Cloud Control: Q&A with Ken Toler on Bridging Code and Security in the Future of Cloud Responsibilities

April 30, 2024

Bridging Code and Security in the Future of Cloud Responsibilities

We're back with Cloud Control!

I’m thrilled to bring you the latest Cloud Control interview with Ken Toler, Founder & Managing Principal Consultant at Asgard Security, and a true expert in cloud security. Ken's diving into how coding is becoming more crucial in our security strategies, especially as we push into an era where everything runs as code. He's got some great insights on the challenges this brings and how we can turn them into opportunities for better security practices. Whether you're deep in the trenches or overseeing strategies from above, there's plenty in this chat to help you understand and adapt to these changes. So, let's get into it and see how we can all make security a seamless part of our development processes👇

Question 1 💭

Ken, it’s great to have you on. Being in the security startup environment, tell us what significant trends or challenges you see emerging. What’re you focused on?

Answer 1 🎯

Generally, I am seeing a growing challenge understanding the shared responsibilities we all have in cloud computing, and it’s a crucial and often talked about topic. In the past there was a clear delineation of responsibilities within an organization, and as startups and small organizations begin with more modern workloads there is a push to an everything-as-code and automation paradigm. While that streamlines a lot of the infrastructure, it contributes to a dilution in security knowledge, and there is a noticeable decline in hands-on expertise with fundamental security practices such as secure network architecture concepts like appropriate isolation and subnetting. Rapid innovation often takes precedence over stringent security measures, which can lead to overlooked best practices like this isolation and environment separation. I think that ultimately increases risk. My focus is always on integrating security practices into organizations through education on fundamentals and transferring those fundamental concepts into modern workloads. I think that we are at a crossroads where security can be a value-add to the speed of development as long as we think about it in that way. We don’t have to be the add-on we’ve traditionally been shoehorned into.

Question 2 💭

As someone deeply involved in the security community through organizations like OWASP, AWS Loft, and NYSEC, how have you seen the dialogue and priorities within these communities evolve - especially with the rapid advancements in cloud and application security? Can you share an insight or story that particularly struck you?

Answer 2 🎯

The security landscape is seeing this incredible shift as disciplines like AppSec, infrastructure security, and cloud security overlap and share methodologies. I think this is driven primarily by our new common language of code. We’ve often debated whether or not security professionals need to learn how to code, and the fight against learning code is something I see less and less often because it’s increasingly obvious that comfort levels are rising and it's becoming this common language among security engineers. That growing comfort with code is pivotal, allowing our industry to adapt. Despite all of that, I think there’s a noticeable lag in the adoption of effective security practices in these new ‘as-code’ environments that stems from cultural resistance, skills gaps, and rapid change. We’ve been doing security in application development for a long time; there’s no reason we can’t apply those lessons to infrastructure as code, policy as code, and whatever else as code. I think the dialogue is often crowded with buzzwords like shift left, right, up, and down with AI, which, while catchy, can hide the real work needed to implement those concepts effectively.

Question 3 💭

You've described yourself as a "tinkerer" who enjoys breaking, building, and reassembling for a living. Can you share a particularly memorable challenge you faced while tinkering with cloud or application security, and what it taught you?

Answer 3 🎯

Of course! My fundamental approach to security is with an eye towards curiosity and understanding systems by building, breaking, and rebuilding them, whether that’s in my day-to-day life around the house, to my wife’s chagrin, or in my work. It goes beyond problem solving because it’s about diving deep into what makes something tick so that you can find vulnerabilities and root causes to issues. One of my most memorable challenges involved a Terraform deployment while I was building an application from documentation. While setting it up I found that the local-exec execution was executing with root access, which seemed like a pretty dangerous oversight. Following that line, there wasn’t much to take over the server with full access to an AWS organization, but questioning that failure and pushing into it is what can help to lead to stronger systems rather than accepting the status quo. I believe you should approach every project like a handyman, with a readiness to fix and improvise to uncover hidden issues audits will inevitably miss, and it’s not even something you have to be a security engineer to do.

Question 4 💭

The concept of DevSecOps can vary widely in interpretation. Through your lens, how have you navigated these varied understandings to uncover core practices that genuinely enhance security and development?

Answer 4 🎯

I love the concept of DevSecOps because, like many security terms, it’s overloaded, buzzy, loved, hated, and misunderstood. For me, DevSecOps isn't just about bridging the gaps between development, security, and operations teams; it's about extending this collaborative spirit to encompass all departments involved in the product life cycle. This includes involving non-technical teams such as marketing, customer support, and design, which are often overlooked in traditional security discussions. It’s crucial to recognize that our "customers" aren't just the end-users but also the internal stakeholders who interact with our systems daily. It’s essential that we consider their needs and experiences; by doing so, we can implement security measures that support rather than disrupt daily business activities. This approach not only enhances security but also builds a culture where every employee feels responsible for and knowledgeable about the role they play in robust security. At its heart, DevSecOps is about inclusivity. It’s about breaking down the barriers that traditionally separate technical and non-technical teams within an organization. By involving everyone from product managers to sales teams in the security process, we create more resilient and thoughtful security strategies. This inclusivity ensures that security solutions are not only technically sound but also enhance user experience and align with business objectives.

Question 5 💭

When you're bridging that gap between security and product engineering, I'm sure you run into a few raised eyebrows. What's a common myth or misunderstanding you often encounter? How do you tackle it to get everyone on the same page, without stepping on toes?

Answer 5 🎯

Security integration can certainly bring on skepticism and often does, and one of the most common retorts is that integration will inevitably slow down the development process. That misconception usually stems from this view that security is restrictive rather than an enabling component of product development. I think it really comes from this idea that security is a requirement and this general aversion to anything that we MUST do or have to do. I think many product engineers still see security as a series of gates that complicate development and testing, which isn’t totally unfounded, but that idea doesn’t account for the evolution of security practices and tools that enable rather than inhibit development speed if implemented correctly. I typically present concrete examples where security in early stages prevents significant delays and costs that would have resulted from addressing things after the fact. Real-world, demonstrable examples are key to proving the point, in the same way that demonstrating an exploit says much more than talking about a vulnerability. Beyond vulnerabilities, some security functions like automatic secret rotation, point-in-time access, and code completion can make engineering lives easier by providing them with what they need when they need it without much intervention. Ultimately we need to build our relationships and implementations with a measure of empathy and understanding of how other people work.

Question 6 💭

Security is often seen as a hurdle, but it really can help to push the limits. Can you think of a time when early security engagement in a project opened up new avenues or solutions that wouldn’t have been considered otherwise?

Answer 6 🎯

I love this question. Although I'm generally cautious about using compliance as the primary motivator for security initiatives, a recent engagement highlighted its potential to unlock new avenues for collaboration. In this particular scenario, the company implemented a compliance automation tool that inadvertently became a bridge among various teams like IT, engineering, compliance, legal, and procurement. Typically, these departments operate in different ways with different methodologies and have limited interaction with and understanding of each other's challenges and perspectives. This time, with the engineering team, the automation tool offered a fresh viewpoint on compliance that translated legal and regulatory requirements into engineering challenges. This shift in perspective transformed compliance from an obligation to spreadsheets into an actionable set of tasks that felt similar to bug fixes or vulnerability management. Viewing compliance through an engineering lens helped demystify it and integrate it into their daily workflow, making the necessary changes more palatable and actionable.

Question 7 💭

As cloud technologies continue to evolve at a breakneck pace, what strategies do you recommend for staying ahead of the curve in terms of security best practices?

Answer 7 🎯

I think the answer here is to keep your mind open and remember that what worked in your last engagement isn’t necessarily the answer to every engagement. Allow yourself the flexibility to evolve and, most importantly, listen to people and their challenges. I’m a firm believer in innovation coming from listening to challenges and coming up with mutually beneficial solutions where no one has to give up what they want or need. I think we too often get stuck in frameworks, methods, procedures, and rigid standards where innovation is stifled. This isn’t to say it can’t go completely the other way and crash and burn, and I’m certainly not advocating for a free-for-all, but finding harmony is incredibly important across teams. Notice, I’m not saying balance. We’re not teetering on the edge of too much or too little; we’re ensuring that we’re all able to move fast and freely while being considerate of each other’s challenges. That may seem extremely philosophical, but if you begin with that mindset I think you’ll find yourself iterating on and innovating security best practices every day.

Question 8 💭

Blockchain technology has been a hot topic for a while, especially concerning security. How do you approach blockchain security? What unique challenges does it present compared to more traditional security concerns?

Answer 8 🎯

What excites me most about this domain is its intrinsic emphasis on security as a foundational element. Blockchain, or more accurately the web3 ecosystems, treat security not as an afterthought but as an integral part of its culture. This commitment is evident in the rigorous encryption practices and consensus algorithms that define the technology, as well as this attachment to auditing projects as table stakes. Naturally, without any governing body, particularly around the standardized measurement of security, there are persistent challenges that plague all of these projects. This issue isn't unique to blockchain or web3, and it mirrors longstanding difficulties we’ve faced across various tech sectors over the past two decades. Finding reliable and universally accepted metrics to gauge security effectiveness remains a constant problem, making it difficult to assess and communicate the robustness of blockchain platforms. I think that blockchain is part of this timeline of evolving technological paradigms, the latest of which is “AI” or LLMs, but we’ve seen these patterns in SaaS, Cloud, Agile methodologies, DevOps, you name the buzzword. Each of these technologies introduces unique challenges and opportunities, with blockchain standing out for its potential to redefine how we think about decentralized systems and community-driven incentives. One of my absolute favorite aspects of blockchain is this ongoing effort to harmonize security practices across organizations, projects, libraries, and even individual contributors within the ecosystem. These efforts are critical in a field that operates without centralized governance, making collaborative and consensus-driven security practices not just beneficial but necessary. This challenge is immense, yet it offers a fertile ground for innovation in how security can be managed collaboratively across the globe or in organizations. I think that blockchain, and more specifically web3 organizations, push the boundaries of what is possible in collaborative security.

Question 9 💭

With the increasing complexity of cloud environments, what are your go-to tools or methodologies for ensuring that security is not just an afterthought but a foundational aspect of cloud architecture?

Answer 9 🎯

I find immense value in self-assessment frameworks that do not necessarily require formal certification. Tools like the NIST Cybersecurity Framework (CSF) and the OWASP Software Assurance Maturity Model (SAMM) are awesome because they provide structured guidance and best practices that help organizations assess and improve their security posture without the burdensome overhead of formal certification processes. It’s no surprise that one of the critical strategies I advocate for is involvement early in the design phase of cloud projects. Integrating security from the beginning is far more effective than trying to retrofit it into an existing architecture, but we’ve all heard that story time and time again. Modern cloud environments are dynamic, with changes occurring at the pace of a pull request, which demands that security measures are not only robust but also flexible enough to adapt to continuous modifications. Use your application security skills! Create secure pipelines and infrastructure which are secured by design and by default, because these practices we’ve been innovating on for a decade ensure that security is a foundational element of the infrastructure. Continuous monitoring and the ability to respond quickly to changes are certainly necessary, but if you can’t remediate and repair at the speed you build, you’re in for a bad time.

Question 10 💭

Looking ahead, what emerging trends or technologies do you believe will significantly influence the landscape of cloud and application security in the next few years? And how should professionals in our field prepare to meet these upcoming challenges?

Answer 10 🎯

I do think AI is going to influence our applications, but not in the way it’s being marketed today. There are a ton of ethical and operational concerns coming alongside innovations, and I don’t think we’re truly evaluating the impact of how it’s going to affect us. It’s really hard to predict, but the best way I think you can prepare is a call back to a question we talked about earlier in building, breaking, and repairing. Get your hands into the buzz of what people are talking about. Use it, break it, figure out how to make it do things it’s not supposed to do, and help contribute to making it better. Always approach innovation cautiously, skeptically, and with a beginner’s mind and a willingness to learn. I think whatever innovations come, that will better prepare security professionals for staying at the very least WITH the curve, if not ahead of it.

Latest AWS and Azure Updates You Don’t Want to Miss

  1. AWS Systems Manager Parameter Store now supports cross-account sharing
  2. Generate AWS CloudFormation templates and AWS CDK apps for existing AWS resources in minutes
  3. AWS free tier now includes 750 hours of free public IPv4 addresses, as charges for public IPv4 begin
  4. Azure Red Hat OpenShift April 2024 updates
  5. General availability: Extensible key management using Azure Key Vault for SQL Server on Linux

Top Articles and Resources of the Week

Articles

  1. Security threats to enterprises in the cloud (and how to address them)
  2. Three cloud security misconceptions that hold SMBs back
  3. Can generative AI help address the cybersecurity resource gap?
  4. Microsoft Copilot for security is generally available, adding AI to cyber fight
  5. Privacy and security issues of using AI for academic purposes

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.