Sign-up for the latest Lookout news and threat research
Organizations are making big decisions to implement cloud solutions to boost collaboration and gain competitive advantage. But many aren’t prepared to handle the risks that cloud services introduce. In this episode of Security Soapbox, host Hank Schless talks shop with Faz Sadikali, Founder of Cloud Insights, on how to build secure workstreams and level up IT to reap the benefits of the cloud while ensuring data remains secure.
Hank Schless 00:09
Hi, everyone, and welcome to security soapbox. I'm your host, Hank Schluss. And today we're going to talk about all things cloud security. As we all know, life in the cloud is generally better. That goes for productivity, cost savings, flexible working. But even with all the benefits, a lot of organizations really aren't prepared to handle the risks that all these cloud services have introduced. With your data residing across dozens, or maybe even hundreds of cloud apps, and all of your users connecting from endpoints and networks that are out of your control, especially with hybrid work these days, the security environment is becoming far more complex than it ever has been. So today, I'm really excited to be joined by Fez, Southern Cali founder and managing technology lead at Cloud insights. Now, I'll let first say hi in a second, but give him the credit where credit's due prior to founding cloud insights in 2019, FAS was the SAS Global Security lead within Accenture's cloud practice. It brings a wealth of experience in working with enterprise clients and teams to deliver digital transformation as well as cloud cybersecurity. When he isn't here discussing cloud innovation and security. He also enjoys playing guitar and tennis, I can do one of those things. And I tell you, it's not the musical one. So FAS, thank you so much for joining us. Welcome to the show.
Faz Sadikali 01:28
Thanks, hey, I really appreciate as inviting me too. Happy to be here.
Hank Schless 01:33
Awesome. Well, let's get rolling. So today, we're going to get into really a focus on it modernization thinking about how organizations can transition from using those legacy systems that you know, are near and dear to many of our hearts, and moving up into the future with cloud services. And you know, really how security digital transformation fits into all of this. So I'm gonna start off just broad questions about you. Foz, can you tell the audience a little bit about yourself, and really how you kind of got into security and where you are today?
Faz Sadikali 02:02
Absolutely, yeah, I've spent the last 22 years involved in transformations. And within the last 15 years, on Cloud transformations on how do we utilize the flexibility, the benefits of the cloud and that value. And that wasn't an easy one. For many years, it was quite difficult to get large scale enterprise clients thinking about the perimeter being broader than behind the firewall, right within a topology of things that you control as an enterprise. And so an exciting journey in within the cloud security space. Really, I got started with a large scale client, Wells Fargo global client, they wanted to leverage the benefits and the power of the cloud. But the investment bankers wanted to be on the beach in Bermuda, and wanted to access data and couldn't do it or be sitting in a client meeting and access on their computer access the data and have a parlay with the customer can do that. And so my experience with security related to the cloud really started in that position and kind of fell in love with how we can leverage the power of the cloud, but fortify all the transmission and applications that move in terms of the cloud. So happy to be here. I love to guitar and tennis. One thing that in terms of my kids, that I've been doing, that has been taking a lot of times have been showing them how to build fires, you know, and there's an art to that as well, right? How do you fortify and really make a successful fire. And so that's been an ongoing thing for the last month or two really been trying to show the young ones that
Hank Schless 03:43
providing metaphorical advice and life lessons wherever you can. So that's really cool. It's funny, you talk about the investment bankers at Wells Fargo wanting to access their data from anywhere because that's exactly what my father did for about 30 years. At Wells Fargo. I'm sure he unknowingly benefited from your work considering, you know, sometimes he calls me an asset to print a PDF for the 30th time and in the last two months, but aside from all that, so it's cool, because I gotta imagine that over the course of those 22 years, especially the last 15, like you mentioned, that this idea of digital transformation is sort of come to be right, it was a very new thing. It's still sort of, in my opinion, at least the term itself, even though it may have been a practice for a long time may still be pretty new to some people and really understanding what it means. So you know, I think in the last few years, obviously, with people going into a hybrid work model, this has become even a bigger deal than usual. And part of that is really modernizing it practices. This is part of what you're touching on before. So from that perspective, what do you think, in your experience, seeing it kind of globally, what do you think organizations and teams are doing correctly right now?
Faz Sadikali 04:52
I think it modernization is, is a tough thing. It's not an exact science. There's an art to it. And I think You know, a lot of organizations are taking apps that are stale and pushing them over, or they're modernizing them, or they're building straight apps directly in the cloud. Many are leveraging SaaS based ServiceNow, sales forces, etc, to leverage the capability of that. And so I think enterprises are there. 15 years ago, we were thinking about cloud in the sense of very basic level of functionality, very basic CRM components, or CRM functionality. They weren't thinking around where they are now, which is the end to end lifecycle of a customer journey, right from origination through to support. And now they're thinking complexity of pricing and math and configure price quoting and a lot of the complexity because of the power of computing that's increased, that has got there. So I think organizations have been starting to deconstruct really well saying, hey, how do we sunset or we pre trade things in that modernization into the cloud, and leverage more cloud based frameworks with a cloud first strategy. And I think that's really driving customer satisfaction, productivity, sales uptick, right? These are things that are fundamental to the enabler of tech, you know, when I look at this client that I work with large scale, high tech firm, he successfully went through a three year transformation across all BTUs. And one of the things that they focused on are really critical about was top down bottom up. So one of the things that I see organizations really starting to get right is, how do we look at things in a more fabricated way people process data and tech, and start to look at those components, and then leverage cloud frameworks. Whereas before, what I was seeing, was a lot of clients thinking the silver bullet was the tack. And it's not, you have to look at processes, you have to look at data as existence propagates throughout your topology inside or outside networks. They're there and out. So I think that's what it's getting. Right?
Hank Schless 07:08
Yeah, it's interesting, because I think you're right that people think well, I'll just put in this piece of technology, and they'll magically fix everything or whatever it may be in the acknowledgement of like you said, those four things, right data, people process and technology, and sort of almost a system of checks and balances amongst the for over a long period of time. That's the other thing. You mentioned that even this high tech client you're working with, I assume pretty advanced in the way that they think about things and their processes. took three years, a lot of people think well, I'll just snap my fingers and put this one thing in place. And off we go. So talking about those key factors of modernization kind of in digital transformation, what aren't organizations they hate about what do you think, are some of the things that are unintentionally or maybe even intentionally being looked over? And is there any of that kind of related to risks within the cloud?
Faz Sadikali 07:57
I mean, I think threading back to what you said in terms of people process deed attack, I think one thing is the change component to change in terms of adoption, I think it's something that is an ongoing struggle, where limited uptake is in terms of the adoption of whatever the modernization that you're trying to do. So definitely, that's one, I think the second getting back to security is absolutely the security embedded component of being bolted on to that modernization program. Looking at the regulation of data, the how does this work stream involves security aspect, really D limit cloud services in terms of risk, and you're still putting your data in the hands of a third party provider. And so discovering the sensitive pieces of information that are existing in your ServiceNow stock, or your Hana staff to ensure compliance very important, ensuring visibility and control over data being uploaded, downloaded and shared, kind of is critical, providing zero trust across that ServiceNow piece or any modules from any device or any location to ensure security related elements. These are aspects of them getting into the data, piece of DLP, data loss prevention and how you access data. These are just examples of security risks that exist across the perimeter line that's now shattered. That world is shattered from an enterprise a global enterprise or Enterprise State. We exist in this perimeter LIS world where we have to authenticate, verify, verify, verify, and that doesn't exist behind the firewall anymore. Right? I like how you
Hank Schless 09:51
say that the perimeter is shattered. You know, some people are saying, well, it's disappearing. It's sort of going away. It's like no, it's completely gone. Like this thing isn't a million pieces on the ground. You know, even For the resistors, the ones who didn't want to acknowledge it for the last few years, it's become inevitable that you have to just adjust the way that you look at. You look at security, the way you look at the way data moves to your point with DLP, understanding all of that you can't protect data now without acknowledging the fact that is going absolutely everywhere. So yeah, I like the way you put that. Now, one thing that I realized you talk about in your blog is you talk about a secure work stream. And that's a term I hadn't heard before. So could you maybe give us a little bit more into what that means in you know, maybe how an organization would go about building one.
Faz Sadikali 10:42
I think bolting on security workstream, to be thin, doesn't need to be large, into the aspect of the modernization program, from a top down perspective, in your PMO. Office, in architecture, landscape of the modernization program, etc, is critical. And I think that secure workstream applies all kinds of controls to look at all those pieces that we just spoke about. How do we look at data in terms of sensitive pieces at the lowest level, it's where is your most sensitive pieces of data? If I take an example, let's take that I've worked with a large scale global financial services firm, based in New York, we took their data attributes from 10,000, attributes, standard custom, and those attributes could be date, amount, holdings, client name, you took that and went through a series of exercise across their CRM and their modernization program, which included sales and support, intertwined in terms of campaign management origination, their SFA, the funnel, and then their support. And we got it down to 50. But that was hard work around legal compliance, right? business teams, tech teams, so I think, bolting on security elements and then focusing on what is regulations? What is the DLP where data may be lost? And then how do we start to apply controls and start to map that data and that data journey across the blueprint of ops in that journey, and then apply controls is a starting point. That's how you start. And that's the evolution.
Hank Schless 12:32
Right, and so you grow from there. And I think it can apply to so many things, because there's sort of this temptation by a lot of a lot of people in the security world in the Data Protection world, to try to make things sound more complex in order to basically sound smarter about it. And one thing that we hear a lot now is talking about consolidation, sort of simplifying things, bringing, bringing more, doing more with maybe fewer solutions, or in this case, you know, protecting your apply encryption policies with a cross, maybe fewer attributes, but the ones that are really important, the ones that you have to really focus on and, and I think the same philosophy goes for something like zero trust, where people are out there saying, Oh, my gosh, there are all these things you need to do for zero trust, when really you can simplify it down to a handful of business objectives, tech objectives, People objectives, and then sort of customize that to what works best for your organization. So I think it's an interesting metaphor between the two. Okay, so you've got this secure work stream, you've got your strategy in place, but obviously, you need to have the controls in place for execution. And one of the is, as much as I hate going through buzzwords, sometimes it's impossible to avoid security services. That's right. SSE, coined by Gartner separating out from from sase, probably a year or so ago. How do you see something like SSC, coming into play for maybe some of the organizations that you work with to be able to hit those major aspects of modernization in this kind of digital transformation process?
Faz Sadikali 14:10
Yeah, I think enterprise clients need to be looking at simplification. They need to be reducing the number of vendors and really looking at the ones that can provide the most or least holistic pieces of items related to the topology. And I think simplification will drive the embedded value from those providers, right to look at how they can deploy the right SSC capability. You know, the foundation of all of this is zero trust and it's multi tiered. So, tier one, having a great analytical console to look at policy, notifications, leveraging elements of AI, etc. These are very important In terms of analytics and notifications when you need it when you want it and then applying those some automated meaning to your to to that is the security, data security side Threat Protection pieces. And then tier three is Caz, B cloud security access brokers ETL, a, SVG for the website. But SSE is critical piece of that entire tool chest. And I think organizations are thinking, so that secure workstream part of that is critical, is bolting onto that capability is thinking about that in investing early in the cycle for less pain later. There's pain, the pain will be much later than an operational moment. That's the point of the modernization is capital Smith. So it's critical.
Hank Schless 15:54
The question that we talked about a lot internally, externally sort of everywhere, but as is the case with your technology, and your frameworks? How do you think SSC will evolve, let's say, the next three to five years,
Faz Sadikali 16:08
there's gonna be further consolidation in the market. I mean, that's inevitable. And I think the ones that are out there that have great functionality, great capability to drive less confusion in terms of what they offer on Cloud, etc. You know, the current status is 10 to 15% of current organizations use SSE effectively, I think what's going to happen is there's going to be a massive Upshot, over the next number of years, with the amount of data breaches, ransomware, hacking, et cetera, they're only getting more sophisticated, leveraging all kinds of core capability, AI, etc. They're only getting more sophisticated. So SSC, is a critical part of that, to fortify that journey that is going to continue to the cloud. But fortify it, not just at rest, needs to be in transmission. This means the background, there needs to be a flow and a propagation and SSE provide that. So I think we're gonna see that evolution continue with more organizations taking it up and evolving the baseline capability, right, to not just be 1/10 of functionality being used, but maybe eight or nine points out of 10.
Hank Schless 17:22
Right. And, I mean, we see it now, you know, talk about something recent with this whole situation over Uber, not to bash on Uber at all, this is just a these kinds of things, unfortunately, can sort of happen to anyone, and you look at and there's been so much that's come out about it, which I think is good, you know, people can learn from situations like this. And you just look at the steps the kill chain, that this attacker who was apparently 18 years old, used, you know, it was social engineering, to get into a VPN to then jump to another service to kind of then move laterally. And then all of a sudden, they have access to the internal Uber domain. And, to your point, like, it's getting more complex. And then on top of that, it's becoming more accessible. And it being the ability to execute these data breaches, you know, things like ransomware, as a service, all of that is becoming far more accessible. So it's sort of a scary mix of more complex capability, in addition to more accessibility to people who may want to these kinds of things. So we're kind of coming up on time here. Foz, sort of wrap things up, what would you say would be kind of biggest takeaway, right? How can people reap the benefits of cloud while also ensuring that their data is secure?
Faz Sadikali 18:34
Yeah, what procedures, right policies in place, these are critical pieces, and the security workstream, being bolted on to that piece to looking at top down bottom up procedures, data regulations related to the modernization, but taking it in pieces, knowing that it's a journey, that's an investment on the organization side, to get there. An example of that is a lot of clients want to leverage AI, the core basis of AI is data. So data prediction requires the right level of data visibility. So I think we're going to see continued focus on data, we're gonna see clients leveraging more and more SSC based solutions that are robust, but you don't really need this massive team, as I've said, just need the right visibility to it. And I think with that bolted on capability, the right tooling, clients will be successful in the monetization.
Hank Schless 19:34
Right? So again, it's all about protecting the data. But I like your approach here where it seems that it's all about efficiency. It's a quality over quantity approach to doing this, right, securing your data, making sure it's safe and keeping up with the modern benefits of running in the cloud. All right. Well, I think that's our time here. Thank you so much for joining us really appreciate it. They want to learn more, where can people find you or maybe your blog or your site or something like that?
Faz Sadikali 19:57
Yeah, just on LinkedIn, people can find me Out insights.co Definitely check out on LinkedIn. Look me up. But yeah, thanks. Thanks for having me appreciate the time and always love doing this.
Hank Schless 20:10
Yeah, it's always fun. I mean, of course, it's been a pleasure having you. So for the listeners if you'd like to know more about modernizing it, and a little bit more about fuzzers approach he did write an article about this, which you can find on lookout.com/blog. Be sure to follow look out on LinkedIn and Twitter. Thank you all for joining in and we'll talk to you next time.