July 20, 2023

Cybersecurity: Cloud security challenges and opportunities with Jiong Liu

In this episode of Navigating Forward, Mike Halstead and Roshan Soni from Launch Consulting speak with Jiong Liu, Senior Director of Product Marketing at Wiz, about cloud security. They cover recent trends in cloud threats and attack patterns, along with the increasingly complex nature of the attacks and the challenges of just keeping up with all of the data, tools, and environments that exist within an organization. They also touch on how this increases the complexity of a security team's work — and how it necessitates a mindset that security is a team sport that must include dev and DevOps teams, plus security champions across the organization.

Transcript

00:00:00:00 - 00:00:29:29

Narrator

Cybersecurity is one of the most important and most complex aspects of modern business. Ransomware and other cyber attacks are skyrocketing. Millions of security jobs remain vacant, and in the age of AI, new opportunities and threats are growing quickly. In this special series from Navigating Forward, security and business experts from Launch Consulting explore the evolving landscape of cybersecurity across industries. Along with a slate of distinguished guests, we'll discuss how organizations can build healthy habits and practices that promote cyber resilience for the long haul. Join us as we uncover what businesses need to do now to prepare for what's coming next. This is Navigating Forward: the Cybersecurity Series.

00:00:49:03 - 00:01:23:01

Mike Halstead

Welcome to Navigating Forward’s cybersecurity series, where we dive deep into the intricate world of cybersecurity and come out with the knowledge you need to move your business forward. I'm your host, Mike Halstead. Today, I will be exploring a critical topic that affects businesses, organizations, and individuals alike: the importance of cloud security. With the rapid advancement of technology, cloud computing has become an integral part of our lives. From storing our personal data to hosting mission-critical applications for businesses, the cloud offers unparalleled convenience and scalability.

00:01:23:04 - 00:01:41:05

Mike Halstead

However, as with any digital platform, security concerns are paramount. Today, we will embark on a journey to uncover why cloud security should be a top priority for individuals and businesses. We'll explore the potential risks and vulnerabilities that exist in cloud and discuss the proactive measures you can take to mitigate those risks.

00:01:41:05 - 00:01:52:19

Mike Halstead

I'm delighted to be joined by our special guests, Jiong Liu, Senior Director of Product Marketing at Wiz, and my partner, Roshan Soni, Managing Director for Cloud and Software Engineering at Launch Consulting Group.

00:01:52:19 - 00:02:01:23

Mike Halstead

First, a little bit of myself. I lead the cybersecurity sector at Launch Consulting. Prior to Launch, I had a long career at an investment bank, with the last 11 years being a cybersecurity executive.

00:02:01:23 - 00:02:06:11

Unknown

Electro in the world, trying a new food and drink and meeting with my industry peers. Roshan, quick introduction on yourself

00:02:08:03 - 00:02:23:18

Roshan Soni  

Thanks, Mike. As Mike mentioned, I currently lead our cloud and software engineering capabilities at Launch. I spent the last 20 or so years in the technology space working a lot hands-on within cloud, data, and applications. And whatever time I have, I spend with my family, a lot of yard work, mostly just around the house.

00:02:29:21 - 00:02:30:14

Unknown

Thanks, Roshan. And Jiong, our special guest, a little bit on your background and any passions you want to share with us?

00:02:34:21 - 00:02:58:22

Jiong Liu

Thanks for having me. So I'm Jiong Liu, Product Marketing at Wiz. I'm really passionate about helping organizations realize the benefits of the cloud in a very secure manner. So currently leading up messaging, positioning, product launches, all that good stuff at Wiz. And actually prior to that was over at Okta, also helping organizations adopt cloud securely as well.

00:02:58:22 - 00:03:12:21

Unknown

And Mike, similar to you, I in my free time love traveling and in particular enjoying the local delights, food-wise and drink-wise, in the international destinations I go to.

00:03:12:21 - 00:03:31:20

Mike Halstead

For sure – I had to add the drink side of it because that is also important. So, the cyber threat landscape is constantly changing on a very frequent basis. What would you say are the kind of recent trends in the cloud space, and why should we be concerned about those?

00:02:33:21:21 - 00:03:58:03

Jiong Liu

Yeah, so as you mentioned, the cloud is constantly evolving and actually our research team put together a report recently on some of the top trends that they were seeing, specifically around the threats that they see in the cloud, and they came up with four, you know, really notable trends and high profile kind of attack patterns that we saw recently.

00:03:58:03 - 00:04:30:01

Jiong Liu

So the first one was really around API security. You may recall last year there was a pretty large scale breach over at Optus, amongst others, where it was really just a, you know, misconfigured API endpoint that didn't require authentication, right, that an attacker took advantage of and ultimately ended up stealing thousands of their customers' records. And this is something that, you know, we see pretty frequently in the news.

00:04:30:03 - 00:04:50:18

Jiong Liu

You know, even in my Okta days, this was something that we saw as well because you had a lot of developers there moving super fast. You know, they want to expose APIs because that's how you move faster. That's how they're building modern applications. But it really is just a very simple mistake, honestly, that can be taken advantage of and exposed.

00:04:50:18 - 00:05:19:27

Jiong Liu

Really, the crown jewels in an organization. The second big threat that our research team surfaced was really the Lapsus$-like attacks that we saw as well. Right. This hit a ton of really high profile organizations last year, Samsung, Nvidia, Cloudflare, Microsoft, amongst others. And, you know, it's not like this was a very, very advanced band of attackers potentially.

00:05:19:27 - 00:05:52:13

Jiong Liu

Right. The rumors are this is probably some teenagers that are out there, but they attacked a lot of these big companies. And, you know, some of the commonalities that we saw across there was it really was an initial compromise of a user. And once they had taken over that user's identity, they were able to actually escalate their privileges into other parts of the environment and find additional information that they would then exfiltrate.

00:05:52:15 - 00:06:18:26

Jiong Liu

And so, you know, some of the learnings that we have from that is in some ways you have to assume initial access, right? And from there, what else can that person get into? And so again, you know, simple, simple mistake that ultimately led to a much larger outcome. The third cloud threat that we saw is, again, something that we hear about in the news almost on a weekly basis at this point.

00:06:18:26 - 00:06:46:16

Jiong Liu

Right. Data exposure. And it's kind of surprising that it continues to be such a common path that we see. Right. Like, and again, it's not like small companies that are subject to this. There's Microsoft recently exposed to under 50 million customer records. I think Amazon also exposed a ton of different records for everyone that was using their video services.

00:06:46:18 - 00:07:33:07

Jiong Liu

These are really large organizations and it really just highlights the fact that this is a very difficult attack pattern to actually stop because finding them is actually pretty difficult. And the velocity of attacks that organizations are going through is really at an unprecedented velocity. And again, our research team found that, you know, just if you have a bucket that is out there in the wild and it might have records, customer records in it, if it's exposed and if it's referenced in a GitHub repo, from the time of exposure to the time that it's actually, you know, discovered by an attacker is really only 7 hours on average.

00:07:33:14 - 00:08:02:12

Jiong Liu

So the speed at which some of these risks are being taken advantage of is also really, really unprecedented. And then the fourth one that our research team highlighted was really the supply chain risk. I think we all remember SolarWinds, which is kind of one flavor of the supply chain risk where around identity based. But there's also a lot of, you know, software based ones as well that we're starting to increasingly see.

00:08:02:14 - 00:08:33:18

Jiong Liu

And so when I think about, you know, these risks that are out there, what's notable, right, is they oftentimes are really, really difficult to spot in an organization because of a couple of different factors. One is it's no longer just, hey, I found an exposed asset and I'm going to, you know, exfiltrate that data and then, you know, publish it to the world.

00:08:33:20 - 00:08:58:07

Jiong Liu

They're getting increasingly complex in terms of how they are exploited. So oftentimes it's some sort of initial access and then there's oftentimes lateral movement or privilege escalation where an attacker is able to actually break out of that initial point of entry and get to the crown jewels. Right. So we saw that, you know, with Lapsus$, it wasn't just about that initial identity.

00:08:58:07 - 00:09:26:05

Jiong Liu

It was the privilege escalation then to something else. We see that in the news all the time. A lot of the data exposure, it's actually difficult to detect because, you know, they might exploit some vulnerability on a machine, but then they move laterally within the environment. Right. They're able to figure out how do we break out of this virtual machine or this application that we found our way into and find things that are actually really, really important in the environment elsewhere?

00:09:26:07 - 00:09:49:03

Jiong Liu

So could be like crown jewels, like your customer data, could be an admin identity that really has, you know, keys to the kingdom. And I think it's because of the complexity of this sort of attack path. That is why these things are so scary and so hard to find because, you know, you might be talking about like different layers of your cloud environment as well.

00:09:49:10 - 00:10:07:21

Jiong Liu

And so a lot of the tooling that we have in place today is not necessarily equipped to look for, you know, these complex attacks, ones that take advantage of multiple layers of the cloud and, you know, where the entry point is very different than the end state.

00:10:07:21 - 00:10:29:12

Mike Halstead

Great. Yeah, that's, it's interesting how a lot of these are similar type attacks from the past, right, pre-cloud, and, you know, following kind of the whole security hygiene, but it's also the complexity that the cloud creates, as you said, the multiple layers, and how, you know, the bad actors are following technology, which is the cloud. So now that's, you know, obviously a new attack area for them. Roshan, want to get on to that?

00:10:36:22 - 00:10:48:21

Roshan Soni

Yeah, definitely. No, it was interesting, the 7 hours really caught me because you have the cloud, which is so easy to stand up and configure, but it's very tough to stand up and configure securely, right? And so you have IT organizations, startups, all sorts of people trying to stand up their own cloud instance. And then -

00:10:59:26 - 00:11:04:26

Roshan Soni

- if they do it the right way, then, you know, they're okay. But, like, if they have something misconfigured, within 7 hours, they leave for the day, I mean, it's going to be attacked, right? Crazy to think about that stat right there because it's just so quick.

00:11:14:16 - 00:11:47:07

Jiong Liu

Yeah, and yeah, in the first example right, the API security one, it really is just that one error, right. Someone misconfigured one configuration setting and it left the API exposed like they probably did not intend to do that. Certainly. Hopefully did not intend to do that. So it really underscores the fact that, you know, the attack surface is growing super rapidly and it's not just the controls that you might have had when you were, you know, more on the on prem world.

00:11:47:07 - 00:12:14:14

Jiong Liu

They, they dissipate because anyone could make that configuration in error and really also at any point in time because even if you look at our cloud providers, they're constantly releasing more and more functionality. Yeah, like I was reading in the news recently that I think AWS now has like over 10,000 configurations that you can do by API. And so it's really just a single one that can lead to one of these breaches.

00:12:20:10 - 00:12:40:14

Mike Halstead

Yeah, for sure. So, talking about the attack surface, we'll segue into that a little deeper. And so many firms are on their migration journey to the cloud. You know, some are further ahead than others. What are the different types of cloud environments? And, you know, what do you see as the pros and cons to running in each of those environments? This is more from a kind of a security perspective.

00:12:40:14 - 00:12:58:29

Jiong Liu

Yeah. So, we see organizations sort of like at every stage of their cloud journey, there's organizations that are earlier on where they're really just in that migration standpoint and they're just even thinking about, you know what, what do I have? Where do I want to move it to?

00:12:58:29 - 00:13:25:08

Jiong Liu

Do I want to just do some sort of like lift and shift, for example, or do I want to refactor the app and build it cloud natively? And we see a mix of that, right? And oftentimes it depends on, you know, what is the application in question, right? If it's super important and critical to your business, you can't have any downtime associated with it.

00:13:25:10 - 00:14:03:25

Jiong Liu

You know, choosing the less disruptive path is oftentimes going to be the easiest path to getting that application to the cloud versus if you have something that is, let's say you have an innovation team that is focused on, right, they can leapfrog into cloud-native approaches, things that leverage containers or Kubernetes or serverless approaches. And yeah, I actually was talking to a Gartner analyst a week ago and he said, you know, pretty much every customer he talks to now at this point has some form of Kubernetes in their environment.

00:14:03:28 - 00:14:40:25

Jiong Liu

So, it is oftentimes really a mixture of different things and that, again, becomes even more complex for organizations to manage from a security standpoint, because you have these environments that are heterogeneous, right? And you want to encourage that as a security team. You don't want to be the person that says, no, you can't adopt containers, because that's a surefire way that someone is going to go adopt containers anyway. You'd rather be the good cop there and help them along with it and help to educate them from a security standpoint.

00:14:40:25 - 00:14:47:08

Roshan Soni

It’s the innovation, right? If they can’t innovate then how are you going to grow? You have to give them their freedom.

00:14:47:08 - 00:15:04:04

Jiong Liu

And it's even worse than that, right. It's not that they're going to stop because you said no as a security team. Right? They're going to do it no matter what. You can either get on board with them and help put guardrails around it or you're kind of cut out of the equation.

00:15:04:04 - 00:15:24:25

Mike Halstead

Because I was like, there's not one size fits all, right? I understand it correctly? And so it's a case by case basis. You know, depending where they're at in the, like, maturity, where they are, what data are they putting out, what are they hoping to get out of it? And, you know, what type of a platform and even cloud provider that they would use.

00:15:24:25 - 00:15:46:20

Jiong Liu

Exactly. There's so many different flavors of Kubernetes nowadays. And in many ways, Kubernetes is kind of like its own cloud within a cloud at this stage. And so it becomes more difficult for security to really understand all of these things, because they're not necessarily developers themselves. So you need to bring on people with different skill sets.

00:15:46:20 - 00:15:58:23

Jiong Liu

And historically speaking, you know, from a security standpoint, oftentimes when devs bring on these new tools that help them move faster, you had to then explore a different

00:15:58:23 - 00:16:09:29

Jiong Liu

tool for it as well, right? Like if okay, now we have a containerized environment, we need to go investigate some container security tools. Now we have serverless all throughout our environment.

00:16:10:01 - 00:16:35:06

Jiong Liu

We now need to go investigate another serverless technology to help us secure those environments. And so then that just adds to the complexity of what security teams have to manage. And this also leads to greater attack surface as well, because, you know, the risks in a containerized environment are oftentimes not just contained within the containerized environment itself.

00:16:35:06 - 00:17:00:08

Jiong Liu

Right? It could be, you could have a container that could have a secret in it, for example, that actually has a key to your AWS cloud, right, to a different environment. And so you're starting to see these different like cross cloud or cross cloud layer risks that crop up as well. Again, it's just more that a security person has to learn about and be prepared for.

00:17:00:08 - 00:17:10:26

Mike Halstead

So this next question is a bit loaded, but it's really around how does a firm know the extent of data that's in the cloud and when should they be concerned about it?

00:17:10:26 - 00:17:42:21

Jiong Liu

That's definitely quite the loaded question. I think the obvious answer is they should always be concerned about it. I mean, in many ways, you know, we've had all of these different eras of, you know, shadow IT in the past decade or two and it really is shadow data now that is one of the top concerns of organizations because it's so simple, right, to replicate a database or to move data from one place to another.

00:17:42:23 - 00:18:09:02

Jiong Liu

And again, like it's not necessarily the case that a developer is trying to skirt the rules, but if they want to go test out a new database service that AWS has just released, like they have that power on their own, like, yes, it's cool, it's new, I want to go test it out. And oh, I happened to have this data lying around over here in this other application that I own.

00:18:09:08 - 00:18:35:06

Jiong Liu

So let me just try it with this new service. And all of this is now done without, you know, some sort of centralized control in many organizations. And as a result, you just see, you know, data multiplying all over the place. And oftentimes, you know, you don't have a single team that therefore has that visibility all over the place.

00:18:35:09 - 00:19:10:21

Jiong Liu

So it's definitely a huge problem for organizations and it's also a huge problem in the sense that it spans teams. Right? Like security teams might be concerned. Dev teams might be concerned. You also have a lot of data teams that are concerned about this, both from a security standpoint and also from a privacy standpoint. And so because you have all these different teams, you have different responsibilities and roles and different lines that you might have drawn in the sand, it becomes an even harder problem to say this is a problem and this team owns it.

00:19:10:21 - 00:19:37:26

Mike Halstead

Yeah, it's interesting how easy it is, right, not only from your own personal device but in a business environment, to put data out there and not really even know it, right? And without doing proper third-party due diligence, oh, by the way, you may have some of your company's data sitting in the cloud unprotected, or, you know, it just creates a huge dilemma.

00:19:37:26 - 00:20:09:21

Jiong Liu

Exactly, it's just a proliferation of data that could be really anywhere in your environments. And in many ways, it's similar to the problem that we talked about earlier with just overall cloud cyberthreats that we're seeing where the attack surface is just growing. You know, on one hand, it might be because our cloud providers are giving us so many options around misconfigurations that we could do. Here, this is another one of just, you know, there's the resources themselves, right? We can proliferate on our own

00:20:09:21 - 00:20:29:05

Jiong Liu

and there is a category that is starting to emerge. It's called the Data Security Posture Management space, or DSPM, that we've been seeing and it's very nice that I think Gartner says maybe in the next three years 20% of organizations will adopt it.

00:20:29:07 - 00:20:54:08

Jiong Liu

But the goal of it is really to sort of address this problem head on around where is your shadow, where's your shadow data, how do we identify it? And not just, you know, identify that it's out there, but also classify it, right? Like, is this PII, or is this PCI? You know, because that's the more sensitive data that you should be worried about.

00:20:54:08 - 00:21:03:15

Roshan Soni

You know, a lot of our clients, if we're starting our data initiative or our data governance project with them, our first question will be, well, do you have documentation now?

00:21:03:17 - 00:21:22:27

Roshan Soni

And so they have stuff that's out there where this one person has it, we're working on it and they're the ones to go to if you need access to that data and that database. And so you have things like that that are all over the place, even on that and on the cloud, and it's just that massive area.

00:21:22:28 - 00:21:30:05

Roshan Soni

No one's walking through it and looking at things. Right. It's, it's something he has to manage. It really usually helps her.

00:21:30:05 - 00:21:53:16

Jiong Liu

It reminds me of this customer we talked to years ago where they had this one developer who had his own machine and he had like all sorts of things on it, like keys to everything, right? Admin account access. He had customer data on it and it's not like he was doing it to be shady.

00:21:53:19 - 00:22:10:07

Jiong Liu

It was just for his own personal use. So like, hey, I want to use this whenever I build applications and test them and come to them. But the thing is, he would actually turn off the box whenever he was not using it, right? So, you know, in his mind he was like, oh, this is how I make it safe, right?

00:22:10:09 - 00:22:28:27

Jiong Liu

I turn it off when I don't use it, but it's still out there. And so what was interesting was their traditional security tools didn't catch it because it's only looking for things that were on. So that was an existing kind of loophole that we saw.

00:22:28:27 - 00:22:55:06

Mike Halstead

So you touched on it a little bit more thing anyway, the data security posture, something that's in existence and going to be more probably mandated down the road. But with the attack surface, with the amount of configurations, with, you know, the multilayer that we've spoken about and number of attacks that are happening, what are the best practices for securing the cloud environments?

00:22:55:06 - 00:23:00:09

Jiong Liu

Yeah, so there's a few different things, right? And they happen at kind of different altitudes.

00:23:00:09 - 00:23:32:08

Jiong Liu

I would say, you know, one of the best practices that we're really starting to see form out there is recognizing the fact that securing a cloud environment cannot be only the responsibility of a security team. Right. Because the cloud is so decentralized that ownership is sort of all over the place. You have to have security champions across your organization and you really have to think about cloud security as, you know, a team sport that spans security.

00:23:32:08 - 00:24:03:24

Jiong Liu

Your dev teams, your DevOps teams, they have to work hand in hand to understand and control risks across the pipeline. And, you know, I was at a meeting at RSA not too long ago, and what was interesting was I was talking to a few different CISOs and they put it so well. They said our cloud security program, our goal is, it's a product within our organization that we really want the developers to use, right?

00:24:03:24 - 00:24:35:06

Jiong Liu

And so I thought that was such a good way of putting it, because your devs are your frontline, right? They're the ones that are making the choices around, you know, the types of infrastructure that you're bringing in, as well as all of the technologies that you're running in your cloud as well. And so if you can educate them, if you can bring them in as part of an extended member of your security team, that I think is one of the key best practices that organizations can have.

00:24:35:09 - 00:24:58:06

Jiong Liu

Now, maybe taking it a step, you know, deeper into like, well, how do you actually do that? Because, you know, devs are not security people. They have their own tools, they have their own processes. They don't do security every hour of the day. You know, some of the key things that we're seeing is, number one, is the visibility.

00:24:58:08 - 00:25:28:11

Jiong Liu

Oftentimes security teams talk about things in a very different way than a development team, and they process things in a very different way as well. Right. Security teams have all sorts of different alerts that they're looking at and triaging and risks that they're managing, whereas devs are just, you know, they're trying to move fast. And so one of the key things is establishing a shared understanding of the cloud environment and not talking about it in a lot of like jargon terms that a dev might not understand.

00:25:28:18 - 00:26:04:22

Jiong Liu

Right? Here's a virtual machine, here's, you know, who has access to that resource. You know, here's what that role also gives you access to. Is it publicly exposed? You know, so making it a lot more simple and normalized. And again, just having this same understanding of visibility across the entire environment. And that visibility has to be unconditional because if a dev, you know, spins up a new Kubernetes environment or new Kubernetes cluster, you can't rely on them to tell the security team for the security team to have visibility.

00:26:04:29 - 00:26:37:27

Jiong Liu

Right. Like, you just have to know as it's brought online. And that type of, you know, visibility without having to bother anyone, I think is super critical in the cloud. The second thing that, you know, we've seen a lot is, organizations oftentimes, you know, they want to embark on a shift left strategy. You know, I mean, obviously that's, you know, a key goal because fixing things earlier in the pipeline is obviously much less costly than it is later on.

00:26:38:00 - 00:27:02:11

Jiong Liu

But it's hard to do that if you don't already have that relationship between your security and dev teams. And like if they're not friends, as a dev, like, why would you ever let security fail one of your builds? Right? And so I think one of the key things is you really have to develop that trust. You have to develop that partnership first.

00:27:02:18 - 00:27:20:20

Jiong Liu

And we see that happening best at actually starting in the production environment. Like if we can work through that together, understand the critical risks, work through them and understand what policies we should put in place there. It's a lot easier then to shift that left versus just starting what

00:27:20:20 - 00:27:29:29

Mike Halstead

Makes sense. There's been a lot of discussion lately around what we'll call the AI movement. What do you see as the challenges that AI presents in the cloud security space?

00:27:29:29 - 00:27:59:28

Jiong Liu

Yeah, there's a few different challenges, right? I think one is, you know, what else does a cloud security team now have to worry about? And then the second is how does it empower kind of like how they run their program on a day to day basis. So on the first one, I think the biggest challenge, of course, is that people are putting a lot of data into these gen AI platforms.

00:27:59:28 - 00:28:28:21

Jiong Liu

And you don't necessarily have control again over what data they're putting into it. It's really actually an extension of the problem we just talked about recently around the shadow data, right? Like, hey, here's this cool new tool that's going to help me so much in my day to day job. Like, yes, of course I'm going to go use it and of course I'm going to give it information that helps me to do my job because, you know, I may not know, oh, this was like PII data.

00:28:28:21 - 00:28:44:20

Jiong Liu

Like if I'm a, you know, a dev, like, I may not even know what PII stands for, right, personally identifiable information, and I may not know, even like all of the privacy regulations for why this is problematic, for why feeding it into an AI

00:28:44:20 - 00:28:50:02

Jiong Liu

And so I think that adds on just more layers of complexity, more things that you have to worry about.

00:28:50:02 - 00:29:18:21

Jiong Liu

It's just a greater attack surface that we have to worry about. And then on the second side, you know, in many ways, like AI and ML have been around for quite a long time, there are some great tools that are out there that leverage it within the technology. One of the things that, you know, we found as we were exploring AI and ML, and especially as we were thinking about how we built our platform, is that

00:29:18:21 - 00:30:19:07

Jiong Liu

if we use AI frequently or ML in a solution for cloud security to showcase like, hey, this is a risk in your environment, it can be tricky when you're trying to build that trust, especially between the security and development teams, because it feels like a black box in a way, right? The explanatory factor is harder when you use AI/ML in that particular format. And we found that, you know, especially to get that trust and make sure that we are all seeing the same information and having the same takeaways from it, it is actually a lot easier for us to go with a heuristics based approach saying, hey, we think this is a critical risk in your environment because we can show you that this container is actually publicly exposed to the Internet and it has a critical exploitable network vulnerability that is on it.

00:30:19:09 - 00:30:41:13

Jiong Liu

And also, hey, this machine has a secret key that is on it that would allow you to then move laterally in the environment. Right. So being like very factual about, hey, this is why we found something and why it is in fact a problem was very important for us, especially in order to get that adoption outside of just the security team.

00:30:41:13 - 00:30:56:15

Mike Halstead

And it goes back to, it's still always important to get a baseline, right? You know, using AI or not, you still need that baseline. So then you can see your deltas and changes and address those.

00:30:56:15 - 00:31:03:18

Roshan Soni

Back to our previous conversation around data. I mean, you have a developer just trying to play around with chat that comes up, right.

00:31:03:23 - 00:31:23:22

Roshan Soni

If anyone's seen that interface, you just start typing text in there, but you want to see what it can do with data and copy and paste it from something right in front of you. And hey, maybe you exposed some client data or maybe exposed, you know, any new forms of PII, whether it just be a name or address or something like that.

00:31:23:22 - 00:31:33:10

Roshan Soni

So stuff like that just opens things up and now it's part of the model and we have no idea what we know, what that data are behind the scenes, right?

00:31:33:10 - 00:31:53:21

Jiong Lui  

Yeah, absolutely. And I think, you know, I heard this analogy the other day and I think it kind of sums it up well as you know, what we're doing here, especially with the cloud and all of the advancements that are happening is we're building we're moving from like, you know, horse drawn carriage to a car now to like a train and maybe a plane.

00:31:53:23 - 00:32:16:11

Jiong Lui  

Right. And AI/ML allows us to unlock new capabilities, allows us to unlock new business models and allows us just to move a lot faster. And we can't have security just be like, oh, no, we're not going to, you know, make these like transformation process in our business. It's more about like, oh, no, you need seatbelts, right?

00:32:16:11 - 00:32:24:21

Jiong Lui  

And you need your air bag, right? Like what are those security controls that we can put in to make moving faster, safer for all of us.

00:32:24:21 - 00:32:36:13

Mike Halstead

So one last question for you, Jiong, and I'd love to find out a little bit around how Wiz products and the capabilities that you guys have, and how it helps the cloud.

00:32:36:13 - 00:32:51:11

Jiong Lui  

Yeah. So Wiz is a cloud security platform. We've actually only been around for about three years now. And, you know, we're very lucky in that we had a founding team that came from Microsoft.

00:32:51:11 - 00:33:16:09

Jiong Lui  

Right. They were building all of the internal and external security products for Microsoft. And they saw firsthand the challenges of cloud and securing the cloud that we've been talking over the course of today. And they recognized that, hey, this complexity, this growing attack surface, the fact that we really need to bring together more than just security teams, but also the dev teams, right.

00:33:16:09 - 00:33:44:17

Jiong Lui  

Everyone that's building in the cloud together to secure it, they realize we need an approach that really simplifies cloud security and takes a platform approach to it. So if you look at traditional tools that are out there, right, they looked at risks in silos and they looked at parts of the infrastructure in silos as well. So container security had its own tool, serverless security had its own tool and so on.

00:33:44:24 - 00:34:14:22

Jiong Lui  

And you had, you know, vulnerability management tools that only looked at vulnerabilities. You had CSPM tools that really just looked at configuration issues. You had CIEM tools which only looked at identity, and it didn't give you that full picture of what an attack path into your cloud environment would actually look like and therefore didn't allow you to really prioritize what was going to be the most important for your security teams to address quickly.

00:34:14:29 - 00:34:43:21

Jiong Lui  

And so that's really what Wiz does is we have this agentless approach to scanning your cloud environment and it allows us to build essentially a security architecture graph of the entire environment that serves as that foundational visibility for everyone that builds and secures the cloud. And from there we map on the different risk factors all in that same platform and allows us to prioritize those attack paths.

00:34:43:24 - 00:35:12:09

Jiong Lui  

And beyond just that, it also allows you to map who owns the infrastructure onto that as well. So if you do find an attack path into the cloud that leads to, let's say, sensitive data, you know actually which dev team is responsible for that part of the infrastructure. And so you can surface it directly to them in a timely manner, show them all of the evidence and the context for why it is an issue.

00:35:12:14 - 00:35:21:08

Jiong Lui  

And that allows them to take action quickly. Right. It empowers them to resolve those issues in a self-service manner.

00:35:21:08 - 00:35:30:22

Mike Halstead

Excellent. Just thought, well, I do know that at RSA, you had quite a busy booth and it was either the interest in the technology or the fact is the Wizard of Oz or both.

00:35:30:22 - 00:35:32:03

Jiong Lui  

Yes, hopefully both.

00:35:32:03 - 00:35:47:14

Mike Halstead

Great. Well, thanks. And thanks, Jiong, thanks, Roshan. And thanks, everyone, for joining us for today's episode of Navigating Forward, the Cybersecurity Series. Come back next week to get pointers for next steps on your cyber roadmap. I will be talking about security compliance and why that is important.

00:35:47:14 - 00:36:01:12

Mike Halstead

Just a reminder that cyber security is 80% good habits and hygiene. But to start improving your health, you need a baseline. To learn more about how to develop your organization's future state of cyber security, go to Launchconsulting.com forward slash cyber. Thank you everyone.
