The Cloud Security Landscape

Megan Nixon
Cloud Tech Journalist
Published:
Jul. 5, 2019
6 minute read

VMware Secure State becoming available from CloudHealth by VMware has created a powerful pairing that addresses the most pressing customer challenges around cloud visibility, cost, security, automation, and governance. This leads businesses to be able to take full advantage of all the cloud has to offer, enabling customers to visualize at-risk infrastructure, detect vulnerabilities and threats at real-time speed, and automate security and compliance across multiple clouds. 

This announcement gave us the opportunity to take some time and have Jason Needham, founder of VMware Secure State, join Joe Kinsella, founder of CloudHealth by VMware, to discuss where VMware Secure State evolved from, the cloud security landscape, and where they believe the industry is growing. Read the interview below.

 

Joe:  How has the security landscape evolved over the last few years?  Where does Secure State fit into that landscape?

Jason: I just read some analyst studies around security in the cloud and there are lots of different tools that providers have native security offerings and there is a lot of offerings out in the market.  And there is a lot of discussion around the shared responsibility model. But as the enterprise receives that, for them, what they’re faced with is a distributed responsibility model, because they now have many people making these changes.  And it was estimated that by the year 2023 that 99% of all cloud issues, cloud vulnerabilities, cloud security breaches are going to be done through or happen through misconfiguration.

And so it’s really this concept of the use of the cloud, that’s the fundamental place that you need to start.  And sometimes in the security industry, we focus a lot on threat prevention and threat hunt – on the threat hunting side and try to chase down what’s actually happening when we haven’t shored up the proactive or preventative steps that we can take to harden our environments.  So we need to pay attention to that preemptive side of the business which is making sure that we’re building on strong foundations in our cloud configuration.

Joe: What’s the pain point?  Like why are people buying?  

Jason: We are really driven by customers. I mentioned at the time, we were working on bringing together provisioning and policy enforcement and it was with that kind of DevOps lens that we wanted to try to help scale the security decisions in organizations that I guess came upon the finding that we had.  And that was when we tried to integrate security in real time, we went all the way back into the pipeline, we went all the way back in and said, how do we get this insight and information right into the deployer’s hands?

And what we found was is that the old approaches weren’t fast enough, they had a partial view of the world. And so if you’re going to provide cloud infrastructure checking and security, all the way down to the deployer, it’s a continuous change environment. So we needed to have a more holistic real-time view of what was going on.  And so it was really that drive for us to try to shift left these decisions and reduce the cost of security that drove us into this space.

Joe: How does an organization know that Secure State is right for them?

Jason:  I think if companies are dealing with a reasonable set of complexity in the cloud.  If you have over 10 cloud accounts, if you have a level of dynamism that in your infrastructure you’re changing, you’re rapidly deploying, if you have more than one team that’s working in the cloud, I think that those are the best customers that kind of feel the challenge.  They’ve seen it firsthand. I hear war stories from different executives that have woken up to this fact. And it can be as simple as like I mentioned before, a contractor coming in and unknowingly opening up the data bucket that they didn’t know it had other information on it.  So you can start very, very early in this journey, but generally, I find that organizations that have reached some level of some critical threshold, maybe 10,000, 20,000 a month in cloud spending, above 10 – five to 10 cloud accounts are where the pain threshold really starts to happen.

Joe:  Is it just the pace of change that is fundamentally changed?  Is that what has driven the need for a new product?

Jason:  I think it’s the pace of change, but it’s also how companies are attacking it.  I think they’re looking at this new model, this DevOps operating model, this cloud model and they’re saying the security team kind of on the outside looking in getting all these findings, getting all these issues, it doesn’t scale, it’s hard, the cost of enforcing that is difficult.  And oftentimes they don’t have the context for how an application is deployed. And so you really need to bring both sides together, the application and service team and DevOps owners have the context for what they’re trying to do and security teams have the context for what’s safe. And so it really is an organization-wide problem.

Joe:  Does that mean the pace of change and the decentralized management that’s occurring across an organization is exposing organizations to greater risk?

Jason:  Yeah, absolutely.  Yes. So I think it’s a combination of services can be directly exposed through configuration.  You can’t put them behind the firewall. The pace of change and ability to change things through infrastructures code and having things API accessible means that these changes could be made through a variety of methods very, very quickly and then the people and the teams that you’re scaling these infrastructures out to have the ability to do those things.  So it’s really a combination of how the cloud is built, the dynamism and the lateral spread of the control to all the parts of the different – to the different teams in your organization.

Joe:  In a decentralized distributed model, how does Secure State enable collaboration across all these different teams?

Jason:  For customers, there is still a desire to keep some central visibility, right.  And so we allow central visibility for cloud engineering and security teams throughout the platform.  But you can also create and organize assets into teams. So this could be a group of cloud accounts that maybe aligns with the business.  And so from that, we allow you to provide simplified views to target the policies or actions that you would take in that particular group of accounts, to delegate ownership down.

And so I guess the most fundamental way that this kind of comes out in the platform is that a team that’s in charge of a group of cloud accounts can decide that, for example, an open S3 bucket in these regions or this group of accounts.  It’s not an issue for them, because they’re doing a file sharing app. And they can suppress or ignore the findings along with that class of infrastructure. And that suppression can be accepted and understood from the security team while another team that may be a critical issue.  And so I think it’s enabling organizations to make those fine-grained decisions, but also to connect the workflow and the collaboration problem between these groups.

Joe:  So in many ways, it seems like the reason why many customers are going to the cloud is agility and innovation.  And you’re enabling them to maintain that agility and innovation while still do–applying proper do care around security?

Jason: The last thing you want to do is destroy the value of the cloud by creating some overarching command and control process, right.  You need to enable the teams to do what they do. But you have to provide some of the controls and insights to help organizations secure themselves.

To learn more about the relationship between VMware Secure State and CloudHealth by VMware, watch the video below.