Part 1 of 3
Part of an occasional series interviewing top security practitioners and leaders about their experiences
In today’s computing environment—with organizations operating at lightning speeds on go-to-market strategies, business development, and innovation—one would be hard pressed to find a company that isn’t running at least a portion of its critical services in the cloud. Starting nearly a decade ago, business leaders realized that moving data center operations into cloud provider environments could save bundles of money, leading to the use of public, private, hybrid, and multi-cloud services.
Doing so, however, does not come without its challenges and concerns (chief among them, lack of visibility and control). Because many traditional network security tools are either inefficient or ineffective in cloud environments, many a security architect has lost sleep over how to ensure the security of the data and/or applications the organization places “in the cloud.”
One such former network architect and engineer has lived this conundrum. In fact, the first day he started as a Senior Enterprise Cloud Architect at Netflix in 2009, Rob Fry was shown the company’s on-premises data center and told, “Get rid of that. Move everything to the cloud.” Fry recalls the stress he immediately felt: “in those days there were no best practices for cloud migration.” Drawing on his previous experience as a server and security engineer, Fry and team innovated. They found ways to overcome the challenges of secure migration; of authentication, authorization, and networking; they built tools in the cloud that helped combat loss of control and visibility.
Over the years, as Fry grew his capabilities, he watched the cloud space chart a similar course and become ubiquitous. Arriving at today, while the security features cloud providers offer have improved significantly, gaps remain. Edgewise spoke with Fry, who has worked with and advised a number of successful security startups since moving on from Netflix, to learn how he’s dealt with the challenges of innovation and security in a technology environment with massive scale and complexity.
Room to innovate
Overseeing an infrastructure that is operating thousands of servers is a burden on any architecture team. Moving those servers—all or in part—to the cloud takes patience and innovation. The innovation part, Fry said, is key because “most commercial security products are designed and built for specific use cases. Scale and complexity typically are not present,” meaning that architects in those situations need to adapt ready-built products to their networks or develop new tools from scratch, all of which takes time, money, and skill.
Further, not all parts of the network can be treated equally; enterprise and customer-facing environments differ from test environments, which in turn differ from production environments. When dealing with networks like those at Yahoo or Netflix, the need to think “outside the box” and innovate is “not desirable; it’s a requirement,” said Fry. Though a security architect may be primarily concerned about security features and controls, the business is primarily concerned about availability and uptime. This leaves the architect in the middle of a balancing act in which they must invent solutions that satisfy both ends of the spectrum and allow teams to adapt quickly when called upon to make changes that affect products, market trends, or customer needs.
For Fry, learning to be adaptive and innovative at Netflix led to a stint at StackRox, a secure container company out of Silicon Valley. Over the last few years, containers have become a go-to tool for developers because they allow developers to build and deploy software in a secure way. The adoption of containers has been massive, in large part because of how they help organizations roll out new products and features more quickly, contributing to the organization’s top-line revenue, Fry explained.
Similarly, the cloud is providing all kinds of opportunities for organizations, and it’s incumbent upon technology teams to find innovations that propel the business forward rather than hinder its agility. The lack of layer 2 controls in the cloud means that security teams are operating blind when it comes to how software and applications communicate between segments; the security team must therefore place some level of trust in the provider while still developing its own ways to maintain the integrity and confidentiality of the workload.
No rest for the weary
As is to be expected when dealing with a large and complex environment—whether it’s an internal network or oversight of cloud services and the associated confidentiality, integrity, and availability of the data/software—Fry said the number one thing that kept him up at night was trying to identify “what you’ve missed.”
Managing an environment at scale means constantly looking at the services running and trying to figure out which is doing what, whether controls need to be tuned, and how to measure risk. Operational complexity, he said, is the biggest cause for concern because there are so many places where things could go wrong.
In a risk-tolerant company like Netflix, Fry points out, there is freedom to innovate and push boundaries—and even make a few mistakes. On the other side of the coin are risk-averse industries, like banking and healthcare, where companies’ reputations hinge on privacy and protection of sensitive customer data. For them, the safer solution is to watch, wait, and adopt proven tools and techniques. Technology innovation is much more calculated because the balance between speed and agility on one side and security on the other is on much more of an even keel. That said, financial services and healthcare companies are keen on applications and services that improve customer/patient outcomes. Whether it’s a new health monitoring app or a simple way to pay for goods and services, businesses must focus on the user demands of ease of use and accessibility.
For these reasons, system architects and engineers need to be evaluating or developing tools that ensure software and applications are communicating properly and securely, whether it’s to and from the network/cloud to the end user, or simply within the network/cloud itself. Placing controls alongside the data/software rather than the environment in which it’s running allows security personnel to better monitor and measure the health of the network and provide a more reliable risk assessment to the business—that’s value added to the business, and the promise of better sleep at night for the security organization.