Modern Cloud Environments Demand a Fusion of New Security Architectures, Continuous Education and Educated Partnerships

Hey, everybody, and welcome back to the show. You know, as our IT centric community expands into different worlds and different different applications and having to have conversations between on prem and off prem and cloud. You know, there's so many questions that pop up from a challenges standpoint, an opportunity standpoint. And I today, I wanna try and provide a little bit more clarity specifically in that world of cloud centric ecosystems. And, you know, especially as we kinda step through a lot of different digital transformation, you know, opportunities, the cloud really continues to present itself as a unique opportunity because of scalability, opportunity, cost savings, and a lot of applications. But wanna step through some of those those best practices, those challenges, and maybe some of those ways to best roll out, cloud centric ecosystem. And to have that conversation today, I brought on somebody who's far more knowledgeable about these things than I am, which is the greatest guest in the world that you could possibly bring on. And that's Chris McHenry, VP of product management from Aviatrix. Chris, thanks so much for coming on the show today. Thanks, Ben. It's really good to be here. Well, Chris, I wanna kinda give you the floor here to to kick us off. I know that that, obviously, Aviatrix is doing some fantastic stuff from a a cloud solutions provider standpoint, especially from a a management and standpoint of of day to day activities. But I wanna ask, you know, some of our audience may not be quite familiar with who Aviatrix is. Who would you say that Aviatrix is, especially in relation to to kind of the cloud computing world? Yeah. Absolutely. So, you know, we've been it it's funny because we're we're not really that new of a company. We were born as cloud was kind of taking off, and I think one of the things that's really brought us into, more prominence over the last couple years is, a, you know, I I I have a really I believe that, you know, we've done a a really great job of continuing to innovate as the company has evolved. But but, b, you know, cloud has continued to just explode in relevance. And one of the things that we're finding is that, you know, customers are and and organizations, enterprises, our customers are, you know, kinda dabbled in the cloud maybe four or five years ago and have started to to to grow and and become you know, have more complex environments and more complex requirements. And and what's also really interesting is we see, different skill sets now becoming responsible for things that they may not have to your point, like, the the the most expertise in the application teams are now responsible for security and connectivity and, you know, a bunch of other things. Right? So so we live in that space. We were born as a company with the whole premise of, you know, how can I take some of those core traditional IT requirements, things like networking and network security and firewalling and the ability to to troubleshoot things and make sure that connectivity is resilient? Those things that were done maybe by the Ciscos of the world when they were on prem or the Palo Alto networks, and we wanna rethink how we do that for the cloud. So fundamentally, you know, we really live in that networking and network security space, primarily, in alignment and in partnership with a lot of the major cloud vendors, the AWSs, Azures, GCPs, even, you know, for for if you're bigger, older school enterprises, the Oracles and, you know, of the world. And and that's, you know, our goal is to rethink how organizations do networking and network security in the cloud in a way that is optimized from the ground up for the cloud and is simplified to help make sure that the cloud operators can effectively leverage our solutions. Well, you know, Chris, I I love that you even brought up some of those core distinctions. Right? Obviously, there's there's a school of thought that is very on prem centric. And if you need it in a fully insulated environment, you know, maybe that's where you might wanna go and and and leverage the cloud for some whether it's external or or, other opportunities. But, you know, I I think the conversation around the cloud, as you mentioned, has evolved pretty dramatically. Right? There's there's a different layer of security now maybe even than than five, ten years ago. There's a different set of applications, and you've got operations teams, and you've got IT teams, and access control and security teams trying to leverage these ecosystems, you know, in the same way. Right? So now it makes sense, especially as people are decentralized, to really explore a lot of those cloud solutions. You know, talk about some of the advantages specifically about maybe looking at a cloud centric ecosystem versus a holistic, maybe on prem solution. Yeah. Absolutely. I mean, you there's there's multiples. Right? But, I mean, one of the big things that changes when organizations go to the cloud is is is that decentralization that you you talked about beforehand. Right? I mean, I I I tend to think that, you know, organizations, oftentimes go to the cloud because the applications are requiring it. Right? Or there's optimization that can be had from the application teams or the developer teams or, you know, that that that kind of perspective. But we almost get there first before thinking about how do we effectively secure it or how do we effectively operationalize it or how do we effectively cost optimize it as well. Like, to your point, some ways cloud can be less expensive. I'm not investing in a lot of this physical infrastructure anymore, but there's also a lot of risk when you move into a consumption oriented, you know, model. Right? That that cost can get out of control. And if you don't do things right, you know, you're gonna end up with with a suboptimal environment that could cost you a lot of money. So, you know, when we think about looking at, solutions that were born in the cloud, it's really about, you know, working with, not necessarily fundamentally changing the way customers think about, you know, their IT infrastructure, to be perfectly honest. Right? I mean, especially in the case of network security, which is something that I'm incredibly passionate about, you know, it it used to be that you could secure your environment to your point in kind of this isolated way where you stick a firewall at the edge of your network and it's, you know, monitoring all your traffic and controlling, you know, how how people access the the real danger zone of the Internet. And now we get to the cloud, and it's like, oh, shoot. I don't have a wall that I can put this thing in front of, and so what do I do? And we're you know, there's there's several different options. You can you can try to force it. Right? You can go to some of those legacy vendors and and say, hey. Okay. Well, let me just replicate what I had on prem, but I'm gonna do it in software, or I can rethink it for the cloud in the same way that, you know, well architected frameworks in many of the clouds would advocate for refactoring or rearchitecting applications. We need to think about doing that with the infrastructure and our cybersecurity practices as well. Right? Doesn't necessarily mean we're changing the fundamentals. Still very important to be able to see what's going in and out of my organization and to be able to control that and to be able to defend against it. But, the mechanism or the architecture, the way that we implement it might be might be slightly different. And and the only way that you're really gonna be able to capture the full benefits of the cloud, the speed, the automation, the cost optimization is to really focus on doing maybe the same fundamental principles of implementing security, but doing it in a way that was really built for those new cloud operational models and cloud architectures. Well, I I think that's a great point too. Right? And, obviously, you mentioned cybersecurity, and, really, it's the lens of of our entire conversation today. You know, on prem is a little bit easier from a control standpoint. Right? And there's no denying that. Right? It's much easier for me to plug one cable in here and then plug it somewhere else. Right? I I have granular control over over where that network goes. And I think a lot of times when people think about cloud migrations and cloud centric, ecosystems, they think, look. My threat now is less, you know, a cyberattack I mean, not specifically a cyberattack. My my threat now is less and fire on-site or somebody breaking in in the middle of the night and stealing data, and it becomes more my largest threat now is that somebody gets their password social engineered. Right? What are some of those cybersecurity challenges specifically on the cloud that may differ a little bit from that on prem as well? Yeah. You know, the big thing that I'll say with cloud in general. Right? I mean, there's really two different categories, of of cloud consumption. Obviously, we have software as a service, and then we have kind of the infrastructure as a service realms. You know? And a lot of that when we think about security and really the responsibility that an organization has from an IT perspective is about where does that line fall. Right? And then when we talk about, you know, SaaS offerings, things like hosted email services and that kind of thing, absolutely. Password compromising, thinking about things like multifactor authentication, those are those are really critical because, again, it used to be you would like VPN into your network and that was your control point, and now we have to put the control point in the application. But I will say I think I think yes, absolutely one hundred percent still a massive problem engine, a problem. Social engineering is really challenging and it's a cat and mouse game. But, you know, there's continued innovation in that space with identity and access management and, you know, passwordless architectures and things along those lines that we should be thinking about. And a lot of people made significant improvements already with things like single sign on, and we saw multi again, multifactor authentication being being a really big, big thing four or five years ago continues to be one of the most important things you can do from a security perspective. But then then we have the infrastructure as a service, which is like I'm building this kind of software defined replica of the things that we use to physically rack and stack in our data centers. And, and that that has its own unique set of requirements. Right? So maybe not necessarily, about, passwords as much because the way that that gets interacted with is more IT centric or you're serving the application or it's applications talking to other applications in the environment and we need to focus on how do we, how do we secure those things. So two things that are really important to focus on. One, when you go to a cloud like an AWS, Azure, or or or GCP, your management framework is now on the Internet. So we gen we generally refer to this as, like, identity and access management and and, may not be passwords. It might be things like access keys and, credentials and and those kinds of things. So that that that's fundamentally important to predict. You know, your management interfaces have never been on the on the Internet before and now they are. So we need to think about, how how to appropriately secure that relatively similar concepts to what we would do with SaaS. But then we think about how do we secure those servers that we're deploying in the cloud and those applications that we're deploying in the cloud. And that that's where I really think, a lot of customers and a lot of enterprises, struggle a little bit because it's super, super easy to spin up an application in in one of those providers. And their target audience really is the developer. And so the developer is not necessarily a security expert. Things like immediately getting access to the Internet or immediately having a public website. And all of a sudden we don't have that same visibility and that same control that we had on premises. That doesn't mean that those same principles shouldn't apply. Right? If you go to organizations like MITRE as an example, and you look at their attack matrix, it they do have an attack matrix for cloud, but their standard attack matrix also is fully applicable for the applications, whether they're deployed on premise or whether they're deployed in the cloud. And so being able to do things like implement perimeter security controls are really, really important. So you might do it slightly differently. You're doing it in software. You know, some of the principles might change, and I think also sometimes the users might change. So driving simplicity in that is absolutely critical. And are in terms of in terms of creating adoption and ultimately getting the most, effective security posture. But, yeah, we need to break the problem down. Like, there's elements of, like, what do I do with SAS and what do I do with applications that sit directly on the Internet? And then there's there's how do I implement best practice security controls for the applications that I own and run even though they're running in somebody else's environment and software. You know, one of the things that really stood out, you know, about what you said is having different tiers or or rollout strategies for your cloud specific security. And and, you know, immediately, my mind goes to, oh, if I'm, you know, if I'm just an office that's trying to streamline some of my workflows and things like that, you know, I won't need the level of cybersecurity or access control that hospital would. Right? Because there's different compliance standards. There's different regulation standards. But, obviously, the the give and take with that aside from from the maybe making that migration to the cloud specifically on, hey. What what's appropriate for me to find that balance of, hey. I need this security, but I can't pay three hundred million dollars a year. I'm being dramatic, by the way. I can't I can't pay three hundred million dollars to make sure that my data is clear. You know? I mean, I'm I'm, in most cases, it's not a three hundred million dollar budget, but Yeah. There are there are those there are those people who do spend that. Yeah. Yeah. So, I mean, I I think really a lot of this has to do with where do you draw that line. Right? And and if you're in an organization where you don't have any expertise from a cybersecurity perspective, I mean, there's really two things I would look at. One is looking at services that have security built into them or where the the shared there's this concept in the cloud of the shared security model. Right? And it's who's responsible for what pieces of of cybersecurity. And you need to evaluate, like, where does that level of responsibility live. And if I don't have that level of expertise, we wanna move to solutions that have more built in security versus security that that you're responsible for. Now there are a lot of, I think, opportunities as well. There's a lot of organizations out there that do security outsourcing, but to your point, that's that's relatively expensive. I mean, I I'll tell you my fundamental belief here at Aviatrix is that, a lot of the foundational security principles that we that we that we did on premises, still persist in the cloud. You know, having the ability to have, like, a firewall as an example that that protects you, that has a good understanding from a vendor perspective of, you know, what is a threat, what is not a threat, having good hygiene around what is allowed in and out of the firewall. Those are still, like, really, really good practices and the kinds of things that really any organization can operationalize. The catch is the complexity of con concept the the the, you know, what is conceptually complex, for implementing those kinds of perimeter security controls in the cloud. And that's really where vendors like us come into play. It's building software that is simple, that is familiar, that they can provide those basic foundational security controls in a very cost effective way for really any understanding what am I responsible for based on the services that I'm using and and having a very clear understanding of that. And then if you if you have a use case, like you're developing your own application, so you're hosting your own applications and that responsibility lies more on you than it does on, you know, the cons the consumption of the that's the provider that's, you know, providing the application for you, then thinking about, okay. How do I take you know, I start from a first principles perspective, looking at things like MITRE ATT and CK make matrix, making sure that I have the same things I had on prem, like good antivirus, good visibility, good firewalling, good perimeter security control. Those are the places where I think, you know, oftentimes to be honest, a lot of people get stuck as they think, they get stuck in figuring out like what what do I do in this new world? And and the reality is you can take a lot of your a lot of your Historical skills and and principles and apply those in the cloud. You just need to you need to likely work with a vendor who understands cloud as as kind of the summary. I like to even mention those vendor relationships too. Right? And especially for, you know, what I would say the the small medium when I say small, I'm I'm probably talking ten ish million and above, small medium business that that has to have some sort of security posture and cloud posture, you know, it's very difficult, especially when you don't have the staffing staffing capabilities to hire specifically for those those applications. Right? You you might have somebody who's great with with, you know, you know, ISP management and somebody who's great at email security and all these other things. And but the challenge is, Chris, and this is what I wanna ask is, you know, when you talk about bringing that third party provider in, that typically for somebody is a pretty dramatic jump. Right? They they have acknowledged that they can't handle it on their own. But, you know, what specifically are those benefits of folks who maybe say, hey. You know what? I I don't have the expertise. I don't have the time. I don't have the budget. Why would I want to go with a third party provider, and what are some of the things I should look for in a provider? Yeah. I think there's a good, a good, just in general, element of core versus context. Right? What is core to your business versus versus what is context to your business? Right? And and what we do see, to be perfectly honest, in the market right now is there is a huge skill gap, especially in cloud and especially in the overlap between cloud, cloud connectivity, cloud security. Right? And so, whenever there's a skill gap I mean, obviously, if you're looking at building out that expertise in house, that's one thing. But if you can't hire for it, then that's an obvious reason to go look at a partner. Right? I do think there are two different kinds of partners. Right? You have out partners that you're gonna outsource, you know, labor to effectively, or, you know, managed security operation centers, things like that, or full security stacks. That's that's one one path to go. But the the other path to go is to look at partners in kind of the software space that allow you to, leverage transferable skills. Like, one of the things that I look at when we build our software is I really want to think about what the user experience is like. And so as an example, we we really strive to focus on simplicity and delivering powerful outcomes while making it easy to use. And we launched last year an embedded security component of our product really focused next generation firewalling. And as I was building that with my team, right, because we were designing it, one of the big things that I really wanted to drive is I wanted to make sure that it was easy for the two stakeholders that really matter here. One is the IT administrator that is used to using a traditional firewall, the one who's used to working with the Palo Alto or a Checkpoint or Fortinet or something along those lines. I wanted to make sure that it was familiar so you could log in and immediately understand, okay. I know how to use this thing. Right? That way we can you don't necessarily have to hire for new skill sets. We can take those existing skill sets and easily transfer them into the new environment. And then the second user of the system is is that app developer who doesn't really know much about security, but does know a lot about how to deploy things with code and that kind of thing. So making sure that that's really friendly for that particular user and that we align with some of the paradigms that the cloud, that the cloud offers so that, again, familiarity, I think, really and really helps with, with with allowing organizations to leverage existing skill sets, to to implement the, you know, the criteria that they ultimately want. And so in that secondary, path, it it's not necessarily about a services provider and team that I already have. You know, Chris, I could I could even envision some of our audience right now just trying to absorb all this information and trying to drink from a fire hose. I think a good question might be, you know, you've got people for the first time who, for one reason or another, are either trying to migrate from on prem to cloud or really are at the point where it makes sense for them to evaluate a larger data centric strategy or or or cybersecurity strategy on the cloud. Where do you recommend that people start once they've decided that, hey. Maybe there's a need there. Exactly. So I will tell you one thing. One thing that the clouds are are really good at is, they they've built these amazing marketplaces. Right? And the marketplaces are really designed to to help, users discover offerings that are in the space that allow them to achieve the objectives, but do it in a cloud centric way. So gives you the ability to kind of evaluate, you know, new potential offerings that might fill some gaps that that you don't know how to you knew how to fill on prem, but you don't necessarily know how to fill in the cloud. So I I recommend using the cloud cloud provider marketplaces as a as a really interesting source of research. That's a primary way that we do transactions with our software. But they said that, again, the second thing that I really strongly encourage customers to think about is go back to the fundamentals. Right? Use the resources that you have. You know, there there's amazing cybersecurity resources. There's amazing IT infrastructure resources. There's amazing certifications out there now. You know, the things that we did earlier in our careers and and you're getting Microsoft certifications and Cisco certifications, you know, obviously, it makes sense to get AWS certifications believer in empowering organizations through education. We have a program that we call ACE, which is the Aviatrix certified engineering program with, you know, associate professional and advanced level certifications. And so that that education piece can be really helpful to to to developing a strategy. And then, again, back to basics. Right? Figuring out how I how I cover the same kinda basic, you know, needs that we had on premises. It's like it's not like it fundamentally changes in cloud. You still need, you know, servers. You still need storage. You still need some sort of security. You still need some sort of networking. You need all the same things. It's about how do I how do I transfer that knowledge and apply it, in a similar way, but not necessarily thinking of this is fundamentally different than anything I've done before. Well, that's helpful. And and I know that there there are quite a few people out there who hear that and and are comforted by that. Right? It's it's intimidating at the very least to try and find, you know, the best provider, the best, you know, stack, the best cybersecurity plan, and things like that. And and working with folks like yourself, really to to the very least be a guide, is is wildly important, especially, you know, as the world changes pretty dramatically from a digital digital perspective every day. And, you know, I wanna kinda give you this last question. This is, you know, there's a lot of different places you could go with this, but but the world continues to evolve. Right? And and we've hit on that probably four hundred times already in this episode. But what would you say are maybe some of the the top two or three greatest risks that that, you know, people need to be mindful of, going into maybe the next five, ten years when it comes to their cybersecurity, posture? Man, that is an interesting question. I told you. It was a big question. Yeah. You know, you you you never know. I I I honestly, I'll say this. I work with far too many customers where I think that cloud has, you know, there's you look at your organization cybersecurity budgets, and and and it's it's obviously growing. And and figuring out how we can, have effective defense in a cost effective way, It has nothing to do with risk. It has nothing to do with the attackers. It has everything to do with our ability to, to to prioritize best practice security. Right? Is it has to be affordable. It has to be accessible. And so I do think that's gonna be one of the biggest challenges, and I see that as a a huge area for innovation. You know, the the interesting thing about, a lot of the disruption that we see in the software space right now is that, you know, at my phase from a from a company perspective, I'm not trying to squeeze as much revenue out of every single customer as I'm trying to get. I'm trying to disrupt. I'm trying to disrupt and allow you to have accessible cybersecurity software. So I think that that that balance between cost and security posture is something that a lot of organizations are already wrestling with and will continue to wrestle with. There is a trade off. There's a bad there is a point where if you're spending so much on cybersecurity, you might as well just buy insurance. Right? There's a ceiling. So so that finding finding ways to, to do that. And now I think there's an ethical responsibility that we have as well. Right? As as companies, as we have customer data, as we, you know, as a company, as we're servicing our own clients and need to think about business continuity, there's, there's this ethical and those are huge challenges. And then, you know, the last piece that I'll say is that, this is a never ending game, unfortunate unfortunately. Right? It's a never ending game, and you, you know, the the incentives for, attackers are continuing to grow. AI is making it way easier for novices to develop malware and to do social engineering attacks even if they don't have a good grasp, you know, on on the English language, right, which we're seeing. We're seeing much better authored phishing emails with the advent of things like chat GPT. So, you know, it's a never ending game, and you just you gotta keep fighting. And that that that having that perseverance and the continued curiosity to continuously evaluate and, reevaluate the the the strategy and the approach and and continue to educate, the rest of the organizations on the importance of security. That perseverance, honestly, is gonna be one of the biggest challenges that customers have. Chris, I love that you even brought up the idea of ethics and cybersecurity. We we probably have to get you on to have an entire conversation about that because that's the the underpinning of a lot of this, right, is is what ethical concerns and especially when you start talking about, financial loss and loss of care and all of these the it starts to get really wonky really, really quickly. But I'll tell you what, Chris. It was fantastic to have you on today and really set the table for a lot of folks who may not get to have this conversation all the time. So I appreciate you sharing your insight and coming on the show with us today. Yeah. My pleasure, Ben. Thanks for having me, and, would love to come back. Well, absolutely. We'd love to have you back on. And a giant thank you out, to those who are are listening and watching today. Be sure to like and subscribe. If you like what you saw, look. Send me an email. We gotta we gotta have Chris back on for sure. And, you know, the more emails that I could send him about his positive experience, I'm sure we'll, we'll be able to pretty easily get it back on. But thanks so much for tuning in to Pro AV today. We are excited to, to have, these conversations on the show and look forward to, to to serve in the industry, as we can con continue to go forward.