
Listen: Next in Tech | Episode 151: Network Security in Cloud

Security in cloud-based infrastructure has different possibilities, but enterprises don’t always leverage cloud’s potential to improve security footing, particularly in networking. Quint Van Deman, senior principal within the office of the CISO at Amazon Web Services joins host Eric Hanselman to look at what can be done better to improve cloud security posture. There’s a lot more telemetry available and enterprises have to step beyond on-premises thinking to put it to work effectively.

Next in Tech - Episode 151 Network Security in Cloud

Call Participants


Eric Hanselman

Quint Van Deman

Eric Hanselman

Welcome to Next in Tech, an S&P Global Market Intelligence podcast with a world of emerging tech leads. I'm your host, Eric Hanselman, Chief Analyst for Technology, Media and Telecom at S&P Global Market Intelligence. And today, we're going to be discussing cloud network security. And to do that, with me is Quint Van Deman, who's Senior Principal in the office of the CISO at AWS Security. Quint, welcome to the podcast.

Quint Van Deman

Thanks, Eric. Appreciate you having me on today.

Eric Hanselman

Well, it's great to have you here. As some background, we had a great conversation at re:Invent about the issues around network security and cloud and some of the challenges that are there. And I wanted to bring this back to our listeners to give them a view on some of those thoughts.

I thought you had some great insights in terms of sort of what this -- what have we gotten to in terms of capabilities. I think, broadly, enterprises seem to be doing better at adapting the cloud security techniques for workloads. And I don't know whether or not that's just the process of a little more running time, a little easier transition.

But some of them seem to be stuck at being able to master some of the better capabilities that are available in cloud and wind up replicating a lot of the legacy capabilities, patterns they've been using in network security when they make it to cloud.

And I wanted to get your thoughts on really the challenges they're facing. Why is it that there aren't more that are leveraging? What are, I think, certainly much more capable detailed capabilities when we get into looking at issues around network security when moving into cloud environment?

Quint Van Deman

Yes, yes. Eric, thanks. I think that's a great sort of question to kick us off with today. As I go around, I talk with customers, I really see two forces sort of pulling them towards those more legacy patterns, right? And I would reasonably label them as consistency and familiarity that it's not that those things are -- there's not a right or wrong here, but those forces can really cause folks to skew the way they're looking at things.

I think our Amazon CTO Werner Vogels put it very well in his keynote at re:Invent, when he cited Grace Hopper, who basically said that the most dangerous phrase in the English language is "we've always done it this way." I just see a ton of that.

Eric Hanselman

Well -- and hey, to your point, it's familiar. It's what people have been doing. It's what -- they know that it works. And especially in security and in networking, in particular, we're relatively risk-averse.

Quint Van Deman

Yes, absolutely. And when I think that -- again, it's not right or wrong. Familiarity in many ways is a good thing. But what that perhaps sometimes makes us shy away from is there are some ways that we can just fundamentally rethink networking and connectivity in AWS. My sort of favorite go-to example right now is a service that we launched last year called VPC Lattice.

And I won't bore you with the details, but it took something that was very familiar. Most people would think of it as like a service mesh type technology, but totally rethought it from the ground up in a way that sort of could only be done in the cloud, only be done in one of these environments where you've got all these substrate networks and different primitives to play with.

But it brings with it some just amazing security implications, like 443 or whatever your service port, just not listening on the network. From a security point of view, that's radically -- less radical, and it's an amazing reduction in surface area, but it feels really different.

And I think that tension is what a lot of folks are still struggling with: Do I go with the ways that are not necessarily fully optimized for an environment like AWS, but are more familiar, that are what I've been doing for a long time? Or do I get a little closer to the best of what's possible, but I've got to pull myself out of my comfort zone a little bit to do so?

Eric Hanselman

And I guess, in some ways, it's a matter of getting comfortable with a different way to be able to tackle problems. Now to your point, I think one of the big advantages we get in the cloud is that you've got so much more telemetry, you've got all these capabilities that can give you much greater visibility and situational awareness in a cloud world. I think there is that natural tendency to just sort of extend the things that we knew and bring them into the world of this new environment.

Cloud is different enough. Why don't I just migrate those over and go from there? But I'm an IPS guy from way back, very much focused on deep and detailed analysis of what's on the wire as, again, the wire winds up being the source of truth of the fiber. And isn't that a great way to understand in deep and detailed analysis? We've been doing deep packet analysis forever. Isn't that the way that we've got to do it?

I think the challenge we face for many is thinking about what that change looks like and really how organizations can think about that change, how they can move that forward. The big advantage is that we do have all of this telemetry that the environment grows off.

And I guess, on some level, we've had this kind of thing. This is new to cloud. In virtualized environments, we've had similar kinds of telemetry. And yet, there still seems to be that stumbling block of getting to a point of understanding how to leverage the telemetry and maybe take a step beyond what is that sort of the DPI focus and having detailed analysis of the individual bits be the critical focus of everything that you're really putting in place from a security perspective.

Quint Van Deman

Yes, absolutely. I think two thoughts really come to my mind there in that area. One is that as you mentioned, there's just a lot more natural telemetry. We've got sort of the VPC flow logs because you're very familiar with the NetFlow of old, but you've got CloudTrail, CloudWatch, DNS query logs, a whole bunch of more telemetry, and we haven't even sort of gotten up into application, observability and other things.

But in addition to sort of just the greater volume of telemetry, I think one of the things that AWS and the cloud is doing really well is thinking about how you can make sense of the security picture across those sources in a way that was sort of always promised but never really maybe delivered before.

One of the areas that we've been working really hard not only just within AWS, but within the community at large is standardizing some of those, I'm going to say, as grunt work as that sounds, just to make it so that you can really start to ask questions across those various silos.

So we were part of the group that formed the Open Cybersecurity Schema Framework, a standardized logging format and framework for being able to get multiple sources of logs all going to the same place. So all this magical machine learning can -- and just either sort of pattern matching can iterate over them, string together sequences of events in a much better and easier fashion.

Eric Hanselman

Well, that's really the challenge forever in security is maintaining enough context. And I think particularly in networking, we've always had the problem of having to intuit a lot of context, but yet an environment in which we actually can build in some of that context, and we can ensure that it's shared across the various vantage points in our environment, we've got some ways of actually doing this a whole lot better.

Quint Van Deman

Yes, absolutely. And part of that context is stuff like identity. Identity is the type of security control that really will uplift everything, whether you do strong MFA with good hardware-backed security keys or sort of whatever meets your proper assurance bar there.

Those types of things propagated across on-prem, across the different cloud environments you're using is absolutely the type of context that we see as sort of foundational to be able to do the more elaborate types of authorization and other security types of questions that you might want to ask on top of. So yes, I would absolutely agree that getting that shared context is really key to the sort of giving the next level of things.

Eric Hanselman

Well, you mentioned flow information, and this is sort of that next stage where we're getting to. Being able to actually put flow information to work, we've had NetFlow forever. The problem though, historically was, one, there was that I think sort of knee-jerk resistance of just understanding what those flow dynamics are isn't enough. I need to actually look into the guts of the packet to understand it.

But also I think, realistically, we've come from environments -- legacy environments, in which getting flow data was sometimes typically expensive, not always reliable. A lot of times, you're putting a burden on the routing and switching infrastructure to go generate NetFlow to be able to get that. And I wonder whether or not there's just a bit of an overhang there and there's that view of flow data isn't enough.

But yet, I think we get to a position where there is so much more we can do if we've got the ability to take the rest of the context that we had to intuit historically and actually bring that together, we've now got a lot more to work with.

Quint Van Deman

We do, but I also want to maybe put up a slightly different bit of a thought in your mind. Part of the reason why security had to hang on things like deep packet inspection is that was the only bump in the wire. That was the only enforcement point you really had. Security was generally -- you'd go to a meeting with spreadsheets and [visuals], and that would be what was approved, but what got actually built. Did it match that? Who knows? Did it drift from there? Who knows? And that -- it is sort of a wholly different area than maybe where you were going.

But to me, that's really a key part of what also allows us to move away from sort of this just pure reliance on classic technologies is now we can just inspect the running environment and react to the running configuration in a way that we're able to address any risks that are out there before they start spewing concerning network traffic. And I think that is another just big mind shift that we can get ahead of a lot more problems than we might -- maybe used to be able to.

Eric Hanselman

I think that's a really important point, which is, you'd alluded to the challenges that we've typically faced with silos, which were that you have -- had AppSec people, you had network security people. Everybody was in their own environment.

And because, in a lot of cases, it was hard to integrate the information we had in those different spheres, it was difficult to actually start to correlate sufficiently to be able to do that, but now we've got the ability to understand that and in ways that can bring all of that information together, so that we can now triangulate any particular problem from so many different angles. It does mean, though, that we've got to get security teams that are working across what are those legacy barriers.

Quint Van Deman

Yes, absolutely. And I was just talking to one of our customers about this yesterday. So we started maybe a slightly different problem space, but I think it hits at the same fundamental challenges that you're after. As we talked about -- we are starting to talk about how various AWS and partner systems are really good at identifying and prioritizing things that need attention in your AWS environment, there's lots of good options out there.

But when we just got down, the meat of the conversation that I want to get to is how are those things being actioned. And for that customer, their state -- current state of maturity, they were still fairly old school. It was alerts and it was humans manually executing things.

And that's just sort of, in this day and age, just too slow, but it's also constrained by that high judgment human capacity, which is, at least the way we look at it, one of the scarcest commodities around. The cloud has lots and lots of computers. What we don't have is high judgment decision-making in space. And so there's a big part of the sauce that is how we think about securing the cloud as a hyperscaler that really zones in on that.

And then we try to clearly use automation and sort of taking all of the great intelligence that comes out of years' worth of information in security experience, combined across disciplines or otherwise, and think about how we can automate away the sort of the standard, the known bad and the known good, so we can really highly focus that critical resource, this high judgment humans on the parts of the problem that, really, just the gray area that will for -- some for good foreseeable future points that still require that human judgment to get to the best outcomes.

Eric Hanselman

We haven't actually uttered the words generative AI yet. Well -- but to your point, it's also an area -- both networking and security are areas in which, when we take a look at our end user data, there are areas that have always lagged in terms of leveraging automation.

And again, it's -- the example, the site is at [indiscernible] (00:13:32) "from years and years ago" about how compute and networks scale differently. In compute, you're doing one atomic action multiple times; in networks, you're doing one action that spans across a whole range of different systems.

So a single network change affects lots of things. A single compute instance change tends to only affect that -- an individual instance. As one of those drivers of why networking and security teams are typically risk averse -- more risk averse, I guess, than other teams, but it really is that shift to automation, that's the key part of ensuring that you can actually start to manage at cloud scale.

Because -- and whether or not that's cloud scale or infrastructure scale broadly, that's really that transition, I think, that organizations have to step up into in order to be able to get to that level. Scaling operations were never going to produce enough skilled hands to be able to handle that.

I think if there's anything that history has taught us is that our needs are always going to outstrip the number of skilled people that we've got, and we need to ensure that we, to your point, reserve those keen human minds for those things that they're really best at.

Quint Van Deman

Yes, I couldn't agree more. And I think what -- in the sort of the earlier days of the cloud, there were, I don't know if you want to call them, folks who just had a naturally good aptitude or the deep passion or had more of a desire to sort of go get it, but there were a plethora of folks out there that had this sort of natural generalist background, combined with -- they didn't have to be some amazing object-oriented 12 levels of indirection Java programmer. But they needed to bang out some procedural Python code and maybe understand some data structures in JSON.

As the journey to the cloud has moved forward sort of through the industry, it seems like a lot of those people have gotten gobbled up. And what we're really seeing our customers be successful with now is the move away from thinking about that purely being a skill set that exists only between the two ears of one human being and more thinking about it being the capabilities that a team brings to the table.

So when we pair up someone with 10, 20, 30 or more years of information security experience, combined with a relatively early career new hire that's been doing a bunch of data science or other related work, it really makes a really effective combination. And I think these things that folks get hung up on, that it's going to somehow be threatening to the old KG veteran or daunting to that early career folks, it just doesn't play out that way.

The two sides of that coin really make each other more powerful, and they learn a ton from each other, right. The old veteran is really making the next innovations in their career. And at the same time, you're sort of training up, you're building from within the security professionals that you're going to need for the next generation of your business. And I really think it works great together.

Eric Hanselman

Well, in terms of, yes, that skilling up path, it is one of the things also that I think we're in a day and an age in which the capabilities that we've got in cloud environments also help to facilitate that. There are certain areas in which, hey, you need a deep understanding of exactly what's going on. You need an understanding of the environment, the history of who built it, where did it come from, what's it trying to do.

And yet, one of the great things about cloud environments is that we've got constant innovation because there aren't those legacy roadblocks in terms of rolling out new capabilities, tweaking up capabilities that we've got and being able to expand and manage. Those are all areas that it's -- you've got to be able to also be aware of and keep up with what's next, what's happening. And those are things -- that balance can really start to bring to the table.

It's an interesting idea in terms of how organizations should really think about this, which, one of the things I want to talk about is when we start thinking about what that journey looks like, some of this is skills development, some of this is moving forward.

But there, I think, is also that tension of ensuring that we've got an operational posture that is going to work for all of the infrastructure that an environment has to be able to go take what they've got in their existing environments, what they've got in cloud environments, what they're doing, wherever they happen to be leveraging infrastructure and actually bring that all together.

And some of that is ensuring that your teams that have the knowledge of your on-prem environments or whatever you're flinging, colo, are also collaborating, working well with the teams and your cloud environments. When we think about that, one of the challenges often is spanning that gap because if the organization hasn't really kept up to ensure that knowledge and the tooling is comparable across that, it can present some challenges.

That's one of those things that, I think, that should be sort of first step in terms of moving forward is understanding how to actually ensure you do that because, in a lot of cases, it's bringing together all of the resources at your disposal, and that very much my mind seems to be that conversation of bringing the old and the new together.

Quint Van Deman

It is. So I agree with you. But I also want to take a little bit of what hopefully won't sound like a self-serving or bias perspective, but it probably will be at least a little bit edgy. So you can keep me honest. At some point, at least in my opinion, it gets awfully hard to retrofit modern top-notch enterprise information security into an on-prem environment that's been rusted in place for years and years.

And when you try to do so, really, the returns diminish very quickly. And so maybe, I think this is a case -- a great example of where folks can over-index on consistency. Maybe instead -- and again, I want to -- I recognize my bias here, but maybe those are places where we ought to cordon things off, do some reasonable efforts to make sure that we still have gaping holes.

But maybe we ought to be better applying that same energy rather than trying to retrofit something on to something where it's really square peg, round hole. Maybe we should work to migrate that system into the cloud, where you either get the security uplift along the way in part or in full.

Or you -- at a minimum, you get to an environment where those evolutions are far more natural because the primitives exist. And so again, I'll sort of self-censor it there because I don't want to make it sound like just a pure move to the cloud is going to solve all of a customer's tech deck -- or tech debt. It is just not the way we think about it.

But I do think there is something to the concept of just being willing to accept that there are diminishing returns, and we try to make everything feel consistency, either because we're going to drag down the environment that's capable of something better or we're going to spend just undue cycles trying to force something that we're really fighting against the tide.

Eric Hanselman

Well, that's an interesting point. And if you've got an existing environment that is stable and functional and sufficiently secure, in a lot of ways, also, I guess, you make that point that being able to haul it up is actually going to be relatively resource intensive.

And especially when you think about what your environment is that you're working with in terms of satisfying regulators and auditors, you probably also spend a fair amount of work ensuring that your auditors are happy with what that environment looks like, and to have to really span across both of those, I think that's a little bit more of a challenge. But interesting point.

And it does speak to, I guess, one of the thoughts that I wanted to maybe close on is what is it that organizations should really be considering is really address all the benefit they could be getting out of cloud security, what are some of those directions that need to head in, what are some of the fundamentals that they really need to focus on to really level up their security game.

Quint Van Deman

Yes. It's a great question, Eric. And I think we avoided the generative AI buzz word. But I think the one...

Eric Hanselman

Yes. We've got to touch on it at least once, I think, in every podcast.

Quint Van Deman

But the buzzword that I do think nicely summarizes for me what I hope that most organizations focus on in this coming year can be reasonably wrapped up under the banner of zero trust. It's this great evolution where we're bringing all of these sort of classic security problems from identity management, vulnerability management, posture management, endpoint management, you-name-it management, and we're getting them to actually finally work better together and actually be aware of one another.

And again, it is a little buzz worthy. Generally, Amazon actually is fairly allergic to sort of buzzword things. But I really do think that that's a great way to sort of sum up the types of evolutions that folks need to be making in security. And as long as they approach it in sort of an incremental better every day, don't get sort of stuck on start in a way, which is a little bit of the hazard of zero trust, I think that's a great way to sort of summarize where I hope folks are going.

Just getting information flowing across the silos better, making better decisions, making more granular and more reactive decisions just really for me summarizes where I hope folks are going, or at least looking to shape their priorities.

Eric Hanselman

Well, it's -- zero trust is one of those things that we bring up over and over again. It is a broad and nebulous topic, but the fundamentals are so important. And I think your point about ensuring that you get information flowing across silos is that other big piece of it. And as is so often the case, don't let the perfect be the enemy of the good. Just keep moving forward. I think words to live by and hopefully secure by.

Quint Van Deman

Could not agree more, could not agree more.

Eric Hanselman

Well, thank you, Quint. This has been great. Appreciate you being on the podcast.

Quint Van Deman

Thanks for having me, Eric. This was a super fun experience.

Eric Hanselman

And thanks to our audience for staying with us. And that is it for this episode of Next in Tech. I want to thank our production team, including Caroline Wright and Kaitlin Buckley on the marketing and events team and our agency partner, the One Nine Nine.

Please keep in mind that statements made by persons who are not S&P Global Market Intelligence employees represent their own views and not necessarily the views of S&P Global Market Intelligence. Join us for our next episode where we're going to be talking about cyber insurance tech, an interesting topic where we're bringing together economics and security together. I hope you'll join us then because there is always something next in tech.

Copyright © 2024 by S&P Global Market Intelligence, a division of S&P Global Inc. All rights reserved.

These materials have been prepared solely for information purposes based upon information generally available to the public and from sources believed to be reliable. No content (including index data, ratings, credit-related analyses and data, research, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of S&P Global Market Intelligence or its affiliates (collectively, S&P Global). The Content shall not be used for any unlawful or unauthorized purposes. S&P Global and any third-party providers, (collectively S&P Global Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Global Parties are not responsible for any errors or omissions, regardless of the cause, for the results obtained from the use of the Content. THE CONTENT IS PROVIDED ON "AS IS" BASIS. S&P GLOBAL PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT'S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Global Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages. 
S&P Global Market Intelligence's opinions, quotes and credit-related and other analyses are statements of opinion as of the date they are expressed and not statements of fact or recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P Global Market Intelligence may provide index data. Direct investment in an index is not possible. Exposure to an asset class represented by an index is available through investable instruments based on that index. S&P Global Market Intelligence assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P Global Market Intelligence does not act as a fiduciary or an investment advisor except where registered as such. S&P Global keeps certain activities of its divisions separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain divisions of S&P Global may have information that is not available to other S&P Global divisions. S&P Global has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P Global may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P Global reserves the right to disseminate its opinions and analyses. S&P Global's public ratings and analyses are made available on its Web sites, www.standardandpoors.com  (free of charge), and www.ratingsdirect.com  and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P Global publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
