
Bridging Code and Security in the Future of Cloud Responsibilities with Ken Toler of Asgard Security

We're back with Cloud Control!

I’m thrilled to bring you the latest Cloud Control interview with Ken Toler, Founder & Managing Principal Consultant at Asgard Security, and a true expert in cloud security. Ken's diving into how coding is becoming more crucial in our security strategies, especially as we push into an era where everything runs as code. He's got some great insights on the challenges this brings and how we can turn them into opportunities for better security practices. Whether you're deep in the trenches or overseeing strategies from above, there's plenty in this chat to help you understand and adapt to these changes. So, let's get into it and see how we can all make security a seamless part of our development processes👇

Ken Toler, Founder and Managing Principal Consultant at Asgard Security

Question 1 💭

Ken, it’s great to have you on. Being in the security startup environment, tell us what significant trends or challenges you see emerging. What’re you focused on?

Answer 1 🎯

Generally, I am seeing a growing challenge understanding the shared responsibilities we all have in cloud computing, and it’s a crucial and often-talked-about topic. In the past there was a clear delineation of responsibilities within an organization, and as startups and small organizations begin with more modern workloads, there is a push to an everything-as-code and automation paradigm. While that streamlines a lot of the infrastructure, it contributes to a dilution in security knowledge, and there is a noticeable decline in hands-on expertise with fundamental security practices such as secure network architecture concepts like appropriate isolation and subnetting. Rapid innovation often takes precedence over stringent security measures, which can lead to overlooked best practices like this isolation and environment separation. I think that ultimately increases risk. My focus is always on integrating security practices into organizations through education on fundamentals and transferring those fundamental concepts into modern workloads. I think that we are at a crossroads where security can be a value-add to the speed of development as long as we think about it in that way. We don’t have to be the add-on we’ve traditionally been shoehorned into.

Question 2 💭

As someone deeply involved in the security community through organizations like OWASP, AWS Loft, and NYSEC, how have you seen the dialogue and priorities within these communities evolve - especially with the rapid advancements in cloud and application security? Can you share an insight or story that particularly struck you?

Answer 2 🎯

The security landscape is seeing this incredible shift as disciplines like AppSec, infrastructure security, and cloud security overlap and share methodologies. I think this is driven primarily by our new common language of code. We’ve often debated whether or not security professionals need to learn how to code, and the fight against learning code is something I see less and less often because it’s increasingly obvious that comfort levels are rising and it's becoming this common language among security engineers. That growing comfort with code is pivotal, allowing our industry to adapt. Despite all of that, I think there’s a noticeable lag in the adoption of effective security practices in these new ‘as-code’ environments that stems from cultural resistance, skills gaps, and rapid change. We’ve been doing security in application development for a long time; there’s no reason we can’t apply those lessons to infrastructure as code, policy as code, and whatever else as code. I think the dialogue is often crowded with buzzwords like shift left, right, up, and down with AI, which, while catchy, can hide the real work needed to implement those concepts effectively.

Question 3 💭

You've described yourself as a "tinkerer" who enjoys breaking, building, and reassembling for a living. Can you share a particularly memorable challenge you faced while tinkering with cloud or application security, and what it taught you?

Answer 3 🎯

Of course! My fundamental approach to security is with an eye towards curiosity and understanding systems by building, breaking, and rebuilding them, whether that’s in my day-to-day life around the house, to my wife’s chagrin, or in my work. It goes beyond problem solving because it’s about diving deep into what makes something tick so that you can find vulnerabilities and root causes to issues. One of my most memorable challenges involved a Terraform deployment while I was building an application from documentation. While setting it up I found that the local-exec execution was executing with root access, which seemed like a pretty dangerous oversight. Following that line, there wasn’t much to take over the server with full access to an AWS organization, but questioning that failure and pushing into it is what can help to lead to stronger systems rather than accepting the status quo. I believe you should approach every project like a handyman, with a readiness to fix and improvise to uncover hidden issues audits will inevitably miss, and it’s not even something you have to be a security engineer to do.
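The local-exec finding above is the kind of thing a policy-as-code check can catch before apply time. The following is an added example written for this page, not code from the interview or from Asgard Security: a small Python lint that scans Terraform HCL text for `provisioner "local-exec"` blocks and reports them, rating higher any command that explicitly escalates privileges (`sudo`, `su`, `doas`). The sample Terraform file, resource names and the `Finding` structure are all constructed for the example; a local-exec provisioner runs on whichever machine executes `terraform apply`, with that user's privileges, so every occurrence is worth a reviewer's eye even when the command looks harmless.

```python
"""
Added example (not from the interview or Asgard Security): a minimal
policy-as-code check that flags Terraform local-exec provisioners.

A local-exec provisioner runs an arbitrary shell command on the host that
runs `terraform apply`, with that host user's privileges. If the apply
runs as root, or under a CI role with broad cloud access, the command
inherits it. The sample HCL below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample Terraform file: two local-exec provisioners (one using
# sudo) and one remote-exec provisioner that the check should ignore.
SAMPLE_TF = '''
resource "aws_instance" "app" {
  ami           = "ami-placeholder"
  instance_type = "t3.micro"

  provisioner "local-exec" {
    command = "sudo ./bootstrap.sh ${self.public_ip}"
  }
}

resource "null_resource" "post_deploy" {
  provisioner "local-exec" {
    command = "echo deployed"
  }
}

resource "null_resource" "remote" {
  provisioner "remote-exec" {
    inline = ["echo hi"]
  }
}
'''


@dataclass
class Finding:
    resource: str   # e.g. "aws_instance.app"
    command: str    # the provisioner's command attribute, if present
    severity: str   # "high" or "medium"
    reason: str


_RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
_LOCAL_EXEC_RE = re.compile(r'provisioner\s+"local-exec"\s*\{')
_COMMAND_RE = re.compile(r'command\s*=\s*"((?:[^"\\]|\\.)*)"')
# Substrings that indicate the command escalates privileges on the runner.
_PRIV_HINTS = ("sudo ", "su ", "doas ")


def _block_body(text, start):
    """Return the contents of the brace block that opens at text[start] ('{')."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform text")


def find_local_exec(tf_text):
    """Return a Finding for every local-exec provisioner in the HCL text."""
    findings = []
    for res in _RESOURCE_RE.finditer(tf_text):
        name = f"{res.group(1)}.{res.group(2)}"
        body = _block_body(tf_text, res.end() - 1)
        for prov in _LOCAL_EXEC_RE.finditer(body):
            prov_body = _block_body(body, prov.end() - 1)
            match = _COMMAND_RE.search(prov_body)
            command = match.group(1) if match else "<no command attribute>"
            if any(hint in command for hint in _PRIV_HINTS):
                findings.append(Finding(name, command, "high",
                                        "local-exec explicitly escalates privileges on the runner"))
            else:
                findings.append(Finding(name, command, "medium",
                                        "local-exec runs with the privileges of whoever runs terraform apply"))
    return findings


if __name__ == "__main__":
    for f in find_local_exec(SAMPLE_TF):
        print(f"[{f.severity}] {f.resource}: {f.command!r} ({f.reason})")
```

The check is deliberately text-based so it can run in a pre-commit hook or CI step with no Terraform binary present; a production version would parse HCL properly and also cover `remote-exec`, but the point it demonstrates is that the root-level oversight described above is detectable mechanically rather than only by someone tinkering with the deployment.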

...DevSecOps isn't just about bridging the gaps between development, security, and operations teams, it's about extending this collaborative spirit to encompass all departments involved in the product life cycle.

Ken Toler

Question 4 💭

The concept of DevSecOps can vary widely in interpretation. Through your lens, how have you navigated these varied understandings to uncover core practices that genuinely enhance security and development?

Answer 4 🎯

I love the concept of DevSecOps because, like many security terms, it’s overloaded, buzzy, loved, hated, and misunderstood. For me, DevSecOps isn't just about bridging the gaps between development, security, and operations teams; it's about extending this collaborative spirit to encompass all departments involved in the product life cycle. This includes involving non-technical teams such as marketing, customer support, and design, which are often overlooked in traditional security discussions. It’s crucial to recognize that our "customers" aren't just the end-users but also the internal stakeholders who interact with our systems daily. By considering their needs and experiences, we can implement security measures that support rather than disrupt daily business activities. This approach not only enhances security but also builds a culture where every employee feels responsible for and knowledgeable about the role they play in robust security. At its heart, DevSecOps is about inclusivity. It’s about breaking down the barriers that traditionally separate technical and non-technical teams within an organization. By involving everyone from product managers to sales teams in the security process, we create more resilient and thoughtful security strategies. This inclusivity ensures that security solutions are not only technically sound but also enhance user experience and align with business objectives.

Question 5 💭

When you're bridging that gap between security and product engineering, I'm sure you run into a few raised eyebrows. What's a common myth or misunderstanding you often encounter? How do you tackle it to get everyone on the same page, without stepping on toes?

Answer 5 🎯

Security integration can certainly bring on skepticism, and often does, and one of the most common retorts is that integration will inevitably slow down the development process. That misconception usually stems from this view that security is restrictive rather than an enabling component of product development. I think it really comes from this idea that security is a requirement and this general aversion to anything that we MUST do or have to do. I think many product engineers still see security as a series of gates that complicate development and testing, which isn’t totally unfounded, but that idea doesn’t account for the evolution of security practices and tools that enable rather than inhibit development speed if implemented correctly. I typically present concrete examples where security in early stages prevents significant delays and costs that would have resulted from addressing things after the fact. Real-world, demonstrable examples are key to proving the point, in the same way that demonstrating an exploit says much more than talking about a vulnerability. Beyond vulnerabilities, some security functions like automatic secret rotation, point-in-time access, and code completion can make engineering lives easier by providing them with what they need when they need it without much intervention. Ultimately we need to build our relationships and implementations with a measure of empathy and understanding of how other people work.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold…Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻

Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪

Top Articles and Resources of the Week

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.

  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.

  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.

  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.

  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.