THE SECURITY INFLUENCER’S CHANNEL
HOSTED BY JEFF WILLIAMS, CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY
Episode Five: Justin Somaini from BOX.com
JEFF WILLIAMS
“I saw you were quoted in an article titled, ‘The New Cyber Threats Juice Pay for Security Chiefs’. You said what we’re starting to see is the introduction of new concepts that will eventually change security. Tell us more about what you were talking about.”

JUSTIN SOMAINI
“When we talk about the mobility and always-on networking shift, what we’re starting to see is content and transactions that security practitioners are tasked to protect with confidentiality, integrity, and availability.”

JUSTIN
“In other words, we’ve seen IT organizations’ skills move from maybe some internal application architectural skills to vendor management functions.”

JUSTIN
“It’s that whole evolution of security that we’re going through, which we’ve gone through many in the past. This is just the next iteration of it.”

JEFF
“So you’re saying as we start seeing organizations doing transactions that might be entirely outside their infrastructure, …[that] there could be whole transactions running that never touch a traditional corporate infrastructure.”

JUSTIN
“Absolutely! One-third of the workforce doesn’t come into the network on a weekly basis...how do you implement a monitoring or a detective control structure? How do you manage and see what’s going on, let alone be able to protect and manage those environments?”

JUSTIN
“That’s one of the biggest shifts that we’re undergoing and will continue to undergo, I believe, for the next 10 years or so.”

JEFF
“What can security do to accelerate the process of catching up to these new architectures? I guess what I’m seeing is that there really hasn’t been a lot of change in the way people practice application security and even some kinds of network security. So, what can we do to not be so reactive?”

JUSTIN
“Well, there are probably a couple of different things. In this model you have really three different players:
• Cloud Players
• Security Practitioners
• Security Vendors”
JUSTIN
“When we look at the practitioner, again, looking at some of those solutions, having an open mind that from a security vendor standpoint, applying pressure to the cloud providers to make sure that they’re doing their best to implement the basic controls that they need.”

JEFF
“You mention logs. You know, I always think of logs as sort of a very fuzzy way of getting insight into what’s going on in a system or a network from a security perspective. I’m wondering if you see evolution…because right now I sort of feel like the providers are doing their thing and the enterprises are using the services, but there’s really not a lot of engagement, collaboration around security.”

JUSTIN
“I would completely agree, I mean, to a great degree in a big, broad, brush stroke kind of statement. I do think this is changing, but the relationship between customer and provider has been one of a transaction versus a living partnership.”

JUSTIN
“There are players, and I’m proud to say that I think that we’re one of them [box.com], that are really spearheading the open API integration with our customers.”

JUSTIN
“This is not a detachable entity, this cloud provider. But we can command, control, interact, collect, we can have it be part of our ecosystem even though it’s really a third-party application to a great extent.”

JUSTIN
“It all comes back to a very basic, basic concept of the cloud provider saying, ‘This is our role. We are going to create a capability for our customers to leverage our service more than just the presentation layer that we’ve historically done, but more from an API platform one.’”

JEFF
“I’ve worked with clients over the years that have done similar things internally. They have enterprise architecture, and in some ways it operates like a cloud service. I think the integration between the applications and that infrastructure has always been a challenge, even within an organization.”

JUSTIN
“Back to the three parties: cloud provider, security practitioner, and security vendor. If we look at the cloud provider, one of the changes in this whole transformation is the concept of back office functions—security, compliance, privacy—and really elevating them to what I would call the front office.”
CLOUD PROVIDERS

JUSTIN
“We’re going to identify solutions to security problems of our customers, as opposed to just simply getting a certification.”

JEFF WILLIAMS
“Traditionally, end user consumers haven’t been very successful at demanding security from web application providers.”

JEFF WILLIAMS
“Do you think there’s anything we can do to get end user consumers to demand security better so that we can sort of raise the water for all boats?”

JUSTIN
“I think from a business perspective you have the power of the purse. There’s a huge difference between consumers and enterprises in that context.”

JUSTIN
“The conversation of security is dramatically different than it was 15 years ago when I started. We have a voice of government. We have a voice of the consumer that is resonating louder. We have a voice of the advocates that we’ve never really had before on the consumer side.”

JEFF
“I’m glad to hear that. I think it’s been a long time coming….I think the key, though, is getting consumers to actually demand better security. I think we probably need to do some work around figuring a way for them to articulate that need better.”

JUSTIN
“Well, I think first and foremost in any process, whether it’s agile or iterative development cycles or a waterfall model, I can’t stress enough education. The ability for us to educate our developers on the basic controls that need to be best practices…is so critically important.”

JUSTIN
“Within development…you really need to have security be bled into the ecosystem to make sure that the behavior, the concept, the belief system is one that really encapsulates security in each and every thought process…”

JUSTIN
“I would say the magic really on the back end is how we approach it from a philosophical, educational, and cultural standpoint with the company as a whole.”

JEFF
“I think it’s interesting that you mentioned training and your community of experts that help spread the word. I think you’ve reinforced that with that culture, the tools, the testing processes you’ve put in place, and the support that you’ve given developers.”

JUSTIN
“Some of the problems of security as a whole? I’m never going to have enough money. I’m never going to have enough people in order to manage the company as a whole.”
JEFF
“You mentioned internal transparency between the various stakeholders in security. I noticed on your website you’ve got a page that details a lot of information about how you all do your internal practices. Why do you expose that externally? Not many companies do, so I’m curious. Why?”

JUSTIN
“We enroll our customer in transparent conversations so that they truly understand all of the amazing things that we do to protect their content.”

JUSTIN
We want them to walk away saying:
1. I have confidence they are doing the right things.
2. They’re going to include us in any sort of situation as it goes along.
3. I can reach out to them for help and assistance if I need it.

JEFF
“I’m wondering if you see that changing in the future. Do you think websites in the future will have a software facts label the way that your cereal box has a nutrition facts label on it?”

JUSTIN
“I completely believe that this will become the norm. I really do. It will take time. It’s a maturation process.”

JEFF
“So you support people doing security testing on your site on a policy of responsible disclosure. How’s that working out?”

JUSTIN
“The environment that we’ve had in the past few years is very different. The research community is more established. It’s more proactive and supportive from a cloud-provider side.”

JUSTIN
“I think it would be negligent if we didn’t have a program in place in order to receive, operationalize, and remediate those issues.”

JEFF
“Last question. Looking forward, do you think we can get to the point where there really is no difference between the deployment of the functionality and the deployment of the security and the assurance all at once?”

BILL GATES: TRUSTWORTHY COMPUTING MEMO

JEFF WILLIAMS WITH JUSTIN SOMAINI OF BOX.COM
