Hyperscale Security

To document all of the weird things we run into in cloud security, I long thought someone should be the "rachelbythebay" for secure cloud transformation...

Cloud Security is constant crisis management. Not in the sense of panic, everything is on fire, but as a constant mode of being. Should a fire break out at your house, I bet you'd be in panic mode, as I sure would be. But for the Fire Department it is just another Tuesday. (literally)

I was reminded of that when I saw two separate reports of vulnerabilities in the cloud come out just today:

Told You So Doesn't Stop Us From Having To Deal With The Impact

These are great write ups with technical details, and you should read them. But since they're already fixed, they are largely like a weather report for a different continent.

Hurricanes or tornadoes way over there may make the news but don't affect you as much as the showers or snow you may be dealing with back home[^1]. Scientists and activists have correctly warned us about climate change for a long time and made recommendations that, for reasons outside their control, weren't followed. First responders nevertheless have to manage the local disasters where they occur and do what they can with the resources they have available to them.

Security professionals similarly have offered good advice for decades. Here too, a lack of resources, commitment or willingness to face consequences often meant their recommendations weren't followed. Yet those in the trenches try to make systems secure and respond to alerts to the best of their ability, while security operations deals with the fall-out with the capabilities they have.

Managing Cloud Turbulence

Cloud transformation only adds to this sense of crisis. We rush head-first into cloud platforms and new cloud-native technologies like Kubernetes, little of it secure-by-default. We give more autonomy to developers, while we're still figuring out how to secure these landscapes. Changes to the way we work, develop and deploy code, and adjust organizationally to cloud transformation only add to the turbulence.

We only manage this by realizing we are in a state of constant crisis and will continuously have to make difficult choices. This is what crisis management is for. When you rarely have an incident, you may have good playbooks, but when an incident does happen nobody knows what to do. When incidents are routine, you develop a rhythm and a comfort level with them. You manage.

That doesn't make me less concerned about these vulnerabilities – we rely on the cloud provider for the security of the cloud in our own threat modeling and processes. I am concerned about the impact of climate change on communities around the world, as well.

However, we all first have to deal with the crisis in front of us and prioritize according to the impact on our organization, for the things we have control over and can mitigate. It won't do to stand on the sidelines and say “I told you so”. We have to save what we can. Welcome to constant crisis management.

[^1]: I am in the greater Santa Cruz area, recently hammered by massive rain storms. While our little community is OK, thankfully, many areas have seen major flood damage and the risk of landslides continues. Extreme weather events are obviously on my mind.

cloud security posts without corporate approval @jaythvv@infosec.exchange

How does anyone think this works?

Sponsored/InMail: Hi, my name is XYZ, Co-Founder and CEO at ABC, dedicated to solving the big problems in cybersecurity. Here's a link to my calendar so you can schedule a 30-minute demo

Cybersecurity vendors, please stop doing this. I get a couple of these per day on LinkedIn or email, and the only thing it does is get you remembered for all the wrong reasons. Cold contacts like this literally scream that you have no idea what you're doing.

We all have a lot of work to do, and if you are in the cybersecurity industry, I assume you are in it to make the world more secure. Therefore, allow me to share some insight from the other end, and hopefully you can spend your energy better.

We Study the Market

Large organizations with a significant security organization follow what is going on. Different teams will track different segments through the industry media, analyst briefings and reports, and what we hear our peers are using and their experience. We attend conferences, watch webinars and listen to podcasts. We get regular dedicated presentations from established strategic partners. We have partner teams and investment arms that survey what the cybersecurity industry is doing.

You don't have to contact us – certainly not over LinkedIn sponsored direct message! – we will contact you. For all of our new cloud security tooling, we reached out to the vendor. Two of them we approached for use cases we had identified ourselves, which they weren't even selling the product for. One of them we contacted when they had just come out of stealth, after an analyst had talked them up during a briefing and got us interested.

If we don't contact you, it's because you are not a realistic candidate. (Sorry)

Do Your Research

During my consulting days, before every job, I looked up the client's website and searched around to get a sense of what the organization was doing. If your first contact gives me the impression you don't know what we do, how big we are, or what challenges we may face, you have just shown me you wouldn't even do that.

There are ~3,000 people in our organization involved in security in some form or fashion. We operate cloud services with critical workloads for paying customers. Established vendors have seen their products fail in our landscape. We have spoken at security and DevOps conferences about the challenges we've faced, and those talks are an easy search away.

Are you sure you would even want us as a customer? Are you ready?

I Get How This Would Be Good For You, How Is It Good For Me?

I have been in the tech industry since the 90s. I totally get why it would be a fantastic opportunity for you to have a customer this size and name. The marketing potential alone would be excellent, wouldn't it?

Cool. But what is the problem you are solving for us? What remaining gap do you cover? Why would we replace an established vendor with you?

At Least Give Me A Reason To Be Interested

The effort may not be entirely wasted. It's always possible that you are doing something very cool and innovative. It is useful to have a product sheet and a tech paper that allows me to place you in a particular segment. That still likely won't lead to a follow-up, but if it is interesting, I will remember you. If I hear others mention you, I will ask them about you.

There is at least one company, though, that keeps contacting me and never seems able to explain what they do. That is all I remember about that company. I talk to others about them and their sales approach. Don't be that company...

But My Product Is Different!

You may genuinely believe you have a solution I should know about and your startup is different from the pack. It may well be! So, tell the world, get onto conference talks and podcasts, and release technical papers. Get the attention of the analyst firms.

But realize that a company our size has 18-24 month procurement cycles with multiple layers of approval. You'd get fully scrutinized for multi-year viability, likelihood of being sold to a larger company, level of funding, and all that for the duration of a multi-year contract. You would have to prove why you're better than a preferred vendor that has more resources than you. You could run out of runway chasing a whale, when you could be building the business fishing for cod.

If you're good and get traction, and solve problems for your customers, we will notice you. We will follow your progress. And if we think you could fit in our plans, we will give you a call.

Just writing this, I already thought of enough material for a future follow-up: how not to screw up your first meeting. Stay tuned!


About a week ago, I was in a quarterly security review meeting with one of the business units, including the relevant business leader and BISO. All of us have been in the tech industry for decades. We discussed the progress of the last quarter in the middle of a rapid cloud migration. As an aside, the three of us agreed that cloud transformation is the hardest thing we've done in 30 years.

Over the last 4 years I have been deeply involved in cloud security during a rapid cloud transformation that is still ongoing (arguably, it never ends). As cloud transformation reaches into business functions and processes you never foresaw and poses challenges you never thought you would have, it is a journey filled with absurd and crazy adventures.

Hyperscale Security

I ran a company-internal blog to document what we were going through as a running commentary, simply because I felt some sort of record needed to be kept. Increasingly, I thought those struggling through their own cloud transformation could benefit from such experiences. I have always liked the 'war story' posts on http://rachelbythebay.com/w/ and thought I might do the same. I even got the domain name – hyperscalesecurity.com – but for months I hadn't figured out what platform to use or how to host it...

Jerry from Infosec.Exchange to the rescue! Long live the Fediverse.
