Securing the Cloud with Josh Stella

The conversation covers:

  • Josh’s role as CTO of Fugue, a leading cloud security and compliance provider for engineers.
  • The difference between cloud security and data center security — and why old school approaches to security don’t work in the cloud.
  • How engineers and security specialists can best communicate with business leaders about how to approach security, and how Fugue can help.
  • Who should be the person in charge of setting up Fugue, running reports, and communicating results across an organization.
  • The people who tend to lose their job when a cloud security breach occurs.
  • Why cloud security requires organizational change, and how companies are adapting to prevent issues.
  • The importance of upskilling employees and making sure they have the appropriate knowledge to solve cloud challenges.
  • Why the cloud has the possibility to be more secure than a data center. Josh also talks about cloud perception, and why some are still viewing the cloud as scarier than the data center.
  • What Josh considers to be the most effective hacking strategies for cybercriminals.
  • The relationship between security and compliance, and how organizations should approach that relationship.
  • Why there is no such thing as a perfect security posture.

Transcript

Emily: Hi everyone. I’m Emily Omier, your host, and my day job is helping companies position themselves in the cloud-native ecosystem so that their product’s value is obvious to end-users. I started this podcast because organizations embark on the cloud-native journey for business reasons, but in general, the industry doesn’t talk about them. Instead, we talk a lot about technical reasons. I’m hoping that with this podcast, we focus more on the business goals and business motivations that lead organizations to adopt cloud-native and Kubernetes. I hope you’ll join me.



Emily: Welcome to The Business of Cloud Native. I'm Emily Omier, your host, and today I'm chatting with Josh Stella. Josh, thanks so much for joining us.



Josh: Well, Emily, thanks so much for having me.



Emily: Of course. I always like to start the same. Can you just introduce yourself and your company, and tell me a little bit about what the company does, and then also what you do?



Josh: Sure. So, Fugue does cloud security for public cloud providers like AWS, and Azure, and Google. Prior to founding Fugue, I worked at AWS as a principal solutions architect primarily focused on national security; Department of Defense, and similar things. My background is I'm a programmer and I'm a software architect, and I've kind of lived between national security kinds of work and high tech in startups. And so what Fugue does is we’ll tell you all about the security posture of your cloud environments, and teach you where you have weaknesses that hackers can exploit; we help you close those, and then we can actually keep things from having those misconfigurations going forward. So, that's a little bit about us. If you're a developer, you can use our forever free developer version, and we work with a lot of enterprises folks like SAP, and big organizations, too.



Emily: So, were you involved with setting up the super-secret CIA cloud that AWS was involved in?



Josh: I was not personally. A very close colleague of mine was actually working very closely on that, but no, I was not directly involved in that.



Emily: Okay, you probably couldn't talk about it, even if you were so. [laughs].



Josh: No comment.



Emily: Anyway, I always like to ask also, what do you actually do? Like, you get up in the morning, presumably, you don't go to an office anymore, but—



Josh: Oh, true. True, yeah. Whether going to an office or not, my days are… so I started out founding the company with my co-founder, Andrew Wright. And for a while, I was the CEO when we were in the kind of R&D phase, but then I always intended to hire a really great CEO, which we did a couple of years ago, Phillip Merrick, and I became the CTO. And there are different kinds of CTO.



My main functions are, like, I get up in the morning, I go read the news about any breaches in Cloud that have happened, and then I try to recreate them whenever possible, if there's enough information, because the attack vectors on Cloud are completely different than in the data center, and are inobvious to folks. So, when you read about a breach, and you see that they use the identity and access management service almost like a network, to get to S3, that's really interesting and it's really important so that Fugue can protect our customers. So, I spent a fair amount of time doing that. I do work every day with the product team. Occasionally, I will weigh in fairly strongly on an engineering topic, but a lot of times our engineers are just very, very good and we've hired experts in all their areas so I work with them, but it's usually just to give advice and some guidance.



And I do a fair amount of writing, and I do a fair amount of teaching classes online: we have a masterclass series on Cloud security that has been very well received. And then the research I do into how cloud exploits are actually being done by recreating those in my own environments, I use those both in the classes and of course, Fugue as our product can then have protections built-in against them. So, I’d say that's a lot of what I do.



Emily: I wanted to ask a little bit more about this difference between cloud security and data center security. Can you go into that a little bit more? And then also, what do people miss in that difference?



Josh: Okay, so I'm going to start at the prosaic and kind of go to the sublime a little bit, but the most simple way to think about the difference is in the data center days, you really had a network perimeter. So, you've got a big pile of servers, they're racked and there are switches that connect them together, and then there's this layer of security at the, kind of, perimeters of the network where the data center network connects to, whether it's the corporate network, or another data center, or the internet. And that kind of perimeter defense slash defense in-depth idea meant when you were talking about data center security, the primary things you were thinking about were, “What's happening on my netwo...
