RTInsights editor Joe McKendrick and Sumo Logic CTO and Co-Founder Christian Beedgen discuss the changing requirements for security in the age of digital transformation.
In this RTInsights Real-Time Talk podcast, Joe McKendrick, Industry Insights Editor at RTInsights, and Christian Beedgen, CTO and Co-Founder at Sumo Logic, discuss the security implications and challenges due to the push to digitally transform operations and the way applications are now developed. What is needed is to move beyond traditional security approaches and to focus on data-driven security that helps identify hidden issues and cuts through the complexity of securing modern applications.
About the Continuous Intelligence Insights Center:
From real-time fraud prevention to enhanced customer experience to dynamic energy load balancing, businesses of all types and sizes are realizing the benefits of Continuous Intelligence, helping them make decisions in real-time while events are happening.
Where do you begin? What are the key requirements? RTInsights’ Continuous Intelligence Insights center, sponsored by Sumo Logic, brings together the latest insights and advice on continuous intelligence to answer these questions and more.
See Also: Continuous Intelligence Insights
Read this podcast’s transcript:
McKendrick: Hello everyone. This is Joe McKendrick, an analyst with RTInsights, and welcome to our podcast on continuous intelligence. I am so pleased to have with us here again for the third podcast in our series, Christian Beedgen. He’s the chief technology officer and founder of Sumo Logic. And we’ve been having some great discussions. Welcome again. Great to see you again.
Beedgen: Thanks for having me.
McKendrick: Today, I’d love to speak with you about security. As you mentioned in the earlier podcast, your company sees 900 petabytes of data a day, so you folks really have to know security. Security’s been an issue, and it’s been a concern for decades now, since the days of the mainframes and the days of the early internet. Everybody’s always been worried about it, and it just seems to be security is getting more of a concern, more intense. Are we making progress at all in terms of delivering or ensuring security for our data and for our systems?
Beedgen: At the same time, the challenge is also making progress. It’s very similar in terms of what we talked about earlier about reliability. And to some degree, it is a race, and with security, often the bad guys are a little bit ahead. But I do think that there’s progress being made in terms of the general population, or folks in business, I guess, understanding just how crucial it is to have a cybersecurity program. And to not look at this as an afterthought or as insurance, but to be proactive about it.
We’ve talked a little bit about digital transformation and businesses becoming digital, and the pivotal importance of digital experience. And we talked about digital experience having many factors. Two of the ones that I’m involved in are reliability and security. If stuff is down, if your site is down, people will go somewhere else. We are only getting to the point of tying security back to a digital experience from the business outcome perspective. And then having to have the security, understanding the importance of cyber security for your digital experience and therefore for your competitiveness and success. And there are a couple of angles, stairs on the highest level where, what is the security impact on digital experience, trace it back down.
One way to look at it is that, first of all, there are a lot of compliance regulations that you need to adhere to. And that’s progress too. And I know you can be cynical about it and say, “Well, it’s more process, and more random forms to fill out, and what’s the EU parliament to do with putting together GDPR and all of this stuff.” And you look at the letter of it, and you say, “Oh, well, this particular paragraph is just full of it.” But the point is that they actually care and that the spirit is there. And then there are provisions to also use the forcing hand of the government system, which is something that we trade-off. We get our freedom, but we also get our government, and those two things need to balance each other out. That is definitely progress, and that’s why compliance in the wider sense is something that you have to do and that I think you should do, because it actually is going to mostly point you in the right direction, and it’s better than not doing it.
We process a lot of data that comes to our service, and that data comes. We are a custodian for customers of that data. And we went through a huge evolution there, starting all the way back in 2010, to figure out not just how to architect the system in such a way that we can intelligently talk about what the security controls are that we have in place, where encryption happens and all of this. You certainly want a technical view on that if you’re a customer. But also, to say, “Hey, this is not just a bunch of architects thinking big thoughts. This is actually implemented.”
I mean, just use government-level security compliance regulations. And that matters to us because we do believe that it’s not just basically check the box thing. It’s not just something that we have to do, just like paying taxes. We believe that the tax we pay will make better roads and all of that. In this case, it validates the processes that you have designed to keep stuff secure in your company. Or, at least they work better than if you don’t get them actually validated because sometimes checks and balances are always important. But why do you care other than, “Well, I get fined otherwise.” I do think there’s a moral obligation, especially now that we are living in this world where everything is SaaS-delivered.
You are, in many ways, the custodian of your customer’s data. It’s almost extreme, and we have locked data of all their systems. But if you leak credit card numbers, PII, and more, it can lead to identity theft. It can lead to all kinds of very, very unpleasant outcomes in the US, in a credit system. With PII, you can potentially destroy somebody’s credit score. That can have extremely unpleasant consequences. As somebody who builds systems and delivers them, there’s a moral obligation that you have to prevent that, first of all.
And then, of course, you have a business obligation as well, because if you don’t do this properly, you’re going to be out of business quickly. We’ve seen this over and over again.
McKendrick: Are there aspects of cyber security that perhaps aren’t getting enough attention? For example, we hear a lot about the hackers on the other side of the world who are constantly challenging our systems and going after personal information. But there are other types of threats, too, insider threats, for example, right?
Beedgen: I think we’ve come a long way, and I think it’s well understood now that most attack vectors come through potential compromise. Hackers are trying to target somebody that works for your company, trying to take over their account via phishing and stuff like that. I think just today, I don’t have the details, I’ve only seen what’s on Twitter, but there’s a large identity provider that is apparently having some problems where people claim that they were able to infiltrate internal systems via a contractor whose credentials got popped. That is, to some degree, an insider threat, but maybe it is mild. Originally, an insider threat meant somebody goes and downloads all the customer lists and stuff like that. And before leaving for the next victim, sells that data to China or something like that. Now, your employees are your attack vectors, but I think it’s fairly well understood at this point.
I think one of the things that has actually risen to the forefront in the last couple of years is what we call the software supply chain. That was maybe not really that well understood in the past. It is where software products that you consume and deploy are often built on top of other software products and open-source libraries. And versioning of those things is hard. You built your product, and you depend on a chain of libraries at a particular version, and then you need to always keep them up to date because their attack surface is large. People try to exploit them. It becomes known, an update gets published, and you need to pull that update in, but then your customer also needs to update.
It is even worse if you indirectly depend on this because that library that you pull in then depends on another set of libraries. And that chain can become very, very deep, literally sometimes thousands of libraries that any given enterprise product depends on. Just keeping track of all the stuff is very tricky with containers and Dockers. It is an equivalent of what’s in your Docker file and what gets pulled in for which version of what and which images are you running. I think there have been some very high-profile incidents over the last couple of years that have left doors wide open for bad guys to come in and wreak all sorts of havoc.
As I’ve said earlier, everything’s a house of cards. And no matter what you do, it’s very hard for you to understand the physics all the way down to the atom. In computing, it’s like it could be literally a firmware or microcode exploit on the CPU. You’re not going to be able to manage that, no matter how good you are at software development. That’s a very extreme example. The more realistic example is let’s say I’m in a Java ecosystem and I depend on an Apache package of some sort, and then that depends on three other packages. It’s very easy to miss something along the way. You have to have a big process in place to make sure that you get notified. That’s something that’s fairly new.
There are also cloud security issues. It’s very easy to leave S3 buckets open, and everybody can look at your data. The equivalent exists in Google and Microsoft as well. And then just basically API security. Because everything gets virtualized, automated, and subject to role-based access control. Then again, you are in a chain there, you have delegated authentication, and you have an identity provider in there. Those guys do probably one of the best jobs that you could possibly do in the world on this type of stuff, and you’re still not immune. So, it’s a hard problem.
McKendrick: As we discussed in an earlier podcast, everybody’s becoming a developer, or everybody needs to understand how this process works. And we have a wonderful situation, one sense where everything can be put together like Lego blocks, right? You have the software chain you talk about with the open-source libraries, cloud providers providing services, and the APIs. You have all these building blocks where you can just assemble your applications, but at the same time, they have these security vulnerabilities that may be lurking deep down within these building blocks.
Beedgen: Have you ever stepped on a Lego block? I mean, it’s very painful, right? So, and this happens even to people who know Lego, if I’m to stay in the metaphor, right? With great power comes great responsibility. We’ve talked about ridiculous non-functional requirements that pretty much every app that runs mission-critical revenue-generating stuff in a business undergoing digital transformation. You know that the requirements in worldwide 24/7 and all of that. We try to provide additional monitoring for security as well, and it’s something obviously that the product that we’re building does. And as your tooling and understanding of analytics and so forth, including predictive analytics to some degree, is getting better. But the challenge always the bar is always rising.
McKendrick: Christian, we’re running a long time, and I just want to get your thoughts. What should IT managers know? What should they do to address this?
Beedgen: I think what folks already know about security to a large degree is classic enterprise infrastructure security. What folks are probably still learning is just how incredibly important application security is. Applications are so exposed because they have to be because that is the digital transformation imperative. And the way that we’re building applications and delivering them worldwide is changing. So, there are new challenges.
McKendrick: Wonderful. Great thoughts. This wraps up our podcast series with Christian Beedgen. It’s been wonderful having you join us for this series. Again, Christian is the CTO of Sumo Logic. And we want to thank the folks at Sumo Logic for their partnership in this series as well. Christian, great speaking with you. Great learning from you. And I know our audience appreciates you being able to share your insights as well. Thank you very much for joining.
Christian Beedgen: Thanks for having me again.