Episode 096: Cloud Security with Eric Kedrosky | CloudSkills.fm

With constant cloud innovation, the need for effective cloud security becomes more pertinent every day. Mike’s guest today is Eric Kedrosky, Director of Cloud Security Research and CISO for Sonrai Security, a company that helps businesses fortify their public cloud spaces. Eric has spent his career gathering a wealth of experience that has allowed him to become an expert in cloud security. Listen in to hear about the kinds of people that Eric is currently looking to hire!

In this episode, we talk about…

  • Eric’s journey to becoming a Director of Cloud Security
  • The uncomfortable feeling of moving to the cloud that everyone went through
  • Things that Sonrai is working on right now to better serve its customers
  • S3 bucket breaches are just the tip of the iceberg
  • Common patterns amongst today’s security breaches
  • Difficulties in covering the constantly-changing platforms
  • Advice for those that are entering security as a practitioner
  • Where certifications fall in cloud security
  • Desirable characteristics when hiring a Security Engineer
  • Educating others while understanding their perspective
  • Breaking down Sonrai's metadata platform
  • Advice for those learning cloud security


Full Transcript:

Mike Pfeiffer:
Hi, everybody. Welcome back to another episode of CloudSkills.fm. I appreciate you tuning in as usual. Today’s episode is all about cloud security and a bunch of other stuff we’re going to talk about. I’m super excited. I got Eric Kedrosky on the call today for this podcast episode. Eric is actually a director of cloud security research and the CISO for Sonrai Security. Eric, how’s it going?

Eric Kedrosky:
How’s it going, Mike, and everybody out there?

Mike Pfeiffer:
It’s going good. I appreciate you being on the show. So obviously, cloud security is a big topic these days, and before we get into what you guys are working on over there and what you’re working on today, maybe you could share your background, how you got into the industry and how you eventually ended up being a director of cloud security.

Eric Kedrosky:
Sure. Well, thanks, Mike. I guess I started in the security field, as I like to say, back before it was cool. So right out of computer engineering school, I was lucky enough to get a job as a junior analyst at a large enterprise. As soon as I got in that world, I knew it was for me. It was just really exciting and a lot going on. And back in those days, it was still very rudimentary. So as the years progressed, I tried to get experience in a lot of different places and areas, which led me to leading IT teams and security teams.

Eric Kedrosky:
Then a couple of years ago, the company I was working with, we made the decision to make the shift to the cloud. That happened rather quickly. Actually, it happened within a single quarter. We went from almost being fully in a data center to fully in the cloud and trying to wrap your brain around that and your brain around security.

Eric Kedrosky:
So after leading some teams that were in environments that were fully in the cloud, I made the decision, I wanted to kind of get back into the business side of things and give back to the industry with the knowledge I had gained and help other organizations with the challenges that we’re seeing.

Mike Pfeiffer:
Very cool. It’s really interesting because when you think about what you just talked about, really moving fast, getting into cloud in just a quarter or something like that, or even just talking about a few years ago, that’s really early and really fast. So I’m sure there was a lot of learning along the way. Probably was a little chaotic. Maybe we could shine a light on that experience a little bit, because I think a lot of people who are listening are probably going through similar stuff.

Eric Kedrosky:
I mean, the first thing I would say was chaotic, definitely. I mean, you’re talking about a medium-sized enterprise that made a shift fairly quickly. And in that, there was a ton of learning. It’s a steep learning curve, but I think one of the things that we learned in going through that, and after we made the transition, was that the learning curve didn’t end. It continued to go, and it was a big jump for myself and for my team and for the company to move to the cloud.

Eric Kedrosky:
So what we had to do is we had to work through that feeling of being uncomfortable for a while. And then as I talked to more peers in the industry and I talked to my own teams, I realized that everybody was going through this challenge. And then you fast forward to now, almost a decade later actually, the same conversations are happening.

Eric Kedrosky:
I talked to peers, I’ve talked to friends, I talked to our customers and it’s the same thing. So at the same time that this is happening, the clouds are growing ever bigger and ever more complex. So it feels like in this world, unlike the traditional data center world, that the learning curve just keeps going and going and going, and you have to stay on top of it as best you can.

Mike Pfeiffer:
Yeah. I think that’s like the common theme of the conversations that have happened lately: we really have to double down on the idea that this is an ever-evolving thing. So it’s just like every day, we’re all learning stuff. It’s hard to walk in and be the ultimate expert because there are so many freaking services on every platform. It’s insane. But on the other side of that coin, tons of opportunity, right? Like game-changing technology, lots of interesting projects.

Mike Pfeiffer:
So I’d love to hear a little bit more about Sonrai Security because I know that you guys are spanning multiple platforms, so you probably see a lot of interesting stuff out there. What do you guys actually… Obviously, it’s security focused, but what are some of the main things that you’re working on right now to serve your customers?

Eric Kedrosky:
So what Sonrai really does is, first of all, it looks across all of the clouds. So we’re not limited to just one cloud. I mean, we can look at a specific cloud or we can take a holistic view. Really what we’re trying to do is help people de-risk their cloud. Clouds are very, very complex. I need to give you an example. In customers that we see, an average customer has hundreds of accounts or hundreds of subscriptions. They can have hundreds or even sometimes thousands of roles and identities, depending on the size of the organization.

Eric Kedrosky:
Then some customers have millions of pieces of compute and resources out there. So there’s this complex mix of things. So one of the first things we’re trying to do is to eliminate all of those identity risks, to try to answer the question: what are my identities?

Eric Kedrosky:
What can they do? What are they doing? And should they be doing that? And then on the flip side of the coin, we look at sort of the data governance side of things. And one of the big questions that any security person asks when they go into a company is they say like, “Where’s all my data?” It’s a huge question. Data is the most coveted resource these days and you want to know where’s my data so you can protect it.

Eric Kedrosky:
You hear funny stories about walking in and getting up on the whiteboard and people showing you where they think it should be. You’re pulling out a reference diagram. But in actuality, there are a lot of organizations that don’t know where their data is. It’s all over the place. So we help them first discover that data.

Eric Kedrosky:
But then the second thing is, it’s one thing to find where your data is, but you have to know what it is. A very sensitive piece of data, you’ll apply different controls or different things to that, of a priority that would probably be less than something that’s very low classification. So then we look at how we classify that data. What is that data? And then we start to look at that data identity governance relationships. So who can access my data, truly access it?

Eric Kedrosky:
How do they do that? Can they do it? Have they done it? If they have done it, what did they do with it? And then the last piece around that data is we try to lock it down to make sure your most sensitive data or as we call your crown jewel data stays protected and monitored at all times. And if that data moves, we can help detect that as well.

Eric Kedrosky:
These things sound like, “Oh yeah, these are typical security things that we’ve done for years,” but it’s amazing how incredibly complex this can be in the cloud sometimes. The other thing we try to look at is, and I’ve been doing, like I said, security for my whole career, it’s looking across all of your clouds, getting this holistic picture. You try to make it manageable. I mean, it’s one thing to have things going off and alerts getting fired. But if people are getting drowned in alerts, they’re never really looking at those alerts.

Eric Kedrosky:
If you’re not using sophisticated ways to get those alerts to the right teams, because really there’s not a single team that does anything anymore in the DevOps world. And if you’re not helping them via automation, then you’re not really helping your customers, you’re just another solution drowning them in workload. So we try to help with that as well.

Mike Pfeiffer:
That’s interesting because governance is such a challenge for so many customers, and a couple of things that you mentioned there that I know I’ve seen personally, it’s just the sprawl and the lack of knowing the data that you have out there. It’s true. I’ve worked with several customers where we go in and they had good intentions trying to get going, to get up and running, but probably one of the challenges for a lot of customers is not really fully understanding these platforms because it’s new for most people. You’d get in there and next thing you know, a couple of months have gone by and now you’ve got this exposure because you’re not fully aware of how things work.

Mike Pfeiffer:
That kind of reminds me of a couple of years ago where people were leaking data out of Amazon S3. It’s just so easy to create an anonymous bucket, but it’s like you hang yourself in some of these security issues.

Eric Kedrosky:
I mean, what we’re seeing now is really like the S3 bucket breaches, well, you hear about them almost every single day, but it’s really the tip of the iceberg. I mean, with the complexity of the cloud, there are a lot of hidden things and unknown unknowns in your environment that can expose you a lot worse because, quite frankly, the cloud service providers make it hard for you to put a bucket on the internet anymore, right?

Eric Kedrosky:
You can’t just click a button and it’s there. They actually force you to go through steps to do that. But there are these other ways that data can be exposed in ways that are new to people, and then ways that data moves in the cloud. You can’t just stick a DLP solution at the network choke point somewhere in your data center and watch all the data going through it anymore. So you’ve got to find these identifiers in different ways and think about it from different perspectives.

Mike Pfeiffer:
That’s a good point because that’s something that I think a lot of people don’t think about when you’re moving from on-prem into a cloud and now you’re giving up a little bit of control, maybe have less visibility than what you’re used to. And I agree completely. It’s a new game for a lot of companies, and it’ll be interesting to see how it shakes out. Are there any common issues or patterns you see your customers running into, now that everybody… You mentioned a second ago, bucket security is tightly controlled and it’s making it harder to open that stuff up. Do you guys see any other common patterns these days of people getting hit with stuff that may not be so obvious?

Eric Kedrosky:
I think the patterns are really that identity governance, right? It’s like there are so many of them and what are they doing? And it’s compounded by the fact that it’s not just usually a single team building and maintaining these things anymore. Like the DevOps model, you have a stack of people. So there are multiple different teams doing multiple different things all at one time, multiple skill levels on each team, that kind of stuff.

Eric Kedrosky:
So you get into these scenarios where you start out with a great intention. I created this thing, and not just a human identity like a person, but more of a non-human identity like a serverless function or a piece of compute, whatnot, where you created it, you tried to lock it down, that didn’t work. Just make it work, just make it work, and you start loosening the permissions. And that starts to create problems.

Eric Kedrosky:
But then you start stacking those problems together and all of a sudden the user, Mike, can now get on EC2 and all of a sudden you get to the most sensitive data. No one is even thinking that that is a path to get there. And if they are thinking, they don’t even know how to do that, or how to look for that, I should say. So that’s definitely a pattern we’re seeing. And the other thing is just really, where’s my data? Who has access to it? Where is it? They’re simple questions, but they’re really hard to answer.

Eric Kedrosky:
And that’s the pattern we’re seeing is when a piece of data pops up over there and you get the, “Oh, we didn’t know it was there.” And then the follow-on is usually… And we have no idea how it got there.

Mike Pfeiffer:
Those are usually the times where you get hit, where you just didn’t know, right? You get exposed and you realize you had a vulnerability the whole time. It goes back to a lot of the stories we’ve heard in the news over the last couple of years like the Equifax thing. And what was the most recent one? I don’t remember. There was a big one recently, a couple months ago, but almost always seems like there was something misunderstood or hidden and to your point which is…

Eric Kedrosky:
Those unknown unknowns as I like to call them, right?

Mike Pfeiffer:
Sorry to cut you off there. But I’m interested in the fact that you guys are covering all these different platforms. Is that hard to keep up with these folks as they’re iterating so fast? It seems like every week stuff’s changing.

Eric Kedrosky:
Well, the platforms are adding different services all the time, but fundamentally what they do in terms of resources and data stores and what have you, there are a lot of basics that can get applied, and IAM governance models. They usually don’t take that out and put a brand new one in. So a lot of those basic foundations of the cloud are set and we really work off of that. Of course, if there’s a new thing that comes out that we need to modernize for, we’ll definitely do that. But it’s really the fundamental things we’re working with to help their customers secure their cloud and lock down their data.

Mike Pfeiffer:
Okay. That makes sense. It’s kind of a pillar, right? I always tell people, usually if you’re brand new, I’m like compute, security, networking, and storage are fundamental things, so that makes sense. It’s not like security is changing on a daily basis. It’s nice to see them, though, augmenting the platforms with complementary security services, so they’re going deeper there. And that takes me into my next question. A lot of people are trying to find their role in this new world, right?

Mike Pfeiffer:
They’re coming over from some previous role and now they’re like, “What’s my niche going to be in cloud? Am I going to be a DevOps person or a security person?” So for the folks that are looking at security, because it’s a big need, do you have any tips for folks that might be going down the security road as a practitioner?

Eric Kedrosky:
Well, I think the first thing is, for anybody, whether you’re new, getting into the industry, or whether you’ve been around for decades, there’s a lot of stuff that’s analogous, right? Like a sysadmin in DevOps. I mean, sure, there are pieces of a DevOps function, but there are also pieces of a sysadmin function. So as you’re learning new things, there are spots you can step into. Now, your typical teams, a security person in the cloud, while there’s a different knowledge base that you can learn and there’s plenty of material out there to learn, the fundamentals are the same.

Eric Kedrosky:
I mean, I like to make the joke. We’ve been talking about the same five, 10 things for 10, 20, 30 years in security. That hasn’t changed in the cloud. Those fundamentals haven’t changed. It’s just maybe the way you approach them that’s changed. It’s maybe how you implement or monitor or audit or control that’s changed. So for anybody out there, I would say just look at the fundamentals and see how the role that you’re doing now or where your skills are map into those types of roles in the cloud.

Eric Kedrosky:
I think for people getting into it the first time, it feels easier because it’s just new. I had a young employee that worked for me that had never seen a data center. He had never seen a server. He had no concept. It blew his mind. It was like the coolest thing on earth. And I was like, “Oh my God, get me out of the data center please.” Right?

Mike Pfeiffer:
Right.

Eric Kedrosky:
But what I really find is when I talk to people that have been doing this longer, and they’re thinking, “Oh my God, the data centers are transitioning to the cloud. There’s no place for me.” And this is what I really tell them like, “You have a ton of experience. You’re well-based in the fundamentals. There’s plenty of material out there to learn the cloud, just find those mappings and how you can fit in.” For the people that put in the effort to do that, I’ve seen a lot of great success. And some of my best employees have been people that have made that transition even late in their career.

Mike Pfeiffer:
That’s a really good point because a lot of times it’s just like finding something you already know and doing it a different way, a new name, but a slightly different approach in the cloud. That’s a really good point. You transfer your existing skills over. Do you like certifications? And do you recommend people follow that path?

Eric Kedrosky:
I like certifications and I don’t. Right? I like certifications because it’s a critical way of thinking. There’s a step you have to go through. You have to commit to doing that. So if I see somebody with a certification that shows that somebody made that commitment to do that. They put in the time, they’ve put in the effort. Most certifications these days, the barriers to entry are pretty high now.

Eric Kedrosky:
Especially some of the cloud certifications, they’re pretty high. They’re not a cakewalk to get. So that’s why I like them. In cases where I don’t like them, it’s like where someone thinks that’s the end all, be all, right? It’s like going to school for something. I like to say when I got my engineering degree, learning didn’t happen until the day I left school. So you have to keep on learning. So if you think that getting your certificate automatically makes you something, then it’s not.

Eric Kedrosky:
So that’s where I sit on the fence with certification. But if someone says to me, “Should I or shouldn’t I?” I always say, “Yes. What’s the harm in doing it? Go through the process. Show that you can do it. Prove it to yourself first.”

Mike Pfeiffer:
Yeah, I agree. And there is that trick that some people play on themselves where they’re like, “Oh, I’m done learning and I just got the cert. Now I can coast.” So that’s a good reminder, definitely. It’s always a continuous learning thing. You mentioned your team a couple of times here. I’m curious for people that are listening, they’re looking for jobs at places and stuff. What are you looking for in a security engineer when you’re looking at a new hire and what’s interesting to you? What are you looking for in a skillset?

Eric Kedrosky:
Really these days I’m looking for someone with a broad base of experience. I think of my right hand in a previous company, my security engineer; he had experience in a lot of different areas. It wasn’t just one spot. Now, could he go deep in all those areas? No, but I could find someone that could if I needed to, but he knew enough. So they’re very well-rounded, and I find in this area, you need that.

Eric Kedrosky:
I also look for people that have some programming experience. I’m not looking for an all-out developer, but if you’re a sysadmin that has PowerShell experience or coding experience or scripting experience, I’m looking for that because that’s sort of the step into DevOps. And also at times I look for skills outside of that. I had this awesome lady working for me who came from the audit side of things and wanted to get back into operations.

Eric Kedrosky:
She brought a whole perspective there: the team that was doing the hands-on work got to learn more about that group that shows up once a year, that you have to work with and then they go away with a bunch of findings that come back a bit later. So that gave a really great perspective. So that was that. So that’s what I look for in more senior people.

Eric Kedrosky:
When I’m looking for newer people, it’s just experience, and not so much formal, but it’s like, what have you been doing? Have you tried something? Are you volunteering over here? Have you written a piece of code over here? It doesn’t have to be perfect. It doesn’t have to be the absolute best thing in the world, but that these people are going out and trying to do these things.

Eric Kedrosky:
I think that’s fundamental. One of the things I also tend to look for is when someone is looking for a job is, “Do you understand what you’re getting into?” Not the technical side, but in technology we hear this all the time. You get so technologically focused. You’re working in a business. Have you taken the time to understand what your business does? Because if you understand what your business does, you’re probably going to better understand how they make decisions, and if you can understand that process, you can be better at being, not the security team that says no all the time, but the security team that says, “How do we get there?” So that’s another thing I definitely look for.

Mike Pfeiffer:
A lot of good advice there for everybody listening, especially, I couldn’t underline it any more. I agree totally that showcasing your interests and your passion for the technology is a great way to get on a hiring manager’s radar. It’s hard when somebody comes in on an interview and they haven’t looked at the company, they don’t understand the business, to your point, and they’re not really expressing their interest in technology. So simple things like having a GitHub profile and some repos like you mentioned, some code samples. It doesn’t have to be perfect, but just some points on the board.

Mike Pfeiffer:
The other thing that you said there that I really wanted to go back to was sometimes security people get a bad reputation because they’re the ones saying no all the time. Is that something that you guys work with your engineers on to get into more of a situation where… We hear this in DevOps like reducing the silos, being a little bit more cooperative between teams. Is that something that you guys have to actively work on these days? Because it seems like security is so paramount, right?

Eric Kedrosky:
It’s like any other relationship, Mike. I mean, really it’s a give and take on both sides. As I say, don’t become the group of no. Don’t be the naysayer. Don’t always be trying to hold things up. As you go into a situation, be open-minded. It’s never black and white, it’s actually always gray. So you’ve got to get comfortable working in that gray. Just because the textbook says this is the way you do it, 99 times out of a hundred it’s not the way that it’s going to happen. It’s going to happen somewhere. So getting comfortable with that.

Eric Kedrosky:
So on the security side, on that side of things, you have to get used to that. But it’s also a bit of training. You have to educate the business and the other people on what you’re trying to achieve, right? If they just see it as a thing that you’re pointing at, then they’re never going to come over to your side. You have to help them understand what your perspective is. But then you’ve got to flip the coin. You’ve got to understand their perspective as well, right?

Eric Kedrosky:
You have to understand, again, the business you’re working in, how they make decisions, what the risk profile is. I mean, if your company is very risk-averse, you could probably have a program that could be different than a company that’s not at all. So you have to understand that. And then when you take it up to the business side of things, it’s trying to understand what security does and stepping back and saying, “Okay, they aren’t the team of no and they have a job to do.”

Eric Kedrosky:
So don’t leave them until the 11th hour. Don’t make them the final gate in the process. Don’t say, “Hey, we’ve created this brand new application that we’re going to host PII in the cloud. And oh, by the way, we’re going to release it on Monday. And it’s Friday at noon. Can you maybe give it a review and give us your thoughts on it?” And it’s the first time you’ve ever heard about it.

Eric Kedrosky:
So really fundamentally, it’s about both sides engaging and both sides engaging as early as possible. I know that sounds really, really cliche and we hear it all the time, but I think it’s paramount. It’s fundamental. It’s like any relationship like I said.

Mike Pfeiffer:
Yeah, I really like that. It’s like there’s a difference between knowing and then actually implementing and living it, right? A lot of people know that they should be doing it, but they don’t even try it once. So it’s a really good message to take home there. Circling back to Sonrai and the products and services that you guys have, is this like a SaaS platform? So I can just point this thing at my accounts that I got out there?

Eric Kedrosky:
It’s a platform that we host in the cloud, of course. And then what we do is we deploy a collector in a customer’s environment. We collect metadata about their environment, and then the collector can apply the controls we have within the product and then organize them into what we call swim lanes to get that automation and that workflow going from the DevOps perspective.

Eric Kedrosky:
Then the customers can also bring their own controls and bring those into the system. So what you really get is you take your controls from paper to something that you can actually look across your single cloud or all of your clouds from a single pane of glass, and really get a true, accurate risk profile. And then really those difficult ones get to what I like to call the effective permissions of your identities. What can they actually do? Are they doing it, et cetera. And then again, from the flip side, the data side, where is my data? What is my data? Is it moving? Who has access to it, et cetera?

Mike Pfeiffer:
Very cool. One of the things that I’ve been asking everybody lately, the last couple of episodes, especially for yourself, having done so well in your career, director of cloud security and CISO and things like that: what is, if you can pinpoint one or two things, the best career advice ever?

Eric Kedrosky:
Good security is based on good operations, first of all. I mean, from a technical perspective, clean operations leads to clean security. And then I just think from a personal development question, don’t be afraid to ask questions. Don’t be afraid to be stupid. Be vulnerable and ask any question. Even if you’re embarrassed, just ask the question. Because most times there’s probably somebody else in the room that has the same question and you’ll learn.

Eric Kedrosky:
By being vulnerable, other people will open up around you. Then you find that it sort of all just drops away. And then you can just share and collaborate. It’s always been in those where I’ve tended to excel, but not just individually. The team is like, “That was one of the best teams I ever worked on. We did this really amazing thing,” and it always comes back to sort of that point.

Mike Pfeiffer:
That’s really great advice, man. I love that. And that was a fast answer. Usually people are like pondering, but man, you’re just on it, and that’s awesome. Eric, this has been great, man. Where should we send people that are listening to this and maybe want to learn more about Sonrai Security or maybe they would just want to learn a little bit more about how to beef up on their cloud security skills? Any resources you want to send people to?

Eric Kedrosky:
Start with sonraisecurity.com. We offer a lot of blogs. We offer a lot of education. We offer a lot of webinars that we can go to. And the other thing is get involved in your community, whether it be a broader cloud security community or very local one or a group or whatever, just get involved in your local community. That’s always the best thing anybody can do. Find out who’s out there and learn from them. And then as you can, like I like to say, send the elevator back down and help those out that want to come up.

Mike Pfeiffer:
That is the best way I think we could end this one. Eric Kedrosky, thanks so much for being on the show, man. I appreciate it.

Eric Kedrosky:
Thanks, Mike.
