0:00
Hello everyone and welcome again to the Cloud Show
0:05
Today we have a very, very burning and important topic for the cloud
0:10
We're going to talk about security with a Microsoft Security MVP. And he knows everything about security specifically and he works as the CISO
0:20
the chief information security officer for insurance and pension in Denmark. And we're going to talk about the need or how to
0:30
balance the need for a rapid cloud adoption, because that's what we want. We want to have cloud
0:35
as much as possible, fast as possible, while we are maintaining a robust security measure
0:41
around everything so that we can't sacrifice security for the speed of cloud, but we really
0:48
also want the speed of cloud. This is going to be such a great talk together with the star
0:54
of the Cloud Show tonight, and it's going to be Nicholas Madsen. Well, hello there, Nicholas
1:10
Hello. Nice to see you and nice to talk to you. Welcome to the Cloud Show
1:16
Thank you very much. Thank you for having me. Absolutely. Our pleasure, indeed
1:21
So here we are, just two guys who know a little bit about the Cloud talking about security
1:27
Right? Indeed. And you just started recently right as the CISO of the insurance and pension Denmark
1:38
Yes, that's correct. Coming from security consulting background, so I've been in the security for quite some years
1:45
And yeah, now I'm on the other side of the table. Right
1:49
Well, congratulations to jumping over to being the buyer of consultancy services
1:56
Thank you. So, Insurance and Pension Denmark. Briefly, what's the size of this? Huge? In terms of people it's not so huge, but in terms of the
2:08
societal impact in Denmark it's quite huge. We have some very big solutions that, like, every
2:16
time you want to have a car, for example, repaired at a workshop somewhere, it goes through our
2:23
system, and you know, all the insurance companies are integrated into that. And so you could
2:29
say that if our systems were not running, then everything would be pen and paper
2:36
So yeah, it's a very, we have digitalized a lot of the insurance solutions here in Denmark
2:41
That's just, of course, one of the things we do. And pension. And pension as well
2:47
This is insurance and pension. Usually those two go together, right? We host a very big, yeah, pension solution here in Denmark
2:57
so people can actually check how much pension they have. It's like a consolidating platform
3:04
So is this classed as, sorry, but is this then classed as sort of a national security
3:09
or national interest level, like things that... Yeah, I would rather not talk too much about these things
3:18
But yeah, it is, we do have some sensitive data. Because at one point I worked with Energinet in Denmark
3:27
right, who take care of the energy grid in Denmark. And that's, of course, national critical infrastructure, obviously
3:33
because if that would fail, it would be very dark and very cold in the households of Denmark, right
3:39
Yes. I wouldn't, I mean, obviously it's not the same because, you know
3:44
the society goes on, even though you cannot check your pension, then you might be able to log into your bank or your pension provider directly and check it there, right
3:54
And as I also said, you can get your vehicle fixed. It will just take significantly longer and be more troublesome
4:04
But yeah, so this is not a, it's not a power grid going down, but it's definitely going to be a much more difficult to do, yeah, daily business with the, with insurance and pension companies
4:24
I lost you, Magnus. You muted yourself. You're dealing with people
4:34
You're dealing with information about people, about citizens of Denmark, right? And that's terrible, right
4:43
If something bad was to happen with that, that would be a disaster
4:51
Yeah, it will. Like with any other financial service company, you definitely do not want to have your data leaked
5:01
All right. Well, so let's dig into it. So we need to, like you said, when we talked about this episode
5:10
you said, okay, well, the thing is everybody wants all the Azure
5:13
all the, you know, so fast. But they have to keep a tab on sort of the security of things
5:20
So tell us about this space of security in the light of cloud agility, if you will
5:28
Yeah, it's very tricky, right? Because it is really about finding the right balance for this rapid cloud adoption, as we said here. And as a former consultant, I have seen it
5:39
I have helped navigate in it. And, you know, more companies, they move to the cloud to speed up the go-to market
5:46
the whole innovation around their business. And really with the goal to drive up revenue as fast as possible
5:53
and it cannot go fast enough. We can see it with Gen AI
5:58
You know, people they don't really care about the privacy in it
6:04
It's just we just need to have it ASAP. We actually need to have AI yesterday, right
6:10
They don't think about the security concerns with it. With that said, I would like to emphasize something that I often have seen as a consultant
6:18
that is very important to understand the shared responsibility model for the cloud service
6:24
providers, right? And this might sound very trivial, very basic, but I have seen a lot of people who tend to forget
6:34
the responsibility that the CSP has and the responsibility you have as a client or a customer
6:41
And that leads to gaps. And those gaps are usually where it's non-recoverable if you get attacked, right
6:49
So I think that it's a very important point here. And, you know, just for the people who do not know what the responsibility model is
6:59
the shared responsibility model, you have SaaS, infrastructure as a service. Yeah, also on-prem, you control everything yourself, right
7:07
Whereas in SaaS, it's the cloud service provider. PaaS, it's sort of a shift
7:13
where it is a little bit mixed. And infrastructure as a service, it's more or less just the data, right
7:18
But in all of the scenarios, data is something that you as a customer
7:23
customer is responsible for. It will never, ever be the cloud security or the cloud service
7:29
provider's responsibility. It's very important to keep that in mind. Yeah, absolutely. And I think
7:36
that that is something that is, you know, people don't, or users of cloud, they don't necessarily
7:45
understand how much they need to take that responsibility and assume that part of the
7:52
equation. But like you're saying here with AI, how it can lead to a scenario where you just
7:59
have to have it so fast because everyone else has it or our competitors already have something
8:04
AI and we have to have AI now as well. Yeah. So it doesn't matter, just get it done, get it done
8:09
really quickly. And you're saying that this can then lead to a scenario where you just don't take
8:16
the, assume the right appropriate level of responsibility in relation. Yeah. Exactly. I mean
8:22
People tend to be more risk, yeah, averse in this space. I mean, if you look back at Cloud, just look a few years back, right
8:32
Moving to the Cloud was completely no-go. It was like, what are you doing
8:37
Cloud, it's super dangerous. We cannot have that. We have overcome that challenge now
8:42
Obviously, we do have some legal issues still within the, you know, the USA with FISA and so forth
8:48
But it is what it is. But now with AI, nobody's questioning
8:52
this anymore, right? People are just jumping on the bandwagon. And it's sort of that we are missing
8:58
this step where we actually looking at what's inside this black box that AI, for example
9:06
is consuming. Usually nobody knows what's inside this little black box that we are feeding our
9:11
data into, but we love the outcome of it, right? So we have this. We put something in
9:17
something happens, it's magic, and we get an output that we like. Okay, great. And
9:22
This is, yeah, I think that that's a big concern, at least for me in our company, right
9:30
because we do have a lot of sensitive data. So people just going nuts on ChatGPT or Copilot and whatnot is not something that we like too much
9:42
And we are definitely looking into the different countermeasures on this. Okay
9:47
So, tell me. Yeah, just to finalize what I said, sorry, because we do like Gen AI
9:52
and it comes with a lot of positive things. It just needs to be run and executed in a controlled manner, right
9:59
And that could be, for example, using Purview, having your data loss prevention in place
10:06
stuff like that. So I definitely want to say, Gen AI, it's here to come or to be, and we love it
10:14
It just needs to be implemented in a controlled way. Right. And that is sort of the essence, the core of it, right
10:21
that how do you, or what steps and measures is it that you have to focus on to really look in the right place for security and get it done fast and appropriately in this context? So what is it that you do? You're talking about Purview and things. Yeah, so I actually want to take maybe a step back, because not just for AI but for the cloud in general, I would say your access control or your identity and access management, that is the key
10:51
We often, if you look also a little bit back before the cloud, network and the network
10:57
perimeters were sort of like, that's our first line of defense. Now everything is completely open, I mean, we run on public endpoints, at least some of us, or you can have your Private Link and your private endpoints. But now it has shifted into identities being sort of the first perimeter of defense
11:16
Now we all rely on our RBAC models, role-based access control. So this is super important. You need to have that in place
11:24
And the same goes with if you implement a co-pilot or something like that
11:27
if people have more permissions than what they should have, then suddenly they can start to do some prompt engineering that you do not want them to do, right
11:36
And they can suddenly see documents that they should not see. So, yeah, this is super important
11:43
So you have to have your access model correctly applied on the, you know
11:48
the people who have access to the right data. You have access to this and this group has access to that and various things
11:55
And you know about that, right? The least privilege model or need-to-know basis, call it what you want
12:01
The fact is that, you know, we often see that it has been over implemented because it's just
12:09
convenient, right? If people can just in Azure, for example, just be owner or if you have a, I don't know
12:15
like a network guy who is domain admin, well, they can do everything. So it's convenient
12:19
They don't have any blockers, right? Yeah, yeah. They can implement whatever they want
12:24
And then there's the malicious, you know, employee or the disgruntled employee, but there's also human error and mistakes
12:32
Definitely. You can accidentally do the wrong thing there. And if you don't have then, you know, the right policies in place, for example, in your Azure
12:39
you might inadvertently open a port to the wrong place or something and, you know, have a hole
12:45
Yeah. I've also seen things where people elevate just into, you know
12:50
contributor, but they do it on a too high level. It could be on like a management group level
12:54
And then they run some PowerShell script that was supposed to clean up stuff
12:58
But they didn't really realize which subscription they were working on. And then, oops, suddenly they deleted things that they should not delete, right
13:08
So again, it is really about, how do you ensure the right access at the right level at the right time
13:16
That is super difficult, right? But if we stick to Azure for now, then you can obviously use PIM
13:22
privileged identity management. That is something that we do recommend. In general, everything where you have permissions to change things, I would say put it in PIM
13:34
So you don't have what we call standing access. Standing access is really that you just log into your Azure portal and you can do stuff
13:40
You can have standing access on reader roles, but I would say every
13:45
role where you can change something in the portal, that should be through PIM
13:51
Right. So then when a person needs to make changes in one place
13:56
they should activate the access in that place only and not for everything
14:03
Exactly. They should do it in granular, right? They might have access on a root group level or intermediate root group
14:10
But if they just need to change something on subscription X, then they should activate the role on subscription X, not on the management group
14:19
That's really great advice. And I couldn't agree more. I've been looking at PIM solutions myself
14:25
and I find it highly, highly valuable to remove human error, the risk of actually running the wrong thing or the wrong place
14:33
It's like, oops, I thought I chose that database and I chose this database
14:37
And who, hopefully you have a backup. Exactly. Back to the disaster recovery plan
14:45
No, but I also think another thing that is super important, right? Now we talked a little bit about FISA and the USA lying somewhere and maybe learning
14:53
but encrypting your data, right, that is something that, you know, both in transit but also at rest, is something that is super important as well. And
15:02
obviously when you are in the cloud, everything is sort of encrypted by, or it is not sort of, it is encrypted by default by,
15:11
for example, Microsoft. But it is also managed, the encryption keys are managed by Microsoft or the other cloud service
15:18
providers, and that's not good, and whatnot. And this is where, again, if you want the ultimate control
15:25
of your data, you need to also be in control of the encryption key
15:30
And this is where Microsoft uses the term customer managed keys. And so I definitely recommend, if you do have sensitive data like we do
15:40
then use customer managed keys, because it is best practice. It's not just Microsoft best practice, it is Cloud Security Alliance
15:49
best practice. So yeah, it's coming from industry experts. It's not just me
15:55
You are an industry expert on this topic as such, but you're right
16:01
So if I understand you correctly, it's that you ensure to not only use the service's built-in
16:08
encryption and in transit encryption at rest, but also take control of your own keys and have
16:16
them managed by yourself instead. Exactly, exactly. And this is not for all companies
16:23
I'm also going to say that right now because it is a lot of administrative overhead
16:28
It is a lot of cost involved in that. You might want to look into a solution such as Key Vault Managed HSM. It's a bit more hardened. Not a bit, it's a lot more hardened, right, than a normal Azure Key Vault or an Azure Key Vault Premium. But this will require a lot more administrative work to deal with it
16:52
But it is also a lot more secure. So it is, for example, tamper-proof and whatnot
16:57
So that's a whole lot of discussion. Right, but it's an important discussion
17:01
So when you really have the highest security level requirements, that overhead is not optional, but then you need to do it as well and as fast and as good as possible to make your business still, you know, move, even though you are always very secure
17:22
Definitely. So I would say that at least start with Azure Key Vault Premium, because you do get, you know, HSM-backed keys there
17:30
So that's at least a good start. It's only, you have FIPS 140-2 Level 2 compliant, whereas HSM will give you Level 3
17:40
which is sort of the highest compliance. I think you also have a level 4, and that is not applicable here
17:47
So, yeah, definitely aim for that. If you can, if you do have the resources, talk to your manager
17:53
If you do have sensitive data in the cloud. Yeah, this is the best practice from an industry point of view
17:59
And how do you work to make, I mean, you're the CISO, you know, but how do you work to make people who are not security experts understand what the heck you are about and why you require resources to do things
18:15
This is, yeah, this is obviously an issue for all companies, I think, but you have the old saying, people, processes, technology
18:24
I don't know if you have heard it, maybe you have, but it's always about the people first
18:28
train your people, make people aware of what you're doing. Do not flip it around
18:32
Do not start with the tech. The tech is last, right? The people are first, always
18:39
So people, educate people, come in, do your processes around it, then figure out your tech afterwards
18:45
I love that. Because it doesn't matter if you're using Splunk, Sentinel, Elastic Stack, is sane
18:52
Right? That's not what we want to start. We want to start with our people. So that's super important
18:58
And how do you educate them? That can be in many different ways, right
19:02
But you need to ensure that you give people the training that they need
19:07
And that can be that you look at the, first of course, look at the skill sets of the individuals
19:13
So if somebody is super good at networking, don't make that guy do identities, right
19:18
Make him do networking. Make him access the network training that Microsoft has, that all the cloud service providers have
19:28
So utilize people's individual strength. I think that is super important. And also if they have an interest in learning, of course
19:37
I mean, yeah, encourage a learning environment. I think that is at least what I do
19:43
Never just put people in a box and then say, stay there
19:48
I mean, if people want to grow and you have, let's say, the network guy
19:52
but he wants to learn about identity, encourage that journey because we need more hands
19:57
everybody needs more hands and the more people who can help with different things
20:01
That is just so spot on, and I love that. It's wonderful to hear a C-level person
20:09
at something as important as an insurance and pension company in
20:15
Denmark really focusing in on the skills and the learning and that part, because
20:21
otherwise we're not going to get to the goal with just thinking we can do tech. It's not
20:26
going to happen. Exactly. It is definitely very, very important. I would also say another thing that
20:33
is something that people they talk about and they might not do that regularly, but it is, you know
20:40
security assessments and audits. It's super boring, right? At least it sounds like that, but it is
20:45
very helpful in identifying potential vulnerabilities. And it also often gives you measures on how you can
20:55
address them also in a proactive manner. And you do have automated tools for some of these things
21:00
right? That can even, you know, both for when you are developing code. So you have the static
21:07
application security testing, but even on runtime environments, you can do the dynamic application
21:12
security testing, you know, sort of doing the black box testing. That would be like if you looked
21:17
at our system now, then you would be looking at, you know, a black box. And this is also how
21:22
we test, right, from outside in. But we also do the inside-out approach. So I think that you can combine those two, it's very important
21:31
Absolutely. Brilliant. Well, so definitely look into those benchmarks and tests and
21:39
and checkups of your security as well. Wonderful. Thank you so much, Nicholas, for being on
21:46
the Cloud Show tonight. It's been a true pleasure to talk with an expert about security in the
21:53
cloud. Appreciate having you with us. Yeah, thank you very much for having me. And yeah, feel free
21:59
to connect on LinkedIn if any of you guys have any questions. So I'm here to help. Wonderful
22:04
Thank you, Nicholas. And thank you, guests, for watching this episode of the Cloud Show