THE SECURITY INFLUENCER’S CHANNEL HOSTED BY JEFF WILLIAMS CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY Episode Five: Justin Somaini from BOX.com

Episode 5 Justin Somaini of Box.com

DESCRIPTION

In this episode, Jeff Williams interviews Justin Somaini of Box.com. They discuss security implications from a consumer perspective, how security and the cloud environment work together, and revisit Bill Gates Trustworthy Computing memo from 2002.

JEFF WILLIAMS

“I saw you were quoted in an article titled ‘The New Cyber Threats Juice Pay for Security Chiefs’. You said what we’re starting to see is the introduction of new concepts that will eventually change security. Tell us more about what you were talking about.”

JUSTIN SOMAINI

“When we talk about the mobility and always-on networking shift, what we’re starting to see is content and transactions that security practitioners are tasked to protect with confidentiality, integrity, and availability.”

JUSTIN

“In other words, we’ve seen IT organizations’ skills move from maybe some internal application architectural skills to vendor management functions.”

JUSTIN

“It’s that whole evolution of security that we’re going through, which we’ve gone through many in the past. This is just the next iteration of it.”

JEFF

“So you’re saying as we start seeing organizations doing transactions that might be entirely outside their infrastructure, …[that] there could be whole transactions running that never touch a traditional corporate infrastructure.”

JUSTIN

“Absolutely! One-third of the workforce doesn’t come into the network on a weekly basis...how do you implement a monitoring or a detective control structure? How do you manage and see what’s going on, let alone be able to protect and manage those environments?”

JUSTIN

“That’s one of the biggest shifts that we’re undergoing and will continue to undergo, I believe, for the next 10 years or so.”

JEFF

“What can security do to accelerate the process of catching up to these new architectures? I guess what I’m seeing is that there really hasn’t been a lot of change in the way people practice application security and even some kinds of network security. So, what can we do to not be so reactive?”

JUSTIN

“Well, there are probably a couple of different things. In this model you have really three different players:

• Cloud Players

• Security Practitioners

• Security Vendors

JUSTIN

“When we look at the practitioner, again, looking at some of those solutions, having an open mind that from a security vendor standpoint, applying pressure to the cloud providers to make sure that they’re doing their best to implement the basic controls that they need.”

JEFF

“You mention logs. You know, I always think of logs as sort of a very fuzzy way of getting insight into what’s going on in a system or a network from a security perspective. I’m wondering if you see evolution…because right now I sort of feel like the providers are doing their thing and the enterprises are using the services, but there’s really not a lot of engagement, collaboration around security.”

JUSTIN

“I would completely agree, I mean, to a great degree in a big, broad, brush stroke kind of statement. I do think this is changing, but the relationship between customer and provider has been one of a transaction versus a living partnership.”

JUSTIN

“There are players, and I’m proud to say that I think that we’re one of them [box.com], that are really spearheading the open API integration with our customers.”

JUSTIN

“This is not a detachable entity, this cloud provider. But we can command, control, interact, collect, we can have it be part of our ecosystem even though it’s really a third-party application to a great extent.”

JUSTIN

“It all comes back to a very basic, basic concept of the cloud provider saying, ‘This is our role. We are going to create a capability for our customers to leverage our service more than just the presentation layer that we’ve historically done, but more from an API platform one.’”

JEFF

“I’ve worked with clients over the years that have done similar things internally. They have enterprise architecture, and in some ways it operates like a cloud service. I think the integration between the applications and that infrastructure has always been a challenge, even within an organization.”

JUSTIN

“Back to the three parties: cloud provider, security practitioner, and security vendor. If we look at the cloud provider, one of the changes in this whole transformation is the concept of back office functions—security, compliance, privacy—and really elevating them to what I would call the front office.”

CLOUD PROVIDERS

JUSTIN

“We’re going to identify solutions to security problems of our customers, as opposed to just simply getting a certification.”

JEFF WILLIAMS

“Traditionally, end user consumers haven’t been very successful at demanding security from web application providers.”

JEFF WILLIAMS

“Do you think there’s anything we can do to get end user consumers to demand security better so that we can sort of raise the water for all boats?”

JUSTIN

“I think from a business perspective you have the power of the purse. There’s a huge difference between consumers and enterprises in that context.”

JUSTIN

“The conversation of security is dramatically different than it was 15 years ago when I started. We have a voice of government. We have a voice of the consumer that is resonating louder. We have a voice of the advocates that we’ve never really had before on the consumer side.”

JEFF

“I’m glad to hear that. I think it’s been a long time coming…. I think the key, though, is getting consumers to actually demand better security. I think we probably need to do some work around figuring a way for them to articulate that need better.”

JUSTIN

“Well, I think first and foremost in any process, whether it’s agile or iterative development cycles or a waterfall model, I can’t stress enough education. The ability for us to educate our developers on the basic controls that need to be best practices…is so critically important.”

JUSTIN

“Within development…you really need to have security be bled into the ecosystem to make sure that the behavior, the concept, the belief system is one that really encapsulates security in each and every thought process…”

JUSTIN

“I would say the magic really on the back end is how we approach it from a philosophical, educational, and cultural standpoint with the company as a whole.”

JEFF

“I think it’s interesting that you mentioned training and your community of experts that help spread the word. I think you’ve reinforced that with that culture, the tools, the testing processes you’ve put in place, and the support that you’ve given developers.”

JUSTIN

“Some of the problems of security as a whole? I’m never going to have enough money. I’m never going to have enough people in order to manage the company as a whole.”

JEFF

“You mentioned internal transparency between the various stakeholders in security. I noticed on your website you’ve got a page that details a lot of information about how you all do your internal practices. Why do you expose that externally? Not many companies do, so I’m curious. Why?”

JUSTIN

“We enroll our customer in transparent conversations so that they truly understand all of the amazing things that we do to protect their content.”

JUSTIN

“We want them to walk away saying:

1. I have confidence they are doing the right things.

2. They’re going to include us in any sort of situation as it goes along.

3. I can reach out to them for help and assistance if I need it.”

JEFF

“I’m wondering if you see that changing in the future. Do you think websites in the future will have a software facts label the way that your cereal box has a nutrition facts label on it?”

JUSTIN

“I completely believe that this will become the norm. I really do. It will take time. It’s a maturation process.”

JEFF

“So you support people doing security testing on your site on a policy of responsible disclosure. How’s that working out?”

JUSTIN

“The environment that we’ve had in the past few years is very different. The research community is more established. It’s more proactive and supportive from a cloud-provider side.”

JUSTIN

“I think it would be negligent if we didn’t have a program in place in order to receive, operationalize, and remediate those issues.”

JEFF

“Last question. Looking forward, do you think we can get to the point where there really is no difference between the deployment of the functionality and the deployment of the security and the assurance all at once?”

BILL GATES: TRUSTWORTHY COMPUTING MEMO

JEFF WILLIAMS WITH JUSTIN SOMAINI OF BOX.COM