2.6 – Accelerating With Intrinsic Security

Jon Hyde: Hello, and welcome back to The Next Horizon, a Dell Technologies podcast. I’m John Hyde, and together we’ll explore the implications of several major emerging technologies for business, society and most importantly for you. We’re joined today by Vish Nandlall. Vish you lead strategy and ecosystems for John Rose and the office of CTO here at Dell Technologies. We’re here to talk about security today.

Jon Hyde: It’s that, all important topic a lot of our customers have, I think it’s top of mind for just about everybody and if it’s not, it should be. But the reality is people don’t tend to seriously consider and think about it until they’ve gotten pretty far down the design or even the implementation path for all of the technologies that they have. What do you think from your perspective? Is that a good idea, bad idea? Where’s the industry moving in that perspective?

Vish Nandlall: Yeah, I think we’re becoming more, more aware of security as an essential part of the IT tool kit. I think it’s been relegated in prior years to something you only think about when it makes headlines or something you think about when you make headlines. And, clearly it’s become now part of the regular hygiene of the enterprise landscape.

Vish Nandlall: I think recent events, especially during this COVID regime, I think has really accelerated people’s awareness of vulnerabilities as people have started to work from home. These issues, things like credential dumping have started to, really go on the rise, aided by a number of people who are sitting now outside of the corporate firewall. And we have situations like that, we need to start rethinking our strategies.

Jon Hyde: Yeah. There’s this idea of you have a security breach or risk that you need an appliance for that. That’s kind of gone out the window. Yes, there’s some perimeter security requirements that will always be in place maybe because of regulatory compliance or something along those lines. But the fact is we need to start thinking about how we build security, not just in the infrastructure, but it has to move with the application, it has to be part of the end point.

Jon Hyde: And that needs to work in concert together in ways that yes, they’re horizontal, but they also have verticality to them because security in depth is not just defined in the hardware layer, it’s also defined in the software layer.

Vish Nandlall: Yeah. I think that’s an important point that you raise. I think our historical model of security has always been perimeter based, let’s get an appliance, I have an IDS, a firewall system, and I can lock everyone out. I think where we’ve evolved to is, box led security, while it gives you something tangible to point at, to affirm that I’ve actually done something about security.

Vish Nandlall: What we’re finding is that, the types of attacks are much more nefarious, and that our approach to security, especially in the cloud era where perimeters are much more vulnerable given that they’re not hard, they extend into as a service applications, extending to your cloud, they extend to your normal workforce. We need to start rethinking our security from more of a decentralized perspective, which leads us of course, to this philosophical concept to zero trust.

Jon Hyde: Yeah, that is an interesting crux of the conversation. And along that line, you need to consider the risk. What is the level of risk? What is the amount of attention that we need to pay to these things? So as an example, how much risk is there in someone understanding what my address is versus somebody understanding my social security number, versus something like an autonomous vehicle? The levels of risk there are completely different. Yes security is applied across all three of those different types of paradigms.

Vish Nandlall: That’s right. Well, if we really start to double click on what does our trust means? It means that every element of my IT infrastructure, from compute applications are things that I’m not going to trust completely. And to your point, the way you secure each of those endpoints now needs to really think through what is the cost of an infiltration, an ex-filtration and we start rolling into these very basic concepts of things like least privilege.

Vish Nandlall: So to your point, we want to always limit the blast radius of any type of attack. And by limiting the blast radius down to the most granular object, for instance, data, and saying potentially that all my customer data is going to now be set in a security zone that only my financial auditors have access to, or potentially only certain people within my sales force have access to. You’re giving people the least amount of privilege to access the data such that they can still do their job, but not access anything else.

Vish Nandlall: And that’s, I think, the crux of where the philosophy of this is all moving to. Now, I think the issue with that is a lot of enterprises are simply unprepared for that probably with monitoring and that granular level of security control. And in some cases, the simple authentication frameworks are not extensible sufficiently to allow least privilege.

Vish Nandlall: And so now we get into an era of, we want to move to intrinsic security. We have extrinsic appliance-based security. We’ll want to move away from perimeter based models, which we already know and love, but I want to move towards our trust. So what we see is a perfect storm of digital transformation that needs to occur and all of the complexities that come with it.

Jon Hyde: Yeah, I love the idea of least privilege because it lets me as an individual, whether I’m a consumer or I’m an employee of a company, know that the data that I’m working with is being properly secured, and that there’s a level of trust that’s being put in into the business to be able to deal with that.

Jon Hyde: Because I think whether you’re thinking about your personal data or your corporate data, you need to understand that there’s a relationship and almost a contract between you and the business on how that data is going to be handled. And that’s a powerful thing for me to think about as an end-user in both of those circumstances.

Jon Hyde: I think from a corporate perspective, when you look at the idea of least privilege, it’s a scary thing because it’s a very fine line between making sure the employee or a user has enough information access, but not too much. And it’s very easy to fall below that line and all of a sudden they can’t do their job effectively and may not even realize it. And that’s one of the challenges that I’ve seen. I’m curious your thought on that.

Vish Nandlall: You’ve got it exactly. It’s now trying to understand what does someone need in order to do their job effectively, and being able to isolate the resources such that only those that they need to access are available to that particular user. If you, for instance, have a job to do data backups, you should only have access to the data backup software, you shouldn’t be allowed to install software.

Vish Nandlall: And clearly this is something that for some organizations, requires them to do some deep inspection in terms of, what is the role of that person? What are the different accounts that that person should hold? How do I credential them? What does my IT landscape look like, and what are the vulnerabilities associated with allowing someone more privilege or over-permissioned to a particular system?

Jon Hyde: Yeah, it’s an extension of the conversation around what does security actually get defined as a company? So in the old days you would just harden the data center and you were in good shape, because everything exists in the data center. In the past several years, we’ve seen data move outside of the data center on purpose for many reasons, whether it’s an edge device or series of edge systems, or it’s an end-user who is remote to the office that has data on their system.

Jon Hyde: The four walls of the data center have become very virtualized and are now extending well beyond the physical boundaries. That’s part of the challenge that we see and I think that’s one of the reasons why we see intrinsic security as such an important topic because we can deal with threats in a more persistent and pervasive way.

Jon Hyde: If we do that, we look at how we secure the endpoint. We look at how we secure the data center, and everything in between. There’s still challenges though, even in that construct, there’s still the physical access question, there’s access to individual systems, but there’s also user error and the idea of fishing and all the things that go along with that, that tend to give access to unintended consequences.

Jon Hyde: So what are the things that we’re doing there that can really help solve some of that for our customers?

Vish Nandlall: Yeah, you mentioned, the individual themselves as the attack vector and social engineering, as well as just preying upon the carelessness of the individual employee is, long been a particular vulnerability of most enterprises. In fact, one of the number one factors for most enterprises. Again, being able to, limit a particular users’ reach within the organization is important to get role-based access controls as a consequence of the zero trust design philosophy that helps that.

Vish Nandlall: But, there is other just hygiene things that need to occur, constant patching of your workplace in your environment. Being able to do simple things like ensuring when you set up security groups that you don’t leave containers unsecured, that you don’t leave your S3 instance, or any other type of storage volume open to the internet, which is obviously just a consequence of just quick planning and governance.

Vish Nandlall: So, when we try to do evaluations of different environments, you do have this fault line that sits across an IT organization that’s governed by good practice, where security is treated as something that needs to be reviewed, something that needs to be reviewed all the way down to the rules and to the user level versus organizations who largely operate in cloud-based environment, where things are all developer-driven, where the level of audit and control becomes a little less governed.

Vish Nandlall: And when you look at the difference between those two environments, it’s clear that there’s going to need to be some way of creating of a universal policy at a security level that allows twin governance in both unsecured public cloud environments, as well as well secured corporate environments in the private infrastructure.

Jon Hyde: Yeah, it’s something that I think every customer I talk to has top of mind for themselves, which is how do we start to think about this? But one of the most important things that they ask and we really try to answer is, what are they missing? What are the things that they are missing right now, that they could help themselves and their business and their customers with?

Vish Nandlall: Probably it is understanding the balloon-like effect that security presents. You can secure one end of it, but as you grasp that balloon and you squeeze down on it, the other bottleneck emerges. If you look at what’s happening today in the internet, we went from network-based security devices that were able to look at the incoming traffic and make determinations. Whether it’s, denial of service-based attacks or some other type of intercept attack that was seeking vulnerabilities on application.

Vish Nandlall: You’re able to screen for those to some extent within the network. Today, most network traffic is encrypted. And so that ability for you to screen at the network level, suddenly becomes highly disadvantaged when you can’t see the actual traffic itself. So what we’re seeing is that, the attacks now move to other layers. Balloons starts to bloom and, things like Kubernetes clusters now need to be looked at much more efficiently.

Vish Nandlall:

When you take a look at a container image, there’s nothing to say that your application itself, which isn’t something that’s governed entirely by the community’s cluster, could present a vulnerability, where you can get root access, or you can get access to certain resources via the container itself.

Vish Nandlall: This is the kind of thing where again, you want to limit blast radius. You need to take approaches both in terms of what are the network paths and the service mesh between one Kubernetes container and another, but you also want to look at what the privileges of that container are.

Vish Nandlall: So we apply, almost a analog philosophy that it’s not necessarily just a user who has certain access rights and permissions, it’s also an application, it’s also a container. These are the types of practices that are probably even more arcane as people start to use orchestration services like Kubernetes, and they move towards container based environments where they see, a lot of their security vulnerabilities starting to shift. And the attention now from the security domain needs to shift as well.

Jon Hyde: Yeah, it’s an overwhelming topic, right? I think there’s so much to it and I think that’s why it’s so top of mind for every customer that we talk to. I’m going to put you on the spot just a little bit. So I think most times we’re dealing with some sort of a brownfield install base, where we have to think about how we retrofit or really improve existing systems that may not be up to snuff based on the sophistication of what’s happening in the security market.

Jon Hyde: What’s your one piece of advice that you would give to a customer that has a lot of what I would call technical debt, and how they might begin to change the game for themselves when it comes to security?

Vish Nandlall: It’s a process as well as a set of techniques. And it starts with the process. It starts with identifying what are the things that you absolutely must secure. You may have applications that are legacy applications that don’t allow role-based access controls. You may have systems that need to be completely refactored, before you’re able to implement the visibility that’s required to implement something like zero trust.

Vish Nandlall: So the best thing to do is to find out what has the highest impact to your business? What if it was actual traded can create the greatest stressor to your business, it would be the greatest risk to your business. And to use that as the beachhead, use that as the system that you apply your resources to either modernize or to secure in the most advanced way possible.

Jon Hyde: That’s a law for a company to think about. But I think it’s something that they have to think about. I know that it’s always the, “Oh gosh, do we really have to take this on?” And the answer is, “Yeah, you do.” You can’t really continue to ignore it. The longer you ignore it, the worse it’s going to come, and I think it’s something that we’ll just continue to have to have as a conversation across the industry.

Jon Hyde: Vish I want to thank you very much for the time and your insights, and this has been incredibly valuable for me, I’m sure it has been for everybody else. So thanks for the time. And I look forward to talking again.

Vish Nandlall: Thanks a lot John.

Jon Hyde: For those of you who enjoyed this podcast, you can find it at www.DellTechnologies.com/nexthorizon, along with feature podcasts and other great content focused on emerging technologies. Thank you so much for listening and be sure to subscribe. Until next time, I’m John Hyde, and this is The Next Horizon.