VMware sponsored this podcast.
Alex Delgado, a security engineer at the Gremlin chaos testing service, points to the disconnect many enterprises have. It’s not that the developers aren’t building with the newest technologies like Kubernetes and microservices. It’s just that security and compliance haven’t even heard of these things. And it’s increasing risk.
“You can’t secure something that you don’t know how it works,” he said, on this episode of The New Stack Makers, where Delgado reflects on his past at a security and defense enterprise and his present at scale-up Gremlin. He began his career in customer support and then remediation of customer concerns. That put him in an interesting but often frustrating position as he moved into security, which had him throwing code over the wall that was released maybe three months down the line.
But here is where Delgado learned that managing security risks against business objectives best comes from understanding customer pain. And it comes from understanding how to communicate those risks, even to the Luddites of us. Of course this can be a challenge, as he points out during our interview that much of this is qualitative decision making, a balance act of questions like:
- What is the business trying to achieve?
- Why is it important to mitigate that risk?
- What’s the cost of mitigating that risk?
- How important is that risk to business objectives?
Delgado says these questions have remained while the entire approach to security has evolved alongside the tech. At his first employer, like many running on monolithic architectures, security was defined as protecting against root access with perimeter firewall barriers. Since you implicitly trust all devices and people behind that barrier around your network, data isn’t a primary concern.
It’s quite the opposite with modern cloud-backed distributed systems, run by distributed teams, connecting to numerous external services. Delgado recommends corporate environments run a cloud access security barrier or Cloud Access Security Broker (CASB) to monitor how their traffic and data are running in the cloud. He thinks they’ll be surprised to discover hundreds and even thousands of requests running through those cloud resources, making level three security just not enough.
In this new Zero Trust world, everyone and everything must now be authorized to access any segmented part, which is often a microservice or miniservice behind a service mesh. And with each access, the identify of who is accessing what data and the integrity of that data is authenticated before that access is authorized.
Delgado says role-based access control or RBAC, as was recently upgraded in the Gremlin system, is essential. It allows even non-IT people to be involved in security practices because everyone has the basic skills to assign roles and access levels — but only people given authority can make those decisions. And everyone in a company has a stake in its security.
Delgado worries that security teams, particularly for more compliant industries with older architectures and hierarchies, have become stagnant. He references Square’s Mobile Security Lead Dino Dai Zovi’s talk at August’s Black Hat information security event, which argues that “Every Security Team is a Software Team Now.”
Like the rest of tech teams, Delgado says security is shifting distinctly left. In fact, at Gremlin, there’s at least one security engineer embedded within each team.
In this Edition:
Why don’t you tell us more about your cybersecurity journey?
5:48: How does managing risk work in both distributed teams and in legacy systems?
10:19: How do you then segment? A lot of zero trust comes down to segmentation. How do you decide that, especially in a complicated system, how do you then map that out to business goals?
11:47: So let’s talk about role-based access control. You just set that up at Gremlin. Can you tell us a bit more about that and how it works?
16:07: What do you think is the main security concern facing companies these days?
23:54: What is one thing that our listeners can do to help someone get a leg up in the tech industry?