In this episode, Jeff Williams interviews Justin Somaini of Box.com. They discuss security implications from a consumer perspective, how security and the cloud environment work together, and revisit Bill Gates' Trustworthy Computing memo from 2002.
3. JEFF WILLIAMS
“I saw you were quoted in an article titled, “The
New Cyber Threats Juice Pay for Security
Chiefs”. You said what we’re starting to see is
the introduction of new concepts that will
eventually change security. Tell us more about
what you were talking about.”
4. JUSTIN SOMAINI
“When we talk about the mobility and always-
on networking shift, what we’re starting to see
is content and transactions that security
practitioners are tasked to protect with
confidentiality, integrity, and availability.”
5. JUSTIN
“In other words, we’ve seen IT organizations’
skills move from maybe some internal
application architectural skills to vendor
management functions.”
6. JUSTIN
“It’s that whole evolution of security that we’re
going through, which we’ve gone through
many in the past. This is just the next iteration
of it.”
7. JEFF
“So you’re saying as we start seeing
organizations doing transactions that might be
entirely outside their infrastructure, …[that]
there could be whole transactions running that
never touch a traditional corporate
infrastructure.”
8. JUSTIN
“Absolutely! One-third of the workforce doesn’t
come into the network on a weekly basis...how
do you implement a monitoring or a detective
control structure? How do you manage and see
what’s going on, let alone be able to protect
and manage those environments?”
9. JUSTIN
“That’s one of the biggest shifts that we’re
undergoing and will continue to undergo, I
believe, for the next 10 years or so.”
10. JEFF
“What can security do to accelerate the process
of catching up to these new architectures? I
guess what I’m seeing is that there really hasn’t
been a lot of change in the way people practice
application security and even some kinds of
network security. So, what can we do to not be
so reactive?”
11. JUSTIN
“Well, there are probably a couple of different
things. In this model you have really three
different players:
• Cloud Players
• Security Practitioners
• Security Vendors”
13. JUSTIN
“When we look at the practitioner, again,
looking at some of those solutions, having an
open mind that from a security vendor
standpoint, applying pressure to the cloud
providers to make sure that they’re doing their
best to implement the basic controls that they
need.”
14. JEFF
“You mention logs. You know, I always think of
logs as sort of a very fuzzy way of getting
insight into what’s going on in a system or a
network from a security perspective. I’m
wondering if you see evolution…because right
now I sort of feel like the providers are doing
their thing and the enterprises are using the
services, but there’s really not a lot of
engagement, collaboration around security.”
15. JUSTIN
“I would completely agree, I mean, to a great
degree in a big, broad, brush stroke kind of
statement. I do think this is changing, but the
relationship between customer and provider
has been one of a transaction versus a living
partnership.”
17. JUSTIN
“There are players, and I’m proud to say that I
think that we’re one of them [box.com], that
are really spearheading the open API
integration with our customers.”
18. JUSTIN
“This is not a detachable entity, this cloud
provider. But we can command, control,
interact, collect, we can have it be part of our
ecosystem even though it’s really a third-party
application to a great extent.”
19. JUSTIN
“It all comes back to a very basic, basic concept
of the cloud provider saying, ‘This is our role.
We are going to create a capability for our
customers to leverage our service more than
just the presentation layer that we’ve
historically done, but more from an API
platform one.’”
20. JEFF
“I’ve worked with clients over the years that
have done similar things internally. They have
enterprise architecture, and in some ways it
operates like a cloud service. I think the
integration between the applications and that
infrastructure has always been a challenge,
even within an organization.”
21. JUSTIN
“Back to the three parties: cloud provider,
security practitioner, and security vendor. If we
look at the cloud provider, one of the changes
in this whole transformation is the concept of
back office functions—security, compliance,
privacy—and really elevating them to what I
would call the front office.”
23. JUSTIN
“We’re going to identify solutions to security
problems of our customers, as opposed to just
simply getting a certification.”
24. JEFF WILLIAMS
“Traditionally, end user consumers haven’t
been very successful at demanding security
from web application providers.”
25. JEFF WILLIAMS
“Do you think there’s anything we can do to get
end user consumers to demand security better
so that we can sort of raise the water for all
boats?”
26. JUSTIN
“I think from a business perspective you have
the power of the purse. There’s a huge
difference between consumers and enterprises
in that context.”
27. JUSTIN
“The conversation of security is dramatically
different than it was 15 years ago when I
started. We have a voice of government. We
have a voice of the consumer that is resonating
louder. We have a voice of the advocates that
we’ve never really had before on the consumer
side.”
28. JEFF
“I’m glad to hear that. I think it’s been a long
time coming… I think the key, though, is
getting consumers to actually demand better
security. I think we probably need to do some
work around figuring a way for them to
articulate that need better.”
29. JUSTIN
“Well, I think first and foremost in any process,
whether it’s agile or iterative development
cycles or a waterfall model, I can’t stress
enough education. The ability for us to educate
our developers on the basic controls that need
to be best practices…is so critically important.”
30. JUSTIN
“Within development…you really need to have
security bleed into the ecosystem to make
sure that the behavior, the concept, the belief
system is one that really encapsulates security
in each and every thought process…”
31. JUSTIN
“I would say the magic really on the back end is
how we approach it from a philosophical,
educational, and cultural standpoint with the
company as a whole.”
32. JEFF
“I think it’s interesting that you mentioned
training and your community of experts that
help spread the word. I think you’ve reinforced
that with that culture, the tools, the testing
processes you’ve put in place, and the support
that you’ve given developers.”
33. JUSTIN
“Some of the problems of security as a whole?
I’m never going to have enough money. I’m
never going to have enough people in order to
manage the company as a whole.”
35. JEFF
“You mentioned internal transparency between
the various stakeholders in security. I noticed on
your website you’ve got a page that details a lot
of information about how you all do your
internal practices. Why do you expose that
externally? Not many companies do, so I’m
curious. Why?”
38. JUSTIN
“We enroll our customer in transparent
conversations so that they truly understand all
of the amazing things that we do to protect
their content.”
39. JUSTIN
“We want them to walk away saying:
1. I have confidence they are doing the right things.
2. They’re going to include us in any sort of
situation as it goes along.
3. I can reach out to them for help and assistance if I
need it.”
40. JEFF
“I’m wondering if you see that changing in the
future. Do you think websites in the future will
have a software facts label the way that your
cereal box has a nutrition facts label on it?”
41. JUSTIN
“I completely believe that this will become the
norm. I really do. It will take time. It’s a
maturation process.”
42. JEFF
“So you support people doing security testing
on your site on a policy of responsible
disclosure. How’s that working out?”
43. JUSTIN
“The environment that we’ve had in the past
few years is very different. The research
community is more established. It’s more
proactive and supportive from a cloud-provider
side.”
44. JUSTIN
“I think it would be negligent if we didn’t have a
program in place in order to receive,
operationalize, and remediate those issues.”
45. JEFF
“Last question. Looking forward, do you think
we can get to the point where there really is no
difference between the deployment of the
functionality and the deployment of the
security and the assurance all at once?”