Cloudflare TV

🎂 Jon Green & Joe Sullivan Fireside Chat

Presented by Joe Sullivan, Jon Green
Originally aired on 

2020 marks Cloudflare’s 10th birthday. To celebrate this milestone, we are hosting a series of fireside chats with business and industry leaders all week long.

In this Cloudflare TV segment, Joe Sullivan will host a fireside chat with Jon Green, VP and Chief Technologist for Security at Aruba, a Hewlett Packard Enterprise company.

Watch more Fireside Chats 🎂

English
Birthday Week
Fireside Chat

Transcript (Beta)

Hi, everyone. This is Joe Sullivan. Happy Cloudflare birthday week. I'm here today with Jon Green.

Hey, Jon. Thanks for joining me. Do you want to take a minute to introduce yourself to the audience?

Yeah, I'm with Aruba, which is the networking piece of Hewlett Packard Enterprise.

I work in the CTO's office and do all sorts of security related things.

So from security vision of where we're going in the future to product security, the incident response team, our threat labs team, and I get federal certifications too.

So that's a lot of fun.

Okay. That's quite a wide range of security challenges on your plate. Well, my background is I'm the CSO here at Cloudflare.

I've been at the company for a little more than two years, and this is my third stop as a CSO.

So I'm quite familiar with the type of things you just described and looking forward to talking to you about them.

And one thing in particular is, just to jump right into it, is the whole concept of borderless security.

You work at a networking company. I work at a networking company.

What does borderless mean to you for real? Yeah. This is kind of a continuation of a term.

Some people would say Zero Trust networking or zero trust architecture.

It goes even back to the old Jericho forum where they talked about deprimerization.

And I think that's the idea is we don't have borders around our networks anymore and borders around even the way that we do work.

We're all sitting at home during a pandemic and still functioning for the most part, maybe less efficiently as we did in the office.

But that idea that where we do work doesn't really have the same borders that it used to because technology has made it possible to not have those borders anymore.

That's kind of how I would describe it.

And do you think we really have moved in the last five or so years to a more borderless world or is it just different kinds of borders?

I think it's different kinds of borders.

We look at one of the topics I talk about a lot these days is Zero Trust.

And because there are people that would say, hey, security of your internal network is obsolete.

We don't need that anymore because we're going to embrace this whole idea of Zero Trust.

And so let's just treat the internal network like a public Internet hotspot.

And we'll all jump on that and then access our cloud-based services and get our corporate data that way.

And reality is that works for a segment of the user base and for a segment of the application space.

But if your company wasn't formed in the last 10 years, you have all sorts of legacy that is still out there that does sit behind a border or a perimeter or a VPN gateway or whatever, however you want to describe that.

And then at the same time, you have new types of devices which represent different types of threats coming into the organization.

And the IoT world is kind of where I'm thinking television screens on the walls of your conference rooms.

And those have cameras in them.

They have microphones in them. Who are they talking to? What should they be doing?

And are they doing things that they shouldn't be doing? So new kinds of threats there that that thing sits behind the border or behind the perimeter, potentially, depending on how you've deployed that.

So I don't think the borders go away, but definitely they change in nature and are something we have to look at.

So it sounds like borderless is more just in the context of web applications and laptops, really?

It certainly flows most easily with that. I mean, if you have, and you know, working for Cloudflare, if you've got browser based applications connecting to web servers on the other side, that's sort of natural.

And devices like laptops can can do that and they can flow and move across different network boundaries.

You know, I can have a laptop that's connected to Wi -Fi.

I can plug it into a wired network. I can leave the building and have it switch over to LTE.

The security model and the access model for how I access that cloud based resources doesn't really change.

The device is accustomed to that sort of mobility happening now, which was not true 10 years ago.

And and yeah, it just it just works.

So I think it I think those types of devices and those types of applications certainly lend themselves the best to that type of an architecture.

So what what what do you see as the biggest risk then if if IoT is kind of the next wave?

How is how does this borderless world work with IoT or does it? Well, it depends on how much people are going to care about it.

You know, there was a really famous, I guess, infamous example of a casino that had its, you know, high roller database stolen.

And it was stolen through a Wi-Fi connected temperature sensor inside a fish tank in the in the casino.

Clearly, that was something that, you know, improper network segmentation was done there.

Improper access control was done there.

Somebody just said, Well, I got to put this thing on the Wi-Fi. So I'll just put it on whatever Wi-Fi have available.

And there happened to be a whole bunch of other stuff on that Wi-Fi or connected to that network.

You think about the target source hack, same idea, the HVAC control systems somehow had a pathway through into credit card systems.

And so as people realize those sorts of things, then I think they care about it.

But often it takes a high profile event like that taking place before people really sit up and pay attention and say, that thing I just attached to the network, really, it needs certain privileges, it needs to talk to the Internet, and maybe only a certain piece of the Internet and nothing else.

I always think that borderless means it's just a shift, or at least in some context, borderless, it means a shifting of areas of focus from like the edge of the network to maybe the edge of the application or the edge of the hardware, or the edge of the authentication mechanism.

Yeah. And does that sound about right?

Yeah. And clearly, one of the one of the attitude shifts that you have to have with that concept is treat your network as though it's compromised.

And that's absolutely the right thing to do. You should you should have that mindset.

So I think that the shift in attitude was previously presence on a network on some some network segment was sufficient to grant access to some type of resource.

And that was the only thing that was required is if you're inside the border, if you're inside the perimeter, you can hit this, this resource, this web server, this, you know, whatever it is a Windows file share.

And that's all we really require.

And that's where the idea of okay, well, VPN client, I've got to be I've got to somehow make my external device look like it's inside the border.

In order to get that type of access. I think everybody looks at that now, well, hopefully and says, that's not safe because as soon as I get one employee who clicks the phishing link, and now has a compromised device, still an authenticated user authenticated device connected to an internal network, but it might be somebody malicious that's driving the browser on that on that device and connecting to those unprotected services.

So we have to treat the internal network as though it is like the external network.

It's a it's a it's a threat. There's all sorts of people that want to do us harm on that network.

So that's that's kind of the distinction that I make in the shift in the shift in thinking that I think took place.

Yeah. And it seems like the catch 22 there then is that if we don't trust the network, then we're encrypting the traffic on the network, we're trying to make sure that our traffic is more secure.

But the endpoints are loop as they move in the direction of IoT and things like that, they're fragmenting in terms of like their consistency, or the ability to put endpoint solutions in place.

They they are absolutely.

And I often when people bring up Zero Trust, I say just because you no longer trust the network doesn't mean you trust nothing, you have to or else nobody gets any work done.

So what really trusting is the endpoint at that point. And, you know, for, for sort of employer issued devices managed by an IT organization with software pushed out on it, you know, whether it's whether it's CrowdStrike, or whether it's McAfee, or, you know, any of those different endpoint packages, there's a lot of trust that goes into those things and in in detecting that this is a bad device out there.

And maybe I should do something about that. The IoT world has none of that, you know, the television screen on the wall isn't running into virus.

And that's why it becomes really important to say, I have a certain amount of trust for that, that device.

And really, it's the old school, it is perimeter based, you know, but hopefully, we bring that perimeter down to the individual device.

That's what we try to do, as Aruba, to say that that TV needs to speak one protocol on the internal network.

And that allows me with my laptop inside to connect to it to remote display video, everything else is blocked.

And I don't even want the thing talking to the Internet, because who knows what it's what it's out there, doing it, you know, it could be infected with MRI botnet traffic, and that sort of thing.

So that's a big part of your product, then from a security standpoint, the ability to differentiate between devices and automatically limit.

Yeah, I mean, ultimately, we're a we're a network infrastructure company.

And the security that we provide is kind of old school network access control.

It's saying, you know, what's on the network?

What is it? What are those things doing? Are they doing the things they should be doing?

And that requires, you know, our customers to look and say, well, what do I want that television screen to do so that I can put those types of rules in place?

But then, you know, authentication, who are you?

How, how assured am I of that authentication that you provided? Is it digital certificates and 8021x?

Or is it, you know, I've got a MAC address, and I plugged into an Ethernet port that that type of thing.

Once I know what you are and who you are, then I can try to enforce those those types of access rights and also flag it when somebody violates those access rights to say, hey, the webcam is suddenly trying to port scan the entire Internet, that could be a problem, we should, we should go look at that.

And the final piece of our security story would be how do I integrate that into the rest of the security infrastructure?

So can I can I establish communication with my firewalls with my IDS IPS with my SIM, bi directional so that the network is both a sensor and also an enforcement tool?

That's that would summarize our security story in kind of one minute.

Okay, yeah, I think as a, as a user of products, on, on the security side, I'm always thinking about two things.

I'm thinking about both the making sure that the security part, so it sounds like you've got that side covered, you integrate into the standard tools that the security team is using.

But the other side that I always worry about is that we're going to roll out a product that's going to be implementing security in a way that's going to cause unexpected friction for our employees surprises.

So I guess the surprise you're worried about is somebody plugs in a new device that the network doesn't recognize.

Is that one of the big risks? That's certainly one of them.

Yeah, because you don't you don't know anything about it at that point. And if it's, if it's a device type that we've seen before, then there's some machine learning magic that can take place to say, yeah, that new device is actually, that's an additional television screen.

It's just like all the others, let's automatically treat it the way we treated all the other in the past.

But if it's a if it's totally unknown, then the security team and the network team needs to make a decision of what is our default posture for things that we don't recognize that we've never seen before?

Is it give it Internet access? Because that might be that might solve the security versus usability challenge, and let something work that needs to work, and then you'll detect it and can go back later and look at that and sort of give it a more fine tuned rule.

So you're effectively giving it guest network access?

Or do you say it's blocked entirely? And that kind of depends on what the posture of the overall organization looks like.

To me, it's got to be fascinating working in a company like that, you get to see what's really happening on the networks of real companies.

And I think when we were talking in advance of this session, you mentioned you were talking about home networking, as an example, and probably between the two of us, we've got over 100 different devices on our home networks.

How many different types of devices does the typical enterprise have?

It's, it's hundreds. And again, this depends on the type of organization, of course.

So we were talking about, you know, one of our customers is a big, a big retailer.

And they're just inundated with these things, because there's always some new retail application that, you know, specific for certain product types that they want to bring into that to the stores, and connect into the network.

And their, their conundrum is, how do I segment that from everything else?

Do I create a VLAN on my, my network and my wired network or wireless, every single time there's a new device and put those in it?

Or do we have kind of the wild, wild west VLAN, where we say, well, all the all that stuff, we're going to shove it over here, and let it have Internet, Internet access and nothing else.

And that brings up, you know, do I want the thermostats, sharing network transport and being able to communicate with, you know, some retail person tracking or shelf track tag tracking system?

Maybe, maybe not. But if you know, if it's the electronic price tags that go onto the shelves, that's kind of critical to my retail business, because if they're marked wrong, you know, it creates all sorts of additional problems.

So they're struggling with that. And that has to be something that ends up getting automated to where the network says, I know what that thing is that just got plugged in.

And here's the access rights that needs to have.

Okay. Yeah. So to zoom out a little bit, this is our birthday week at Cloudflare.

And so we're 10 years old as a company. And one of the things that we're thinking about and asking our guests about is what surprised you in the last 10 years of the Internet.

And I would love to hear your thoughts in terms of how the networking world has evolved in the last 10 years, what surprised you and what's gone in the way you thought?

The growth of the cloud has certainly been a surprise to me.

I don't have a wonderful track record at spotting the next big trend. I'm really, really good at spotting stupid ideas and calling those out.

But you know, like in 97, I said, voice over IP is just a fad.

We're never, this is never going to go anywhere.

So I'm willing to admit that sort of thing. And cloud kind of snuck up on a lot of us in in saying, well, that's fine for Amazon.

And that's fine for people who are just doing things that are, you know, public websites, but big companies with with serious data protection needs are never going to embrace this technology.

And that's, that's been a surprise to see the extent to which, you know, the Amazons and the Microsoft's of the world have convinced those companies that it is safe to use that technology.

And I think largely it is, you know, they're those guys are good at running infrastructure and running data centers and achieving reliability and that sort of thing.

So that's been one surprise.

The other one that we kind of talked about before is that surprises me, maybe it shouldn't is the extent to which bad actors have been able to take advantage of, you know, the Internet and how interwoven it's become in everyone's in everyone's lives.

You know, we thought of back in the 90s, we thought of all the hacker community, that's the people that we need to watch out for.

And, you know, here's my DEF CON flag behind me on the, on the wall, but that's not the community that's causing us problems.

It's it's organized crime. And it's, you know, people that have set out and figured out a business model that says, hey, using the Internet can make us a whole lot of money by stealing it from from other people.

That's been that's been both surprising and obviously also disappointing to me, I guess.

Yeah, it seems like in particular, that that kind of the dark side of the Internet is getting a whole nother level of attention right now, for two reasons.

One is the misinformation campaigns on the on the large social platforms.

But the other one has been ransomware.

And this ransomware showing in the world that like people across borders can attack companies and organizations with impunity.

How much do you see that topic come up with your customers as as they think about like network segmentation as a way to minimize that risk?

It's pretty big. And, you know, one of the ways that they want to use network segmentation is to try to reduce that, that attack surface.

So if some if something does get in, it doesn't have just rampant, unfettered access to the rest of the network and all the other devices there.

So that topic has become actually quite big. And hey, why do we need Windows laptops in our network that communicate with each other?

Let's shut down peer to peer communication.

And, you know, the only authorized communication is out through the firewall, maybe back in but very few use cases for peer to peer communication anymore.

And just doing that one thing knocks down a lot of the rampant spread of this sort of stuff once it gets in.

That's fascinating. What, what do you think?

When you go back to the, you know, the 10 plus years ago, what were the architectural decisions that were made that kind of led to this surprising outcome of, of both on the one hand cloud and, and just kind of this badness that's perpetuating?

Yeah, I think I think cloud is sort of just we've been on this pendulum over and over with mainframe computing and many computing and client server.

And this is just the latest iteration of client server again, I think it's more efficient for an Amazon to put together a huge data center.

But they've, you know, and certainly the model has changed the whole elasticity, the I can click a few buttons and get an operating system running.

So virtualization made that possible.

It's, it's, it's, I'm waiting to see what comes next. I'd like to see what the next evolution of that is, because now, now people are talking about edge computing again and saying, well, we can't send too much data to the cloud, we've got all these latency problems, we've got bandwidth problems, we've got cost, what do we bring back out to the edge?

So I'm kind of watching the pendulum again, shifting a little bit, but, but we'll see.

Otherwise, though, I think there's a certain degree of trust, I guess, of, hey, you know, we're a Silicon Valley company, we're inventing this cool technology, we see all the ways that it can enable, you know, cool stuff to happen, or more information or better connect, you know, you worked at Facebook before, the connecting people together, it was the goal of that.

And I think people don't, people like me are rare in that I tried to look at what could go wrong.

And most people I don't think look at what could go wrong as much.

And that's, that's why I think it's really important, you know, we send people to hacker conferences, because I want them to see, you know, what is the process somebody goes through?

And often, it's really just, okay, well, they told me to use the product this way, but I'm going to use it this way.

Are they going to stop me from from doing that?

There's not enough of that mentality out there. And sometimes when you express that mentality, people give you dirty looks like, why are you so negative?

And why is the glass half empty with you? And it's not really that it's more just thinking ahead to, you know, what could happen?

I think that's industry wide.

And, and, you know, people just suffer from too much optimism sometimes and saying, we're going to do a good thing here.

And not think about the other sides of that.

Yeah, I think that's, it's, it's pretty easy to do with technology, right? People get excited about what something can do, and they don't think about the downside.

I guess it started with cars continues with everything else. Yeah. And like everyone likes to say that cars started to go faster when they invented brakes.

So yeah, but but seeing, you know, people have adapted to, you know, we've, we've seen computer security, just in general, people are way better at it today.

At least they know what to do, they may not be able to do it, then they were, you know, 10 or 15 years ago, and we were talking before about universities, how they were the last people to deploy a firewalls, they would, they would often brag about, we don't need a firewall.

And all our workstations are publicly Internet addressable.

That's totally changed. Now people, people have woken up to that. So I think it's, it's a cycle, people, you know, see what goes wrong, and then they fix it.

We don't get ahead of it, but but we do fix it once it's broken. Right? Yeah, no, security profession is certainly grown up in the time you've been involved, in terms of, you get a lot of support in your organization, you get direct line to the senior executives and board members.

Can you talk a little bit about that? How you've seen that evolve?

Yeah, you know, looking at what CISOs went through, even even five years ago, it was often a fight to justify budget.

And it was, you know, how do you quantify the thing that never happened, and attach a price tag to that.

And today, I think there's been a solid shift on boards of directors.

It's definitely on ours.

HPE's board is very involved in cybersecurity and asks a lot of questions about that.

Every board meeting, our CISO is, is getting up there and giving presentations about that.

And then about a year ago, maybe a year and a half ago, they started pulling product people like me into that and saying, you know, a data breach of our financial systems is bad, and embarrassing, and we don't want that sort of thing to happen.

A breach of our products, and you know, HPE builds all sorts of stuff that goes into people's networks, whether it's networking equipment, or servers, or storage, or, you know, these sorts of things.

If those devices are compromised, if those have backdoors in them, or security weaknesses that cause a customer to get hacked because of us, that's way worse than our own systems getting broken into.

And so they've started really, you know, every board meeting, we're being asked to say, you know, what's the status of your product security program?

What have you improved? Where are the gaps? And by the way, we're sending internal audit and sometimes external audit to go after you, not from a financial perspective.

I mean, internal audit used to be focused on misreporting of earnings.

They're definitely looking at cybersecurity now and saying, you know, and not just, not simple things, not just, you know, are you running antivirus software?

And did you change your password? But getting into, you know, SDLC, and do you do static analysis testing in your code?

And how do you do vulnerability management and all that kind of thing?

So it's, that part's encouraging to me.

I was, as I said before, it's a pain for me, because I have to do all that stuff now.

But it's really encouraging to see, you know, corporate governance, including those sorts of things now.

Absolutely. I got to believe your company is probably the same, the same way on that.

Yeah, absolutely. I went through the process like you of thinking through, which is a bigger risk?

And where do we apply our resources?

So I think every security team comes out of the gates focused on like, how do we make sure we as a company don't get hacked?

But when you're when you're when you provide services and products like your company and mine do, protecting our customers becomes job number one.

Yeah. And now, as you're well aware, with cloud stuff, you know, we're expanding into cloud services as well.

The blast radius gets so much bigger if you've got if you've got security problems there.

So now it's not just a box that's in somebody's network. But now it's customer data, and potentially the keys to their kingdom that sits in your own software environment in the cloud.

So now we're that much more worried about it.

Absolutely. How much do you think about default configuration when you release products?

That one's tough. We think about it a lot. And it's always this struggle between security and usability of the product out of the box.

If you let the security purists take over, they would want this thing so locked down that, you know, you've got to have a password on the console port from from, you know, initial setup and that sort of thing.

In internal audit, you know, we were speaking about that they nailed us on something about a year ago and said, Oh, your password complexity policy is turned off by default, you should have that turned on by default.

And we said, Yeah, probably. But here's the outcome of, you know, how many support calls are we going to get if we if we do that, because whatever default password policy we choose for a product is not going to match up with a customer's policy.

So instead, we provide this laundry list of here's what you can configure and turn on to enforce a password policy.

But we don't turn that on by default.

And so it comes up frequently, you know, different default settings, we have at least established kind of corporate standards, or at least within Aruba, we have to say, you know, no default passwords.

If you have a default default password, it's got to be something that gets changed the very first time you interact with the device.

So think about an ethernet switch, you want that thing when you plug it in to start switching packets.

That's fine. It can keep on doing that for 50 years.

But the first time you interact with the administrative interface, it's going to say you have to set a password and you can't go further until you until you do.

So it's always a balance. And, you know, we have a lot of in depth discussions about what's this going to do from a usability standpoint, versus what's this going to do from a from a security standpoint.

Right. And I mean, it's different from selling consumer products and that you're selling to professional teams who are used to hopefully running networks and understand the complexity of the products, but you still want to give them a good password.

Yeah, so we've taken to, you know, we wrote up, we ran up different hardening guides and say, you know, hey, if you're going for a pen test, this is these are all the things you should look at.

And a lot of people use those guides. A lot of people don't, unfortunately.

Sooner or later, hopefully they finally what, how do you think about mobilizing the security community to help your company and your product be secure?

Well, a big way that we do that is with our bug bounty program. We started a bug bounty program, probably six or seven years ago.

It's been a while now. And we've done it through bug crowd.

So they were there's there's bug crowd, there's SYNAC, there's HackerOne.

I think those are the big three that are out there.

They're all good. They all have largely the same type of people working with them.

And sometimes it's the same people, they just kind of say, well, this company over here is in this program, and this one over here, and I'm interested in both.

So I joined both. That's been really good, though, in terms of people finding things that our own engineers don't find.

And again, we've tried to teach our QA engineers to think more in terms of what could go wrong.

And they do when it comes to functionality, they don't when it comes to security.

And what we've been able to do over time is to say, hey, there is a common attack that we're seeing, you know, command injection in the CLI or SQL injection, or one of these patterns that we see.

And we've been able to put together a bunch of the work that the bug bounty community has done and present that to our developers and our testers and say, this is how the attacker community approaches a product like ours.

And so they've gotten better over time at being able to proactively, you know, keep those things out of the product in the first place.

We still have technical debt that we have to go back and deal with from being an 18-year-old company.

But that's been really good.

We also, not that this is exciting, but if you ever go read our vulnerability disclosure policy, we wrote in specific kind of safe harbor statements, and therefore the hacker community, the ethical hacking community that said, if you report something like this to us, we will never go after you from a Computer Fraud and Abuse Act standpoint, from a DMCA standpoint.

Here's the conditions that we place on that.

And here's how we want you to behave. But as long as you're a good being a good citizen about this, absolutely come and tell us these things.

We're never going to take a negative action against you for that. And we're not going to refer you to law enforcement and none of that sort of thing is going to happen.

That's great. I'm sure the community really appreciates that. We need more companies to do things like that.

It looks like we're just about out of time.

So I just want to finish up by saying thank you so much for joining us. It's been a good conversation.

Yeah, thank you. It's been fun.