Cybersecurity Talk with Andy Malone: The newest trends & traps in cloud security

In this episode of Cybersecurity Talk with Andy Malone, we’re discussing the future of cloud security, along with its trends and traps.

Cybersecurity Talk about Cloud Security

In this episode, we’re going to be talking about cloud security. If you want to get more knowledge in this subject, you should definitely listen to what kind of interesting stuff we’re going to be talking about today. Before we start, a couple of words for the introduction of Andy. I’m pretty sure you know him because he’s speaking at different types of conferences, SpiceWorld, Microsoft Ignite, TechEd and many other international conferences.

Andy Malone – cloud security consultant who loves sci-fi

Paula J:

Andy Malone is a world-class speaker, consultant and instructor. You also wrote a book right?

Andy Malone:

I did. The Seventh Day.

Paula J:

Oh cool.

Andy Malone:

It’s not a tech book.

Paula J:

It’s not a tech book. Okay.

Andy Malone:

No, it’s a geeky, sci-fi thriller.

Paula J:

Hopefully with a lot of action.

Andy Malone:

Oh, lots of action.

Paula J:

You should definitely go check on it.

Andy Malone:

Sequel this year.

Paula J:

Oh, that’s cool. Okay. It’s moving forward. That’s great. Andy is also doing a lot of Tweeting, yes?

Andy Malone:

@AndyMalone, check it out.

Paula J:

What do you usually Tweet about?

Andy Malone:

Oh everything, security mostly. A lot of security, maybe the odd advert for my book as well.

Paula J:

Okay.

Andy Malone:

Generally security.

Paula J:

Security news and so on, so definitely check out Andy’s Twitter. Well, if you’re ready, I’m ready.

Andy Malone:

Bring it on.

Paula J:

Okay perfect. I’ve got a couple of disturbing questions for you today.

Andy Malone:

Disturbing, okay.

Cloud security

I would never put into the cloud such data as…

Paula J:

Yeah, are you ready? Okay good. The first question is, what kind of data will you never put into the cloud?

Andy Malone:

You know, this is an open-ended question. It really depends on the type of business that you are. If you’re a financial company, there may be legal or compliance constraints, meaning that you’ve got to keep your data in a specific area. I think a lot of companies that are going down that road, you need to maybe think about hybrid solutions. You might find that certain data you’ll put in the cloud and other data you’ll maybe want to keep on premises. It really depends on the type of business. What we’re seeing is a real shift in the industry at the moment.

Last year the new European Union directive came out. According to this directive, the cloud companies are under orders to actually store their data in a specific way in a specific location. Companies like Microsoft, Google, and so on, have created regional data centers.

Dublin, Amsterdam, and so on that cover parts of Europe. But now what we’re seeing is specific data centers. For example in Germany and also in the UK that are trying to tap into the government healthcare, financial markets of those particular countries. I think once these come into each individual country, I think we’ll see a lot more companies kind of progressing into the cloud.

I think if we have this conversation maybe in a year or two many companies who want to be compliant, will be moving into those localized data centers.

We all use the cloud

Paula J:

Sometimes it’s interesting when we hear companies saying that we’ll never put my data into the cloud but they are actually using Gmail for example.

Andy Malone:

Everybody is using the cloud, Facebook, or whatever. We all use the cloud.

Paula J:

We all put information that sometimes we are not even aware of, yes?

Andy Malone:

That’s right.

Paula J:

We’ve got all the personal data in the cloud and then we are saying we don’t want to use the cloud.

Andy Malone:

Yeah.

Paula J:

Well, maybe we should rethink our strategy a little bit.

Do you think everything will move to the cloud? Music in the cloud vs. vinyl

Andy Malone:

People often ask me: do you think everything will move to the cloud? You look at music and vinyl, the biggest climb in technology at the moment is the return of vinyl. People want to have something physical. The question is, will everything progress to the cloud or will it come back? I think because of the low cost of storage, I think we will always have a hybrid type.

Paula J:

Retro cars are always trendy, yeah?

Andy Malone:

Absolutely, absolutely.

Current trends in cloud security

Paula J:

Okay. Cool. What are the current trends in cloud security? Is there something special that we should pay attention to?

Andy Malone:

I would say, many of the vendors are now starting to look beyond passwords. I know that you focus a lot on passwords and hacking passwords. That’s definitely a weakness area in the cloud. What we’re seeing is a number of the big vendors coming together, a single identity. Rather than passwords, take the S off and just have a single password.

I think identity and authentication management is a big change. Things like multi-factor authentication, really making a big move forward. I think that’s good. Also, with things like multi-factor authentication, it’s making it easier for people. Rather than having to put a text message in or answer an email, or listen to a voice, it’s a simple thing now like putting a fingerprint on a phone or something and that will authenticate you. Both Microsoft and Google do that for example. I think that means multi-factor authentication, and also things like location awareness as well.

I think that’s excellent.

Paula J:

Okay.

Andy Malone:

If you’re signing in from here in Oslo today, but then in an hour’s time you’re suddenly signing in from New York, that’s not right. Something is not right there. The cloud is becoming more intelligent and I think it’s becoming safer as well for folks.

What about Azure?

Paula J:

Do you see Azure being changed from a security perspective in time?

Andy Malone:

Absolutely. A lot of it is coming from not necessarily the industry. A lot of it is coming from governance as well. There’s a bigger push for the cloud businesses to be compliant, legally compliant. I think a lot of the tech is pushing that. One thing I would say is a lot of companies like Google and Microsoft, I would say the one issue that they’re doing is their products like Azure that are pushing out features every week, so many features coming out.

Paula J:

Actually yesterday there was a change that surprised everybody because, you were speaking about Azure, and you got all your demos ready, it was quite interesting.

Andy Malone:

Blink and it changes.

Paula J:

It was just like changed.

Andy Malone:

Oh, it was crazy.

Paula J:

Then you wake up and oops, I have to change my stuff. Yeah.

Security features should be included in Azure without extra payment

Andy Malone:

I would say that the one thing that they’re doing is they’re making the mistake of bundling security features as features. Yes? The problem with that is that you’re going to get some businesses that don’t have those features because they’re not paying the extra. I think they should separate the security features. Everybody gets the security features and the regular features of the product.

Paula J:

More like an option to choose from?

Andy Malone:

I think everybody should get security.

Paula J:

Okay.

Andy Malone:

I don’t think that that should be made a sellable feature. I think that everybody.

Paula J:

It should be built in and so forth.

Andy Malone:

I think so. Yeah.

Paula J:

I think it’s a very good approach. That’s what Microsoft is doing with the newest Windows 10 and all the security features that are on board with that.

Andy Malone:

Exactly.

Paula J:

It’s together with the enterprise so you kind of like pay for it, but on the other hand, when you already have an enterprise, it’s all built in.

Andy Malone:

Sure, sure.

Paula J:

Absolutely. What about situations when you’ve got a cloud user already. Is there something that this person or organization can do to increase the security in the cloud?

Andy Malone:

Multi-factor authentication and also I would say encryption as well.

Paula J:

Okay.

What kind of encryption do you use?

Andy Malone:

You know, encryption is an interesting thing. One of the problems with cryptography at the moment is that the industry, I mean Microsoft are as guilty as everybody else. They say, oh we encrypt. It’s very confusing what kind of encryption do you use? Is it data at rest encryption? Is it data in transit? Remember, the big thing about all cloud vendors is that they really use one primary encryption mechanism and that’s SSL. Everything is over the trust, assuming the SSL doesn’t break. Okay? If SSL broke, then you basically have potential keys to the kingdom. Good advice would be to perhaps have some kind of utility that would encrypt your data locally, and then send it to the cloud already encrypted.

Paula J:

Yeah.

Andy Malone:

I like that idea.

Paula J:

That you are able to always get it back on site when you need it.

Andy Malone:

Yeah, and multi-factor authentication.

Paula J:

Okay.

Andy Malone:

That would definitely improve.

Paula J:

What about disk encryption within the virtual machines. There’s also.

Andy Malone:

Totally.

Paula J:

Yeah? Okay.

Andy Malone:

In Microsoft, I forget the name of it, the Windows Server 2016.

Paula J:

The shielded VMs.

Andy Malone:

Yes, shielded VMs, absolutely fantastic. The idea is that even as a cloud administrator, you should not be able to gain access to a user’s data.

Virtual TPM – the thing that changed the landscape of the security in 2016

Paula J:

Absolutely. I don’t know if you will agree with me, but in my opinion, if we could mention something cool in security from last year, I would name it as the virtual TPM.

Andy Malone:

Totally. Totally.

Paula J:

That changes the security landscape so much. Both on-premise and both in the cloud and wherever you want to use it, you are always able to increase the security, relying on the TPM.

Andy Malone:

Absolutely.

What would you advise someone who wants to start working in cloud security?

Paula J:

That’s kind of something cool. Okay great. Thank you. Now, it’s time for soft questions if you are ready.

Andy Malone:

Okay.

Paula J:

The first question, if a kid would look at you and he’s like: I want to do security. I want to be like this guy and I want to do this and that and that area. What would your advice be? Maybe not a kiddo but a teenager, or a student. What would your advice be for this person? What should this person know?

Andy Malone:

You know, this is kind of weird that you asked me this question because the other day, I was in a burger place. We all go to these burger places.

Paula J:

Yeah.

Andy Malone:

There’s this kid and he’s wiping tables. He was about 17.

Paula J:

Okay.

Andy Malone:

We got talking.

Paula J:

Okay.

Andy Malone:

He says to me, “What do you do?” I say, “I’m in IT.” He says, “Oh I’d love to be in IT.”

Paula J:

Oh, that’s great.

Andy Malone:

I say, “Why are you cleaning tables.” He says, “I left school with nothing.”

Paula J:

Oh, no.

Andy Malone:

I say, “That doesn’t matter.”

Paula J:

Doesn’t it matter because your computers are everywhere yeah?

Learn from YouTube!

Andy Malone:

You can go to a book store. I said, “Do you have an interest in computers?” He says, “Yeah. Where do I start?” Get A+, Security+, that type of certification and don’t let anybody tell you that you can’t do it. There are well structured paths. You don’t need to go to fancy schools. You can learn. YouTube for goodness’ sake. I mean, YouTube’s got some great learning content right up there. Once you get the basics, once you become familiar with the basics, then there are many, many kind of structured programs to go there. Absolutely, IT certification is definitely the way forward. It’s amazing how many people who have done fancy degrees at university that often say to me, “My IT certification is so much more valuable than that.”

Paula J:

It’s very practical, yeah?

Andy Malone:

Totally. The thing about IT certification as well, things like Microsoft certification, and so on, is it’s constantly evolving. You’re constantly being pushed. If you don’t push yourself, that’s the challenge. I think that’s the big draw to the industry.

Paula J:

Okay. That’s good to know. Are there any free resources that you could recommend for guys to get knowledge?

Andy Malone:

Oh, YouTube, I know that your website, you do lots of free videos and things like that.

Paula J:

We do, we do. Microsoft Virtual Academy.

Andy Malone:

Absolutely. That’s a great resource.

Paula J:

It’s free.

Andy Malone:

Also, you’ve got things like hands on labs and free hands on labs and things.

Paula J:

Yeah.

Andy Malone:

Get hands on. Remember, a lot of these products like Windows Server, Windows, you can download like six month versions of these for free, and you can work with the product and that’s the best way to learn.

Paula J:

Andy, what would be your recommendation for advanced guys? If someone is already a specialist in security and these guys want to, they don’t know what to do because they kind of feel like they have achieved everything from the knowledge perspective, but then new things are coming. Is there something right now that in your opinion is worth paying attention to that these guys should know?

The cloud industry is knowledge based

Andy Malone:

I think at the moment, the cloud industry is knowledge based.

Paula J:

Okay.

Andy Malone:

What does that mean? What does knowledge based mean? The cloud knows everything about you. You store your stuff in Azure, Google, Facebook. They know exactly who you are. I mean, of course, they would never look at your data, right?

Paula J:

For sure.

Andy Malone:

Should and could are two different things. The fact is that the companies know your data. I’ve worked in the Microsoft data center. I’ve been to the Microsoft data center. I’ve worked with the teams. If they wanted to, they could find your data. They could see the names of your files.

They could open your files.

What we’re now seeing, I think is something called zero knowledge systems. There are a number of companies that are starting to kind of emerge where you essentially just buy a block of data. You buy a terabyte of data and that’s all they see. They just see the block of data. They can’t see anything within that. I think this is quite exciting. It means that they don’t know the file structure. They don’t know the names of the files. They don’t know what type of files and this block of data, you encrypt it and you have the private key. If you lose the private key, it’s gone.

Paula J:

It’s gone.

Andy Malone:

An example of one of these products is SpiderOak. SpiderOak is a complete zero knowledge based system. Now, whether it’s compliant with ISO20, that’s to the point. I suppose the unethical side of it is, you don’t know what’s being stored in there as well. There’s a for and against argument. It’s interesting that that is starting to emerge in the industry and I think professionals need to look at these and understand the benefits, the pros and cons of both types of system.

How to move to the cloud?

Paula J:

What if the company that is already quite well established wants to move their stuff to the cloud, what should they do?

Andy Malone:

Well, Azure and because we’re MVPs of course, looking at Azure. I would say Azure is actually one of the best.

Paula J:

Yeah it’s big.

Andy Malone:

The security compliance center. There’s a compliance area. You can put in the country that you’re in, the region, the business, and Microsoft actually show you the compliance documents, so they prove to you that you are compliant. If you’re stepping forward, let’s say you’ve got a customer and the customer wants to work with you and we need to be ISO 27001, how do I know that I can keep that ISO 27001 status? You can go to Microsoft and all the documentation is there. It proves that they are compliant and I think that’s great for customers.

Paula J:

Azure has a nice possibility because it’s very scalable.

Andy Malone:

Totally. It’s elastic. That’s a great word.

Paula J:

Yeah, and at the same time, we have been experiencing in general over the past year, different types of denial of service attacks.

Andy Malone:

Sure.

Paula J:

If you put your, at least some part of your services in a cloud, if you are being attacked, then it’s just like, a couple of more dollars that you have to pay, but still, it’s an emergency situation. Then you are able to expand your services pretty much immediately. Then at some point, you’re going to be not vulnerable to denial of service.

On the other hand, if the whole internet is against you, even Azure will not help you.

Andy Malone:

Exactly.

Where to look for resources to learn about cloud security?

Paula J:

That’s another case. Okay. Are there any interesting resources for those guys to check on that you would recommend?

Andy Malone:

Yeah. As I said, documentation is everywhere. The virtual academy.

Paula J:

They should check out your sessions.

Andy Malone:

We do sessions at Ignite or SpiceWorld.

Paula J:

They are recorded to be found on the internet too?

Andy Malone:

There’s a lot there. Yeah. There’s a lot. Actually, on my Twitter page @AndyMalone, there is a link to my page at Microsoft, so you can go in and view those presentations.

Paula J:

You speak also on security. These kind of sessions can be also found?

Andy Malone:

Absolutely.

Paula J:

You guys can also check on that. Make sure that you do.

Andy Malone:

Again, you were talking about kids who wanted to learn. Great way. These videos are right there. You know?

Paula J:

They’re just free everywhere.

Andy Malone:

Go and have a learn.

Paula J:

Yeah. Absolutely. It’s very inspirational to be able to see someone talking about the future solutions. That’s what we’ve been discussing today, that cloud is out there. The cloud is definitely looking pretty much every day.

Andy Malone:

Every day.

Paula J:

If we don’t stay up to date, we’re going solve very quickly.

Andy Malone:

Yeah.

Paula J:

Just to summarize, in a couple of words, today we talked about:

  • Different types of security.
  • Tips that you should check in order to be more secure in the cloud.
  • Which data we shouldn’t be putting in the cloud.
  • What are the current regulations that could make companies more comfortable about putting data in the cloud within certain countries. That’s what a lot of companies are demanding. I would never put my data in the cloud unless it’s in this country. That’s kind of like, developing that area.
  • Azure security and the newest features.

So plenty of cool subjects.

As simple as this, if you guys have some questions for Andy or myself, or within this interview you want to know more, then post your questions in the comment section below. We will be watching you and waiting for you there.
