Mike Laramie (00:00):
Hi, you’re listening and watching another episode of Cloud N Clear podcast. Thanks for joining the show. My name’s Mike Laramie. I’m the associate CTO for security here at SADA.
(00:25):
And today’s guest has been at the forefront of systems security and data privacy research for over 20 years across Microsoft, Google, and Apple. He was the founding CTO of a company called GreenBorder whose technology would later be acquired by Google and become the core of sandboxing technology in the Chrome browser.
(00:39):
He has over 100 academic articles published and almost 14,000 citations on Google Scholar, and most recently, he joined Lacework back in 2021 as their chief architect to help usher in a new era of cloud security.
(00:51):
Thank you for joining us on the Cloud N Clear podcast, Ulfar Erlingsson.
(00:54):
So we’d like to start a show by giving our listeners an opportunity to get to know our guest. I know we covered a bit in that introduction there, but is there anything you’d like to add about your background for our listeners to get to know you?
Ulfar Erlingsson (01:02):
First of all, thanks Mike for letting me be here. It’s always great to chat with you.
(01:08):
So I’d say that I’ve been trying to push the state of the art in computer security for my entire career, and I’ve actually managed to have some success in getting things into production. There are things in Windows like Address Space Layout Randomization that I helped get in there. There’s even stuff at the lowest level of hardware architectures that restrict bad control flow that I helped get in there.
(01:40):
But at the same time, I’ve been very distraught by how security seems to be continually getting worse. And there are some positive notes such as I feel that the security on our smartphones is actually pretty good. But in the areas where I’ve been doing most of my work, which is personal computing and server side computing, it really has felt like we’ve been running really hard and sliding backwards all the time.
(02:14):
And that’s actually why I’m at Lacework right now as opposed to working at the large organizations because I think at Lacework we have a chance of actually improving things a little bit.
Mike Laramie (02:27):
The things that jumped out at me when I was at Lacework with you prior to being here at SADA is that you had a “Why I’m here,” post on the Lacework site when you joined, and in there you stated like a lot of people who work in security, I got into it by accident, and that really hit home with me because it’s one of those things where it was you take an interest in a few things and you make a comment in a meeting and all of a sudden, you’re now the security guy and you’re moving forward with that in your career, which is cool.
(02:50):
Thinking back on how you got into the security space, is there any information, one or two quick pieces of advice you’d give to folks who want to make that jump into classic security?
Ulfar Erlingsson (02:59):
What I’ve found throughout my career is it really is motivating when you make things very concrete and it helps clarify a lot of the ambiguity of an ambitious notion, like, “Let’s harden our enterprise.” What does that even mean?
(03:22):
I remember when I was really getting into security early on, I was teaching a course or helping teach a course on security at Cornell, and we had an assignment that I had to create of how can you actually use the UNIX file system access control methods to achieve a particular purpose? And the purpose was something simple. You have a folder where users can submit a suggestion box type thing and the suggestions are supposed to be you, but you can’t read everybody else’s suggestions. And so you can only write to it, but you can’t overwrite the things that are already there.
(04:07):
And those types of start with a concrete problem, try to figure out how to solve that using the primitives of say AWS identities or S3 buckets and so on, and try to see it like, “This particular use case, can I actually set it up. For some notion of secure actually is secure, that the right things only the right things can happen.”
(04:36):
And I think that those types of diving deep and just doing things really help you, A, get hands-on experience with the concepts and with the techniques, but also help you contextualize the higher level ideas of like, “Hey, what is, for instance, a lot of people confuse authentication and authorization, but if you set up some concrete things and you have some users that can assume some roles and then you actually authorize those roles to do certain things, those ideas get very concrete in your mind.
(05:13):
It’s the roles that are authorized, they can do things, but the identities that get authenticated, they are not really authorized to do anything, but they can assume the roles. So I would suggest doing that going deep. And then I would suggest also not being bedazzled by the jargon, there is way too much jargon in the security space.
(05:44):
Really, security is about three extremely simple things, and we can put that in the context of a house. You need to close all the windows and doors so bad guys or critters don’t get in, except for the ones that you’re going to use.
(06:01):
So you have to actually have locks and keys for the ones that you’re going to use.
(06:05):
The other ones you actually want to shutter and lock as tight as you can, but the ones that you’re going to use, you’re going to have locks and keys and then you have to authorize and authenticate people so that the first thing is shuttering the windows and doors is usually called attack surface reduction, that is making things as simple as possible.
(06:29):
When I was working on Windows XP Service Pack 2, really all we did was turn on the firewall, which is shuttering certain windows and doors that were opened by default in XP and never really should have been.
(06:43):
So then the second thing of keys and doors with locks and so on, is this authorization and authentication cloud identity and access management or entitlement management is usually stuff that’s talked there.
(07:02):
So these are the two things that actually make you secure. They’re only these two things that make you secure, and so it’s not all that hard and everything fits into one of these two buckets really, whether it be micro segmentation, which is a way of shuttering doors and windows to role-based access control, which is keys and so on now.
(07:24):
But then you have to realize that bad things will still happen. And so you have this third pillar which is basically investigations, response, forensics and so on. Those are the things that happen after the first two things have failed, and there’s a whole bunch of jargon and keywords in that, but it’s all, “Let’s try to figure out what happened. How can we actually deal with that? How can we close some more doors and windows to prevent it from happening and change our keys and locks and so on to prevent it from happening again?”
(07:59):
But mostly it’s an investigative thing.
(08:02):
And so keeping some very high level, simple view of security in mind I think is very useful when trying to look at all this other stuff.
Mike Laramie (08:12):
That’s an excellent point because I think you’re spot on there. At the end of day, every new technology or pillar of cloud security comes back to those three fundamentals. Who’s doing what, why are they doing it, and do they need to not be able to do it again? That’s a really good point.
(08:28):
Building on that and getting a little bit more into some more of the core topic of the conversation today, so here at SADA we are excited to have Lacework, both as a SADA customer as well as part of our SaaS alliance program. And I want to give our listeners a little more background on the company, but I’m interested in your words, what is Lacework? If somebody came in and was like, “Hey, I saw your logo on the street. That looks really slick. What does Lacework do? What’s your elevator pitch there?”
Ulfar Erlingsson (08:54):
One way of pitching Lacework is security is hard, and we know security is hard because things have been getting worse all the time, and so all companies are being compromised and whatnot. We have this OpenSSL thing right now that the world is worried about is going to… So security is hard, but lots of organizations have actually achieved some measure of success in having a team that can deal with security.
(09:25):
But the cloud is different, so it’s a real different challenge for those teams, and the cloud is actually harder than the business enterprise security team computing because the cloud is constantly changing. By that I mean the cloud service providers, the SaaS providers, the open source software that you’re relying on, all of these things are changing whether you like it or not. At least in the enterprise, you could control your own stability.
(09:57):
And so all of these changes in the cloud and the fact that the cloud is different, it’s simply different technologies and so on, mean that you can’t take your existing techniques, your existing technologies, your existing processes into the cloud.
(10:11):
So you have to have a partner, somebody who’s helping you to do that. We think Lacework is the best partner for actually doing security in the cloud. And we think Lacework and our platform, our polygraph data platform, is the best approach to securing the cloud, because unlike traditional security and what has happened in the security industry, the vendors, they’ve really focused on the antivirus model of doing security where they’re selling lists of known bad things and techniques to detect whether those known bad things are happening.
(10:52):
We’re actually focusing on helping our customers do good stuff. We learn what they’re trying to do in the cloud. We learn what normal looks for each specific customer because each of their environments is unique, and we try to help them maintain and update that environment in a healthy way that allows them to be agile, that doesn’t make the security team a blocker, but rather a partner with DevOps of updating and improving their environments.
(11:28):
You can call that anomaly detection, you can call it radical attack surface reduction because we pretty much put a trip wire on anything that you are not doing already.
(11:41):
But this approach of focusing on what the customer really wants to be doing, it’s a more business and value centric approach to security, and it really, really works. So we have almost 1,000 customers now at Lacework, and we know that this technique really brings a lot of value and is easier for teams to deal with in a multitude of ways, not just in terms of the everyday cadence of having fewer things that you need to handle, fewer alerts and so on, but also in the operational sense of being able to hire people into the security team that you can train quickly to do the right type of work and the relationship between the security team and the rest of the organization.
(12:27):
And that was not an elevator pitch, by the way, as you…
Mike Laramie (12:31):
No, no. I forget the phrase, but it was like if you need me to write five pages on this, I can do it in 30 seconds. If you need me to write one page on this, I need five months or something like that.
Ulfar Erlingsson (12:39):
Yes, exactly.
Mike Laramie (12:41):
No. So what rings true there for me is you’ve written multiple articles and various talks over the years about that idea that security needs to take that data driven approach versus a rules-based approach. Learn what the expected behavior is as opposed to trying to guess what the most malicious behavior looks like, or by the time that you can write a rule to detect that it’s already too late.
(13:05):
There was one particular article you wrote on the Lacework website back in July, 2021 that we’ll link to in the show notes about an analogy using a shepherd trying to protect his flock. And I use that on countless calls.
(13:18):
The idea that Lacework was taking that approach, was that something that really drew you to Lacework or was there something else above and beyond that that drove you to join the company?
Ulfar Erlingsson (13:26):
There were really two things that drove me to the company and one of them is exactly what you’re saying here. I’ve been a huge advocate of using data to try to harden and reduce attack surface, do that first job of shuttering all the doors and windows that don’t need to be open, because that’s what I’ve seen be incredibly effective at improving security in the real world.
(13:53):
That’s the basis of my company. That was the sandboxing technology for Google Chrome. It’s what we did in Windows very effectively. We did a tremendous amount of that at Google when hardening Google post 2009, 2010.
(14:10):
Shuttering doors and windows that should not be used is a really fundamentally powerful security technique that eliminates lots of possibilities from attackers, but you have to know which ones to shutter and which ones are not being used actively, but you should be able to use data for that.
(14:31):
And that’s always been my intuition and a lot of that, there are two examples that struck at me. One of them was early on when I was working at Microsoft, the Windows Solitaire game actually had all of these so-called known DLLs loaded into the game by default, which means that actually the Windows Solitaire game could at all times be a web server, or a remote access tool, or any number of other things because all of the code to doing that was already linked into the address space of the Solitaire game.
(15:11):
Now, in normal operations, clearly the Solitaire game is not downloading things off a torrent, but it could. But why should you let it given the fact that we have so much information that the Solitaire game should be a local only on this machine interacting via the mouse mostly with the user?
(15:34):
So that always felt like somehow we should be able to just delete that functionality or somehow put it into hibernation or suspension inside the Solitaire game. Even though it’s there, it shouldn’t be used or you shouldn’t allow it to be used.
(15:50):
And soon after I joined Google, there was a second instance, which I think may be similar to the OpenSSL vulnerability we’re going to see tomorrow. We’re going to get the details on that, November 1st was Heartbleed.
(16:07):
So Heartbleed came out soon after I joined Google. And what struck me there was Heartbleed was this huge problem that affected the entire world, but it was because of an extremely dusty corner in the OpenSSL stack, it was a heartbeat message that basically nobody had ever sent to anybody for any reason. Certainly, Google had never received or responded to such messages, but it was there in the stack. Google could respond to such messages because we were using the full library, but why hadn’t we learned from our use cases that, “Hey, actually nobody’s sending us these messages and we shouldn’t be responding to them or our servers should not want to provide that functionality even though it’s baked into the library.”
(16:58):
And so at Google I tried for a long time to use those data-driven techniques to find windows and doors to shutter, things that are in the house but really shouldn’t be used. Just because they’re in the house doesn’t mean that anybody is using those functionalities. And if you leave them open, then bad things can happen.
(17:19):
And frankly, I didn’t succeed and I didn’t succeed because often with data-driven techniques, there is this initial chicken and egg problem of how do you get enough data to build something that’s good? Because if you don’t have anything good, then it’s really hard to convince people to give you data, especially if it costs a lot or it’s really difficult or so on.
(17:46):
So when I saw that Lacework had basically solved this chicken and egg problem, so they had customers that were happy, had over 100 customers when I joined, and they were getting all of the necessary data to do a really good job, and by all accounts they were doing a good job and this approach to security, figuring out what are all the things that should not be happening, and making sure that security teams were alerted if they ever happened.
(18:14):
So that was half of why I joined, this excitement of finally I get to be part of moving security forward in this data driven way that I’ve been passionate about and I totally think is the right thing.
(18:30):
The other aspect actually is money and because I want to really have impact in the world and when I joined Lacework had just gotten $500 million in funding and I saw that, “Hey, here’s a company with an actual opportunity to change how security works. There is a significant chance that they’re well funded enough to be able to succeed on this mission of changing the way the security industry is supporting their customers.”
(19:01):
And so I came here really because of the type of impact that Lacework is trying to do is what I wanted to do, but also the chance of being able to have that impact, is something that I’m extremely excited about. And I’d love to finish my career having helped move security to a better place, to a place maybe more similar to what we can do on our phones these years.
Mike Laramie (19:27):
That’s awesome. And just a right opportunity at the right time. It’s just…
Ulfar Erlingsson (19:32):
Exactly. And I had a fantastic gig at Apple where I was in charge of privacy technologies, and Apple is fanatical about privacy, so it was also an impactful job, but still I left that team in good hands and I think that I can do better for the world being here at Lacework than there.
Mike Laramie (19:58):
Excellent. Quick side question, because you mentioned something in that answer that really caught my ear and the idea around parts… I saw the talk that you gave about Solitaire and I had no idea that it had a complete network stack in it and that I just started cracking up laughing about it because that wasn’t something that we considered back in the Windows 3.11 days, but nowadays, that would’ve been taken advantage of immediately.
(20:22):
So for things like that where you have these code practices or this code being written that is maybe importing stuff that it doesn’t necessarily need, do you see the industry moving towards that type of analysis where you’re saying, “Hey, we’ve watched this application run for a while and you’ve never used this part of the code base?” Should you look at shedding that? Is something that you think we’ll see in the near future?
Ulfar Erlingsson (20:48):
I think it has to be, and Lacework is going to spearhead that movement.
(20:54):
The reason I think it has to be is that no code is written from scratch anymore. It’s all a composition of these huge libraries and huge underlying stacks, and if you do not restrict things, if you do not project out or constrain executions in some way, then you’re going to have to pay the price of the entire stack.
(21:26):
So let’s take you’re trying to serve out some static webpages and you’re using a LAMP stack for this, but because it’s a LAMP stack, then you’re going to have some interpretable stuff. You’re going to have like Perl, or Python, or PHP or something that’s right in there, but you’re just trying to serve out some static webpages.
(21:45):
Well guess what? Now you’re paying the price of all of the possible complexities of configuration of Perl, Python and so on and what might possibly happen there.
(21:57):
We’re talking hundreds of millions of lines of code that you are using potentially to do this very simple thing that really is being accomplished by a tiny sliver of a fraction of the code base.
(22:13):
And so software is going to be full of bugs for a long time moving forward. And even when software won’t have bugs, there’ll be logic bugs and configuration bugs, and so on because humans will still be involved.
(22:30):
It’s impossible that the industry will be able to pay for all of that complexity, for all of that surface area because thinking of it as an attack surface area when only doing a tiny sliver.
(22:51):
So we can take actually this into the cloud. So AWS launches 2000 new services and features and functionalities every year, GCP and we’re partnering with SADA and so on, is slightly less, like 1000.
(23:07):
But imagine if every single customer had to be an expert in securing all 1000 things, even if all they did was host a WordPress site on GCP.
(23:21):
And that’s clearly just not a realistic scenario. It can’t possibly be the case, but that’s what we’re doing with software these days. We’re actually making everybody pay for all of its potential problems and power, while you’re only getting the benefits of a tiny fraction.
Mike Laramie (23:41):
That’s great insight there.
(23:44):
Insight coming out of Lacework, one of the things that I enjoyed reading is there’s a periodic release from the Lacework Labs team called the Cloud Threat Report and the most recent edition in there outlined something that dovetails nicely into that conversation where teams are beginning to find novel ways to automate the initial stages of these zero day exploits so that they can create these attacks at scale and have more impact even though the CVE or the exploit was just released.
(24:15):
So some of the core tenets of the latest report available on the Lacework website is the increased speed from exposure to compromise and the focus on virtualization, fixed structure, core networking vulnerabilities. And then still, even though it feels like we went through countless iterations of fixes for it, continued Log4j exploitation.
(24:38):
Which of those items that the Lacework Labs team focused on, are you seeing the most out in the field or within Lacework, and any great stories around how customers have dealt with these?
Ulfar Erlingsson (24:51):
Well, I think our polygraph approach to security is helping customers catch a lot of these things as they’re being actively exploited.
(25:04):
If you take Log4j, there is such a long tail of getting rid of things and then you get rid of it all, and then you realize, “Oh my god, there was a release that happened here and actually it pulled in an old version of Log4j and it’s doing it in a way where the static code scanning stuff and so on or the disk scanning doesn’t catch it.”
(25:25):
So these things keep popping up. It’s like whack-a-mole.
(25:28):
And what’s cool about the polygraph data platform is that we will actually catch the exploits pretty much right away and we can do that even if there is various variants and so on, because we focus on the changed behavior, not like these patterns in the input data and so on that caused that changed behavior.
(25:51):
So we have a lot of success stories for customers with both new problems that are popping up but also these long tail problems.
(25:59):
The one anecdote that I’ll say that is pretty cool right now is with this OpenSSL thing that will come tomorrow, is how we can actually proactively help customers prep for an upcoming vulnerability fix. So we have basically our entire customer code base because of some things we released at the end of last week. We have our entire customer code base already aware of where they need to go and fix vulnerabilities in OpenSSL.
(26:35):
So they have their finger on the trigger. As soon as the new version shows up, they can actually roll it out to existing environments.
(26:45):
And that’s through a combination of things, not just scanning images and repositories and so on, but also scanning active processes that may have loaded the OpenSSL library from a non-standard place, etc, etc. So a really thorough inventory that allows them to then prep their remediation scripts and so on in anticipation of the fixed version of the software.
(27:15):
And I think that’s one of the coolest because of the visibility. The polygraph data platform is based on this really pervasive visibility of all of the static artifacts like the passenger manifests of who’s getting on the airplane, but also on visibility into absolutely everything that happens on the airplane itself.
(27:37):
So we can really more pervasively inventory those places that need to get fixed.
Mike Laramie (27:43):
I saw that. I saw there was a release about that or a preview of the release about that, and for me, that was a really unique thing that Lacework was capable of, was saying, “Hey, here are these libraries and here’s where they are and here’s where they’re communicating. And search for this in the platform and we’ll tell you where you need to go. Prioritize your remediations.”
(28:04):
And I think that that’s a super powerful part of the Lacework tool that sometimes gets overlooked, is that ability to help prioritize the remediation efforts when there is something like this.
Ulfar Erlingsson (28:14):
In this type of workflow for security teams, it’s all about prioritization. There’s always going to be more of these vulnerable things or these small issues in different parts of the organization, at least if the organization is not of a tiny size. And so figuring out which ones do you really need to fix or which ones are just some libraries that are sitting on the disks, but they’re not even loaded into memory, so there is no urgency of actually going and fixing them.
(28:49):
Those are the things that our customers ask for the most.
Mike Laramie (28:52):
Excellent.
(28:54):
Putting it to the third party space, another recent announcement out of Lacework coming out of Google Cloud Next is an integration that was launched with Google’s Chronicle security offering. Can you share with listeners a little more background on Chronicle and the integration and why Lacework targeted that coming out of Next?
Ulfar Erlingsson (29:13):
Chronicle is a really interesting effort by Google, and I was actually there in the Google security team when Chronicle started, and the founders of Chronicle technical founders, Mike and Shapor were colleagues of mine that I knew very well.
(29:30):
And it really was an effort to up the security game of Google’s customers by taking the lessons and techniques that the Google security team had developed, and helping customers make use of those as best practices.
(29:47):
And in many ways, it’s an effort that mirrors Lacework’s mission, although the techniques they used were quite different, more traditional techniques. And right now after Chronicle has been integrated into mainline Google Cloud offerings, really what it does really well that we can integrate with is give context to all of these things that you might need to do.
(30:19):
In Lacework, we do a good job giving an overview of your environment and what things you might need to pay attention to. But with Chronicle, we can pair that up with the full context of the rest of Google security tools and offerings, and the techniques that are embedded into the Chronicle platform.
Mike Laramie (30:39):
Excellent. Any other announcements our customers should be looking forward to from Lacework that you can talk about now?
Ulfar Erlingsson (30:46):
That’s a great question.
(30:48):
Well, I think you’ll continue to see us investing in our side scanning approach to visibility. So one thing that has been very popular with especially larger and more complicated organizations that have great difficulty integrating with CI/CD pipelines, basically where the complexity of operations is so high that very few things that improve security can be done with ease. This notion of scanning the hard disks, of side scanning, taking snapshots and looking at what’s there, has been very popular in recent years.
(31:30):
Lacework has already launched, and we’ve announced this, our side scanning functionality. And we are really proud of how we do that. It’s extremely lightweight. It runs completely in the customer’s environment. So the code from Lacework runs as the customer actually and is even billed to the customer in their environment.
(31:56):
Lacework never has to mount or see any snapshots that might contain our customer’s customer data, like any PII and so on. So you don’t have to worry about the entitlements that you’re giving Lacework for this functionality because you literally give us none.
(32:13):
So you do run some code, and the code is extremely lightweight. We can actually do this out of serverless Fargate instances without creating any EC2 machines that mount volumes and so on, which is definitely a huge advance and state-of-the-art compared to our competitors.
(32:32):
And we’ve already launched vulnerabilities, secrets and other things, but you’ll see a succession of more things coming very soon that improve, give some KIM-like functionality and more prioritization back to this notion of one of the things you really want is prioritization.
(32:54):
So we don’t think side scanning is the only way to get visibility and it should, but it’s an interesting and important part of your suite of techniques you might want to use for visibility, especially in those hard to reach, hard to manage, or hard to organize workloads.
Mike Laramie (33:16):
That makes sense. Make it easier to meet the customer where they’re at in their security journey.
Ulfar Erlingsson (33:20):
Yeah, exactly.
(33:22):
And we have a number of efforts that we’re having there, say installing and configuring things so that you can actually get our agent and agentless offerings fully into your environment without having to integrate in a particular way into the deployment process, which in many organizations, the deployment process is a baroque custom thing. It’s not like everybody’s using really state-of-the-art Terraform or CloudFormation. And so exactly meeting the customer where they are at reducing time to value, increasing velocity.
Mike Laramie (34:10):
Absolutely. Pivoting towards the business side of it, just real quick, as I mentioned earlier, we’re super excited to have Lacework as a customer and as part of our Alliances Program.
(34:22):
What were some of the contributing factors that drove Lacework to choosing SADA, and what are you most looking forward to in our partnership?
Ulfar Erlingsson (34:29):
I think there’s a couple of things here. We always love to work with partners, especially when those partners bring added value to our joint customers. And SADA is really our key partner in the GCP space other than Google itself. So really meeting our customers through SADA, bringing awareness to Lacework and what we can actually do through knowledgeable partners. You worked at Lacework. You know what we can do. You know that we can be a win-win for customers.
(35:11):
And we need to get that word out from not only ourselves and through marketing and so on, but also through reliable, trustworthy partners that have an established relationship with customers.
(35:29):
The way I look at our partnership here, it’s just bringing that new avenue for a customer win by having us collaborate as two arms of the support network for that customer.
(35:47):
And I really think of this as a customer support story. Running in the cloud and running securely in the cloud is hard and companies need help. None of our customers can afford to do what we did at Google, which is hire thousands of the world’s best security people and spend unlimited amount of money and have an unlimited mandate to stop things and so on. Customers need help and it’s great to have partners helping us help our customers.
(36:17):
And that’s our recurring theme here as well at SADA. One of our core tenets within the company is to make our customers rave. Let’s bring our expertise and the best of breed tools that we can find out in the industry and make sure that they’re doing what’s best for their posture and their program.
(36:33):
So super excited to see the partnership grow with Lacework. Obviously, I enjoyed working with y’all.
(36:42):
We were so sorry to see you go, but you’re still in the family. We’re still…
Mike Laramie (36:46):
Like I said, I wasn’t going far.
(36:51):
With that said, Ulfar, thank you so much for taking time. I know we’re running up against the clock here, but we always like to close our show out with future predictions, and we sprinkled it through a little bit throughout the conversation. But as a summary, where do you see the security conversation heading in the coming years, or the coming year? Let’s just focus on one at a time at this rate.
Ulfar Erlingsson (37:10):
Well, I think in the coming year it’ll be a transition year, I think, as we now have an increased number of large organizations that are being forced to move into the cloud and being forced to adapt to this new reality of constant churn and constant change. And so I think that one has been called drift management and so on, in the past and so on, those aspects of the dynamism and potential for unexpected changes is going to become a primary topic of conversation.
(37:53):
And the security industry is super happy with buzzwords, so there’ll probably be a buzzword around that and they’ll probably hype it up as this new thing and so on.
(38:04):
But it’s really, there is a fundamental problem with change management and just visibility into what might be changing and is that change okay or not, that I know our customers are struggling with, and I know especially for larger organizations where the number of changes that might be happening any given day is tremendous and most of them are going to be benign, and intended and so on, but how do you actually discriminate between the two?
(38:31):
So I think that fundamental problem I think will become a hot topic in the next year. And it may be that it’ll be tied to things like supply chain risk with open source software and so on. So I don’t know exactly how it’ll surface.
(38:52):
Or for instance, SaaS posture management is becoming a hot topic and so on, but I think it’s all about dealing with configurations, change, what actually is happening in your environment, and how is that different from what happened yesterday or from what’s happening in similar customers as you in other environments.
Mike Laramie (39:19):
Great point. I can’t wait to see what the acronym is going to be for drift detection, but I think you’re spot on there. And then you touched on something there that I actually hadn’t thought about because everybody thinks about drift detection with things like Terraform or CloudFormation, what’s the state of my cloud infrastructure. But there hasn’t really been a focus on drift from the software bill of materials versus what’s currently running.
Ulfar Erlingsson (39:41):
Right.
Mike Laramie (39:42):
That’s spot on. Awesome.
(39:44):
Well, thank you again for your time. I really appreciate it and I want to thank our listeners for listening in with us. We’ll have some links in the show notes to some of the articles that we talked about that Ulfar has written over the past 20 plus years and can’t wait to see what the finished product looks like.
Ulfar Erlingsson (40:02):
Well, it’s a journey, so I don’t know if we’ll ever be finished, but we are a maturing platform, where we’re getting more functionality and more comprehensiveness all the time.
(40:12):
So as always, fantastic chatting with you, Mike, and next time we’ll have to do this over beers.
Mike Laramie (40:18):
I was going to say we’ll find a pub next time. We’ll do this in person. We’ll bring the equipment with us.
Ulfar Erlingsson (40:23):
Yes. Awesome. Cheers.
Mike Laramie (40:24):
Awesome. Cheers. Thanks so much.
Narrator (40:27):
Thank you for listening to Cloud N Clear. Check the show notes for links to this week’s topics, and don’t forget to connect with us on Twitter @cloudnclear, and our website, SADA.com. Be sure to rate and review the show on your favorite podcast app.