Show Notes: On today’s show we talk with Babu Chimata about Cloud Technology, Dev Ops and Security in a Cloud Environment. He emphasizes the importance of a security-first architecture and the need to consider security from development to deployment. Babu explains that the cloud can be more secure than traditional implementations if proper security controls and processes are in place. He also highlights the role of DevSecOps and the shift left approach in cloud security. Babu mentions the use of cloud native application protection platforms and the significance of vulnerability management and workload protection. He concludes by stating that the security of cloud platforms depends on how they are implemented and used.
Topics Covered:
cloud technology, security, cloud integration, security-first architecture, DevSecOps, shift left, vulnerability management, workload protection
Takeaways
Cloud integration with security is essential and requires a security-first architecture.
Proper security controls and processes are necessary for a secure cloud implementation.
DevSecOps and the shift left approach play a crucial role in cloud security.
Vulnerability management and workload protection are key aspects of cloud security.
Sound Bites
“Security is pretty much ingrained right from development to deployment.”
“The cloud gives us a Swiss Army Knife kind of tool set.”
“The shift left approach pushes responsibility towards the development phase.”
Chapters
00:00 – Introduction and Weather
01:53 – The Importance of Security in Cloud Architecture
03:36 – DevSecOps and the Shift Left Approach
05:56 – The Role of Monitoring Tools in Cloud Security
08:25 – Designing Secure Applications in the Cloud
11:12 – Security Offerings of Different Cloud Providers
13:50 – Conclusion
Autogenerated Transcript
Kelly (00:00.654)
One and we are live with Babu Chamata. Babu, how are you?
Babu Chimata (00:06.068)
How are you? Good afternoon Kelly. It’s a beautiful day here in Minnesota. I’m in Wisconsin. Outside of Hudson, Wisconsin. We’ve had two beautiful sunny days in a while. Yep. We’re at 70 actually. We’re not too far off. Warm and beautiful day.
Kelly (00:09.326)
It’s a beautiful day here in Minnesota. I’m in Wisconsin and outside of Hudson, Wisconsin, but we’ve had two beautiful sunny days in a row.
Kelly (00:23.406)
I feel lucky this time of year I get to look outside and my wife keeps gardens and so I have very beautiful flowers that are on different trees and shrubs and coming out of the ground so I have a great view into flowers. It’s very calming on some of the work days.
Babu Chimata (00:41.876)
very cool.
Babu Chimata (00:46.932)
That is, this is the perfect time to be in Minnesota. Are you in Minnesota right now or not? Yeah. Yeah, yeah. Yeah. Do you get any planting? Do you have anything like that in your house? We had to start getting, we had to start the planting from this week. So it takes us a few weeks, vegetable gardens and flower beds and, yep.
Kelly (00:50.766)
Are you are you in Minnesota right now or not?
Yeah. Do you get any planting? Do you have anything like that outside of your house?
Kelly (01:15.374)
Nice, nice. So for many years, you have been a leader in cloud technology, and is your in you’ve been at Blue Cross for the last two or three years and prior to that at Zurich Insurance, are you known as a cloud engineer? What is what is your title when you’re out at these places?
Babu Chimata (01:17.524)
So for many years you have been a leader in technology. Is your…
Babu Chimata (01:31.764)
Primarily it’s the cloud architecture or cloud architecture or cloud specialist and for Blue Cross actually it’s being cloud and security architecture and implementation.
Kelly (01:56.59)
Okay. In how much is the cloud integrated into the security work today? Is it because development happens and ends up in the cloud that it’s a key part of the security plan these days is how the cloud DevOps or cloud development is done and deployed?
Babu Chimata (02:22.068)
Actually, all of it, all of the items that actually you talked about, because maybe if you think of it as like, you know, the development largely happens, can happen on the cloud. The applications are deployed actually into the cloud. So once they’re deployed, the applications run in the cloud. The data is in the cloud.
You know, so that makes it very essential, like, you know, to have a security -first architecture. So security is pretty much, like, you know, ingrained right from the aspect of actually development to all the way up to deployment.
and running the workloads and protecting the workloads once actually they are in the cloud. The architecture, how we architect them and like, you know, because they, it becomes very essential is because many of these applications are also on the cloud. So the applications, how we architect them, how we integrate them and how we…
build the security layers like for the infrastructure, for the data, and for governance, all of those layers like, you know, so it’s multi -fold or different layers of the same security architectural components.
Kelly (04:07.918)
It’s interesting. This talk of security. I remember 10 years ago, working with many healthcare organizations and they were completely set against going to the cloud because they were very worried about the security of taking your applications and your data in putting them in the cloud. And it almost feels to me like in today’s world, people feel like the cloud is inherently more secure than
Babu Chimata (04:11.668)
security. I remember 10 years ago working with many healthcare organizations and they were completely set against going to the cloud because they were very worried about the security of taking your applications and your data and putting them in the cloud. It almost feels to me like in today’s world, people feel like the cloud is inherently more secure than the field on the front. Is it?
Kelly (04:38.03)
the old on-prem. Is it inherently more secure or less secure than on-prem in your opinion, Babu?
Babu Chimata (04:50.836)
I think my opinion is like, it largely depends on the architecture and the security principles that are applied. But what the cloud gives is that, you know, it essentially gives us like the Swiss Army Knife kind of tool set, and it’s up to us to design and implement. And if we implement it right, with proper security controls in place and proper processes in place,
It is actually going to be far more secure than traditional implementations. But at the same time, if I don’t care for the security controls as much, then if I’m going to take whatever actually it is out of the box or the default controls in place, then I may be leaving doors open. So it is really…
That is where actually the cloud security or the aspects of the cloud security play a pivotal role is because the security has to be thought of right from the get -go. It is not just actually deploying something in the cloud and running it. There is this component of, you know, we use the DevOps, right? DevOps is that, you know,
Developers are coding, they’re getting built and they’re pushed into the deployment environments that could be cloud or that could be on-prem. But with cloud coming in, the DevSecOps is important. So that is one facet of the security. In the DevSecOps, there is a security component in the DevOps. And…
That is where actually we check the infrastructure. What infrastructure are we going to build? What kind of code is going in? Are they secure? Is the security configuration like, you know, or the infrastructure security is complying to the policies actually that were designed like, you know, for an organization? And all of those actually goes into the DevSecOps, which…
Babu Chimata (07:15.252)
Generally in the security world, it’s also refers to as the shift left, meaning I’m pushing a lot of responsibility towards the left, which is the for the on the where the development is happening or at the time of development. I’m not going to wait until the development is complete and the code is pushed. Then I go figure out there is something wrong. Like in here, right? Some there is a vulnerability that we need to address.
or there are infrastructure components that are actually misconfigured. If you remember, Kelly, many of the data breaches that happened over the last few years, I think even there are a couple cases that were actually in the news that they were actually the root cause for some of them is how the buckets, the storage buckets were configured.
Kelly (08:07.31)
Thank you.
Babu Chimata (08:14.772)
they’re misconfigured. So if somebody doesn’t notice like, you know, how those buckets actually were configured that like, you know, then they’re prone to threats from the, like, you know, we are, we are keeping it exposed. So this is where, you know, the shift left, for example, that is, you know, when, when some development team or developers are trying to build,
storage buckets, the controls are in place that a bucket would be created based on the policies or the compliance requirements that are set by an organization, then enforced. So there is no way actually a developer would be able to go create a bucket of their choice, right? They have to comply to those standards. Once the bucket is implemented, say like in the cloud,
or a bucket or infrastructure resource, then there is a security posture that is actually managed so that like if somebody to monitor that no one else is going and tinkering with that. So if somebody tinkers with it or updated those permissions or the policies, they’re going to be monitored and they’re going to be like, you know, alerted. They’re going to be remediated.
So, I mean, like, you know, this is how, like, you know, so the same case of, like, you know, so can those data breaches be, could have been secured if an organization has a pretty, you know, well documented or like, you know, controls and regulations in place? Yes, I think, you know, so there are actually tools, like, you know, that is where we hear the word CNET, cloud native application protection platforms.
That’s where they help. And that is what actually these days when we talk about cloud security is how do we use like, you know, the CNAP kind of solutions and implement them from shift lab from at the time of development to the deployment and after deploying, how do we monitor and protect the workload workloads and
Babu Chimata (10:44.628)
Even after deploying, let’s say I deployed an application, right, today actually I think like, you know, everything is okay, right? Like everything looks fine and rosy, but after a few months we might figure out like, you know, some of the components that I’m using, they’re vulnerable. So they found, because that’s what happens, like in a lot of the software libraries, like, you know, the developers use is that the vulnerabilities would be discovered at a later date.
you know, some other time. And how do we manage them? First of all, detecting, you know, I am using a library reacts 1 .2 and six months down the road, I found the vulnerability saying that like this 1 .2 version has a vulnerability that needs to be addressed. So I need some kind of monitoring tools to figure out that like, you know,
Hey, in my environment, there is an application that is using this 1 .2 library. Log4j was an example, like in a couple years back. And if so, then how do we go patch it? How do I upgrade it? How do I remediate it? And that gets into the vulnerability management. Workload protection, vulnerability management. The vulnerabilities can happen within the application or within the OSes.
So because when we again, going back to your earlier question about, you know, when we use the word cloud security as a general container, it is everything. You know, if the development is happening there, like the responsibility protecting and trying to detect any issues like early actually becomes the responsibility. Like, you know, the sooner we detect.
the less prone we are. And also the sooner we detect the cost of ownership is also going to be reduced. So, yeah, that’s where the DevOps, DevSecOps and the shift left comes into play.
Kelly (12:52.238)
Makes sense.
Kelly (13:02.222)
Is there, do any of the three primary leaders in cloud technology, do they have a leg up when it comes to the security side or is there AI that’s being developed by one of the three that is helping discover vulnerabilities? Maybe all of them are working on AI in that regard, but when you say that the most secure cloud platform is…
Babu Chimata (13:02.58)
Is there, do any of –
Kelly (13:29.646)
Microsoft Azure, clearly the most secure or is AWS or are they all have their own vulnerabilities?
Babu Chimata (13:35.7)
I think, I mean, just taking out of the box.
You know all of them By nature they give us a good tool set It’s up to us to go and implement them Meaning how I use it away both the Google Azure and AWS they all have tool sets I Have to go use it if I for example
If I’m creating a storage account that is publicly exposed as an organization or as a team, I can’t blame actually the cloud provider for it. It is me actually that opened that created it. Now, are there actually tools like, you know, that can actually, you know, check those such kind of things? It doesn’t happen, meaning I could go create
an EC2, you know, and run it and have a public IP. Or I could create a bucket, S3 bucket or an Azure storage account and expose them publicly. But if there are tools or if my organization’s mandate is like there shouldn’t be any resource that should be publicly exposed, then somebody has to go monitor them. And the cloud providers good.
could give some tools actually to monitor them. But it’s up to us to use it. And this is where like, you know, there are actually the third party actually vendors like the Paul Alta Networks is one of them. They have an integrated suite of tools actually that makes it a little bit easy. But…
Kelly (15:15.822)
Right.
Babu Chimata (15:36.116)
that has to be accounted as part of the application design and architecture itself. And it has to be from the ground up.
Kelly (15:44.974)
Perfect. No, you did. You did. You absolutely did. And it makes sense that they all are focused on security, but you have to use what’s provided. So that answer was exactly the answer to what I was looking for there. Well, Babu Chamada, thank you so much. You are a wealth of information, and it’s always on a personal level. It’s always wonderful to see your face and to talk to you. Thank you so much for your time.
Babu Chimata (15:44.98)
So I don’t know if I answered your question. It is…
Babu Chimata (16:03.828)
Well, Bablu Chumara, thank you so much. You are a wealth of information and it’s always on a personal level. It’s always wonderful to talk to your face and to talk to you. Thank you so much for your time. Thank you, Kelly. For everyone else out there, you’re a lot from the bottom of my heart. Thank you, Kelly. Appreciate it.
Kelly (16:15.918)
And for everyone else out there, you’re watching the Vodcast.