10월 19, 2023
EP 38 – Why Cloud Security Doesn’t Taste Like Chicken
Today’s guest is Charles Chu, CyberArk’s General Manager of Cloud Security, who’s spent more than a decade at the forefront of cloud security. Chu joins host David Puner for a conversation that delves into secure cloud access and the concept of zero standing privileges (ZSP), a dynamic approach to securing identities in multi-cloud environments. Chu sheds light on the complexities of cloud security, emphasizing the need for tailored solutions to protect against evolving cyber threats. Don’t miss this insightful conversation that demystifies cloud security and redefines safeguarding digital assets – and answers the pivotal question: Why doesn’t cloud security taste like chicken?
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.
[00:00:23.010] – David Puner
Hello, and welcome to another episode of Trust Issues. Today’s episode calls for 100% chance of cloud. Organizations view cloud computing as a fresh start, a way, among other things, to leave inefficiencies behind and supercharge innovation, collaboration, and cost savings. But identity and privileged access management practices that worked in traditional environments won’t fly here and must evolve to address new environments, roles, and circumstances.
[00:00:54.460] – David Puner
But that doesn’t mean planning for every possible cybersecurity scenario. That’s impossible. Instead, it’s about finding a practical and intelligent way to limit access across your cloud estate to protect what matters most. That brings us to today’s guest, Charles Chu, who’s CyberArk’s General Manager of Cloud Security and speaks intelligently about all things cloud security and makes a compelling case for Zero Standing Privileges. As you’ll hear, Charles has been on the cloud forefront for the past decade or so, and he came over to CyberArk from AWS about a year ago.
[00:01:32.460] – David Puner
We take a dive into cloud security access, talking about the concept of Zero Standing Privileges as a holistic context-driven approach for securing identities in multi-cloud environments, among lots of other things. Like, he explains why cloud security does not taste like chicken.
[00:01:51.410] – David Puner
Here’s my conversation with Charles Chu. Thanks for pulling it down or streaming it from the cloud.
[00:02:00.800] – David Puner
Charles Chu, welcome to the podcast.
[00:02:03.690] – Charles Chu
Thank you. Great to be here.
[00:02:05.460] – David Puner
You are CyberArk’s General Manager of Cloud Security, and you’ve been with the company, looks like just around a year, at this point when we’re recording, which is in the beginning of October. Is that all right?
[00:02:18.020] – Charles Chu
Yeah, that’s right. Been here since September of 2022.
[00:02:23.510] – David Puner
As Cyberarks General Manager of Cloud Security, what do you do and what led you to this current role? What did you do before CyberArk?
[00:02:32.380] – Charles Chu
Well, Matt, our CEO may argue that I don’t do much, but I lead a cross-functional team within CyberArk that spans go-to-market marketing, sales, product, engineering. There’s a group of folks that will report to me, and we’re collectively responsible for the success of CyberArk and bringing cloud identity security to our customers. That’s what we do.
[00:03:02.130] – Charles Chu
Prior to joining here, I was at AWS for a number of years working with what AWS calls the customer segments of digital native businesses. Sort of like the Uber’s Grubhub folks of the world, born and always have been in the cloud, as well as ISVs; independent software vendors, software companies just like CyberArk, whether they be entirely cloud-based or more traditional software companies who are moving to the cloud.
[00:03:35.300] – Charles Chu
Before AWS, I spent the bulk of my professional career either building software, leading product management and engineering teams, or hopefully faking building software reasonably well. That’s my background and how I got to be here.
[00:03:53.620] – David Puner
How long have you been focused on cloud, and when did you know cloud was really going to be a big thing?
[00:03:59.960] – Charles Chu
Probably for the last decade or so, something like that. I think the arc of my journey is maybe similar to a lot of other people’s journeys or roughly parallels the industry as well. Maybe a dozen years ago, I was at IBM at the time working with our commerce software back in the day and thinking about how we move that commerce stack. At the time, IBM had number one market share in commerce software, was the backbone of folks like Target and Staples.
[00:04:38.720] – Charles Chu
We were thinking about how to move that entire stack to the cloud, what we would call today something like lift and shift. What’s the fastest way I can take advantage of the elastic properties of the cloud, and then from there transitioning to building entire SaaS microservices-based architecture. Whether it was at IBM or at Brightcove, which was one of the original online video streaming companies, transitioning into that real world of everything is decomposed into a microservice.
[00:05:20.700] – Charles Chu
Along the way, in leadership positions, you had to start to really think about, what’s most efficient here? What makes the most sense? Is it to throw more labor at it? Is it to throw more software at it? Quite frankly, I embarrassingly admit that some of the mistakes I made are common mistakes that we talk about at CyberArk, about what you shouldn’t do when it comes to security in the cloud.
[00:05:54.730] – Charles Chu
I completely empathize with a lot of our customers, almost all of our customers who say, “Yeah, security is great. I 100% want to be more secure, but by the way, I also want to move at the same speed, so you can’t slow me down either.” But we have to find the right tension point around how to do that without slowing down our customers who are moving to the cloud because they want increased velocity. We can’t be a friction against that.
[00:06:27.380] – David Puner
What shouldn’t you do when it comes to cloud security? I definitely want to get back to that soon, but I think in order to build the cloud story here, to better understand cloud security, it seems like an important place to start. Is the actual cloud itself, which we’ve, of course, already started to talk about. How is the cloud an opportunity for organizations? It may seem obvious, but I think it’s probably important to level set here at the top of the conversation.
[00:06:57.280] – Charles Chu
Many companies are multi-cloud. The big three are Amazon, Microsoft Azure, and Google Cloud Platform, GCP. Collectively, they have over 1,400 native services that they provide with, I think, slightly over 40,000 different access controls. That by itself is pretty daunting. If we think of the arc of maturity, one could reasonably argue public service number one was AWS’s storage service, now commonly called S3. One could say it’s the world’s biggest hard drive. Whatever you want to store, put it up there.
[00:07:55.600] – Charles Chu
From that humble beginning, the 1,400 today are this incredible array of applications, which I think some people may not actually understand. People still have this 2010 construct of, it’s IaaS, infrastructure as a service, or it’s PaaS, platform as a service, or it’s SaaS. The reality is, all three are mixed today. Very few people have an Is infrastructure as a service, where it is bare metal in the cloud and you’re responsible for scaling it 100%. That’s infrastructure as a service. It’s all a mix.
[00:08:47.620] – Charles Chu
I’ll give you a simple example. You can do a Google search and find a commercial workflow engine. Pretty straightforward. It’s a building block of an application. You can go to the GCP, Azure, or AWS console and you can rent a workflow engine. There’s no neon sign that says, “Hey, this is SaaS. This is a SaaS application.” There’s no neon sign that says, “This is an incredibly sophisticated machine learning engine.” Or more traditional techie tools like, “Hey, this is an ETL pipeline that you can now rent, or a CI/CD pipeline, or a Message Queuing engine.” I’ll stop.
[00:09:32.560] – Charles Chu
But I think you get the point. It’s incredibly complicated. It is an IS, a PaaS, and a SaaS all at the same time, which makes it all the more important. Because it’s not clear when you log to an Azure console, what is it? Is it a SaaS service or is it not? I think that’s one of the challenges facing our customers. Because anyone who can log in to a cloud console has access to those 1,400 services and whatever the N squared minus one is on that in terms of accommodation. It’s pretty sophisticated stuff.
[00:10:17.070] – David Puner
How does entitlement sprawl figure into that 1,400?
[00:10:24.080] – Charles Chu
In that type of environment, not only can you not define neatly, draw these boundaries of who should be able to do what, the old lines of, who’s an admin and who’s a user completely disappear. In that prior example, the most basic task someone can do is log into AWS and provision an S3 bucket and dump files there. On-prem world, it’s the equivalent of someone breaking into your data center, like wheeling a trolley with a rack on it, sticking hard drives into that rack, plugging ethernet cable into that rack, allowing them network access. If you think of what’s actually going on, that user is an admin and that admin is a user. That challenge is, when you talk about entitlements is, who’s allowed to do that and who’s not?
[00:11:35.960] – Charles Chu
Well, I guess everybody’s allowed to go do that. The way the CSPs work is, an identity is an identity. They don’t care if you’re a human being or a microservice or whatever you are. An identity is an identity. The entitlements are hard because you can’t tell a developer not to do their job. If you were my boss and I was a developer and I told you, “Hey, I want to take 10 people off to the side, a couple of scrum teams, and I want to go create a workflow service for us to use.” You’d probably look at me and say, “Why would you waste six months and 10 people to go do that?”
[00:12:25.400] – Charles Chu
Here’s how it loops back to your entitlement question. In order for me to do my job, you can’t limit my ability to scan the environment of what’s available and what all of the services are that I can explore and take advantage of. Because then you’re intrinsically limiting the value of the cloud in time and velocity to the company.
[00:12:55.870] – David Puner
Let’s shift over to the matrix for a moment. Earlier this year, you wrote a blog. The intro to the blog began with the movie, The Original Matrix, where… I’ll let you tell it, but it has to do with everything tasting like chicken. That led you to talking about the human tendency to equate new things to things we already know. All this is a long way of getting to, how is cloud security different from traditional security? What’s it all have to do with The Matrix and chicken? Why doesn’t cloud security taste like chicken?
[00:13:31.820] – Charles Chu
Well, the reference is to the movie The Matrix, the original Matrix, where a group of them are sitting in that really dungy, grimy kitchen, and they’re eating this oozy gray slop. What does it taste like? Well, it tastes like chicken. Everything tastes like chicken.
[00:13:52.340] – Charles Chu
Look, there’s a human tendency to try to re-cast every new thing in the context of something that we already know. Lots of friends who’ve grown up in the Western world. What does tofu taste like? Well, tofu kind of tastes like chicken. Whereas if you were going to ask my grandmother, who was born and raised in China, what’s tofu taste like, she’d look at you like, “Tofu tastes like Tofu, dude. Tofu doesn’t taste like chicken. Tofu tastes like tofu.” Because she learned it and interprets it for what it is.
[00:14:29.060] – Charles Chu
When we think about the cloud, it’s not helpful to always try to find something that you’re comfortable with. It’s more helpful to think of it as a blank slate. We just talked about 1,400 native services, everything from EC2 auto-scaling compute, to BigQuery, big data analytics, machine learning, AI, in the middle that you can rent and be using in literally seconds or minutes. There’s nothing like that on-prem. Just because you log in to an Azure console doesn’t mean you’re logging into a static version of Windows that you had 20 years ago.
[00:15:25.710] – Charles Chu
You can use like six well manicured Windows admin roles to go manage hundreds of Azure services that are getting updates daily, and tomorrow there may be three more. That type of dynamic environment really calls for something different. If I may, the way that we thought about it was, there’s an opportunity to improve on that. The way that we think that we’ve improved on that is with this concept of Zero Standing Privilege.
[00:16:06.670] – Charles Chu
Rather than having this dated concept of, I know who Charles Chu is, and Charles Chu has the set of privileges, entitlements, access, whatever you want to call it, I can look in the directory and I know Charles is there. But he’s allowed to do nothing, like literally Zero Standing Privileges. That is now possible in a cloud environment. It wasn’t possible in Linux or Windows or an ERP application or whatever. Now what we’re able to do is control the time that Charles has access, and depending on what he wants to do, and he’s approved to do it, be selective. For the next 60 minutes, he has super admin rights to go do something.
[00:17:01.090] – Charles Chu
But then at the end of that 60 minutes, we’re going to delete his entitlements completely from the system. If a bad actor were to steal his credentials, so what? Logs in, can’t see anything, not able to read, write, view anything.
[00:17:19.240] – David Puner
How does Zero Standing Privilege differ from just-in-time access or work in tandem with just-in-time access?
[00:17:29.080] – Charles Chu
It’s a form of just-in-time. Gartner has a nice piece on it. Think of three layers of a pyramid. At the bottom, there’s standing access. That’s basically what you and I have when we log in and check our email every day. Knows who we are, what we’re allowed to do, or not to do. That’s standing access. There’s this middle tier that is just-in-time. Just-in-time is, in a funny way, like this cool modern term for what CyberArk has been doing for years with PAM, privileged access management. I’m allowed to do a certain number of things for a fixed amount of time.
[00:18:14.360] – Charles Chu
But that ID still exists in the system. I just have very tightly-controlled access to use it, and when I use it, I only can use it for a certain amount of time. That’s just-in-time. That’s the second tier. The top tier of the pyramid is Zero Standing Privilege, which is on the fly. Not only will I provision privilege, it’s the combination of the standing access and the just-in-time. It’s on the fly, I will provision what this user is allowed to do, and at the end of that time, I will delete it. It’s the highest tier. You’re removing the standing access altogether and you’re also limiting the time that someone has to use those privileges.
[00:19:16.700] – David Puner
When you talk about that someone or that individual, obviously we’re talking about human identity and there’s obviously human identity and non-human identity. Lots of non-human identity, in fact.
[00:19:28.450] – Charles Chu
That’s right.
[00:19:31.180] – David Puner
We already talked a little bit about entitlements and entitlements sprawl, but how does identity figure into the cloud architecture challenge on a broad scale?
[00:19:43.220] – Charles Chu
Great question. I think people mix up a few things. I liken it to a car factory. The security model that you would have for the workers who come in every day to build the car is fundamentally different than the security model that you build into the car that rolls off the end of the production line.
[00:20:09.340] – Charles Chu
Obviously they meet in the factory. The car is in the factory, the people are in the factory. But how you think about securing the workers versus the cars that they’re building are very different. That’s sort of one piece of clarification there. Mostly what we’ve been talking about has been human identity. But securing the application or the systems that people have access to, that is typically done with secrets. Secrets are certificates, they’re X.509 certificates, tokens. There’s a myriad of different ways that one can think about a secret, including passwords for humans. Those are also secrets.
[00:20:56.400] – Charles Chu
Humans have lots of different circumstances that we need to deal with. We at CyberArk, we think about this in terms of, what do people actually need to do and how is it going to be used? Me as an individual, I may come in and you may give me pretty broad access, but a very limited constrained environment for me to do my job as a developer. You may say, “Dude, you can do and see a lot of stuff in pre-prod for 16 hours a day because you’re a hardworking guy. Go write fabulous code. Go make me faster by checking out the newest and coolest service available on GCP.” That could be a circumstance for my role.
[00:21:51.420] – Charles Chu
I could also have a role as the poor dude who’s on-call, as the on-call engineer over a weekend. If our consumer banking portal goes down or a movie stops streaming or whatever it is, like, the yogurt has hit the fan, I get paged, I come in, and now the circumstances changed. Now you’re like, it’s Christmas. People are withdrawing and depositing money, and we need to get our consumer banking portal up and running. Now I need to go in everywhere and debug and find where the problem is and go fix it. Now I have these expansive privileges in production to go do a bunch of things. That’s on the human side.
[00:22:42.690] – Charles Chu
In the world of the cloud, it’s incredibly low volume. There’s a fixed number of employees. Whether you have 10, or 1,000 or 10,000, it’s actually a relatively small number of people that you need to deal with. Now you compare that to the cloud, and whether it’s an application or a microservice, there is no change in circumstance that would say that my generic workflow engine should ever be allowed to go issue a credit for Charles Chu for $500.
[00:23:22.360] – Charles Chu
That access to that service, that condition will never change. Unlike a human who may, “Hey, David’s not well. I got to cover him for an afternoon, so now I need to be able to see and do the things that David can do for an afternoon.” Or someone’s on paternity. There’s lots of human circumstances and conditions that change. Not true in the non-human world. Things are very black and white. You’re either allowed to do something or you’re not allowed to do something. The scale is hugely different.
[00:23:57.450] – Charles Chu
People go to the cloud because it’s hugely elastic. You don’t have a fixed number of 1,000 employees just to pick a random number. You could have 100 VMs running, you could have 100,000. I had the pleasure of working with one of the larger financial institutions in the world, and they were telling me that their workloads shift between somewhere around 100,000 to a million on average. That’s their average range on a daily basis. They don’t have 100,000 employees and then a million employees and then back down again. That elastic scale is very unique to non-humans.
[00:24:45.540] – Charles Chu
Again, we can’t slow down our customers, whether it’s the humans or the workloads that they build. We can’t add security and be a bottleneck. Sorry, I rambled a bit. But the point here is, when we think about designing identity security and securing humans and non-humans, we would love to have build one thing and use it everywhere. As a software company, that would be fantastic. Any software company. But the requirements are just so vastly different that you really have to think about what you’re trying to do and what you’re trying to secure and to bring the right solution to the right situation.
[00:25:36.740] – David Puner
You essentially had me hooked at, “Yogurt hits the fan.” I don’t think I’ve ever heard that one before. Why is identity so often targeted in cloud attacks?
[00:25:49.800] – Charles Chu
Because it is the single richest asset that there is for an attacker. When an identity is compromised, typically the identity has access to a multitude of different systems and is allowed to do a whole heck of a lot. Not only that as the highest level, even at a low level. If you come in, in the case of a most recent breach, the initial penetration point was a low-level identity, and the person surfed around the DevOps environment and found a posting around the four internal DevOps gurus. Cool. Then they targeted one of the four of them and got the breach and gained access to the entire environment. That’s why identity is the richest thing. Because an API will only be allowed to do a limited number of things. A human will allow you to do a whole heck of a lot of more. It’s the single richest asset.
[00:27:07.850] – David Puner
I promised you that I would get back to what organizations should and shouldn’t do when it comes to cloud security. What should they do and what shouldn’t they do. You can take that in either order.
[00:27:19.830] – Charles Chu
It’s hard to work in absolutes. Shouldn’t is super easy. Shouldn’t do what I’ve done in the past with embedded credentials, in not thinking seriously about identity or application security. Shouldn’t is easy. I’m the prime example.
[00:27:37.490] – David Puner
What did you do to that?
[00:27:39.090] – Charles Chu
Dude, I think that’s like three more episodes of your podcast of those things. I think the should is take things progressively. Don’t think you have to do everything all at ones. We’ve touched on a range of different topics. One of our mantras is the Hippocratic Oath. When it comes to human access, you’ve got two problems. You’ve got standing access and your users are in many cases, wildly over-entitled. Because I know that person may do a wide range of different things, like we talked about. I’m a daily developer. Sometimes I’m the on-call engineer.
[00:28:32.600] – Charles Chu
It’s hard to figure out. Most companies just default to, “I’ll allow him to do everything.” We say, “Split those things apart.” Think of it in two ways. You can onboard everyone into one of the CyberArk’s products called Secure Cloud Access. That’s the thing that does the Zero Standing Privilege and provisions on the fly, privileges per session. You can bring everybody on board into that and immediately get the benefit of killing lateral movement, of enforcing and killing any embedded credentials. They may be over-entitled for the 60 minutes or the 8 hours a day that they’re logged in, but you’ve protected yourself from when they’re not logged in for that 23 hours a day or the 16 hours a day when they’re not logged in. You can get that benefit immediately without figuring out the perfect level of entitlement. That’s what we mean by the Hippocratic Oath. You’ve done no harm.
[00:29:55.700] – David Puner
I’m sure you see organizations in various stages here along their cloud journeys. How should organizations tackle cloud security? What should they do first and second, and third, really for that matter?
[00:30:09.900] – Charles Chu
I think about it in a couple of different ways. One is more of like this strategic staging, which is what we just talked about. Get Zero Standing Privilege implemented and then start doing the 80-20 rule of driving down your entitlement. That’s like a process perspective.
[00:30:33.140] – David Puner
What’s the 80-20 rule?
[00:30:34.750] – Charles Chu
The 80-20 rule is, “Hey, you haven’t used these entitlements in the last year.” That allows you to hack off huge chunks of entitlements without really getting into the much harder part of, what is it that you do? Even the stuff that you have used in the last year, should you really be allowed to do that? There’s a process and a staging.
[00:31:01.380] – Charles Chu
Then there’s also a perspective that’s related that is just reducing the surface area. We talked quite a bit using the persona of developers and DevOps people who are people outside of a traditional IT. We’re a software company, no bones about it. Our ratios are very typical for a software company. We have about 100 people in IT, and we have a little over 1,000 people in product. We’re actually a little rich on the product, because we’re a product company and we pride ourselves on that. But a 10:1 ratio is pretty typical.
[00:31:46.860] – Charles Chu
When I talk about the surface area, if you’re a CISO, you can inflict more security measures on your IT department. That gets you to 100 people. But we have over 1,000 people here at CyberArk who log in to a cloud provider every day to do their job. That’s what I mean by surface area.
[00:32:16.340] – Charles Chu
Think about covering the thousand people, especially if you’re in a role of traditional IT, adding more and more security levels of identity security to 100 people is a good thing. Don’t get me wrong, that is a good thing to go do. But think about, is that the first thing that you want to go do? Make sure that the hundred people are more secure, or think about reducing the surface area of the thousand people that you may not necessarily had to account for before.
[00:32:57.140] – David Puner
If there’s one misconception about cloud security you could clear up in this conversation, what would it be or what is it?
[00:33:06.900] – Charles Chu
I think the one misconception around cloud security is that it’s something that IT people can take care of. I think IT plays a crucial central role, but there are so many more people and identities to go think about. We’ve talked about developers, we’ve talked about DevOps people. We didn’t even talk about what we now call business admins. People outside of the IT department who sit in business functional lines.
[00:33:48.240] – Charles Chu
Like your entire HR department could have access to an ADP console or a workday console. Payroll is important. Employee records are important. Or new cloud identities, like your Salesforce admin. Not the salesperson who logs in every day, but whoever administers your Salesforce instance has access to your entire customer record and your revenue history. If you’re a public company, you can look in Salesforce, if you have high enough admin privileges, you can predict quarterly results. That’s a non-traditional IT function that are business admin roles. When you think about cloud and cloud security, think more broadly about all of the new identities outside of IT that now have access to the cloud.
[00:35:00.840] – David Puner
I think that’s a great place for us to wrap this one up. We’ve covered a lot when it comes to cloud security. Maybe 101, 102, little bit of 103, but there’s lots of these particular areas here that we could dive into more deeply. Charles Chu, thank you very much for coming onto the podcast, and we look forward to having you back in the near future. This is obviously a rapidly evolving space and there’s lots to talk about.
[00:35:27.860] – Charles Chu
This is great. Thank you for inviting me. Thank you for the opportunity.
[00:35:41.320] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts.
[00:35:55.750] – David Puner
Let’s see, drop us a line if you feel so inclined. Questions, comments, suggestions which, come to think of it, are kind of like comments. Our email address is [email protected]. See you next time.