🔒 Security Week Fireside Chat: Brian Rutledge & Vijay Chauhan
Presented by: Vijay Chauhan, Brian Rutledge
Originally aired on February 10, 2022 @ 3:00 PM - 3:30 PM EST
In this Cloudflare TV Security Week segment, Vijay Chauhan will host a fireside chat with Brian Rutledge, Security Director, Temenos.
English
Security Week
Interviews
Transcript (Beta)
Hello, my name is Vijay Chauhan. I work in product marketing at Cloudflare and I'm super excited to be holding these Security Week Cloudflare TV segments where we get to talk to our customers about all things cybersecurity.
So we're in the midpoint of Security Week, still a bunch of product and partner announcements to come.
But I'm super excited today that I have here with me, Brian Rutledge, Cloud Security Director at Temenos.
Welcome, Brian. Thank you very much. Glad to be here. And thank you for joining.
So to kick us off, would be great to learn a little bit more about you and what you do at Temenos.
Sure. I am obviously, as you said before, I'm the Cloud Security Director at Temenos.
It's basically a global role. I started out previously governing the Americas region.
And over the last few months, I've moved into more of a global role.
Primarily, our group is focused on the security controls associated with our SaaS business.
So anything that has to do with network security, perimeter security, application security in some tangential way, and then external threat security as well.
Awesome. Awesome. And, you know, looking at your background, I know, it spans security, compliance, audit, you've been a QSA.
I know earlier on, you got your business degrees from Texas State and UTD.
Would love to learn about, you know, that journey, your route from there to now being Cloud Security Director at Temenos, and especially any nuggets that you have along the way with respect to your security journey.
Sure. So going back that far, once I got out of the Navy, I wanted to go back to school and obviously, you know, get my degrees.
And so at first, I thought, oh, I'll just go into a very generic role, a business role.
And that seemed to work out in undergrad. And so I kind of stuck with that in my graduate studies, and went for my MBA, because I felt like at some point, I wanted to, you know, ascend up the ladder a little bit into executive management at some point.
But that didn't actually, I mean, I did get up the ladder into management at some point.
But what it ended up being was I took a turn towards compliance at first.
I started out as a system administrator at Verizon Telecom, but then jumped over into a compliance group that dealt with their PCI certifications at the time, and stayed there for about 15 years, and then got my CISSP and thought, well, I'd try something new.
So I took off the Trustwave and became a qualified security assessor for two years, basically going, you know, through all kinds of network security and other requirements that were associated with the data security standard.
And then I thought I'd try something else a little bit new and jumped over to a small software company that did software.
The only one there that did my job, I was the security compliance manager, so focused a lot on their compliance, but also on their cloud security, because they were a pure SaaS company.
So I got a lot of exposure to the SaaS security environment and the cloud itself in AWS.
And then, you know, through some acquisitions and things like that, I ended up moving over to a company named Kony in 2019, who was ultimately bought by Temenos and was the corporate compliance director there and ultimately came to be the cloud security director here at Temenos through, you know, experiences and different, you know, job, you know, motivations and trying to stay on the cutting edge, really, of, you know, the cloud environment and understanding how to secure our customer environment.
Awesome. Now, you skipped over a little piece of your background that I'd love, if you're able to, to share, which is the part of your career where you spent time on a nuclear submarine.
Tell us more about that. Yeah, so I was on a submarine called the USS Parchee.
It was based off the west coast in San Francisco, California. And I was an electronics technician, navigation electronics technician.
And so I was primarily charged with knowing where we were at all times and, you know, operating out of the control room.
So there was and there was a lot of data security actually involved with that role.
So I guess maybe that was the first real foray into secure the security world.
But yeah, we used to go off and do interesting little ops off the coast.
Yeah, you're right. I can't talk about them too much. But I've been to some really crazy wild places in my, in my life.
And it, you know, it's, it's pretty amazing.
Submarine life is you have to be okay with, you know, tight and close places to to be able to serve on a boat like that.
Awesome. Awesome. Well, thanks for sharing that.
So now switching to your current role at Temenos. Tell us a little bit about Temenos, the industry that you're in, maybe a little bit about your customer base.
Sure. Temenos is primarily focused on banking software. Previously, before they bought my company, they were more of a core banking solution provider.
And then with the acquisitions of Kony and some other companies, they wanted to get the full suite from front to back, you know, provided to their customers.
So they wanted to go into, you know, formally go into more mobile banking and online banking.
They already had products sort of associated with that. But, you know, Kony was able to come in and provide, you know, a more cohesive product like that.
And so now we're, we're really trying to move our SaaS business forward a lot, a lot faster and a lot more smoothly.
And so, yeah, we have global customers, we have, you know, tier one, tier two banks, we have challenger banks, we have all kinds of banks and credit unions and financial institutions, FIs, that utilize our software, because we have a, you know, we have pretty broad software suite with our Infinity project.
And what can you share, Brian, about your software, your technology or infrastructure stack at Temenos?
So the, yeah, the infrastructure stack is focused, we're trying to focus more on the cloud itself, obviously, and all the native security controls and tools and services that we can leverage from the cloud itself.
The applications itself can vary from mobile banking, online banking, core banking to, you know, loan origination software, fraud prevention solutions, things like that.
It really provides a broad, you know, application base to a client who is wanting to either take a small piece of it or get the entire suite.
And you spoke about your customer base being pretty varied, right? You have the tier one banks, all the way to challenger banks and credit unions.
Speak to us a little bit about kind of the variation in sophistication as well, of those customers, and how does that impact what they expect from you as their vendor, as their partner of choice?
Sure. So a lot of times, the smaller the client is, they rely on us to handle most of the infrastructure.
You'll always have, you know, a larger institution that will come in and want to customize things a little bit more for themselves, things like that.
Credit unions and regular banks obviously have some different motivations there.
You know, smaller challenger banks and things like that, you know, they're looking for, you know, a lot of times they're looking for a one-size-fits-all type solution, more of a SaaS solution, which is kind of what we're moving to, or trying to move to more.
So it's very diverse in the types of customers, you know, that come to us because at any given time, you could have a huge SOW or something like that for a project or a very small, you know, requisite job, you know, plan that, you know, something that needs to be implemented in either, you know, one cloud environment or another, or, you know, we do still have some on-prem customers who'd like to run everything out of their own private cloud, which is, you know, that works too.
We can, you know, license software in that way, but it's a very wide, diverse population of clients for sure.
And how does that diverse customer base, how does that impact, you know, the security challenges that you have to deal with in your role and in your industry?
Right.
Well, everybody has a baseline security that they like to see, right? There's always some check boxes that they come in with, but then you'll have other people that, you know, other clients that'll come in and they'll, you know, they'll want something added onto that, or they'll want some extra services added onto that, or, which makes it a little bit harder to, you know, to not be so custom, which is, you know, it's, you know, we want to try to be as agnostic as possible, but, you know, they'll come in and they'll, they'll want to have a certain cloud hosting provider, or they'll want to have, you know, a different added security control that may not be part of our standard package that would require a change in customization, or they may have some specific data requirements, right.
Based on either GDPR or based on, you know, FFIEC or something like that, depending on what country they're from and what region they're in, we may have to customize that a lot more for a particular customer.
And now, if I can flip over a little bit into your journey with Cloudflare, I know you've been a customer of Cloudflare for a few years now.
Tell us a little bit about how you, how did you find us and what was the original use case or use cases that you were looking to solve with Cloudflare?
Yeah, so my personal journey with Cloudflare, obviously, I've known about the company for many years, but Temenos itself has been using Cloudflare for a while now for protecting their corporate environments.
But recently, I had a requirement to add some extra external security, in particular, some bot management protection, you know, for a client's request.
And so, we leveraged that, you know, that enterprise agreement that we have with Cloudflare already, and went ahead and made that relationship with them for that particular client.
And so, I've been able to see how it works a little bit better from a, you know, a client protection perspective, which is a little bit different than things that you would utilize it for yourself, right?
So, some of those tools we did use from a corporate perspective, but by and large, when you have a client that has a little bit different, you know, member base and customer base on their side, and they have different things that they are trying to protect, it's a slightly different configuration challenge there.
And then, it's really, really awesome to see it in action, right?
So, when it does what it says, you know, it's great to find a vendor and a tool that does what they say they are going to do, right?
And so, it's really refreshing to see it actually work. Awesome.
And on the, you spoke about kind of bots and bot attacks, any double click you can give on, you know, what are some of the types of threats that you want to protect yourself from?
Yeah. So, primarily, one of the things that I've seen recently are credential stuff.
Basically, let's know about that a little bit, where you'll have some malicious actor that will find some user credentials online, and then automate that in a botnet and try to, you know, take advantage of a legitimate endpoint, right?
A lot of times, whenever they're trying to access or penetrate into something that's not necessarily designed for public access, that's easy to know, and that's easy to block, right?
You can just turn it off, in most cases. But in this case, having an attack on a public website that's meant for public interaction is a little bit harder.
And so, you've got to leverage a tool like Cloudflare that has some machine learning capabilities and artificial intelligence that can understand behaviorally speaking, what that aggressive malicious actor is trying to do, and then take advantage of, you know, the network itself, Cloudflare's network.
And for solving that particular problem, you know, around bots and credential stuffing and, you know, attackers trying to get access to information and data that they probably shouldn't, what were some of the other options or technologies that you were considering?
We were considering some other similar tools to Cloudflare, but we already had that relationship with Cloudflare, so it didn't make sense to go with another tool that could be similar in some ways.
But we were already implementing standard native cloud services to deal with that.
But, you know, the cloud hosting providers themselves, this isn't, you know, what they do, right?
They can block really effectively, but they don't have a lot of the behavioral analysis associated with some of the third party vendors, right?
So, I don't know if they'll ever, you know, migrate into that field, but I think, you know, they've left it to the third party vendors like Cloudflare to manage that and do what they do best, right?
Excellent. And we were talking earlier about, you know, the customer base that you have and their expectations from you from a technology as well as a security perspective.
How much interest and how much influence do your customers have in terms of what technologies you use, what security you use to protect their data?
They have some say in that. If you broach a, you know, a vendor like Cloudflare that has name recognition, it's easier, especially if you want to continue to use, you know, Cloudflare like that in that case.
But I do, yeah, we do have clients that come with their own solutions and their own preferences for other tools and vendors.
And so, it depends, right? It really depends on who's managing that.
I mean, if it's something that they're utilizing outside of our service and it's just something that we would hook right into, like maybe an Okta for, you know, IDP or something like that, totally works, right?
Anything that we can leverage from a connectivity perspective, you know, like some of the tools like Okta for an IDP perspective, right?
So, it's like we have a lot of interoperability with other tools.
And so, it's not really hard to bolt on that other security if a client has something that they prefer to use or if there's an integration point that makes more sense for us.
It makes sense. And so, this is security week.
Each day, we've been announcing different products and different partnerships.
Anything that you've seen that we've announced this week so far that has caught your attention?
Well, I do like the remote browsing functionality that you've announced or talked about at least in recent months or recent weeks or whatever.
And I think, you know, from the perspective of the pandemic, that's super helpful, right?
Is keeping, you know, end users secure while not compromising, you know, internal systems, right?
So, I think that really helps when we're so spread out and we're so out of our secure office perimeter environment, right?
The other things that I was interested in is some of your DLP solutions that you've been talking about.
Data loss prevention is huge in my industry, right?
Because we're dealing with people's banking information every day, right?
And that is one of the top things on their list is how is my data secured?
You know, who has access to my data? What can they do with my data if they do have access to my data?
So, data loss prevention is huge for us. And so, anytime that we can leverage, you know, DLP on a user endpoint device or, you know, in the cloud in a strategic way or in a tactical way, I think that makes a lot of sense.
Of course, you know, we utilize, like I said before, we use a lot of defense and depth security controls.
And so, you know, we leverage things like parole-based access control, segregation of networks, you know, perimeter defenses, multi-factor authentication, all this really standard default stuff that, you know, people take for granted.
But, you know, you still need to ensure that that is all working cohesively and that it is all, you know, not preventing, you know, or slowing down an application, but allowing it to, you know, to function properly.
Right. Right. Double-clicking on remote browser isolation, you know, remote browser isolation, it's not a new category.
We certainly feel like we have a very different and differentiated way of implementing it.
What do you think have been maybe some of the barriers to you and other organizations adopting remote browser isolation?
Well, it might be that, you know, organizations may not realize how it works or that it's available, to be honest.
I honestly haven't used it in any of the companies that I've ever worked for.
So, I think if, you know, Cloudflare especially wants to evangelize that and, you know, socialize that out into its broader client community, that would, you know, I'm sure that's obviously what's happening.
But I think, you know, keeping that and using that at, you know, especially as a mechanism to avoid security incidents in an age of COVID and pandemic, right, I think that makes the most sense.
Brian, now switching to, you know, other security challenges that are top of mind for you, you know, what else are you thinking about?
What else have you got plans to try and address in the short term?
Well, I think one thing that we're, you know, a few things that we're trying to, you know, to deal with is standardization.
I think a lot of, you know, companies deal with that, especially larger ones like ours that do a lot of, you know, acquisitions and smash companies together and organizations together.
I think standardization is key.
And I think, you know, the other, you know, huge barrier to progress sometimes I would say for the cloud security world is there's something new every week.
I mean, every single week, we have a new tool, we have a new solution.
We've got open source, we've got vendors supported. Some things cost, you know, thousands of dollars to utilize and some things are free, right?
So, it's a juggling act of trying to figure out what solutions make the most sense for my client, but also, you know, make it something that I can scale, right?
So, like you said earlier, you know, do customers and clients come to us with requests?
And it's like, yeah, they always come to us with ideas, but we also have to ensure that we can scale that, right?
And utilize, you know, that functionality hopefully across all of our clients and not just focus on, you know, individual custom scenarios.
I want to be able to, you know, standardize as much as possible. Automation is a key factor for us to automation orchestration.
Anything that we can automate to, you know, reduce manual mistakes in those processes is key for us.
And, you know, continuous integration, continuous delivery, CICD, those things are, you know, really, really helpful in a good secure software development cycle that promotes.
Awesome. So, standardization, automation, big ticket items for you.
If you start to look a little bit further out, maybe beyond 2021, maybe 2022 and so forth, there are other additional areas of security investment that you're thinking about to reduce your attack surface and improve your risk posture?
Investment is interesting. I don't know if I've got a clear definitive response for investments itself, but what I would say is, you know, looking further out, I think we just need to be cognizant of, you know, what threats are coming at us, what solutions can mitigate those threats.
I think every year there's something that either is capitalized on more like phishing or something like that, right?
I mean, that's been a huge social engineering issue. Now it seems like in our industry and the financial industry, credential stuffing is really huge, right?
You know, denial of service and things like that are really, really huge for us.
So, I think we just need to focus on some of these companies like Cloudflare and other companies like the Verizon Data Breach Investigation Report, where they, you know, pull out all this information and really enlighten us on what we should be looking out for.
I think we rely on a lot of that stuff. And any advice, you know, your fellow security leaders, security practitioners, maybe folks looking to come into the security industry, any advice for them as they look to shore up their defenses for 2021 and beyond?
Yeah. One of the biggest things, it's a huge pet peeve for me, but I think it's a problem in every organization, is getting the security team involved earlier rather than later, right?
As long as we can move security left and keep it in the development stage so that we don't have to bolt it on after the fact, I think that's one of the biggest problems.
And, you know, we face that even here at Temenos.
Someone wants to create something, they want to do it really fast.
That's really great. It's really fun. But, you know, we have to make sure that it won't compromise, you know, a client.
We just can't.
We can't take that risk, right? And so I think having, you know, a proper security voice in the room when we're developing products and services, when we're, you know, compiling all of that into an end, you know, deliverable.
And then also we need to turn around and actually follow up with that and do our, you know, our pen testing and security scanning and things like that.
I mean, that should be happening all throughout the lifecycle, but we want to follow that up and not, you know, get too comfortable and think that there's never some little change that could have happened along the way that didn't introduce a vulnerability in the end.
And I mean, you see that with all these big companies too. I mean, you know, recent issues with SolarWinds and Exchange and things like that.
These are tried and trusted applications, but there's things associated with them that, you know, come out and we have to constantly, constantly test and red team our environments and our products and really try to break them internally so that we don't have them break externally.
All right. We have a couple minutes left, maybe one last quick question for you.
For folks that are maybe early in their cybersecurity careers or looking to switch over to cybersecurity, any advice that you would give them?
Yeah. I think getting into security as early as possible is great.
I don't, there are some certifications that make sense, but look for the ones that make, you know, like I got CISSP, I know there's OSCP out there, which is good for offensive security.
And so I think, you know, looking at your industry and planning where you want to go and what you want to do is really, really a smart thing.
I mean, I didn't do that as well as I could have when I first started, because I jumped around in the beginning, but definitely getting, you know, in somewhere and getting your feet wet in a company is great.
And, you know, maybe if it takes some volunteer work or something like that to try to, you know, it's going to take a chance.
I think that's true. Awesome. Well, with that, I wanted to just close out, say thank you, Brian, for joining us during Security Week and sharing your insights and your experiences.
And also thank you to our viewers.
Stay tuned for other Cloudflare TV segments and the rest of the announcements that we have coming during Security Week.
Thanks again, Brian. Thank you.
