Cloud-delivered security solutions offer unrivaled storage flexibility and computing power. But do they introduce new risks? Join host Hank Schless and Lookout head of sales engineering for International, Tom Davison, as they discuss the differences between on-premise security solutions and cloud-delivered ones.
Hank Schless 00:09
Hi, everybody. Welcome back to Endpoint Enigma. I'm your host, Hank Schless. And today we are bringing the security talk up a level, we're gonna divide this conversation into the differences between on premise security solutions and cloud delivered ones. So to help us through these differences and the benefits of one versus the other, we're joined by Tom Davison. Tom is our senior director of international security engineering and has over 20 years of experience in the industry. So we're glad to have him. Welcome to the show, Tom.
Tom Davison 00:40
Good to be here. Thanks for having me along.
Hank Schless 00:42
Absolutely. So let's dive right into it. You know, we want to get you on here because of your extensive experience. So, actually, before we go into that, do you mind telling people a little bit about your experience in IT and security in the field for the last few years?
Tom Davison 00:55
No problem. You’re making me feel quite old now. But it's my job. Yeah, I mean, I've been working for security vendors for about the last 15 years. So I came through network security endpoint. The last five years, I've been at Lookout focused on mobile. Prior to that I was working for organizations in their own infrastructure teams, operational teams, so I've kind of seen it from both sides. I’ve been on the vendor side much more recently. But I do have experience of sleeves rolled up in data centers back in the day.
Hank Schless 01:27
It's great to have your perspective on all this. I think it'll be a really good conversation. So just kind of level set here. Can you just give the audience a quick overview of what is an on premise solution versus something that's cloud delivered?
Tom Davison 01:41
Sure. So, I guess there's a couple of things to think about. One is the fact that we're talking about “delivered” and the other one is “hosting” in the cloud. And when people default to thinking of cloud, they typically start off by thinking of cloud storage. But of course, increasingly now, a lot more services are procured as a service, you know, software as a service, infrastructure as a service, platform as a service, and so on. And so by definition, that's something that sits in and is delivered from the cloud. But if you go back, you know, when I first started, everything was on premise, because it had to be if it was a network appliance, like a firewall, where you literally sat at the perimeter of the network, connecting out to the telco, the broadband provider, whatever it might be. Or if you are deploying an endpoint solution, most of the time all of those endpoints were in the office and were on premise, and you'd have the server there to manage that within the data center of the company. So I think there's been a couple of reasons why we've started to shift towards the cloud. One is that a lot of our endpoints are now actually in the cloud or out there on the public Internet, where we're typically not set within the confines of the corporate perimeter. But generally, we've seen the big trend of people moving services to the cloud and security is just one of them.
Hank Schless 02:52
Yeah, absolutely. It's definitely an evolution that's taken place. And so a couple of these services that you know, you mentioned –– everyone's doing it, everyone from Microsoft doing your Office 365, Google with what's now called Workspace and also Slack, Zoom. What's the appeal of cloud based apps?
Tom Davison 03:09
Sure, I think it's been a steady evolution. But now we're in a position where I don't think you could name an organization that doesn't use the cloud. And indeed, you know, when I joined Lookout, what struck me was how much most of our services were in the cloud, to the point where I actually thought virtually nothing on my laptop computer now –– everything is delivered in the cloud. So we've seen people move these services, these workloads to the cloud, for a few different reasons. I think the first one would be cost and efficiency. There, back in the day, if you were running email, you had to have someone that could manage that. If you had a website, you had to have someone that understood and that could maintain that. You had to have an awful lot of in-house skills. And then if you had lots of different locations, you had to start replicating that potentially, and then have, obviously, the space for the kit, for the hardware. You had to maintain that and everything else. So moving stuff to the cloud –– very appealing from not needing to study and maintain all the skills in-house, but also, deployment flexibility, you know, as you start to grow your business and want to have more capacity. Rather than having to drive out and rack up a server yourself or do the parts, plug it all in, you just, you know, pick the phone up or click a few buttons, and that's delivered. So I think that's why we saw things move steadily in terms of workloads. And then on top of that, you start to get functionality benefits. So you start to see companies that put more of their R&D efforts into developing their cloud services, because it's also attractive for them, you know, for people selling software it actually often makes sense to do that by cloud models, because they're in charge of the upgrades, the deployments and so on. They don't get this long tail of people stuck on older versions.
So you start to get more functionality being ported into the cloud and released and, of course, you can take advantage of that really easily because you don't need to do your own change control, make your own software updates; all that's done for you by the vendor. So if you think about it, email is the simplest example. Having to maintain your own email server would be installing the operating system, it would be hardening it, it would be backing it up, probably having to have them for redundancy. It would be updating the latest software; it could be Microsoft, could be Sendmail, or something else. But you'd have to keep that up to date, configure it. There's an awful lot of work there just to keep the email running. And then you compare that to something like Google Workspace or Office 365, where you just have to provision a user and their mailboxes there. And as new features develop, they just appear. And as your company grows, and you get 500 new users, 500 users is very simple.
Hank Schless 05:39
Yeah, absolutely. I mean, it's definitely a lot more straightforward. One thing that I've noticed is that in those more traditional industries, things like government or finance or other industries where they spent decades building out an on premise infrastructure, you know, you're starting to see more progress of them moving a lot of services to the cloud. But generally speaking, seems like there's some people who think that it's still okay to have some stuff on premise. Why are those people hesitant to let go of those on prem solutions and make that migration to the cloud? Is it operational as a cost? I mean, what's the hesitation there?
Tom Davison 06:15
One of the reasons I think people maybe were hesitant to move in the first place was just habit, was inertia, perhaps not understanding the cloud platforms. You have to understand these different degrees of cloud. There's, “I'm using platform in the cloud to be able to provision my own server, but I'm still gonna install and maintain that and install the software on top.” And then you go all the way up to software as a service, where you've probably just been given a web console, and everything else is done for you. So you'll have organizations adopting cloud at different levels. And I think a lot of the initial forays were into platforms so people could reduce the need to maintain their own data centers or maybe just to replicate things, if they're global companies. Sometimes it's easier just to rely on all of the replication and the scaling that cloud provider gives you, but still maintain the software on top. So I think that that was definitely where people moved to and took kind of baby steps there. I think you're talking about different skill sets. And when I talked about the fact you had to have a lot of in-house skills to run an email server back in the day, you could argue, actually, the same becomes true if you're running a cloud platform, because you've got AWS, Google Cloud, Microsoft Azure, and they've all got their own tool sets. They've all got their own things that you need to do to configure them correctly. And I think we're now at that point where there's plenty of skilled people out there. But that took time. And yeah, just generally companies being comfortable with using the cloud, being sure that they're going to get the right level of resiliency, the right uptime, being sure that when they're promised a backup that can be restored, within an hour, that's really the case. And that is better, or at least as good as what they already do. 
I think also you might find there's been a few companies that went to the cloud and have started to move a few things back in certain areas. So I think we should be careful about assuming everything will go to the cloud everywhere forever, I think there's still a case for certain things on premise. I think one of the challenges with cloud –– and I've witnessed this –– is that it's too easy to use, sometimes it's too easy to scale and expand. And so you get the sprawl. And most cloud providers are not stupid, they're charging you based on usage, based on data that you've got up there. And the more you stick out there, the bigger your bill goes. So sometimes it's a reconciliation exercise to bring some of that back in house where it's more easily controlled. But I think on the whole, I wouldn't want to hazard a guess, a percentage, but I don't think you'll find a company that's not using cloud. And I think that percentage has probably steadily grown over the last 10 years, and will continue to do so.
Hank Schless 08:39
Yeah, I'm sure it is. And would you say that there are definitely some things companies have that they just don't want accessible, whether it's for compliance purposes or something like that?
Tom Davison 08:49
I think perhaps that would have been the case. But really, this, to my mind, at least; there's no reason why you can't secure a cloud in the right way to meet those requirements. We've got lots of regulations that we have to abide by, things like GDPR. There's all sorts of verticalized, industry specific regulations that apply. But it's really then just a case of making sure just as you would in your own data center, that the controls are in place. And I think that's one of the big changes in maturity that we've seen is that companies are better at knowing which questions to ask their cloud provider, to make sure that all of this is in place, that there's third parties out there that help with that. Things like the Cloud Security Alliance; we can go and you can download templates or questionnaires that you can send to your vendors and things like that. And then you get very specific clouds for a certain amount. So you might, you might choose to adopt a private cloud. So you're still using someone else's cloud infrastructure, but it's a bit more constrained. Or you might be using one of the special government clouds if you're in that area of the world. Some of the leading providers do provide special instances for certain customers that have been more highly secured or more highly certified. So I don't think it's so much about not being able to… I think it's just having to jump through a few more hoops, go for a few more hurdles to get there.
Hank Schless 10:05
Yeah, that's totally fair. So we felt the fact that, you know, clouds can be more cost effective, unless you dumped all your data out there and then all of a sudden get an AWS bill for $15,000, more than you expected. But in terms of a security solution, have you seen any difference in how a cloud-based, cloud-delivered security solution compares to an on prem one? And not necessarily from, like, you should go get one or the other. But are they equivalent? And do you see any glaring differences between the two?
Tom Davison 10:30
Yeah, that, well, that's, that's interesting. So we've been talking primarily up to this point about really cloud as a platform. And that's more about moving data around and making sure it's secured and you've got access to it. When you talk about cloud security, you need to differentiate between two things. So one of them would be security that's in the cloud to secure those workloads. So what I mean by that is, if you would have had all of your servers in a data center on premise, you'd have your own firewalls in there, around the edge, IPS, whatever it might be. You might then move that to the cloud. So it may be, kind of, traditional security like that in the cloud. So you might virtualize that. So, a good example might be if you're using a hypervisor, you can do virtualized firewalling or access control and things like that. Plenty of companies have been through that journey, where they've been using virtualized elements of their security stack. And they might have unified management of that. So they may be managing physical devices and virtual devices all from the same place. That is a bit different to what, I think, what you're driving at, which is, when you have a full or a security solution — that actually when the cloud becomes a part of what you're delivering –– it becomes a part of the value proposition, if you like. And what I mean by that is when you start to get into big data and you start to get into machine learning, artificial intelligence and processing that you couldn't easily do on local systems. And I think that's the trend that we've really started to see in the last few years, particularly when you get into endpoint protection, because most of our endpoints are now not fixed. So even if it's a Windows laptop or a MacBook, people are often using tablets and laptops and things like that. And then of course, mobile phones, smartphones, which we operate, which are virtually never in the corporate perimeter.
And if they are, they may not be on the corporate WiFi, they may be on 4G. 5G is going to accelerate that even more. So I think we've seen this thing where security's kind of followed the cloud. But it's still been operating in a very similar way to on premise security. And then there's security where I would suggest that you're actually taking advantage of the cloud. You're able to do things that you couldn't normally do without the cloud. And that's where it starts to get interesting. Yeah, absolutely.
Hank Schless 12:40
So when it comes to actual investigation of security events, things like that, you know a lot of people like to talk about endpoint detection and response, or EDR, as a way to investigate proactively and block sophisticated attacks. And a lot of times they get the data for that process through crowdsourced information, in the sense that they need a large amount of data to make it really effective. When it comes to securing the entire infrastructure, where do you see mobile playing a part for people who are working in something like a security operations center? Where do you see mobile playing into that kind of investigation workflow?
Tom Davison 13:15
Yeah, so a few acronyms are starting to creep in now, because we're security folks. So to media, we're talking about sort of incident response, and so on. So I suppose we're now at that point where we're talking about where security's moving to, which is, you know, people having their own security operation center or outsourcing that, having a managed service. They're talking about an endpoint detection and response kind of evolving from what I'd call traditional endpoint protection, often a kind of a consolidation. And I think cloud has definitely facilitated that. It's also added another layer of complexity, because on the one hand, it makes it very elastic and scalable, but we've now got workloads in lots of different places. So it was really much, much easier back in the day where you literally knew which of the servers in your data center in which racks had the critical stuff in and obviously, physically secure it. But you'd have all your logical security in place, when your data is flowing everywhere and replicating and things like that. That's another layer of complexity. So you start to build that in with some of the tools we talked about. But then when your users are driving interaction with that data through smartphones, that's an even bigger layer of complexity. And I think that's the bit that a lot of companies haven't solved. So I still think most of them haven't extended visibility to mobile devices in the way they have traditional endpoints.
Hank Schless 14:31
Yep, so absolutely. So just to kind of wrap things up, bring it back to our original topic here. Where do you think it's all going? Do you think it's kind of reaching a plateau? Or do you think that there's, you know, in the next couple of years, do you see any, any big changes coming? Or do you think it's, people are going to kind of continue doing the same as they are?
Tom Davison 14:48
Well, I think physical security is obviously never going to go away completely, so there'll always be a place for on premise. But I've seen a lot more development in terms of virtualized offerings of more traditional security platforms, also more investment in automation, orchestration, APIs, and things like that. So that helps that kind of dance between on prem and cloud and being able to sort of allow your security to follow data and follow the risk. So I think the real game changer is the endpoints that we're using now. I think the fact that data is flowing all over the place, people have been saying it for a long time, but you've got to secure the data. And you assume everything's untrusted now and whether it's a corporate device or not, and you worry about the data, and you worry about their identity. And the other one you hear a lot these days is about the perimeter. Especially now, with the pandemic where we've all been working remotely, you have to start to really put the security around your user's identity, and then combine that with the device. So we've been talking at Lookout for a while about control, conditional access. And the idea being there is that yes, we know who you are. But we also got to look at the device, you're coming at that point in time. So I think this idea of everything by default, being untrusted, being able to be much more dynamic about the kind of security we apply, depending on where the user is, how they're working that day, what kind of data they're touching. And I think the other thing that is becoming clearer when things are all out and about and in the world and the cloud is security has to sit on the endpoint in some shape or form, you have to have something on the endpoint because being in the network path is just so challenging.
And the more everything moves towards heavily encrypted connections and so on, the more the endpoint is really your only place where you can gather certain visit telemetry and understand what's going on. But of course, the more of that data you collect the more you got to stick it somewhere. And the cloud is the obvious place that gives you the compute power to start to make sense of that data.
Hank Schless 16:40
So Tom, thank you for joining us. A real pleasure as always. And I look forward to having you on here again. For everyone listening, thank you for tuning in to this week's episode. And don't forget to check out blog.lookout.com for some more educational security content. And check us out on LinkedIn and Twitter, @Lookout on both of those. And thanks for taking the time to listen. Stay safe, and we'll see you next time.