Is Your Agency's Data Secure In The Cloud?
About this episode
SEPTEMBER 27, 2019
Cloud computing offers a wide array of benefits such as lower fixed costs, improved flexibility, automatic software updates, better employee collaboration, and the freedom to work from anywhere. Even though cloud computing has been around for approximately two decades, a large portion of small and medium-sized businesses continues to operate without it due to security concerns regarding their data. In this episode of the GEEK FREAKS PODCAST, we put Patrick McClory, Founder & CEO of IntrospectData, on the Insurance Hot Seat to discuss the importance of cyber security and the cloud. Patrick has built and driven value into new and existing companies at an engineering and organizational level. He's helped hundreds of companies grow and mature “in the cloud”.
THIS WEEK ON THE HOT SEAT
RON HARRIS
VICE PRESIDENT
- 15 years in the industry.
- Enjoys spending time with his family, riding his Harley, and finding time to sleep.
- Fun fact: Ron broke both of his arms.
- He's a simple person, enjoys work, but also enjoys being alone reading a book or learning something new. Loves candy DOTs!
Patrick McClory
FOUNDER & CEO OF INTROSPECTDATA
Drawing on his background in software engineering, DevOps, and executive coaching, Patrick builds engineering foundations and processes to drive pervasive and impactful business results. Having helped organizations at an engineering and organizational level, he believes that the current technical landscape is ready to reconsider how we drive decisions from the ambient data surrounding us.
Transcript – Episode 8
Is Your Agency’s Data Secure in the Cloud?
Ron
Welcome to the Geek Freaks Podcast. Before we get started, make sure to hit the subscribe button on Spotify, Apple Podcasts, Google Podcasts, Breaker, TuneIn, Castbox, Stitcher, YouTube, and other podcast listening platforms you may be tuning in from. On today’s episode of The Insurance Hot Seat we have CEO of Introspect Data, Patrick McClory, and he will be talking to us about the security in the cloud and how to get to the cloud in a secured fashion.
(Intro music)
Today’s podcast guest is Patrick McClory with Introspect Data. He is the CEO and developer for them, how’s it going Patrick?
Patrick
Going great, how are you?
Ron
Not bad, can’t complain. The weather is changing here in Michigan and I really had to think about whether or not to put on a long or short sleeve shirt today. So, it’s changing.
Patrick
I’m not allowed to talk about where I live. I live in southern California. Generally, fairly, a little jealous of the weather we’ve got.
Ron
Yeah, you get 70’s and sunny no matter what’s going on here, we get 6ft of snow. It’s not fair. Let’s not talk about it.
Patrick
I grew up in Pittsburgh, so I feel for you.
Ron
Oh alright, yeah so, you’ve got a small taste. Well I guess not a small taste, Pittsburgh gets a good amount of snow too. But anyways, I want to jump in today. I appreciate your time. The whole premise of this again to kind of put it out there is to have those in-depth conversations. We have a lot of small-medium sized businesses that range anywhere from 5 to 300 people so we thought it would be advantageous to have a conversation wrapped around security and cloud and making that leap from an on-prem situation to a cloud-based situation. Whether it’s you know your AD or Azure, your AWS, even running customer apps and kind of what that looks like as far as security goes or the shifting in security and responsibility. So, we thought nobody better to talk about it than somebody that’s been doing it for years. So, if you want to give us a little bit about your background and how you got where you’re at, we’ll jump into it.
Patrick
Yeah, absolutely. Again Patrick McClory, I’m here as CEO of Introspect Data. It’s a pipe deal, machine learning, cloud-focused consultancy. We kind of come out of a number of organizations I’ve been a part of including a company called DualSpark that I co-founded that was sold to an MSP called DataPipe. I got to build large-scale, strategic platform for them, and I spent a lot of time helping their consulting organization. Working with them and their large-scale enterprise all the way down to their SMB customers in cloud. Prior to that, just to kind of round out the history I actually was a part of the …. production service as well. So, I worked for the cloud, with the cloud, and around it. I have worked with a couple hundred customers in a variety of you know kind of vendor specific situations, written a number of industry articles everything from SMB and start-up to large-scale enterprise. So, you know the security question is always a fun one, where frankly you know things become a very contentious argument in organizations where they start to wrestle with moving to the cloud. The first concern is well are we going to be secure. And the easy answer is yes. The hard question is how do we re-rationalize our policy, our sort of interpretation of our compliance needs, our security standards into the opportunities that the cloud offers. And often the case these organizations spend 10-15 years with the same basic policy structure with tools that came out in the virtualization era and as we sort of moved into this next phase with new techniques and capabilities throughout automation with new security structures it’s no longer kind of full stack responsibility, you have shared responsibility models which actually made it less Azure with Google Compute. You know you have to rethink all of the implementations to really do an efficient job of managing security and that doesn’t mean you throw policy out.
Policy is usually pretty good, but it’s not how-to key that needs to be rethought. Sometimes a tooling question, sometimes it’s a posture question. Do we really trust, and can we trust the cloud for business and how do we verify that?
Ron
Sorry. And I think a lot of that get behind too because when small to medium sized businesses decide to make this push to the cloud, you know it’s a big scary monster to them, right. Because it’s a ton of the unknown and the major factor is how are we going to get it there, how is it going to work, is it going to work, and kind of the policies you are speaking about and the security posture and all that other stuff kind of comes second fiddle to it. And I think that is also bad for our industry and what we do, and it’s bad for businesses. But I understand how people…we have a couple web apps that we have, and security was the last thing we thought about. And we were already down the rabbit hole with getting stuff done and it’s like okay we need 2FA, we need separate databases, we need all this other fun stuff, so yeah it’s important, but I always feel like it’s left behind in some form or fashion.
Patrick
Well I mean let’s talk about it a little more abstractedly for a moment. At the end of the day if you read books like Gene Kim’s Phoenix Project and look at sort of the pro DevOps perspective, you know what you hear is a lot of organizations saying security holds me back, security is the no group, they are always the people that say no and they never kind of move forward. The problem is the cloud and more specifically the API driven infrastructure movement, that ability to you know point-click and get a server, put a credit card in, get access and resources. Made it so that the time is alive for anything, the time it takes to acquire resources goes from months and weeks in a traditional set-up to where there’s time for security set aside instead of minutes and seconds where there’s no time to think. There’s not that natural sort of waiting period for security to consider the implications and I think that it’s a new way of working for security and security seems to embrace that automation focus and embrace that model because what they see is shadow I.T. and sort of businesses going off on their own creating the work to your point where security becomes a last thought. In my product development experience, I can tell you that in today’s world it is easier than ever to think about security first. To build security into your applications, in your infrastructure, as a first-class citizen in an automated, secure, consistent, and audible manner. And that’s not just for some random start-up, but you know high-level compliance from your standard PTIBF kind of stuff all the way to high end banking and national security kind of workflows. The automation is there it just requires that you look at it from more of an engineering perspective than a compliance and checklist perspective that’s more manual.
Ron
That’s no longer reactive now, right. It has to be proactive with the ways things are going and the industry and how things are going for small to medium sized businesses. We were never considered a huge threat plane for security issues and all of a sudden, we are. And all of a sudden, the attacks are becoming more sophisticated and now the laxed ideology wrapped around some of these things are getting us in situations where nobody wants to be.
Patrick
Well and to that point I think that there’s a good bit of this where there’s a lot of fear and uncertainty and doubt related to security in the cloud that is pure marketing. I’m not saying there isn’t a concern or that there shouldn’t be thought put into this. But there are a lot of hardware vendors out there who have spun a lot of anti-cloud rhetoric that frankly just isn’t informed. So, part of this I like to sort of section off and say you know am I more secure or less secure in the cloud and I always say it depends how much effort do you want to put into it and are you going to follow…break from your current practices that you follow on-prem and kind of follow cloud better or best practices. If you do what you are doing in your data center in the cloud, certainly your security posture will not be as strong.
Ron
Yeah.
Patrick
But if you make the move and you really rethink how you approach even just some of the security basics, you’ll likely be more secure in the cloud with less effort and it may require some investment…time to get there, but the nature, the real answer is always a little more complex than the fear that we all naturally have. And I think none of us really like change, right. It’s ultimately a people problem because if nobody wants to change, but the benefits that exist, especially from a security perspective and kind of a new world here are just so obvious that they are really hard to ignore nowadays.
Ron
And I think we’ve seen a lot of the people being the issue when we are trying to do password policy changes even locally on-prem. You know, hey you have to change your password every 90 days. No, I don’t want to do that I like my passwords, or you have to have a complex password, well I like my password being hotdogs. Well now it has to be hotdogs10!. Well I don’t want to do that. Or even like when we rolled out 2-form factor to a number of our customers, that was extreme. There was a lot of pushback on it because now you are including your cellphone or a YubiKey. There’s more pieces and parts, but you know at the end of the day they are 10x more secure than they were with their password, so yeah it’s the people are going to have to be the ones you win over and unfortunately ease of use and security typically don’t go hand-in-hand.
Patrick
Well I think you just highlighted two really specific models and two kind of dimensions that this changes on. You’ve got the piece of it that to your point earlier the types of attacks are becoming more and more sophisticated and easily accessible. It is cheaper than ever for a malicious person on the web somewhere to grab a server and attack you just like it is easy for you to get a server and attach your stuff to. So, there’s that ease of access that lowers the bar to make it easier for malicious actors to go towards what would have been low-value targets, SMBs at the end of the day. But on the other side you’ve got people and their sort of frustration with the things that keep them safe and because the threat back there is more kind of targeted and easier to achieve for attackers, we have to do more at a people level, even minimally. To just sort of protect ourselves and I always like to try to simplify the argument because we can get really, as an engineer we can get really wrapped up in the details.
Ron
Yep.
Patrick
But ultimately, I’ve got two kids and it’s like telling my kids hey don’t cross the street, put your helmet on, be safe and none of us really like being told what to do, but when it comes to keeping ourselves and our company safe you know there are new rules that are just basics. YubiKeys are great they are cheap, they are easy to deal with, and they provide great hardware level 2FA. I got you know Google Authenticator on my phone, a YubiKey for a variety of services that we use and it’s sort of a non-starter for most of my work and for most of our clients that it’s sort of a given it’s how it works. As we get more complicated talking about security teams who really wrestle with cloud it becomes a question of what are we really trying to do and how do we really keep an eye on that, how do we achieve the same level of compliance with safety and security and that’s a similar conversation…more common and people don’t like change and we need to do what we can to protect against those new vectors and that common threat that is coming through front doors from whatever angle.
Ron
Yeah, they aren’t knocking anymore before they enter. They are just entering. And I mean everything is evolving and as they evolve, we have to evolve. And as a service provider I have to be able to provide those tools and those teaching points and it’s like you were saying it’s hard because nobody wants to sit down and have that conversation because nobody wants to be told that their password stinks.
Patrick
And like the helmet for my kids’ argument, you know there are simple ways to prevent it. Sometimes you have to make a mistake and feel the pain to really understand the changes necessary. I don’t want to turn this into a negative argument, but at the end of the day you know it really helps highlight the urgency behind it and you know data breaches at Capital One, and some continued concerns with other financial organizations that are struggling with this. It’s great to know we are all in this together and all sort of needing to make sense of this from one end of an industry to another. But, it’s a lot easier to learn from their mistakes than it is to have to feel the pain yourself and I think that on the one side I’m an ardent advocate for better security from end-to-end and in fact we do our latest product that we are currently building, I was very adamant and very specific early on that we would have not just good security all the way around holding our code, but that we would actually include everything from vulnerability detection and code security stands from day one in our build pipeline. It’s not an add-on, it’s not a second-class citizen, it is a critical part of our product development pipeline. And likewise it is a lot easier to start with these tools than it is to add it in, but it is the nature of the new world that we have to be more vigilant at all levels, but that’s not a bad thing either I think it’s good for all of us.
Ron
No, and I think everybody wins. It’s I get it, to go back to your point of marketing that they did a good job of scaring the pants off of everybody else and it’s great for security providers, but it’s also hard because now they are just getting pounded. Like consumers are just getting pounded with fear. Everything is driven by fear.
Patrick
Well they don’t know what to do. And that’s the hard thing is when I put my consulting hat on, I’m generally and at a market level I’m generally frustrated by the fear-based tactics that are used to sell security or used to kind of counterpoint the security of other system. I was watching Oracle and lot of things coming out of that are fuzzy and there is a lot of fear, uncertainty, and doubt being sold by different vendors that are trying to attack the security perspective of the competitors without really talking about product. And Amazon, Google, Microsoft, shoot even Oracle they all have a base-level of security capabilities that are going to be sort of merged and molded into whatever security posture you really need. There are very few use cases that they really can’t handle, national security being one of them. There are some … and military kind of components that are possible to achieve … deployed sort of standalone components and those are big organizations. Most of the SMBs that we are talking about are likely really concerned about basic sort of standard compliance remarks from HIPAA to PCI and I mean every one of these providers gives you direct insight on how to achieve that. So, really, it’s a question of do we want to think about it, kind of consider how we want to merge into this new world, or do we want to listen to the marketing and sort of let that take over. That’s a hard thing to push against because it is a loud voice in the market.
Ron
And that’s where you guys come in correct? That’s what you guys kind of do as far as consulting? I guess let’s talk about that for a minute before we get you off the horn here because that’s a huge value to a small business or even a large and medium sized business to a company that cares about their data first before they care about ya know the pretty things.
Patrick
Yeah, we do a lot of really deep, I don’t want to call it strategic work but a lot of what we do is very focused at two levels. It’s helping organizations rationalize and make sense of everything from security posture to cloud strategy to at the bottom level coaching them on actually how to go do it. I think it’s easy to sit around and say hey you should do this, you should use …, you should play around with the…, you should architect your applications to these three parts, it’s easy. And frankly, it’s something that Amazon will do in their organization. They have consultants that will come in and show you what a picture of your systems look like. But the hard part is actually partnering with the teams who are responsible for doing the network and not just showing them the ropes, but showing them the new way of working, the new approach. How do you take advantage of these new services and capabilities and you know how do you take a culture and team who have been focused on legacy delivery and help them become more opportunistic and help them become more focused on what the cloud can do for me and how can I balance cloud capabilities versus you know writing our own software versus open source, how do I bring this new world together and sort of paint the pictures by numbers instead of having to be Picasso every time you build something.
Ron
So, a more cloud zen is what we are trying to achieve is that perfect balance of security doing it yourself, finding out what fits. Because that’s a scary thing for small businesses oh I want to go to the cloud I just don’t know where to go, there are a lot of options.
Patrick
Yeah and we find that customers … we can do a quick touch base and help kind of paint the picture and do some coaching and guiding and that’s pretty low cost relatively, you know high value experience. On the other hand, you know we can parachute a person or two into that organization and kind of build that strategy on an executive level, build the software next to your teams and help restructure the higher approaching cloud hands-on and show you the ropes directly. That’s a little bit more high-touch, but our goal is to never sit in your office or come to you, even remotely, and be your go-to people forever. I really respect organizations who work in the managed services business. I’ve been in that world. I’ve spent a lot of time helping DataPipe build their automation suite for that kind of world. And it’s complicated. It’s a business that I don’t necessarily want to be in myself. I’m glad for organizations like yours that take that effort on, but I really want to coach these organizations so that they themselves can be successful in how they move forward. And a lot of them do partner with MSPs to help kind of keep an eye on the systems and kind of watch the shop as they keep moving forward. But you know the goal for me is to help the technical teams and at the business level the CTOs, CEOs, CFOs, really attach strategic value to technology and understand how they can leverage that for the growth of their business.
Ron
Perfect, that’s awesome. That was awesome. Really well said, I was going to try to sum it up, but you did it for me. No Patrick I appreciate your time today. Is there any way anyone listening today can get ahold of you via LinkedIn or Twitter or anything?
Patrick
Yeah so, IntrospectData.com is the easy way that is our website, it’s in the process of upgrading to a new platform fairly shortly, but it is out there you can reach us at, you can email me at Patrick@introspectdata.com and we are on LinkedIn and Twitter, we are everywhere. But we would love to connect with people even if it is just to say hi and talk shop. Otherwise anything we can do to help we’re happy to chat.
Ron
Well I appreciate your time today Patrick. It’s a great conversation to have because I know it’s the big hairy elephant in the room that people are still not having that conversation wrapped around is going to the cloud and what it means to get there. I appreciate your time today and yeah thanks for listening everybody we will talk to ya soon. Thanks Patrick.