Cloud Misconfiguration Causes Breaches—How to Avoid it Vice President of Cloud One – Conformity

Transcript

Andrew Stevens [00:09] Hi folks, my name’s Andrew Stevens with Trend Micro. I want to welcome you to our webinar today on cloud misconfigurations and how they can cause breaches; and even better still how to avoid it. With me here today is Aaron Ansari. Aaron is a Vice President here at Trend Micro and he comes to us from the recent acquisition of Cloud Conformity, that Trend Micro acquired. And previous to Trend Micro and Cloud Conforming, Aaron served as the Chief Security Architect at BMW financial services overseeing the development and application of security policy standards and guidelines. He also managed application compliance across BMW and served as a subject expert ensuring key vendors and partners maintain their BMW practices. Aaron’s also built his OPSEC portfolio with prior roles at JPMorgan Chase, Cardinal Health & Huntington banks. So, welcome Aaron, and I will turn it over to you.

Aaron Ansari [01:13] Thanks Andrew, much appreciated. I appreciate the history of my pedigree and hopefully that for the audience lets you know that you know I feel your pain and have been in your shoes a time or two and have seen some of the things that we’ll be talking about today. It’s my hope and my pleasure actually to be here. But it’s my hope that you get value out of this, I know we’re recording this I’m hopeful you’re able to share it with other resources on your team that aren’t able to make it. And we do have a question or chat window available for you to go in and enter any questions or comments that you have as we’re going over this, so please make this as interactive as possible. 

Aaron Ansari [01:53] So the title of the presentation right we’re going to talk about breaches and how to avoid them misconfigurations. Right and without necessarily naming who or what has happened in the industry, I’m sure you as security professionals and practitioners have seen what’s been happening in the space and some of the big and heavy news stories that have come out of the past year or so. It’s no secret though that there’s an increase in your burgeoning cloud market that’s happening. If you look at the major cloud providers, and I’m going limit this year to North America, if you look at the major cloud providers acrossthe industry the names that pop up, AWS, Azure, GCP right. The gross that’s extreme experienced in these markets from a prediction standpoint is massive, right. Odds are that at your company today, where you’re sitting, you know, two, three, five years ago you didn’t have a cloud project, you didn’t have a huge presence in the cloud. \Maybe there’s some shadow IT organization that went out and bought an AWS presence or maybe there’s some rogue business unit that went out and did something on its own. But buying large as an IS or IT practice you were maintaining an infrastructure or presence within your own four walls or within a co-load location. It’s not the case anymore, right, in these major companies and these major organizations we’re seeing huge growth and huge profits from those growth with presence and customers within the cloud. You can see here from some of the stats that are quoted by Gartner, a 22 percent growth as it relates to AWS. Containers going up going up by 35 percent. The cloud market in 2022 increasing to 331.2 billion with a B dollars at a growth rate of 16.1%. That’s only going to continue right these organizations and the growth that is moving over to the cloud is constant, it is consistent. It is something that your business, if it hasn’t experienced that yet today, will be doing as part of a project coming up in 2021 guarantee. And what you see is part of that is the cloud providers giving an increased level of services. Right, an increased level of technology and increased in the delivery of the content delivery that they’re going to give to their customers. So, if you highlight here in AWS you see the number of services increasing almost a hundred percent year-over-year. Specifically, from 2018-2019. If you were at re:Invent, you saw the launch of many, many new services that were part of AWS and that’s to meet the demand that’s coming from the customers, right. They’ve got a huge set of customers that are ranging from cloud native customers to ones that are just beginning their migration. And the need to increase the complexity and the service delivery to their customers is huge. So you see that that these cloud providers are responding by giving an increased level of quality from a service standpoint to their customers.

Aaron Ansari [05:00] Well, what does that do for you and how does your company react right? So the expertise, the schooling, the education, that you had, that the people that you’re hiring now for positions that you’ve got. Odds are they didn’t cover, you know, cloud security, cloud architecture, in school, right. So the experience level and the expertise of the employees and the staff that that you’ve got at your organization tends to be a little bit behind from a learning curve standpoint as it relates to cloud. Compound that with security, right, security is just getting into main practices in educational environments, right, let alone cloud. You compound those two things and you find that there’s a steep learning curve. When I was at one of the financial services companies that I worked at one of my themes for the year was: the year security is no longer an afterthought. And I worked hard to do almost like a marketing campaign to make security not an afterthought on projects and with people in development practice. Sadly, today that that still could be a campaign that you could you could have in 2020 for whatever career or whatever job you’re in, you know, make 2020 the year that security isn’t an afterthought. And you’ll still sort of have that so what do you do when you combine that right? You get an increasing set of level of complexity that’s coming from the service provider. The cloud service provider with new services and new functionality being launched monthly. Even with decreasing level of expertise or at least static level of expertise, may be that level of expertise is zero, but a decreasing level of expertise that’s coming in from a technologist’s standpoint. What ends up happening, right, and let me throw one other aspect in there, and that’s budgets right. Budgets don’t tend to go up very much. So, the ability to hire a third party or the ability to get somebody else to come in who does have expertise to it, who might have the level of experience that’s needed for the projects that you’re working on tends to be limited. What do you get? Well, you get a recipe for misconfiguration right, you get a recipe for misunderstandings, you get a recipe for having potentially what could be a security incident or a gaffe at least on your company’s part. And so what we did is we went through and started to look at what we’re getting, what people are seeing. I’m going to mid last year as it relates to a misconfiguration standpoint. And by the way these misconfigurations are all well covered within the the Cloud One Conformity platform. But, point behind it is we’re seeing a level of misconfiguration that’s consistently happening from customer to customer. Right, so that level of expertise as it relates to storage, as it relates to key management or key infrastructure, as it relates to validation of users identity and access management is consistent. Right so there’s a gap, there’s a, and I know I’d argue that it’s actually a wide gap between the expertise and what’s happening within our customer base and the configurations and the cloud posture that’s being done there.

Aaron Ansari [08:18] With respect the teams that are that are trying to do the work right, there’s an increase in agility right, there’s an increase to speed, there’s an increase to go to market. Odds are you’re sitting in your cubicle, your office now and you’re no longer in an iterative or a sort of waterfall application delivery model. Right you’re in – you’re not in – in a waterfall, you’re into more of an agile environment. You’ve got stand-ups, you’ve got scrum masters, you have build coordinators, you’ve got releases that are happening daily, weekly, monthly, not quarterly or even annually or semi. Right so your need to execute and to deliver upon product as it relates to going to market, and as it relates to your business delivering content have gone up. Right and so you couple that on top of this, and you’ve got the velocity that’s tied to application delivery, that’s coming here and you know, you really got a recipe for disaster. What now, you know, I’m not sitting here preaching gloom and doom or flood, right. Obviously when I say you have a recipe for disaster, I’m saying you have an opportunity there to work on the management and the posture management that you have around that. So, what we’ve done at Trend is we actually released a report based on years of research, and more in particular based on, you know, last year of data and research across our customer base. Very, very large organization with thousands of customers across the world so a great pool of data and a nice relationship with our customers to be able to meet with. So, we actually, we will produce the report, if you haven’t seen it I’m sure we can make the report available to you, or you can just, you know, search the Trend 2020 forecast report and we found a couple of things. One with this misconfiguration with the lack of knowledge that’s we’re finding, that attackers are certainly fine finding a way to take advantage of weaknesses. Two, the service framework that’s being built up right is unfortunately right for misconfiguration because of the reasons that we said. Which introduces some vulnerabilities as well as a vulnerable code that could be released as part of that. This obviously compounds everything and gets to the point where there are in addition to the infrastructure standpoint application or container level components that tend to be tied to various security concerns related to the allottee application works. So, this might not be any different from the static or dynamic code analysis that you that you were doing in your development practices 5-10 years ago. You still have to do you know the development and analysis of code and peer review and security reviews of code that’s going out there. You’re just having less visibility into it, you don’t have that visibility into how or when an environment is spun up. If you’re in a service install that it’s one up for a couple of days and the development team spin something up, you know, Monday through Wednesday, and spins it back down. Odds are from a security and visibility standpoint you either, one, didn’t know that it was ever spun up or spun down or, two, by the time you did know, were unable to respond to whatever happened within that environment, whatever happened with that data. And unfortunately the people that are paying attention to these things, right, the news agencies and federal agencies. So here we have a list of kind of a compilation of various ranges and finds the unit of currency here is in US dollars. But the point remains the same right. We’ve got millions of fines that are being leveraged from a, in this case GDPR standpoint, but from, obviously the European, but you know California coming out with the CCPA right. That’s the industry, I’ll say the governments are moving towards mandating and protecting data. So, back when I was in my roles, one of the things that I had from a hammer standpoint was, well you know, Aaron why do we need to do this? Why do we need to add this tax to the security tax to this project that we’re doing that taking payments for Rolls-Royce customers? Gee, I don’t know. The hammer that I would be able to use is, well look you know, they’re federal, they’re global, there are standards that we have to do from a compliance and framework standpoint that’ll mandate that we have to protect and that we have to do that. 

Aaron Ansari [12:47] So, what’s come out of that right, we’ve got this industry, got increasing cloud with organizations and entities that are migrating to the cloud at an increasing rate. We’ve got development environments that are moving at a high speed velocity that need to respond a business and respond to customer needs. We’ve got these shadow IT and, sort of presence that’s popping up and down in the cloud. What do we have to do and how and what is the space or the organization that’s the label that’s responding to that? And what you’ll hear, what you’ll see commonly, this cloud security posture management (CPSM). So CSPM, right we’re big fan of acronyms, this isn’t a three-letter acronym, this is a four-letter acronym. So it might be a little bit different to you get used to adding an additional character there. But this is a cloud security posture management. It’s being recognized by Gartner and the basics of it are the sum of what I’ve been talking about here, right. The workloads, the environment, require configuration controls, visibility into those workloads and into that environment. You have to be in a position as a security professional, as a cloud security architect, as a cloud architect to understand what’s happening. Gone are the days where you knew about an application that was being built, you know six, eight months before it was being built because you found out about a server that was coming from Dell or HP. You knew about the hardening processes that the networking was going to do, you knew about the middleware stack that was going to be put, and you knew about the application, you know, is going to be doing development on top of that. All of that is done now with the click of a mouse in a matter of seconds and a completely frictionless sort of environment install. So, this field or kind of what we’re going to be talking about in particular, wraps up very well within the CSPM for cloud security posture management sort of work.

Aaron Ansari [14:41] So we’re going to go, I’m going to pass this back over to Andrew when I asked him a couple of questions. I’m going to take the feedback and talk a little bit about that and I’m going to go into a little bit more detail on this. 

Andrew Stevens [14:52]  Thanks very much Aaron great overview of kind of what’s going on in the industry and some of the challenges here. So yeah, we just wanted to get a couple, a feeling for what you guys are seeing in your environment in your organizations. So I’ve pushed a question there to you right now, you can look at that on your screen as it comes up I’m just going to read it to you. So the first one here is what are your biggest pain points around cloud services? And so there is a couple of options there. Ensuring the security of the workloads. Creating and implementing business aligned security strategies. Establishing actionable performance and risk metrics. Implementing effective data protection. Managing identities. Managing incident response. Maturing your vulnerability management capabilities. Or creating and rolling out high impact security training. So that you can just give us an idea and Aaron will kind of comment on that a little bit and then we have one more polling question before we get into, Aaron is going to talk a little bit more about some of the solutions available in the market. And I would also after you’re done, answering these, this polling question if you do have questions, please use the Q&A widget to ask your questions and we’ll be sure to answer those at the time, at the end, we’ve reserved some time to answer questions live and we’ll try to get to some of them in the chat with, or sorry the Q&A widget, as well. So, there we go, let’s see what we’ve got for answers on this. Aaron are you seeing it?

Aaron Ansari [16:54] Yes I am seeing that. This is pretty much in alignment with what we’re seeing in the industry as well, and what surprises me a little bit is the implementation of effective data protection. So, you know, I’ll tell you in 2006 I worked to implement a DLP program at the organization that I was at. In 2019, I was told it was finally implemented. So I was hoping that this problem, kind of was taken care of. But, you know, what was great about about this problem in particular, you know tagging and some of the some of the, the services that are offered via the database functionality from the cloud service providers actually help effectively build this into it and obviously our solution and platform helps mitigate this, to a certain extent as well. So, this this aligns very well obviously, ensuring the security of cloud workloads is huge and sort of the leader there. Tying, incident responder, IR, as part of that, is a good one. And, one that we will certainly be speaking to as well. I think we have one more set of questions coming in as part of this. And this aligns well with the answers that you just take that though, we said that we had this problem here. What are you doing about it.

Andrew Stevens [18:15] Yeah, exactly. So, next poll question here was, what are you doing about visibility in your cloud services? so four options there, no visibility, limited, visibility using existing cloud service provider’s tool, they’re using an existing cloud security posture management tool. So yeah give us a sense there of that and Aaron will comment on that in just a second here give everybody a second to make sure they filled in their responses. Okay let’s, let’s see here. A lot of people using existing cloud service provider tools.

Aaron Ansari [19:01] Yep, almost half the audience using the CSP service tool, which is great. We certainly recommend that as a first step right. If you’ve got you know limited or no visibility into it that. It’s nice to see 20% are, you know, sort of adopting a CSP and that’s higher than we’re seeing from an industry average we’re finding it closer to about half that actually 10% of the people with whom we speak, have a CSPM tool or solution in place. But, you know, good to see that of this audience, we’ve got a much more advanced sort of group people. But this speaks well to sort of what we’re saying, you as your audience, as this audience have gotten the message right, you see the problem, you’ve identified the gap, and you’re looking for some answers, and some of those answers are provided by that by the cloud service providers themselves, which is good. Right. So the good news about the Cloud One platform is that we actually already ingest, all the data that’s provided by the cloud providers right. So we call them CSP, cloud security providers or cloud solution providers depending on how you like that TLA. But they provide either a sort of a base level set right, there’s Security Center, there’s Security Hub there’s some other security services that are part of the platform itself. But what you need to understand, one, is the shared responsibility model that’s provided, that’s part of the delivery that the cloud provider’s giving you. If you don’t know what the shared responsibility model is, you should look it up all the cloud providers have a shared responsibility model as part of their delivery. But then, two, for the most part, and we went back and forth and asking the question. Unfortunately, we don’t have a lot of time but I wanted to ask a question about, are you in a multi cloud environment. And for the most part what you’re finding is either for risk mitigation reasons, business continuity, disaster recovery, in a multi cloud environment in an organization, or because of the expertise that’s available as part of the cloud example you know people think that machine learning and artificial intelligence in GCP is, you know, strong whell house. An example, you might be an AWS consumer but Amazon might compete with your organization as a business. You don’t want to put money or a lot of dollars into AWS. Another example is, as part of your Microsoft license you might have some sort of agreement that allows you to get Azure services right so multi cloud is is another feature functionality that’s there and when you start to have to rely on multiple console, multiple dashboards, multiple functionalities to get the information or the data tend to be a problem, and two, leveraging that cloud provider as part of you know the person that’s giving you that thumbs up. Like if you’re letting the service provider tell you that everything’s good odds are every single time you ask them they’re going to tell you that everything’s good. Right. So what we come up with as a solution set is Cloud One. 

Aaron Ansari [22:01] Cloud One is a, you see the six components of this, I’ll call them a wedge. It’s a multi layered, multifaceted view of your cloud environment and it covers the, if you think back to the OSI model right that all the way down and up the stack right from the hardware from the network component, all the way up to the application delivery component of thing. It covers you in all those pieces and parts of the components that you would have as part of your application. And the beauty of it is in one place, right, so here’s a single dashboard. It’s aggregated data. Completely exhaustive and covers, each of the aspects of what you’re looking at, and gives you that visibility, and the capacity to have the insight in a single environment. And so if we talk about some of the pieces and components of this and I’m going to be respectful of time here so I’m going to go a little bit quickly through this because obviously I want to focus on on the Conformity component of it. But we’ve got everything from workload container, host security, to actual security for the images that are part of the container as part of our Deep Security Smart Check product, some of the people on the phone here are likely Deep Security customers have seen this in the past couple of years so we were able to get this and integrate it into part of the Cloud One platform. Which has been a huge benefit for our customers and something that has been positively responded for certain, as well as the Immunol product which is another component that we have separately, that was a couple of years ago. So you can see how tying this all together right and having the ability and the capacity to look at the entire stack and the entire layers of your model from everything from the workload, to the container the application, the storage of the data right we talked about DLP, we talked about data classification as being one of the problems they’re having the ability to actually scan the cloud storage services. Obviously Conformity is something that we’re going to go through in depth. So, I will cover that here, but even down to that network component. The Cloud One strategy really put it all in one place.

Aaron Ansari [24:17] Obviously, I am a little biased but I’m a trend employee here, but I argue that it is the most advanced cloud visibility solution and security services platform for you in your cloud today, and I would challenge you to look at that. So we’re actually going to look at the Conformity component of it. And we’re going to talk about, you know, kind of, why and how we, as what was formerly Cloud Conformity, now part of Trend Micro Cloud One Conformity, is here and what we do. And what we do is specifically give you that visibility into the infrastructure of your Cloud. Right, so when somebody spins up an environment on an account in a serverless capacity for temporary amount of time, we are able to give you that visibility into what’s happening. And in addition to that, we’re able to provide you with an analysis of what is happening within that environment. Right, so we can say, hey, somebody is in this environment, they logged in with this account, and they set up this environment. And by the way they didn’t configure things correctly, right, so they had an s3 bucket over here, they have an RDS instance over here. It’s been sitting idle since they spun it up, and we’re able to sit there and do the analysis of it, and also offer you the ability to fix, and remediate any findings that we have, again, in that single one stop shop. Places visibility to run and do the check of those analysis and run that analysis of your environment, in real time, right in fractions of a second, right and continually. One of the other things that’s important about the way that we do this, is that we’re doing this constantly. It’s one thing to be able to come in and say okay you know I did a scan of the environment this week, pre build or post build. This is where we are, this is our posture, this is how things going. Here Mr. Auditor, here Mrs. Compliance Officer, here’s where things stand. By the time you’ve printed  that document or sent that PDF, the environment’s changed, right, we’re in that agile, that complete high velocity build mentality. And there’s a lot that’s happening right the services been released.  

Aaron Ansari [26:32] So when we do from a from a Conformity standpoint, is that we provide a check, and it is a huge library of checks. I mean if you haven’t seen our knowledge base yet, please go out and check our knowledgebase because we actually provide you with a step by step guide on how to find and remediate the things that I’m going to be talking about here. So, we give you the capacity to get to, you know, remediation and even sort of that self healing sort of model, with what we’re finding and we also overlay certain frameworks and certain components on top of that to do that. We understand the build processes and the way that you kind of do your development or pipelines, and the way that your team kind of builds and so we build capacity by template scanning. We build in capacity to integrate via API you don’t actually have to log into the UI to look at this. And so we’ll give you the data via programming interface so that we can have the data in a consumable fashion. And we map back to the best practices of the cloud providers, that’s the beauty of this right. So, I told you that we ingest the data, the services or components that are provided by the cloud providers and that’s true right. For 40% of you go through and you’re using GuardDuty, Macies, those are the things, you’re using the Security Hub components of the tenants and best practices of architecture with Azure. So we consume that data. We bring it in. It’s a great starting point. And then we’ve mapped back to the actual components of it. So if you, you know, are sitting there and you’re like, you know we, we practice you know, the well architected framework, we pack your practice the four tenets of Azure Security, I can actually tell you how you map back to those and how you map back to the control pieces of that. So it’s very, very, it’s meant to be very helpful. It’s meant to be very visible, and it’s meant to be something that helps shows you that. Now I’m going to show you a brief demonstration of the platform here. There’s a little bit of a lag, that happens, you know, call it the Wi Fi connection call it the widget, the plugin that’s helping share this screen, this isn’t just like a zoom or WebEx or something, dealing with the 300 and some odd people we have a platform that does this. So, I’m gonna go through and show this to you but if there is a lag or if you’re not necessarily seeing what I’m seeing. Wait just a little bit the audio should be synced that’s what’s happening so you shouldn’t see or have too much of a delay but what I’m sharing right now is actually the platform.

Aaron Ansari [29:05] Now, so you can see a multi cloud environment here right, I’ve got AWS and Azure components. I’m going to focus on just one of these, AWS. What you can see is an overall level of compliance tied back to those five pillars of the well architected framework. We’re gonna see I’m 64% compliant, as it relates to how well architected framework works. Now beyond that right, we go and cover beyond just the well architected framework, or that four tenets of security, best Practice security architecture. So we’ve got some other components and other features that we have. So you can actually go through here and check, you know, how things are happening as it relates that framework right, you can instantly, imagine, adding an account. Configuring the account via our CloudFormation template, within half an hour, I’ll say 35 minutes. It takes about four minutes to run that first initial scan, going and being able to say, look, this is where we stand as it relates to the well-architected framework, this is where we where we stand as it relates to NIST 800-53 fourth revision. Tied specifically back to the control and allowing you to go and look at a specific instance on what’s happening within that environment. So here I can see the controllers AC-2 account management, and here I can see in my global master account, I’ve got a compliance issue that ties to a failure that would show that I have failed that control. Right, so do an audit as it relates to this, I would see that pop up. We have a couple other frameworks that are available that aren’t necessarily tied to these tabs right. So we’ve got HIPPA, got GDPR, PCI those sorts of things. We want to service our customers by the industry that they’re in and these are the industries that we’re seeing moving to cloud and adopting from this nature. So you’re able to with the click of a mouse, with a low level of time and investment, see how things are happening in your environment almost immediately. Right, so see this breadcrumb trail and looking at extreme high and very high findings that are failures in my environment. And I can see okay on this account, I’ve got 10 checks, I’ve got an S3 bucket that has default encryption turned off. Oh, you know what, this is actually a public website, so let’s let’s do this as an exception to this, because we want our public website to be unencrypted. Or, oh, you know what, this is very important. Not only is this high, this is extreme. This is a super, super huge finding that we need to mitigate right away, will entice them on remediation that part of that to that. So, configurability visibility. 

Andrew Stevens [31:50] Sorry, getting a few comments here that people can see your demo. Oh, maybe they can now. Yeah, okay,

Aaron Ansari [32:07] Yeah like I said there’s about a 14-15 second lag. 

Andrew Stevens [32:12] Okay. Sounds good. Let’s keep going then, sorry about that.

Aaron Ansari [32:16] No worries, and I’ll say that I’m certainly willing to sit down with you and go through this, you know, one on one. And so, if there’s a level of interest that’s popping up here, at least the level of interest enough to have a conversation, obviously it’s my job to help cultivate that level of interest. So as we’re demonstrating this, if you want to see more, if you’re on the website looking for knowledge base right now, and are like, oh I need to see how this works, or how this configuration is done, please, please reach out to us, we will certainly walking through it. So, as I was saying like configurability, right, visibility, some sort of other ability is how and why we built this, and the name of the game. Meant to be consumable, it’s meant to be digestible, it’s meant to be something that you can process through. And it’s meant to be via the methodology that you need to do it, so I’ll actually demonstrate some of the communication or configuration settings that we’ve got here and hopefully you’ll see it, I’ll pause on the screen for a long time so that it does catch up. But let’s say you’re doing, you know, development in a snow or Service Now Environment or perhaps more akin to the DevOps teams that are here, JIRA right. So you’re doing development in your environment, you’ve got bill coordinators that sit all over the country, you know, somebody in Tennessee somebody in New York, somebody in California. Build coordinators that are in Seattle and Texas that are doing this, and you’ve got developers that are augmenting and kind of helping deliver this project or this product that you’re working on. The way that we work, and the way that we operate, is we’ll integrate with your team. So let’s say developer builds something and promote it to the environment in that arm, we’re connected right, we see the account that the developer has done the work in, the build that was completed, promoted to a specific environment, we scan that environment in real time, and we push back a bunch of finding. We’ll push those findings back to the development team by the integration to JIRA so that the build coordinator can track those bugs, right, track as bugs. And as the features are closed and complete, those bugs, or those fixes are remediated. And so we don’t have to see them again, so we’ll conduct a scan and verify that those bugs have been fixed. And now that’s all integrated into the way that your build process takes place. So you as a security architect, or you as a cloud architect administrator, never necessarily even saw this has happened, other than to get a report the next day or later that evening or however you have it configured, that simply say, Hey, this scan was done in this environment. We found all the findings. We permitted it by the build coordination process the build coordinator did their job, the developer did their job. All this is fixed. You didn’t do any, you didn’t get involved, there’s no ticketing that was done by your, you know, process or your sort of workflow, and this is happening 24/7 365 right. So not tied to a person. It’s tied to your process. And we can integrate this into your pipeline in your environment such that all of this is automated, right, new accounts get created, automatically scanned by us. New instance gets promoted, they’re automatically scanned, added to the process, scanned from a baseline and compliance standard sort of thing. Is able to go through and give you those remediation components, and findings, via whatever process that you kind of have set up within your practice. 

Aaron Ansari [35:48] So I’m going to stop sharing hopefully you’re able to see that communications and components slide, obviously there’s a lot more that we can go on here, but hopefully you were able to see that. Again I will completely reiterate to you, it’s my job to help you understand this so please reach out to us and we will gladly show you this one on one and actually tie it back to your environment as part of proof of concept to show your own data. Kind of, wrapping this up and giving you a little bit of summary of how and what the Conformity component of Cloud One is and was built right. 520 checks against the top 60+ of AWS services. 80+ checks against the top 10+ Azure services. Whose numbers are only going up as we practice what we preach and we certainly are agile, we certainly run our tool against our own environment, and we certainly imagine new services and new features come out and are demanded from our customers, we promote and build those, and offer those up to our environment. So 600 some odd checks. Remediation guides for each of those checks. Cost evaluation, very hot, so when you talk about the investment that you’re putting from a monetary standpoint into this, you compare it to you know, I’ve gotten the comment like well you know I could hire your developers in India to do this, my feedback is sure you could. One, you have no idea how to manage developers in India, that’s fine, that’s neither here nor there. Two, the developer in India don’t work 24/7 and even if they do have coverage that is 24/7, it is not 365, it’s not nearly as automated, not built into the process and you’ll have all sorts of communication issues with it. So having that ability to get high value out of something is very much one of the practices, or the core competencies of how we built this.  

Aaron Ansari [37:36] Real time monitoring right we’re able to go and see things that are happening with your environments within fractions of a second right. As soon as that happens, we’re able to give you feedback and tell you what happened, how that matched back to what needs to be done and what you need to do that. Total integrations with your existing build processes, complete level of enhancement that’s coming to additional integrations that are out there right. So as our customers get more, well as we get more customers and as our customers get more advanced and new technologies come out there from start-up in San Francisco, to start-up in Israel, that has this new practice that you’re following, we’re able to respond, give you, at least a base level of integration here by assist log out or just some level of functionality that you’re able to see that. Right. And so to wrap it all up right, it is automated. Your ability to go through and see and map back to your architecture. It is able to be part of your existing processes, right, so not coming and just saying, you know, I’m not adding that security tax or adding the security, you know, speed bump or hurdle to the project in the way that you might normally have been considered to be looked at in previous rates, right. I’m just part of your development process, I am part of your bugs, part of the build, part of your features. So I’m building that kind of into your culture, not necessarily making this an attack. And you’re actually able to put in the security practices and checks that they’re needed to safely and securely kind of promote and build this. And so as I said, we’ve got, you know showcase this to you in a limited, tight, tight time window here, but we certainly want you to see this we certainly want you to experience it. We certainly want to be part of it and help grow and develop make this as feature rich and as functional for you and your peers in this audience as well as in your field. So we do have a demonstration that’s available to you. And, or hopefully, I’ve said it three times now, hopefully you’ve got another tab up right that’s looking at the knowledge base right now, and looking at the rules that we’ve got in there. Maybe you’re sitting there, racking your head against the wall about something with guardrail or something with RDS, and we got the solution, literally right there for you to consume and able to be answered for what you’ve been working on, what you’re going through. Obviously that trial is something that I spoke to, but definitely something that we want to engage with you on. So that’s my time I appreciate very much appreciate your time and want to be very respectful of it. You know we have questions that have been popping up and I’ll pass it over back to Andrew and Jamie. Andrew, Jamie. Thank you very much. You’ve been very, very wonderful, and thank you for setting this up. Thank you, as an audience for attending very humbled, very happy to be here.

Andrew Stevens [40:26] Yeah, thanks again Aaron. Yeah, let’s go through some of the questions we figured we’d do a number of them live we’ve been trying to get to them as, as we go along here as well. But one of the questions that came up is what kind of reporting is, is available for the Conformity piece, the Cloud One Conformity.

Aaron Ansari [40:49] Sure. Good question. So, in addition to just having a PDF generated report, that filter view that I showcase to you, can be sent to other administrators within the dashboard. If you’ve got other people with whom you’d like to share the data and the findings that you have, you’re able to do that from the dashboard. You can set up an email that can actually send the findings or links to the findings to someone in your organization. Or you can do the integration to, you know, some of the ticketing and process features. So we’ve got export ability by a PDF, we’ve got emails, and we’ve got kind of a workflow within the toolset, in and of itself, just to share reports and data. 

Andrew Stevens [41:30] Also, a question whether this can be used on more than AWS. I think you gave a number of AWS examples there you also talked about Azure a little bit. Just speak it to that a little bit more maybe. 

Aaron Ansari [41:48] Sure yeah, so multi cloud, yes. So AWS and Azure is covered right now, we’ve got GCP on the roadmap and more than just being on the roadmap in the process of being developed, which is going to be launched in the second half of this year. So definitely want to cover the major players within the market that I had kind of on that first slide right, the three most major players. So, AWS, Azure, Yes. GCP is on its way. We’ll be here and we’re certainly always looking for beta customers to be helping us as part of that. So, you know, if you’re a Google person, or in a Google environment you want to help us develop and make this, we’d love to be as responsible as possible here to your needs.

Andrew Stevens [42:34] Okay. There was a question on, is it on the roadmap for Teams integration in the communication settings?

Aaron Ansari [42:44] Very, very astute question. And yes, it absolutely is. Obviously, as we increased the Microsoft or the Azure features and components in addition to the rules and the scanning that we’re doing. We are going to have Teams integration too. Remember we want to fit into your build process right. If you are in Azure environment, or in Office, or in a Microsoft environment, we know that you’re going to have Teams as part of that. So, very much so. Yeah.

Andrew Stevens [43:11] Okay, another question here. How quick is it to implement the Cloud One Conformity and do some testing with it in my environment?  

Aaron Ansari [43:25] About 45 minutes. We like to say an hour, right. So, a majority of that time is tied to the sort of administrative things that you’ll have to do to get your accounts in order, to run the templates to connect the accounts. Once your account or accounts are connected, the scan runs in 15 minutes and the recording features are available in just three or four minutes after that. So, typically it’s about an hour.

Andrew Stevens [43:53] Okay, great. Actually I see we’ve got a couple of questions about Teams so that was a popular one there. Whether this is a you know Saas offering, I mean I think you kind of touched on that. Definitely a Saas based service makes it really quick and easy for people to implement it and test with it. Right. Correct, yeah. Yeah. Okay. We’re actually kind of wrapping our time here we said we wanted to kind of keep this to 45 minutes is kind of a key time so if there was any questions that didn’t get answered, at this point, through the Q&A tab we will make sure to follow up on those. But, again, thank you very much for attending. Thank you, Aaron for presenting and educating us on this. You will see in just a second here, a browser window that’s going to pop up, that will take you to our actual knowledge base, the Cloud One Conformity knowledge base where all of that information on, you know, the how or what our rules look at, and the information that’s available there. The recording link. So this has been recorded we will send that out via email to all of the attendees today. I just would also remind you that we, this is kind of a series of webinars that we’re doing right now we have another one coming on February 20 where we’re going to take a deep dive into kind of cloud native application security and cloud native application development how we provide security and what kinds of things are going on in that, that industry as well so if you want to link to that right now. That’ll be in the resources widget, or there’s information that will come in a follow up email so again thank you very much for your time and thank you again Aaron.

Aaron Ansari [46:05] You’re welcome. And real quick, just another shout out. Thank you to Amanda, I forgot to mention you earlier, but thank you very much for all you did. And thank you everyone else.

Read More HERE