bucket or storage bucket, now, we all of a sudden have a lot more responsibilities, liability and things of that nature. So we do not-

John Verry (10:24):

They might not want you to right?

John Grange (10:25):

They won’t. It’s tempting to say, “Man, OpsCompass should really maybe go the whole kind of end to end.” But if you saw what we have to go through with corporate procurement and risk departments, it’d be very hard to do that. So the way that we handle that though is helping customers. So there’s a little bit of on the OpsCompass side, we can help customers set up filters and some other things, so that they can have views into their environment with some specific context, much like what you’re talking about. But the other thing is and we can’t build software that just does everything for customers. So this is where, why can’t we just snap our fingers and just make it all happen?

John Verry (11:06):

I mean, yeah, you’ll never be hacked, you’ll always be compliant. I mean, come on. I mean, you said this is your third company. I mean,[crosstalk 00:11:14]

John Grange (11:16):

Yeah, exactly. But a lot of what you just said comes down to really having strong governance. And sometimes organizations have the capability internally. And they’ve really thoughtfully put together a cost center of excellence, and they’ve worked through these issues, maybe they’re a little bit more mature. But a lot of them frankly need other partners and folks to really help them kind of have a governance strategy for data and everything else. And OpsCompass ends up being a great tool to be part of a broader cloud security cloud governance program, but there’s just a lot of stuff that comes down to the people with hands on keyboards have to kind of design an architecture here that makes sense.

John Verry (11:54):

You see. You piqued my interest with something that you said there is that in order to have like a program, in my mind you need to have a strategy, a set of governing principles about how we’re going to effectively and securely use the cloud and how we’re going to validate that it’s doing that. How often do you see a cloud strategy? And if you don’t see it, from your perspective, should organizations actually have one? And if they were going to have one, what are the key things that should be in a cloud strategy? What are the key principles that they got to kind of have as their guiding missives, if you will, so they can use that to make all of their downstream decisions from.

John Grange (12:35):

Oh, man, you’re asking really good questions here.

John Verry (12:39):

You just you thought this was gonna be a layup?

John Grange (12:40):

I did. Gosh, cloud strategy. So, my first kind of pithy comment is that, well, when customers haven’t really used much cloud, and they’re very early on, and they have a cloud strategy, it’s usually something that they’ll be able to just rip up in a year, because I do think it’s very hard. I think it’s very hard to not have any experience in the cloud, and to have a bunch of kind of execs sit at a conference room and kind of put together like a cloud strategy. And I think in reality, the way companies really get started and end up with a consequential cloud footprint is a little bit messier, and stop and go.

John Grange (13:21):

Now, when somebody’s got their, when they’ve really kind of gotten in more than dipping their toe in, I guess, is what I’d say. There’s lots of details. And frankly, you guys, you might have more insight into some of this than I do. But I would say that the really critical component that your cloud strategy has to address is, what infrastructure is the organization going to centrally provision and manage? Maybe it’s shared infrastructure. And how much latitude are the cloud, the users, the consumers going to have to make decisions on how they configure things, what their best practices are, what the security posture should be.

John Grange (14:06):

That’s kind of where the landing zone concept comes from. Security and IT can get together and kind of instantiate an environment that then you can hand over to developers and for them, the walls are padded and nobody can get too hurt. Kind of that dynamic, upfront deciding how you’re going to handle that because people are going to be able to make changes to your cloud. Most of these services require that other services are avail, you’re not going to be able to kind of deny policy your way to making this thing work out for you. You actually have to sit down and think about what are you trying to get out of this? Who’s going to do what? What are we going to allow these sorts of stakeholders to do? Kind of all those things that nobody ever even thinks about upfront if they haven’t used a lot of cloud because it’s so different from the data center on-Prem world. They don’t even address it.

John Verry (14:54):

And I like what you said there. From my perspective, what I see missing when we talk about folks with this is is that last time you said about, what is the business trying to accomplish and how do we ensure that our use of the cloud meets us there? And there it’s, is it cost savings? Is it growth? Is it the ability to serve as a different type of a customer base? So am I might move to the cloud because I need to get to one of the Gov clouds because I want to service clients that are in the DOD or something of that nature. But I mean, I think that’s a lot of that strategy. And then understanding, okay, if as a company we’re going here in the next three years, we’re moving from conventional waterfall DevSecOps where these tools, these types of data, this type of size of our organization, then I can then build that strategy of understanding what are the trusted frameworks that we’re going to use to help manage and control this environment?

John Verry (15:51):

What’s the trusted ecosystem I need to put in place? How am I going to resource this in terms of people and tools. Products like yourself. What are those sets of repeatable processes I’m going to need to have in place? And how do I at the end of the day govern it? How do I validate that? How do I get the trusted information, that single pane of truth if you will, that I can look at to say, “Yep, things are good.” And then at the end of the process, of course, if the idea was I need to prove to my clients that we’re trustworthy, we’re provably secure compliant, what’s that access station strategy that we’re going to have to actually hand that off to them? So yeah, fun stuff. So we don’t see a lot of the strategy either. So I was curious, if you did. It’s increasingly a conversation though.

John Grange (16:32):

It is. There’s just this dynamic and I don’t know if it’s just unique to kind of some of the cloud dynamics here or if it’s just how companies tend to work. But customers are all really pretty good at executing on a project. So if the project is, hey, this is our first cloud workload, we want to have like a cloud strategy. And it’s really not a cloud strategy, it’s a strategy for how we’re going to get this workload running in the cloud. Lots of vendors can help you with that. That’s not very fraught. The clouds are very easy to work with. And actually very simple if it’s like a single workload or for a few projects. A lot of the problems come from scale.

John Grange (17:07):

So I think that what ends up hurting people and why this is so difficult, and why the people who have been there for a while actually have a plan. And the people who think they have a plan to get started don’t is that day two, day three, day four, as it grows, as it goes from two projects to 10 to 20. That’s where all this stuff matters. And the plan matters. And the governance strategy matters. And that’s where everybody falls down. I think that’s kind of at the heart of the dynamic here.

John Verry (17:34):

Quick question for you. So I’m trying to understand if you live in, one camp, two camps are kind of at the intersection of both of them. So to me, I got this idea in my head of operational controls, that’s the bread and butter, the things that happen on a periodic basis that are necessary to ensure that this stuff runs securely and effectively. And then you’ve got the validation component, I call it the act of monitoring, the measurement, the governance functions that help us verify that we’re complying with whatever standards that we’ve established. And we also use that to validate that at the end of the day the net objective is being achieved. So do you sit in both of those, sort of at the juncture them and a little bit in both of them are more on the pure governance side do you think?

John Grange (18:21):

So I’m not sure I totally understand that. So do you have the operational controls and then the governance you’re talking about is basically the active monitoring of those controls, right? I’m I following you?

John Verry (18:33):

Mm-hmm (affirmative).

John Grange (18:35):

I mean, I think that they’re both probably equally important.

John Verry (18:38):

But I’m just trying to figure out where your product sits in that.

John Grange (18:41):

oh, where our products? Yeah, got you. So definitely on the operational kind of monitoring side of things.

John Verry (18:47):

Okay.

John Grange (18:47):

And that’s kind of one of the big value propositions is you can plug in a product that takes 15 minutes to set up and at least get right out the gate to okay, we’re continuously assessing ourselves against these frameworks, these industry frameworks. Okay, good. Now, at least we have that stuff taken care of.

John Verry (19:04):

Got you. Would you say that what you’re doing is, it’s sort of cloud configuration management or validation? Are you looking for drift from, digging a little bit deeper about the value prop of what you’re actually doing there?

John Grange (19:18):

Sure. So they kind of starts with, at the core. And then almost it’s like temporal with your experience setting up OpsCompass. So you get it set up. So we have kind of your cloud asset management. We go out and get the inventory, you understand kind of what you have, and you’ve established that initial kind of visibility. Then from there, you’re able to browse through your inventory, query the inventory, look at relationships between resources, really kind of assess that attack surface of your environment, your exposures. Now, over time, as things are changing, deployments are happening, things are happening, you really want to understand your drift. And this is actually kind of the heart of OpsCompass is particularly a differentiator. Because we have the deep, high fidelity definition of all these resources, we’re able to do really advanced configuration drift monitoring.

John Grange (20:10):

And if you think about it everything I’m talking about here is on the control plane through all these API’s. And what’s interesting, and what’s happening in cloud and cloud native is there’s so much richness in that control plane now. For a bunch of these cloud, Kubernetes services, for instance, I can know everything about Ingress and Ingress controllers being added to Kubernetes, new nodes, scaling up, scaling down, policies, all these things through the control plane. So if you really have a grasp on drift, and how these things are drifting, you can actually, instead of extensively parsing through logs and using sim systems and all these other things, you can understand how all these critical components are changing really quickly. So drift is a big part of it.

John Grange (20:51):

The other thing that I’ll just add real fast is that DevSecOps, automation, CI/CD pipeline, this is how most customers we see are provisioning their infrastructure when they can. The trouble with that is that sometimes you can’t. And out of band changes are like one of the biggest problems that customers have, particularly as their environments starts to scale. So OpsCompass is great because we’re centralized drift monitoring and management. So if you’re using terraform, for instance, and a change gets made outside of terraform, your terraform plan command isn’t going to tell you about that change, well OpsCompass will and it’s kind of, again, part of that validation. I think that configuration validation, that’s a great way to describe it.

John Verry (21:34):

Got you. Is it just detective or can it be preventative? So as an example, let’s say that I wanted to ensure that Kubernetes containers were not being deployed except in a certain way or through a certain process, so will this block that or would this because it happens out of band, would it just become aware that it happened and alert me to tell me that it happened?

John Grange (21:59):

It would be the latter. We talked about kind of the operational aspects, the day two, day three, day four, one of the things you really need, the kind of operational visibility for is you don’t come up with all your policies and all your governance, day one, it’s part of a feedback loop from you did this in the cloud, this is what happened, you make changes, you update your templates, you update your posture. So what customers use OpsCompass for in a lot of ways is to find the things that they need to fix in their pipeline, to find the policies that they need to implement in their environment, hey, we don’t like what this did. Let’s make a policy to make sure that that happens. And also, let’s make sure we roll this back. And then OpsCompass will show you that you roll it back. And we make sure that happened.

John Verry (22:43):

Got you. And then can I deploy, so if I want to, let’s say validate a particular control is being applied uniformly across all my clients. So let’s just say for sake of argument that I’m a proponent of NIST SP 63B, I want all my passwords to be 16 characters long. I don’t care if they’re uppercase, lowercase, all that kind of stuff. I just want long passwords everywhere. Do I tell OpsCompass that I want long passwords everywhere and then it’ll automatically translate that into the right policy that would be unique to my individual clouds or would I actually go into each of my individual clouds and set that policy?

John Grange (23:20):

So the way we do it is we’ll support like a whole framework. And then that whole framework, unless you configure otherwise is going to be applied to all your clouds you have connected to OpsCompass. So if you’re using NIST, you can have an Azure, AWS, GCP, Office 365 and you’re going to be able to report on this across all of those.

John Verry (23:41):

Got you. One of the other things, which is, I think, often overlooked about the cloud. And I only know this because every once a while I jump into our Office 365 security and compliance center, and embed and buy it is the insane level of continuous development that takes place in office 365. So what happens is, every time I go in there, our secure score has changed. And it isn’t because we did anything, it’s because Microsoft did something. And as Microsoft rolls out these new features, these security features, I’m assuming that what happens is, on some of them, I know, they’re adding additional features on to something and we’re being set to a level by them to allow this feature to exist, or our security posture is getting lower effectively, because we didn’t know that was a new capability that we could implement. Because we’re just not aware of all of the changes that are taking place all the time in their environment. Does OpsCompass have any way to help deal with that, because that is painful.

John Grange (24:45):

Oh yeah, that’s one of my favorite use cases, to be honest with you because it’s one of the great reasons to monitor configurations because it isn’t a static thing. And the example I like to give people is it’s on Microsoft Azure, and it’s if you provisioned a storage account, two, three years ago using the November of 2018 API version. And you went and you looked at your cloud state today, you would see that you have like all these configs that don’t exist in that template that’s sitting in your repo that you think is exactly what you deployed. So you would have now a configuration that you can toggle to allow or disallow public access to all blocks. There’s a minimum TLS setting, which is really useful for you to force a minimum TLS except the defaults, TLS 1.0, which customers are typically not stoked about. But that’s there. And it’s not that they provisioned it on your behalf it’s because you haven’t really internalized how the cloud works. It’s software, there’s just new features for this thing.

John Grange (25:49):

And again, we talked a little bit about kind of DevSecOps and CI/CD, that all is great, and it improves your security and your efficiency, all of those things but customers tell me that they’re using what the template in the repository says, as the cloud state. So like, “Hey, I deployed this storage account three years ago, why is that template that deployment is not sufficient for me to know exactly what I have out there?” And this is like a great example why. So customers using OpsCompass would see drifts come in, they would say, “Hey, minimum TLS set to 1.0 on this resource now,” and it would be a change that’s actually attributed to nobody. We’re working on actually having a little bit better experience there but you can see you can see it plainly.

John Grange (26:33):

I actually just did a call this morning with one of our customers. He’s one of my favorites because he’s a power user of the product. And he’s like, I would say half of the reason why he goes through all of those drifts is it’s exactly what you said, Microsoft is constantly just adding things. And it’s not just that he’s worried about a bad default, like minimum TLS of 1.0 being forced. It’s what you said, are there new things that I can enable that make my environment more secure, that harden my environment in new and different ways? And the answer is a lot of times, yes.

John Verry (27:08):

So that’s actually a really cool thought process. Because if you think about it logically, any good information security framework, ISO 27001, does, the concept of continuous improvement is critical. And if I set a baseline, and you continually Tell me when I deviate from my own baseline, that’s helping me stay where I am. But it’s not helping me get better. If you are then saying now am I going to keep you at your baseline, but if your baseline should be moving based on things that are happening external to you, I’m going to actually help you become aware of that which gives me this ability. So just using your tool, in theory, at that point, if I’m cognizant of that, and I’m making those changes that make sense. I’m continuously improving, because I always say if you’re not moving forward in security, you are going backwards.

John Grange (27:58):

And in cloud security, I think that’s even more pronounced.

John Verry (28:01):

Agree completely.

John Grange (28:03):

Because the platform’s themselves, not only is your usage as a customer evolving, you’re getting better, your staff is getting better and more skilled with cloud, but the cloud providers themselves are changing too. And it’s this kind of dance, this back and forth, that continuous improvement becomes even more important. So I think you’re right.

John Verry (28:22):

Got you. And then in terms of when we talk about these baselines that we’re talking about, I’m assuming those baselines are either associated with a regulation or a standard and would they also be associated with let’s say that, like Salesforce, as an example, because it has some very good best practices. If I went into your tool, would I be saying, “Hey, I can align this with the Center for Internet Security benchmarks, I can align this with Microsoft best practice, I can align this with ISO, or NIS guidance,” is that how your tool works? I’d pick the appropriate set of constructs for each of the individual assets that I’m managing.

John Grange (28:59):

Yep, that’s exactly it. And then what a lot of people want to do is there’s kind of a few of them or maybe even as much as a handful, that it’s meaningful to align to, but then kind of going back through and saying, “Look, this is redundant. So we’re going to not worry about these controls, because we actually prefer the ISO controls that do that better.” And a little bit of it gets beyond my personal kind of knowledge of the whole audit process. And you might have more insight into that. But I do find that customers generally don’t just want to align with one of these things, that there’s kind of layers to these frameworks and why they want to align that way.

John Verry (29:34):

Who buys your product? Because I’m listening to you talk and I see security component of what you do and I also see a compliance component for what you do. So who’s the typical person that sees your tool and says, “We need this.” Is it a security person? A compliance person? Does the security person pay for it and the compliance people love it? The compliance people pay for it and the security people love it?

John Grange (30:00):

That’s a great another great question. It’s typically security who buys it. But a lot of times, security, compliance is in their purview, or at least monitoring for compliance and producing stuff for a compliance team. So we always have users from compliance. The compliance use case in our product, one of the things for us is we want our product to be something that people use every day, at least at the minimum every week and the compliance use case, a lot of compliance teams are not used to being continuously involved in an operation. There’s a lot of pulling reports on a weekly or monthly basis. So we end up kind of having a pretty dynamic user base where security is often the buyer security definitely as users but there’s also developers and kind of CloudOps people that are users, because they’re keeping track of different sorts of network drifts and other things going on with databases and things like that.

John Verry (30:55):

So I literally had a podcast last week, I don’t know when it dropped, it might have literally dropped last week, relative to when this drops, it won’t be that if somebody’s looking. But I had a really interesting conversation with a guy on this subject. So I’m curious as to whether or not your product could also fit into the same problem solver. So we were discussing the fact that there is a fairly significant gap between compliance, old school compliance, and Agile DevOps, CI/CD worlds. The old way is if you go into a more traditional organization where compliance is a separate function, in the old days that come in and say, “Well, show me three examples of where the application went through the right security gates or milestones for the last build, ” and there was two builds in the year.

John Verry (31:46):

So when you’re in a world where things are been built three times a day or 10 times a day, I mean, this whole idea of traditional compliance people trying to apply the same types of sampling rates, and looking for the same types of artifacts really don’t make any sense anymore. And you got the compliance people don’t really understand DevSecOps, and the DevSecOps people don’t either understand compliance or really don’t want to deal with it. Can we use this product to bridge that gap a little bit, to solve that challenge?

John Grange (32:18):

I definitely think so. I hadn’t heard anybody present it on those terms but I think you’re right. Kind of an example of where you’re right is look at Center for Internet Security controls, the cloud controls, that’s really a security best practices. That’s a security kind of best practices framework that’s very prescriptive for Azure, AWS, and GCP. But it’s also what many, many compliance departments need to report on to their auditors, because these auditors have been kind of stuck in this place where, well, how do you audit cloud? Ephemeral resources, all these other things, what we’re hearing from customers that are in regulated industries is auditors are saying, “Look, you need to show us that you’re CIS 7.2 compliant, or you’re NIST CSF compliant, and that’s how we’re going to kind of audit those aspects of your cloud.

John Grange (33:14):

So I think that right there, there’s this, and again, part of it is that the shared responsibility for security in the cloud is such that there is complete overlap in many cases between what the security people want to do from a security best practices standpoint and what the compliance people need to demonstrate the auditors.

John Verry (33:34):

Can you in any way, shape or form help them tie, so do you have any type of like bi directional JIRA interface? Because if you think about it logically, what you’d want to be able to do is kind of tie all of the processes in that workflow into some type of centralized way to see evidence of conformance with process. So you’re definitely part of that. Is that something that you guys are doing yet? Is it kind of more, I don’t know the right word would be but the kind of integrating into that flow?

John Grange (34:11):

Yeah. So we have an API, like a webhook API too where you can have these, when something is provisioned that’s not in compliance with one of these frameworks, maybe something gets modified and now it’s out of compliance, that can be sent to Slack or a ticket system. We also have customers that they actually onboard users from their company into our product that are like Scrum masters, who are taking basically exports of their compliance report, essentially, and then going and creating tickets from it. And we’ve actually added some features to that export that have been just feedback we got from Scrum masters, they’re like, “Hey, it’d be easier for me to do the analysis. I need to make this ticket if you did X, Y or Z.”

John Grange (34:56):

So that’s definitely an emerging use case for us because honestly even a year ago, a lot of customers were saying, “That’s ultimately what we want but we’re not ready to do that yet.” Everybody wants to run their cloud and kind of this separate bubble for however long. And we’re just now starting to see kind of the cloud operations and really get kind of brought into what you kind of normally think of as just kind of the water company IT operations.

John Verry (35:24):

Got you. On that API, so if I was running a process, and let’s say that my process deployed a container or deployed an EC 2 instance, whatever it might be, could I have my workflow trigger your API to sample what I’ve just built and validate that it meets our policy, our configuration requirements?

John Grange (35:52):

So right now, that is not how it works. So right now, what would it be is you deploy it and if it was wrong, we could send the-

John Verry (36:02):

You’re just continually sampling the environment?

John Grange (36:05):

Yeah. And well, what we’re doing is we’re listening for events that happen on the environment, and then going in and inspecting. But we’re also-

John Verry (36:12):

You’re sitting in the logs of the cloud service provider, and that’s how you’re kind of being aware of what’s going on.

John Grange (36:18):

And we’re only using the logs as a signal for something happened, we’re not using the logs to parse for a lot of information other than user attribution.

John Verry (36:25):

Okay, I see something happened in the log, I know there’s a new resource, I’m going to go and assess that resource and I’m going to alert if it doesn’t meet the requirements.

John Grange (36:34):

And what we’ll actually do is we won’t just assess that resource, we’ll actually assess the entire environment, because part of it is is that resource might not be the only thing that was changed. And if we only look at that one, we might not see the whole picture. One of the features that I’m most excited about that we’re building right now, that is going to be a fourth quarter release, I believe, is a command line interface tool that’s going to do exactly what you were talking about. We’ll provide DevSecOps with kind of an in CI/CD pipeline capability to say, “Show me what this will deploy.”

John Grange (37:09):

So here’s an example of that storage account I was talking to you about. If you were wanting to provision an ARM template that was using a 2018 version of the API, OpsCompass would still tell you that you’re going to have those additional attributes, because we have millions of storage accounts in our database. And we know what these things are supposed to look like. But also just some more basics too like, hey, is this going to create a compliance problem? Am I going to be out of bounds on ISO with this? We’re really excited about that. We kind of have early versions of API right now that you can programmatically get a list of resources, list of compliance problems, resource definition for an individual asset, things like that.

John Verry (37:53):

And just out of curiosity, you generally want to meet people where they work every day. And so the people that are not going to tool every day, you’re pushing this data to them through their sim, you’re pushing this data to them through a ticketing system, you’re pushing this data to them through, how does somebody, if your system is off running in the corner from my perspective but something and I haven’t been there in a few days, and something’s going on, how are you getting that information to me?

John Grange (38:19):

The most popular thing is Slack. So teams love having a Slack channel where you can know that certain things are happening, certain drifts happening. The other thing is we have digest emails that can be configured in the product that’ll basically give you an email on a regular cadence. That’s a roll up of, hey, here’s how many changes you’ve had in the last whatever time period, here’s how your compliance score is right now, here’s your performance over the last seven days and trying to make that more rich. That’s a big one for me, because I don’t know if you’ve ever used something like New Relic before, but New Relic I think is a competitor so maybe our marketing people will get pissed at me for talking about them but I don’t care.

John Verry (38:59):

You know what I did hear about New Relic? I’ve heard that terrible.

John Grange (39:03):

I don’t even mind I hate that stuff. Sometimes I don’t like what our marketing department says anyway.

John Verry (39:11):

When you have a great product, you don’t really need to worry about your competition. That’s the way at it. We invite our competitors on the podcast all the time.

John Grange (39:18):

Yeah, it’s fine. We’re just talking about cool stuff. But, New Relic, I’ve used it in the past where you’re working with a customer on a consultative basis, and you’re helping them out with whatever, performance or whatever it is. They invite you to their New Relic account so that you can see their metrics and you end up getting this awesome little email every morning or every Monday morning, whatever it is, that it’s all the useful information you need. And I always appreciated New Relic it was like, gosh, I’ve been using this product for like three years and I don’t think I’ve logged into it in three years other than clicking through from the email.

John Grange (39:57):

So with OpsCompass, we’re not as far along as they are with that strategy of course, we’re kind of early days but that’s kind of the vision for me. Because I found that to be a very useful workflow on top of you got to have integrations to do system ticket systems and IT Service Management Systems. By giving you that email where you can just click because most people who are managing a cloud, there’s a couple metrics that they know that if they could just see it on a semi regular basis, they could just tell that, okay, I need to log in and look at something.

John Verry (40:28):

Exactly. Last question, what’s the right skill set for folks to be managing your tool and leveraging the tool? Is it a compliance person? Is it a cloud engineer? Is it just a broad based InfoSec guys, that a guy that’s in the DevOps process? If I was going to buy your product and I wanted to make sure that I had the right person to manage it, and use it every day, who would that be?

John Grange (41:00):

Yeah, so the person that’s usually kind of takes the lead with customers is typically somebody who’s a leader on a team that’s responsible for the cloud, or the architect that’s responsible for it. And part of it for them is they usually have a very complete understanding of all the pieces, and generally what the mission is and they care about the big picture. And then from there, it’s oftentimes InfoSec it’s good information but they don’t always have all the context around cloud. That’s a big part of it but not the whole picture. The cloud engineers, a lot of times they’re great users, obviously skill wise and everything the products easy, but they typically will only care about a couple projects or two, so then they have their different scope.

John Grange (41:47):

So we kind of have this patchwork of different users that care about different things. And from my perspective, all of it is the same stuff that’s relevant but inside companies, you have these different kind of domains of expertise and domains of responsibility. Right now though the best users are usually the ones that know the most about cloud and they understand and we’re always working on user experience to be more and more accessible, but when you know what you’re doing, and you see that I can go see and get this thing at OpsCompass real quick in a couple clicks, whereas in the cloud, I’m going to have to go write this command. And I might actually have to write a little Bash to iterate through it because AWS CLI’s kind of weird.

John Verry (42:25):

Or just have to log in and out of eight portals.

John Grange (42:31):

That’s exactly it.

John Verry (42:32):

I mean, it’s versus going to one unified interface.

John Grange (42:37):

It’s a great thing for if you’re kind of starting some troubleshooting, and you want to really quickly be able to see, hey, how many, what other lambdas do I have on the same VPC? You can definitely go find in lots of different ways but that’s a very trivial thing to go find at OpsCompass. So sometimes it’s great to get really a power cloud admin to get into OpsCompass first and be that power user, because then they end up helping the other people in the organization understand that they can get the information they want in there, too. So get InfoSec and get compliance.

John Verry (43:09):

And I was just going to say, I’m listening to you talk and I’m realizing that it really needs to be idealized, it is a team effort. Because you’ve got legal folks that are going to kind of make sure that we know what regulatory and contractual obligations apply to the different types of information and data that we’re putting in different places, risk as well. Then you’ve got your cloud guys, because you’re right, if they understand really what’s being used, how it’s being utilized, how it all interconnects, and then you’ve got the security guys that are going to say, hey, from an ISO perspective, or a NIS perspective, or a CIS perspective, we need to implement these control sets in this way.

John Verry (43:50):

And then you’ve got the compliance people that are saying, wait a second, if you’re going do all this stuff, I need to know that it’s actually happening, how can you generate the reports and the information that I need to do my job? So it seems to me like if you got those four basic groups together, that you’re probably going to have a pretty successful implementation.

John Grange (44:06):

Yep. The network too is another piece of that.

John Verry (44:10):

Really? Exactly just now we’re seeing so much software defined networking. I mean, network infrastructure is now code. So I mean, is that why that that group is important?

John Grange (44:22):

It is in the hybrid cloud, the prevalence of hybrid cloud. So these environments are connected to on-Prem networks. Also container platforms. When you go use containers in the cloud, depending on how you configure the networking, for instance, you might have to allocate hundreds of IPs just to get started. But it probably doesn’t surprise you that developers will often build clusters using just the 10 dot range slash 16. And it doesn’t matter at first because it’s not a real project. It’s maybe not something that’s live or in production, but when it goes into production, do you see these network guys just get infuriated because they’re like, you’re going have to rebuild and re IP this whole thing because we don’t have 600 IPs to give you in the ranges that you want.

John Verry (45:12):

You just brought up one of my favorite things is that there truly is no such thing as a proof of concept. Because the minute a proof of concept is at least marginally successful, no one wants to start over and go through a conventional rebuild. It’s like, well, let’s just kind of push that into prod. And we’ll kind of tune it up later. And inevitably, your POC ends up being your product.

John Grange (45:35):

Totally. And another kind of constituency we’ve seen companies add to the product is procurement and entitlements.

John Verry (45:44):

How does that work?

John Grange (45:45):

So if you think about if your company is now spending four or five, or six or $10 million a year in the cloud, the cost now becomes real kind of business risk. So they’ve got people that all they’re paying attention to is what kinds of new things we’re using. What kinds of new things are being set up.

John Verry (46:04):

I saw a guy recently and a client of ours, that his title was dead thin ups. And his job was nothing more than to understand the financial implications of what they were doing, how they were doing it, and to manage cloud cost. And I started to laugh, and I was chatting with him and I said, so this sounds like My Verizon, you migrate from optimum for $99 for three years. And three years later it’s $268 a month, and I’m looking at the bill, and I have no idea how it got there. And we have a footprint in Azure, we have a footprint in AWS and Office 365. And the bill just goes up and up and up. And you look at the bills, and no one. What’s this? What why is that there? Do we really need this? Does the server need that much resources? Yeah, I can imagine in like a lot of organizations, it’s probably a full time job. So if you’ve got a tool that would allow them to kind of have some visibility into that, I would think that would be fantastic.

John Grange (47:11):

Yeah, that’s a drift. We call it drift concerns. If we just showed you all changes of everything that happens, which you can at OpsCompass, I call it forensic mode but that’s just kind of what I call it. It’s too noisy. Just everything under the sun is changing all the time. So we have what are called drift concerns where you can turn them on and it’s data, networking, and containers and all these things that you’ll be able to start to pick out changes in really critical settings, and kind of ignore other noisy stuff.

John Verry (47:42):

Can they set alerts or can they concentrate on the ones that would cost them the most. Like hey, this cost a lot. If this happens, let me know.

John Grange (47:55):

Exactly. And the cost drift concern is one that customers love to turn on because it’s picking up drifts on things like the skew changed, the number of nodes changed, things like that. So then you can kind of hone in on and a procure person could just say just show me all the cost drifts that we have and kind of narrow down. We aren’t a cost tool. If you think about it, we’re very much about a tool that helps you understand what you have, and how it’s changing. And then what that means. And there’s a lot of changes that just it’s not a security problem or anything, but it’d be nice to know that we’re running a whole different skew of this database now.

John Grange (48:33):

For certain Azure resources, it’s not easy in AWS, which is why we don’t support it. But for certain Azure resources will actually based off of your pricing will give you a quick, “Hey, if you leave this on for the next 30 days, this is how much money you’re going to spend.” We’re not going to turn into a big cost and billing tool but we do want to give people really good intelligence about configurations.

John Verry (48:54):

No, I think that’s hugely valuable. And going back to that original conversation where I asked you about what a strategy would entail. I mean, obviously, cost control definitely needs to be part of the cloud strategy because it’s easy to outspend what you thought you were going to spend by a fair degree.

John Grange (49:12):

Yeah, and a lot of it comes from what we were just saying, people start to use products out there, and they’re using it at such small levels that it doesn’t show up on the bill. And then when it becomes a production real thing, they turn everything up. And they validated security and everything happened to get it to the place where, hey, this can be a real production service, but no one ever bothered to look at how is this thing billed? Is it a metric based billing? Is it skews or how are we keeping track of this? How does it work? So just understanding what you have, one of the reasons why you want to know what you have is so you can understand how you’re going to be billed for stuff.

John Verry (49:53):

I think every CFO or CEO listening just kind of shook their head. Well, this has been fun and I think we’ve covered an amazing amount of ground in a short period of time. Is there anything that we missed that you wanted to touch base on?

John Grange (50:07):

Gosh I don’t think so. This is sort of an exhaustive survey of the cloud security posture landscape.

John Verry (50:17):

A lot of people say that I’m exhausting to spend time with so you’re not you’re not helping my ego, John. Unfortunately, it’s my wife who’s usually telling me that.

John Grange (50:27):

As you’re just saying, it might just be your wife.

John Verry (50:32):

Well, listen, man, this has been this has been fun. I appreciate it. There is one question that I asked people, but I didn’t give you a lot of warning. I don’t know.

John Grange (50:41):

No. I’ve been waiting for it.

John Verry (50:42):

You’ve been waiting for it. All right. You know what I like a guy who’s prepared. So what fictional character or real person do you think would make an amazing or horrible CISO and why?

John Grange (50:52):

So in the 15 minutes, I had to prepare, I came with an amazing one and a horrible one.

John Verry (50:58):

All right, wow. A twofer.

John Grange (51:02):

I’ll start with the horrible one. I think the horrible one would be Han Solo. If you think about a CISO, especially in today’s world, you’ve got to be able to work with lots of different constituencies. You have to be very thorough, and you have to be very disciplined. And I think that Han Solo doesn’t work well with other people.

John Verry (51:24):

Doesn’t play nicely with others.

John Grange (51:27):

Yeah. And the types of skills and characteristics that allow you to have that hunk of junk complete the Kessel Run and I can’t remember how many parsecs I’m gonna make myself look really nerdy. That’s great, but that’s not necessarily the type of personality or type of characteristics that probably lend themselves to being a good CISO.

John Verry (51:48):

But he brings Chewbacca along for the ride. You got to give him a couple props there.

John Grange (51:53):

Yeah. Right hand man. Again, there’s probably a better kind of CloudOps person, or the type of person where you need somebody who will grind on a less than optimal kind of hardware situation or infrastructure situation and just make it work. So that’s probably better for Han Solo.

John Verry (52:08):

Sort of the MacGyver of DevSecOps.

John Grange (52:10):

Yeah, exactly. Love MacGyver. MacGyver would have been a good one. I didn’t think of MacGyver, The fictional character that I think would be an amazing CISO is Batman. And I say, Batman, because Batman is one of the founding members of the Justice League. So he was able to get big egos, was able to bring together this organization to have a goal of kind of protecting the world. But also CISOs are in this situation, where they’re very kind of influential, very critical, but a lot of times they don’t directly report to the CEO, or they’re sort of just outside or just adjacent to the C-suite. And Batman wasn’t an official member of Justice League for a long time, he was kind of a shadow member, but really pulling a lot of strings behind the scenes. So I thought that Batman would be a great fictional CISO.

John Verry (52:56):

When I heard Batman I thought you’re going tool belt, because he’s going to have something on his tool belt for every single mission.

John Grange (53:03):

I mean, we could really dig into this. I mean, that’s definitely-

John Verry (53:06):

And he looks great in tights. He’s going to be impressive in a boardroom.

John Grange (53:12):

Yeah, and he’s got the Wayne Enterprises boardroom experience.

John Verry (53:16):

That’s exactly right. The more we think about this, the more I think Batman is a good choice. All right man, well listen, this has been super fun. I appreciate you taking so much time to chat with us today. Thanks, again.

John Grange (53:28):

Awesome. I appreciate it. This was all fun.

John Verry (53:30):

I forgot to ask. How can people get in touch with you?

John Grange (53:32):

Oh, yeah. So you can get in touch with me on twitter @JMGange. And I don’t know if you have show notes or whatever. And you could put that in there. Or just reach out to me on LinkedIn, you can go to opscompass.com and check out what we’re doing. We have a free trial out there. Once your free trial’s up, you actually get perpetually the free version of our product, which is all the inventory and discovery and asset management stuff. So no risk at all. You can go sign up and get set up, see what we’re all about. If it’s not your thing, or you just forget about it’s no big deal, but you do have a great tool for asset management and inventory if you are going forward. So yeah, I think that’s it.

John Verry (54:12):

Awesome man. Thank you.

Narrator (Intro/Outro) (54:13):

You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at info at pivotpointsecurity.com and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.