Cracking the Code Episode 27: Mastering Cloud Security: Avoid Pitfalls and Optimize Your Services

Unlocking Insights on AI in Cloud Cybersecurity

Tune into Episode 27 of Cracking the Code, and hear from Chris Bowen, ClearDATA’s Founder, and Jim Ducharme, ClearDATA’s Chief Technology Officer. In this latest episode, they explore the world of cloud services, cybersecurity challenges, and the implications of rapidly advancing AI. Chris and Jim discuss the transformation of compute technology, from virtual machines to ephemeral instances, and how modern applications are shifting to containerized infrastructures.

The episode unpacks security risks tied to cloud services, including misconfigurations, container vulnerabilities, and evolving attack vectors. Of particular interest is a deep-dive into how AI is reshaping cyber defenses, alongside its potential risks—such as false data attacks—illustrating the critical need for human oversight and skepticism in leveraging AI systems.

Curious about the steps to keep your infrastructure secure and how AI could transform cybersecurity operations?

Watch the video and find out.


Transcript

0:06: Hello everybody.

0:07: Thank you for attending the next episode of Cracking the Code, episode 27.

0:12: I have Chris Bowen, ClearDATA’s founder and co again here with Jim Ducharme,

0:16: ClearDATA’s CTO.

0:18: They’re here to talk about commonly used cloud services and the risks of deploying and managing them incorrectly in the cloud.

0:24: So I will go ahead and remove myself from camera and allow them to have an engaging conversation.

0:30: Well, we’ll see how engaging it is, for sure.

0:34: Nice to, nice to be here everybody.

0:35: Thanks for joining, Jim, to a good conversation about this.

0:41: So tell us what are the in your opinion, in your, your data?

0:46: What are the most popular services that you have come across?

0:50: Let’s start with AWS.

0:52: Well, yeah, I, I think I’ll talk generically across all the cloud providers.

0:56: We’re seeing an evolution of, of cloud adoption from, you know, people years ago, lifting and shifting their on-prem workloads to the cloud and a lot of VMs and, and EC2 instances or, or compute instances and traditional databases like SQL Server, things like that instances to evolving to leverage more container based ephemeral modern cloud technologies for compute.

1:21: So we’re seeing a lot more advancements in both container based deployments, ephemeral based instances like whether that’s Azure Functions, AWS Lambda, things like that.

1:33: As well as new types of data repository, either, you know, unstructured, unstructured data, you know, and, and data pipelines all the way now to obviously a lot of gen AI going on out there.

1:49: Particularly a lot of seeing a lot of playgrounds grow, going up.

1:54: Google Gemini, Vertex AI, Azure’s OpenAI, Amazon Bedrock.

2:02: But we still see a lot of SageMaker out there.

2:05: But, you know, I think, I think if I had to say I see a large move towards new types of data types of services and resources out there.

2:15: And just an evolution of how compute is done from large virtual machines now to container based and, and ephemeral type instances.

2:23: So for the, for the audience at home, let’s just come back to, to ground level for a second.

2:30: Tell us what ephemeral means.

2:33: And number two, tell us what a container is.

2:36: Is it something that you put on a ship?

2:38: Is it a T home in Texas?

2:41: Give the audience a little bit of color there.

2:43: So the way I like to talk about containers of ephemerals, I start with what we may all know, which is your computer, right?

2:48: And it’s this physical device that you’ve got, that’s got a screen and a keyboard and a processor, all that stuff and everything used to live on that all by itself and, and that’s where, where things live. Then came along the virtual machine, which was providing an abstraction layer of the software that we all want to run from the hardware so that I could run a, a Macintosh on a Windows machine or a Windows machine on a Mac or a Linux machine.

3:13: But anyway, it was providing the virtual machine provided a software version of the hardware, laptop computer server that we all knew and loved.

3:23: So the virtual machine was everything that your computer has on it from the operating system all the way up to your application software. Containerization came in and said, well, wait a minute.

3:32: If I got all these virtual machines running out there, why do I if I got 50 virtual machines?

3:37: Why do I have to have 50 copies of the virtual of, of the, of the operating system?

3:41: So let’s make smaller containers and I think much like your cargo ship joke, right?

3:47: It’s similar to that where it’s like, OK, let’s have one big boat which is the operating system and put a bunch of small containers on it that contain our application code itself, right?

3:57: So now as a, as a developer, I’m developing my code knowing that it’s gonna run on somebody else’s infrastructure.

4:06: So essentially all these things are moving the infrastructure layer away, right?

4:12: If, if you really want to go back in history, you remember building a computer, we used to have to decide whether we wanted a Hercules graphics card or you know, we, we had to know about what was inside the computer.

4:24: So this evolution all the way from to containers now is now all I got to worry about is the application code that I wanna run and I run it on a container service and that container service takes care of the operating system layer all the way down through the bare metal.

4:40: That is somewhere there’s still a CPU somewhere that managing is my application work in a container.

4:46: So that’s where the container is.

4:48: So now I can deploy my application code in this container many times and have my, have my application code running in a lot of places.

4:56: So now that we’ve had containers and I I can now deploy 50 containers which are just 50 little instances of my application.

5:04: Then you go wait a minute.

5:05: Why do I need those running all the time?

5:07: I only really want to run them when somebody needs them.

5:11: So this is where ephemeral instances come in where I just have a piece of code.

5:15: And the example I always use is a currency conversion algorithm.

5:19: I need to translate US dollars to rupees.

5:22: OK?

5:23: I’ll write a piece of code that knows how to do that and deploy it as an ephemeral instance.

5:29: But the only time that code actually lives that is when somebody says I need to do a conversion.

5:36: And so you would largely have an API call on one side that says, hey, I need, I need to do this function.

5:44: Another great example of ephemeral instances might be if, if you have Amazon Alexa.

5:51: Wait, hold on, make sure she doesn’t.

5:53: Yeah.

5:54: Yeah.

5:54: That thing running in your house.

5:55: Anytime you give it a command, that command goes up through to a, an AWS lambda function, which is an ephemeral instance to do what you asked it to do.

6:04: OK?

6:04: And then when it’s done doing what it does, it goes away.

6:08: So the evolution there is rather than have these big servers running in big data rooms running 24/7 needing cooling now too.

6:17: You’ve got code that runs that, that is born only when you ask it to do something and goes away when you don’t need it any, when it’s done doing what it’s doing.

6:27: And so if nobody’s asking it to do anything, there’s nothing running.

6:31: So that’s the evolution of compute.

6:33: And I love, I love all that, Jim.

6:34: Thank you.

6:35: Here’s the challenge for those of you who are saying, hey, what about logging?

6:41: What, you know, let’s talk about the ephemeral as it pops up before you can blink, it’s gone.

6:47: What what happened in that, in that container?

6:50: What happened in that ephemeral instance?

6:53: And that’s been a challenge from a, from a GRC, a government governance, risk, compliance perspective in terms of how you keep track of all that stuff.

7:00: It’s a, it’s a thing.

7:03: Well, the good news is because these things aren’t running again.

7:06: Think I’ll think the two extremes.

7:08: Right?

7:09: One is the data center that this, this hardware is running this stuff 24/7.

7:13: It’s always on to this ephemeral instance.

7:16: It’s only there when it’s doing something from an attacker perspective.

7:21: There’s not when there’s nothing running, there’s nothing to, to sort of crack into, right, to break into.

7:28: So that’s the good news.

7:30: The bad news is the way in which we make sure that our services and applications are secure.

7:38: Our typical paradigm has always been to scan stuff, right?

7:42: So we have vulnerability scanners, we’ve got intrusion detection scanners, we’ve got agents running all over the place.

7:49: Well, with ephemeral instances, none of that stuff works.

7:52: You can’t do a virus scan on a system that doesn’t exist.

7:57: So, so we have to shift how we think about how we detect vulnerabilities, right?

8:04: And it goes back to not scanning the running instance anymore, but now you’ve got to scan the recipe if you will, right?

8:12: You’ve got to scan the code, or you have to figure out how to scan it in, in a, you know, run it so I can scan it but understand that that one instance is gonna be dead as soon as you are stopped using it.

8:26: So you have to think about the service in the case of containers, for example, the container system decides when to spin up a container and, and stop a container.

8:38: And so you really have to think about the the the image, the base image that it’s using to either spin up a container or an ephemeral instance to go.

8:48: If I spin up 50 of these things, they’re all just as vulnerable.

8:51: So how do I fix that root base image?

8:53: So the the good news is we’ve reduced the the plane of attack because we don’t have these systems running 24/7 that somebody can kind of crack into. The the bad news is they can still be vulnerable.

9:06: And the way in which we detect vulnerabilities has to be, we have to rethink how we look at vulnerabilities.

9:12: We can’t just use the same old virus scanner we used 20 years ago on our Windows 2012 server, right?

9:19: So let’s talk about some of the risks associated with you mentioned, if we, if we screw up the deployment, what could possibly happen?

9:28: We, we’ve got things around the data loss, we’ve got misconfigured settings.

9:33: Im These are alphabet soup of all kinds of risks.

9:39: Let’s unpack some of those.

9:40: Let’s talk about going back to your container dialogue for a second.

9:47: How can you screw that up, right?

9:49: So many ways. One, you could, you could screw up the container itself so your application can still have vulnerability.

9:56: So when the application is running, again, this is not an ephemeral instance necessarily, but it could be a whole containerized application with a web service that or, or is hosting APIs and those APIs can still have vulnerabilities, cross-site scripting issues, you know, you know, any sort of, of issues that you still have there.

10:18: But the other thing that that is now an attack vector is the actual container service itself, right?

10:24: So what if somebody gets is able to compromise the ship that’s holding all these containers, right? Now of a sudden as an attacker, I can decide whether or not a container can start up or not.

10:38: I can, I can shut down a container.

10:40: I can, I can replace your container image with my container image.

10:46: I can change network settings so that I can access your application even though your application wasn’t designed that way.

10:54: So now there’s a whole new infrastructure layer that I have to worry about protecting that.

11:00: Right?

11:00: So again, back to my analogy of the old data center that used to have the physical security guard outside the door, making sure nobody could access the racks and machines.

11:10: We’ve now replaced that whole data center with these virtual machine infrastructures or container infrastructures that now are that management layer that’s, that needs new types of protections, right?

11:22: Who has the ability to bring up tear down workloads?

11:26: So there’s all new attack vectors there.

11:31: Yeah.

11:31: Good, good stuff, Jim.

11:33: Let’s talk, let’s kind of shift, shift to a different topic for a second.

11:36: Recently, recently we talked, we saw a a headline from Wired that talks about how a hacker was charged with seeking to kill people using cyber attacks on hospitals.

11:52: The, the bad guys are still alive and well, they’re doing great.

11:56: They’re they’re busy.

11:58: What are you seeing in terms of, of leveraging a cloud service?

12:03: You know, how do you take a cloud service and apply it to a potential threat vector that, that may be related to a hacker, maybe to a ransomware actor, that kind of thing.

12:14: What are your thoughts on, on how to best do that?

12:19: I’ll say when I think about those, those types of cases, there’s two things that come to mind for me.

12:23: One, it goes back to the risk of misconfiguration, right?

12:26: You know, whether it’s ransomware, you know, any sort of control plane where the attacker can now take over, take over the operation of my application, right?

12:41: So the, the best example I think everybody’s familiar with is ransomware where all of a sudden you, you boot up your laptop and and you got to pay $10,000 to get back into your laptop, right?

12:52: That, that is something where, where the attacker has been able to, to take control of your machine much like in the cloud.

13:00: If, if an attacker can take, it can take control over your administration consoles over your container services over your virtual machine infrastructure or the ephemeral instance controller.

13:11: Now all of a sudden they can control which workloads go up and go down et cetera or like I said, replace the workload.

13:16: So, so that’s one which is a configuration management thing where I look at, you know, how are these things configured both permission wise network access wise as well as identity wise, right?

13:30: So for example, recently, we’ve put out a number of new what we call safeguards in the area of of infrastructure management around those three areas in particular.

13:39: So we look at things like and we have for a while on some of these but for like network access, right?

13:46: We warn customers around things like why is your container management service exposed to the public internet?

13:54: That that should do not do that, right?

13:56: That the the management layer should only be accessible internally not externally.

14:04: So that’s one example with identity.

14:06: We’re doing everything from making sure that you have proper access control as well as authentication capabilities.

14:12: It’s a strong authentication, for example, like having MFA, right?

14:16: Th this sounds like no kidding.

14:18: You should have that.

14:19: But, you know, one of the recent biggest breaches that we’ve ever seen was a result of not having strong authentication control, right?

14:27: So, so that’s so there’s a number of identity controls that we have there.

14:31: You know, the last layer is even having we put out another safeguard that we put out is around administrative access, making sure that that your systems don’t just have one administrator account.

14:42: You say, well, wait a minute, the more administrator accounts I have, isn’t that the more God account somebody could take over?

14:48: Well, sure, but the adverse is if you only have one administrator account and they take access to that, they’ve got 100% control, right?

14:57: You have no other administrator that can override the corrupted administrator, right?

15:03: So these are all the things that we look at from a configuration management, accessibility perspective on those services.

15:09: That’s number one. The other, the other evolving threat vector that keeps me up at night right now, especially with the, with the surge in AI, generative AI capabilities, is using data to attack services.

15:26: OK.

15:26: So I actually wrote a blog about this years ago.

15:30: But I, but I it was, I think it was entitled something like data is the new attack vector.

15:35: And what we start to see is for a lot of these services, particularly the leveraging gen AI or some sort of a data ingest mechanism.

15:43: The attackers, rather than try to take over the infrastructure, will start to feed it false data.

15:49: You know, we’ve seen attacks like this on the energy sector years ago.

15:53: Or attackers would try to feed into the systems false information about pressure sensors and gas pipelines to fool the the gas system to think that the system’s over-pressurized.

16:06: So it would then automatically release pressure when in fact, there wasn’t an over pressurization.

16:12: Therefore, bringing the entire system down because it just depressurized the whole system.

16:16: Anyway, attacking these systems’ data streams.

16:20: It is the next way that they will disrupt the applications, right, by making it think something is wrong or, or leading it astray, especially in generative AI. Imagine if you took a, you know, a chat bot that would help you bake cookies.

16:37: And I started to say that, you know, arsenic was a great ingredient for chocolate chip cookies.

16:43: And suddenly one day Betty Crocker’s J chat AI thing comes back and said you should put arsenic in your, in your chocolate chip cookies.

16:52: Not a good thing to do for those of you at home.

16:55: That’s, that’s not a good idea.

16:56: I, I did see, I saw that the cutest little AI play today and that was this little old British lady.

17:06: Super sweet.

17:07: She was programmed very specifically to waste the time of those scammers trying to get credit card data.

17:17: It was, it was the sweetest thing I’ve ever seen.

17:19: I, I, she could be my grandmother with a British accent and just the kindest, you know, and you could hear the scammer saying what, you know, bleep, bleep, bleep, get off my phone, stop, you know, and it was just a clever move.

17:34: So there’s a lot of plays on that, on that script, Jim.

17:41: Got you.

17:43: So anyway, that’s, that’s that’s interesting stuff when you think about data being used nefariously in, in a play like that.

17:56: So, we’re, we’re almost wrapped up here.

17:59: I, I do want to address a couple of things as we, as we term this episode.

18:07: And that is this week we, we had the tragic issue where the CEO for UnitedHealth was killed.

18:16: Our condolences go out to the family members and the friends and those who work at UnitedHealth.

18:22: And you know, it’s just we just have to continue to, to work to make health care better.

18:28: And and with that, thank you.

18:30: And thank you, Jim for your insights and let’s continue to protect the, the, the systems that, that allow our customers, our patients to, to have the care they need.

18:42: Absolutely.

18:43: Thanks Chris.

18:44: Thank you.

18:46: All right.

18:46: I’m gonna come back in here and interrupt you both.

18:48: Thank you so much for your insights so far.

18:50: What I’d like to do is close this out.

18:51: I have one final question for you both.

18:54: As we near the end of 2024 can I ask for a prediction from each of you?

18:58: I know you’re getting bombarded with a lot of prediction pieces now.

19:01: But I’d love a prediction.

19:03: We talked a lot about AI but in the, in the realm of healthcare cybersecurity would love your final thoughts.

19:10: Yeah.

19:10: So I, I, I’ll go first.

19:12: I mean, I think Natalie to, to your point about AI when I think of 2025, that’s what’s keeping me up at night right now in a couple different things, a couple of different ways.

19:20: One is the pace of innovation that we’re seeing around AI.

19:24: How do we, how do we understand the effectiveness of these AI engines and, and keep them in check?

19:31: Right?

19:31: How do we look at the quality of these infrastructures that are being stood up?

19:36: So I’m spending my days looking at ways in which we can embrace the technology, but also at the same time, put some controls into place to help understand the efficacy of them.

19:48: you know, it it and, and so we can lean into it.

19:52: But at the same time, keep use the use different AI models to keep ourselves in check with getting multiple sources.

19:59: I often equate this to how, you know, with the recent presidential election I, I don’t care which side of the fence you fall on, but it all comes down to trust of information.

20:09: Right?

20:10: And where do you get your information from?

20:12: And, and if you only, if you only look at one source of information, you’re probably gonna end up with a strong bias.

20:19: So the analogy I always use is like, I don’t care whether it’s Fox News or MSNBC.

20:24: If you only listen to one, you’re only gonna get one side of the story.

20:28: And in me, in much the same way with gen AI, and we’re seeing the proliferation of large language, small language models, different AI infrastructures.

20:37: And they’re all leapfrogging each other so fast.

20:40: We need to find ways in which we can leverage multiple ones to make sure that we’ve got a balanced view of the intelligence, the artificial intelligence that we’re trying to leverage to make us better.

20:54: And the second thing I would say on that is how do we, how do we not just take what AI says as fact, right?

21:04: We can’t forget there’s something still that we’re missing in artificial intelligence that exists in the human brain.

21:12: And I like to say my theory is that what AI lacks is skepticism, right?

21:19: And there’s some other elements of the human brain that, that I could tell you something that’s completely false.

21:26: And, and even though I could say it confidently, you might still go.

21:29: That doesn’t sound right.

21:30: And AI is not there yet. Remember, it’s getting a lot of sources of information and, and it’s doing the best job it can to make sense of it all.

21:41: But that doesn’t mean that it’s right.

21:44: So how do we make sure that we, we build processes around AI to make sure that we don’t lose that skepticism or that oversight of, of human oversight, even as imperfect as we are to go.

22:00: Wait a minute.

22:02: Let’s use it to help us accelerate, but it’s not yet ready to replace what we do.

22:09: That’s what I think about for 2025.

22:12: It’s a good one.

22:12: Jim.

22:13: Thank you.

22:15: Well, I’m gonna answer two questions.

22:17: One is you previously said, what are you, what would you do with an extra hour every single day?

22:24: I would go back to my guitar lessons.

22:28: I just don’t have time to do it.

22:30: And I, I like doing it.

22:33: I just don’t have time to do it.

22:34: That’s my first answer.

22:36: My second one is the prediction.

22:38: What is gonna happen in the next year?

22:41: These aren’t gonna be earth shattering predictions.

22:46: We’re gonna see AI, we’re gonna see those, those many different kinds of AI help transform our cyber defenses.

22:56: We, we’re gonna have to see that because we’re seeing the bad guys do exactly the same, but in the opposite way.

23:03: So we’re gonna see a lot of that.

23:04: We’re gonna see cyber budgets continue to increase.

23:09: I, I don’t believe they’re going to increase dramatically, but I think they’re gonna have an uptick in the, in the budgetary process for cyber.

23:19: And we’re gonna continue to see ransomware actors try to wreak havoc on, on the health system.

23:27: And, you know, we talked a little bit about the UnitedHealth issue just a few minutes ago.

23:34: We’re probably gonna see a lot more security start to follow some of the high profile executives that are making decisions that could potentially mean life or death to those who are needing some kind of an approval or not for insurance purposes.

23:52: Sad but true.

23:54: You’re right.

23:54: Absolutely.

23:56: Well, thank you both.

23:57: We have a lot of resources that we discussed today.

23:59: I’m gonna link some of them below, but cybersecurity is a team effort.

24:03: So anybody watching, we, we are here as ClearDATA to support you in those efforts.

24:07: And thank you all for, for joining.

24:09: We’ll be back with a Safeguard factory kind of rendition and spin off from this.

24:13: So thank you both Jim and Chris for your time today and I will talk to you soon.

24:17: Thank you, Natalie.

24:18: Thanks, Natalie.
