Organizations are making big decisions to implement cloud solutions to boost collaboration and gain competitive advantage. But many aren’t prepared to handle the risks that cloud services introduce. In this episode of Security Soapbox, host Hank Schless talks shop with Faz Sadikali, Founder of Cloud Insights, on how to build secure workstreams and level up IT to reap the benefits of the cloud while ensuring data remains secure.
Hank Schless 00:09
Hi, everyone, and welcome to Security Soapbox. I'm your host, Hank Schless. And today we're going to talk about all things cloud security. As we all know, life in the cloud is generally better. That goes for productivity, cost savings, flexible working. But even with all the benefits, a lot of organizations really aren't prepared to handle the risks that all these cloud services have introduced. With your data residing across dozens or maybe even hundreds of cloud apps, and all of your users connecting from endpoints and networks that are out of your control, especially with hybrid work these days, the security environment is becoming far more complex than it ever has been. So today, I'm really excited to be joined by Faz Sadikali, founder and managing technology lead at Cloud Insights. Now, I'll let Faz say “hi” in a second, but give him the credit where credit's due. Prior to founding Cloud Insights in 2019, Faz was the SaaS global security lead within Accenture's cloud practice. He brings a wealth of experience in working with enterprise clients and teams to deliver digital transformation as well as cloud cybersecurity. When he isn't here discussing cloud innovation and security, he also enjoys playing guitar and tennis. I can do one of those things. And I tell you, it's not the musical one. So Faz, thank you so much for joining us. Welcome to the show.
Faz Sadikali 01:28
Thanks, hey, I really appreciate you inviting me, too. Happy to be here.
Hank Schless 01:33
Awesome. Well, let's get rolling. So today, we're going to get into really a focus on IT modernization, thinking about how organizations can transition from using those legacy systems that you know are near and dear to many of our hearts and moving up into the future with cloud services. And you know, really, how security digital transformation fits into all of this. So I'm gonna start off, just broad questions about you. Faz, can you tell the audience a little bit about yourself, and really how you kind of got into security and where you are today?
Faz Sadikali 02:02
Absolutely, yeah, I've spent the last 22 years involved in transformations, and within the last 15 years on cloud transformations, on how do we utilize the flexibility, the benefits of the cloud and that value. And that wasn't an easy one. For many years, it was quite difficult to get large scale enterprise clients thinking about the perimeter being broader than behind the firewall –– right? –– within a topology of things that you control as an enterprise. And so an exciting journey within the cloud security space. Really, I got started with a large-scale client, Wells Fargo global client; they wanted to leverage the benefits and the power of the cloud. But the investment bankers wanted to be on the beach in Bermuda, and wanted to access data and couldn't do it or be sitting in a client meeting, and access on their computer, access the data, and have a parlay with the customer. And so my experience with security related to the cloud really started in that position and I kind of fell in love with how we can leverage the power of the cloud, but fortify all the transmission and applications that move in terms of the cloud. So happy to be here. I love guitar and tennis. One thing that, in terms of my kids, that I've been doing, that has been taking a lot of time, has been showing them how to build fires, you know, and there's an art to that as well, right? How do you fortify and really make a successful fire? And so that's been an ongoing thing for the last month or two.
Hank Schless 03:43
Really been trying to show the young ones, providing metaphorical advice and life lessons wherever you can. So that's really cool. It's funny, you talk about the investment bankers at Wells Fargo wanting to access their data from anywhere, because that's exactly what my father did for about 30 years at Wells Fargo. I'm sure he unknowingly benefited from your work, considering, you know, sometimes he calls me and asks to print a PDF for the 30th time in the last two months. But aside from all that, it's cool, because I gotta imagine that over the course of those 22 years, especially the last 15, like you mentioned, that this idea of digital transformation has sort of come to be, right? It was a very new thing. It's still sort of, in my opinion, at least the term itself, even though it may have been a practice for a long time, may still be pretty new to some people, and really understanding what it means. So you know, I think in the last few years, obviously, with people going into a hybrid work model, this has become even a bigger deal than usual. And part of that is really modernizing IT practices. This is part of what you were touching on before. So from that perspective, what do you think, in your experience, seeing it kind of globally, what do you think organizations and teams are doing correctly right now?
Faz Sadikali 04:52
I think IT modernization is a tough thing. It's not an exact science. There's an art to it. And I think, you know, a lot of organizations are taking apps that are stale and pushing them over, or they're modernizing them, or they're building apps straight in the cloud. Many are leveraging SaaS-based ServiceNow, Salesforce, etc. to leverage the capability of that. And so I think enterprises are there. Fifteen years ago, we were thinking about cloud in the sense of a very basic level of functionality, very basic CRM components or CRM functionality. They weren't thinking around where they are now, which is the end-to-end lifecycle of a customer journey –– right? –– from origination through to support. And now they're thinking complexity of pricing and math and configure-price-quote and a lot of the complexity because of the power of computing that's increased, that has got there. So I think organizations have been starting to deconstruct really well, saying, “Hey, how do we sunset or do we pre-trade things in that modernization into the cloud and leverage more cloud-based frameworks with a cloud-first strategy?” And I think that's really driving customer satisfaction, productivity, sales uptick, right? These are things that are fundamental to the enabler of tech, you know, when I look at this client that I work with –– large scale, high tech firm –– they successfully went through a three year transformation across all BTUs. And one of the things that they focused on, were really critical about, was top-down, bottom-up. So one of the things that I see organizations really starting to get –– right? –– is how do we look at things in a more fabricated way? People, process, data and tech, and start to look at those components, and then leverage cloud frameworks. Whereas before, what I was seeing was a lot of clients thinking the silver bullet was the tech. And it's not, you have to look at processes, you have to look at data, its existence propagates throughout your topology inside or outside networks. They're there now. So I think that's what it's getting. Right?
Hank Schless 07:08
Yeah, it's interesting, because I think you're right that people think, “Well, I'll just put in this piece of technology, and it'll magically fix everything,” or whatever it may be, in the acknowledgement of, like you said, those four things –– right? –– data, people, process and technology, and sort of almost a system of checks and balances amongst them for a long period of time. That's the other thing. You mentioned that even this high tech client you're working with, I assume pretty advanced in the way that they think about things and their processes, took three years. A lot of people think, well, I'll just snap my fingers and put this one thing in place and off we go. So, talking about those key factors of modernization, kind of in digital transformation, what aren't organizations… they hate about… What do you think are some of the things that are unintentionally or maybe even intentionally being looked over? And is any of that kind of related to risks within the cloud?
Faz Sadikali 07:57
I mean, I think, threading back to what you said in terms of people, process, data, and tech. I think one thing is the change component –– change in terms of adoption. I think it's something that is an ongoing struggle, where limited uptake is in terms of the adoption of whatever the modernization is that you're trying to do. So definitely, that's one. I think the second, getting back to security, is absolutely the security embedded component being bolted on to that modernization program. Looking at the regulation of data, the how-does-this-work stream, involves the security aspect, really the limit of cloud services in terms of risk, and you're still putting your data in the hands of a third party provider. And so discovering the sensitive pieces of information that are existing in your ServiceNow stack, or your HANA stack, to ensure compliance –– very important, ensuring visibility and control over data being uploaded, downloaded and shared, kind of is critical, providing zero trust across that ServiceNow piece or any modules from any device or any location to ensure security related elements. These are aspects of them getting into the data, the piece of DLP, data loss prevention, and how you access data. These are just examples of security risks that exist across the perimeter line that's now shattered. That world is shattered from an enterprise, a global enterprise, or enterprise state. We exist in this perimeter-less world where we have to authenticate, verify, verify, verify, and that doesn't exist behind the firewall anymore. Right?
Hank Schless 09:51
I like how you say that the perimeter is shattered. You know, some people are saying, well, it's disappearing. It's sort of going away. It's like, no, it's completely gone. Like this thing is in a million pieces on the ground. You know, even for the resistors, the ones who didn't want to acknowledge it for the last few years, it's become inevitable that you have to just adjust the way that you look at it. You look at security the way you look at the way data moves, to your point with DLP. Understanding all of that, you can't protect data now without acknowledging the fact that it’s going absolutely everywhere. So yeah, I like the way you put that. Now, one thing that I realized you talk about in your blog is a secure workstream. And that's a term I hadn't heard before. So could you maybe give us a little bit more into what that means and, you know, maybe how an organization would go about building one?
Faz Sadikali 10:42
I think bolting on a security workstream (it can be thin, doesn't need to be large) into the aspect of the modernization program, from a top-down perspective, in your PMO, in the architecture landscape of the modernization program, etc., is critical. And I think that secure workstream applies all kinds of controls to look at all those pieces that we just spoke about. How do we look at data in terms of sensitive pieces at the lowest level? It’s, where are your most sensitive pieces of data? If I take an example, let's take that I've worked with a large scale global financial services firm, based in New York. We took their data attributes from 10,000 attributes –– standard, custom –– and those attributes could be “date,” “amount,” “holdings,” “client name.” We took that and went through a series of exercises across their CRM and their modernization program, which included sales and support, intertwined in terms of campaign management, origination, their SFA, the funnel, and then their support. And we got it down to 50. But that was hard work around legal, compliance –– right? –– business teams, tech teams. So I think bolting on security elements and then focusing on what are the regulations, what is the DLP where data may be lost, and then how do we start to apply controls and start to map that data and that data journey across the blueprint of ops in that journey, and then apply controls, is a starting point. That's how you start. And that's the evolution.
Hank Schless 12:32
Right, and so you grow from there. And I think it can apply to so many things, because there's sort of this temptation by a lot of people in the security world, in the data protection world, to try to make things sound more complex in order to basically sound smarter about it. And one thing that we hear a lot now is talking about consolidation, sort of simplifying things, doing more with maybe fewer solutions or, in this case, you know, protecting your encryption policies across maybe fewer attributes, but the ones that are really important, the ones that you have to really focus on. And I think the same philosophy goes for something like zero trust, where people are out there saying, “Oh, my gosh, there are all these things you need to do for zero trust,” when really you can simplify it down to a handful of business objectives, tech objectives, people objectives, and then sort of customize that to what works best for your organization. So I think it's an interesting metaphor between the two. Okay, so you've got this secure workstream, you've got your strategy in place, but obviously, you need to have the controls in place for execution. And as much as I hate going through buzzwords, sometimes it's impossible to avoid. Security service edge. That's right. SSE, coined by Gartner, separating out from SASE, probably a year or so ago. How do you see something like SSE coming into play for maybe some of the organizations that you work with, to be able to hit those major aspects of modernization in this kind of digital transformation process?
Faz Sadikali 14:10
Yeah, I think enterprise clients need to be looking at simplification. They need to be reducing the number of vendors and really looking at the ones that can provide the most holistic pieces of items related to the topology. And I think simplification will drive the embedded value from those providers, right, to look at how they can deploy the right SSE capability. You know, the foundation of all of this is zero trust and it's multi-tiered. So, tier one, having a great analytical console to look at policy, notifications, leveraging elements of AI, etc. These are very important in terms of analytics and notifications when you need it, when you want it, and then applying some automated means to your security, data security side, threat protection pieces. And then tier three is CASB, cloud access security brokers, ZTNA, SWG for the web. But SSE is a critical piece of that entire tool chest. And I think organizations are thinking, so that secure workstream part of that is critical, is bolting onto that capability, is thinking about that in investing early in the cycle for less pain later. There's pain. The pain will be much later than an operational moment. That's the point of the modernization... So it's critical.
Hank Schless 15:54
The question that we talk about a lot internally, externally –– sort of everywhere –– is the case with your technology and your frameworks. How do you think SSE will evolve over, let's say, the next three to five years?
Faz Sadikali 16:08
There's gonna be further consolidation in the market. I mean, that's inevitable. And I think the ones that are out there that have great functionality, great capability to drive less confusion in terms of what they offer on cloud, etc. You know, the current status is, 10 to 15% of current organizations use SSE effectively. I think what's going to happen is there's going to be a massive upshot over the next number of years, with the amount of data breaches, ransomware, hacking, et cetera, they're only getting more sophisticated, leveraging all kinds of core capability, AI, etc. They're only getting more sophisticated. So SSE is a critical part of that, to fortify that journey that is going to continue to the cloud. But fortify it, not just at rest –– needs to be in transmission. This means the background; there needs to be a flow and a propagation, and SSE provides that. So I think we're gonna see that evolution continue with more organizations taking it up and evolving the baseline capability, right, to not just be one-tenth of functionality being used, but maybe eight or nine points out of 10.
Hank Schless 17:22
Right. And, I mean, we see it now, you know. Talk about something recent with this whole situation over Uber. Not to bash on Uber at all. This is just one of these kinds of things that, unfortunately, can sort of happen to anyone. And you look at it and there's been so much that's come out about it, which I think is good, you know, people can learn from situations like this. And you just look at the steps of the kill chain that this attacker, who was apparently 18 years old, used, you know. It was social engineering, to get into a VPN, to then jump to another service to kind of then move laterally. And then all of a sudden, they have access to the internal Uber domain. And to your point, like, it's getting more complex. And then on top of that, it's becoming more accessible. And it being the ability to execute these data breaches, you know, things like ransomware as a service, all of that is becoming far more accessible. So it's sort of a scary mix of more complex capability, in addition to more accessibility to people who may want to do these kinds of things. So we're kind of coming up on time here. Faz, to sort of wrap things up, what would you say would be the biggest takeaway, right? How can people reap the benefits of cloud while also ensuring that their data is secure?
Faz Sadikali 18:34
Yeah, what procedures, right? Policies in place? These are critical pieces. And the security workstream, being bolted on to that piece, looking at top-down/bottom-up procedures, data regulations related to the modernization. But taking it in pieces, knowing that it's a journey, that it’s an investment on the organization side to get there. An example of that is a lot of clients want to leverage AI. The core basis of AI is data. So data prediction requires the right level of data visibility. So I think we're going to see continued focus on data, we're gonna see clients leveraging more and more SSE-based solutions that are robust, but you don't really need this massive team, as I've said, you just need the right visibility to it. And I think with that bolted-on capability, the right tooling, clients will be successful in the modernization.
Hank Schless 19:34
Right? So again, it's all about protecting the data. But I like your approach here, where it seems that it's all about efficiency. It's a quality over quantity approach to doing this, right? Securing your data, making sure it's safe and keeping up with the modern benefits of running in the cloud. All right. Well, I think that's our time here. Thank you so much for joining us. I really appreciate it. If they want to learn more, where can people find you, or maybe your blog or your site or something like that?
Faz Sadikali 19:57
Yeah, just on LinkedIn… definitely check me out on LinkedIn. Look me up. But yeah, thanks. Thanks for having me. Appreciate the time and always love doing this.
Hank Schless 20:10
Yeah, it's always fun. I mean, of course, it's been a pleasure having you. So, for the listeners, if you'd like to know more about modernizing IT and a little bit more about Faz’s approach, he did write an article about this, which you can find on lookout.com/blog. Be sure to follow Lookout on LinkedIn and Twitter. Thank you all for joining in and we'll talk to you next time.