Cloudflare TV

🔒 Security Week Fireside Joseph Mente & Vijay Chauhan

Presented by Vijay Chauhan, Joseph Mente
Originally aired on 

In this Cloudflare TV Security Week segment, Vijay Chauhan will host a fireside chat with Joseph Mente, Engineering Manager DevOps & IT Operations, DroneDeploy.

English
Security Week
Interviews

Transcript (Beta)

Hello and welcome to Security Week. My name is Vijay Chauhan. I work in product marketing at Cloudflare and I'm stoked to be holding these Security Week interview segments where we get to talk to our customers about all things cybersecurity.

We're at the end of the working week for Security Week, but we're not done with Security Week just yet.

We still have a bunch of product and partner announcements still to come.

But today I'm super excited that we have with us Joseph Mente of DroneDeploy.

Welcome, Joseph. Thank you. So to kick us off, Joseph, we'd love to learn more about you and your role at DroneDeploy.

Yeah, so I am the manager of DevOps and IT at DroneDeploy, which is a small software as a service startup in San Francisco that does drone software.

So it's part of the reality capture. So if you're trying to do something in the real world, historically, you'd be going out there and walking rows and rows of cornfields.

But what we do is we automate a lot of that process.

We make it really easy and efficient to get raw data into a format that can be actionable.

So for all kinds of industries, for agriculture, mining, energy, anywhere where it's useful to have a camera in the sky.

Awesome. And I know in terms of your background, you've come from an industrial mechanical engineering background from Northeastern, then you earned an advanced degree in systems engineering at Cornell.

Love to learn about your route from there to DroneDeploy, especially any nuggets that you can share about your journey with cybersecurity along the way.

Yeah, so I didn't really start off in software. Frankly, I thought it'd be really boring, you know, be in some basement typing away, not talking to anybody.

But turns out that's not the case. So I happened to land a job at Global Foundries as a sysadmin pretty early on in my career.

And that was really eye opening to, you know, all the things that it takes to actually build value with software.

It's not just, you know, some text files that can compile into something fun.

So that's where I got started on the journey and worked at various places along the way, including Wayfair, really getting different aspects of what it means to be secure, you know, for example, in the manufacturing space.

At the time, they were really, really concerned about the cloud.

And it's like, hey, is this going to be like, how do we control this?

How do we make sure that it's, you know, our partner is going to be having our interest in heart and we can keep it secure.

So there's this mindset of like, okay, we have to make sure that we have everything under control in-house.

But that has since changed. And for example, at DroneDeploy, we make sure that we do smart partnerships with vendors that we can really trust and have been fully vetted so that, you know, we're a SaaS company ourselves.

So we fully understand that our customers trust us. And then we in turn trust our vendors, one of which being Cloudflare.

Awesome. And we'll talk a little bit more about that.

We'll double click on that later. What are you able to share about, you know, at DroneDeploy, your software, your technology, your infrastructure stack?

What does that look like? Yeah. So we run primarily on Google Cloud.

We do a combination of web serving and massive batch jobs to actually process the imagery that comes up.

So we have a pretty extensive infrastructure there. And in order to keep that secure, we use a number of security products that Google has, as well as with Cloudflare.

But the challenge is really managing all this at scale.

So we have a very small operations team compared to the size of the infrastructure that we run.

That just wouldn't be possible 10 years ago. It just would be completely unheard of.

But that's the power of leveraging these software as a service platform to do that.

The technology that we do is state-of-the-art vision processing and machine learning stuff.

But in terms of an operational day -to-day, you know, we are, I would say from an internal security standpoint, we are a pretty standard SaaS company.

We're a distributed team right now, especially in COVID.

So we have many of the same challenges that other companies have in terms of like, well, if you don't have a data center that you maintain yourself, you know, with physical presence that you can go walk in, how do you keep that secure?

So those are a lot of the challenges that we face. That takes a little bit of a different thinking.

And your customer base, you know, quite varied, spanning different industries.

Maybe if you can tell us a little bit about what kinds of folks use your technology and then what do they expect from you as their partner of choice from a security perspective, protecting their data, their IP?

Yeah. So we have customers in all kinds of industries all over the world.

And many of our customers are in critical infrastructure, for example, which is highly sensitive to their data being, you know, exposed to the world, you know, to potentially, you know, third -party threat actors.

So security is really important to our customers that we have everything there.

So we have, you know, ISO, SOC 2 certification, stuff like that, but that's not sufficient for our customers.

They want to, they grill us all the time. I'm like, well, what are you doing to make sure that everything is purely secure?

Like what's your software development life cycle?

How are you making sure that, you know, you don't have any vulnerabilities, you know, send us your pen testing reports, stuff like that.

So it's really, really baked into our customers that they have to have a high degree of trust.

And that's where we really shine in our industry and that we can actually deliver that and not only deliver it, but deliver it efficiently.

And we were talking about offline.

You mentioned that the actual end users are unique in that their location and the kinds of things that they have to do.

Would you mind sharing a little bit about that?

Yeah. So typically in, let's just say, you know, an e-commerce space, like someone's just, you know, online, they're at home, they're on their wifi connection and they're buying, you know, a couch or something like that.

So the Internet connection is very reliable in that case. Typically, I mean, you know, depending on your particular thing, but like compared to in the middle of the outback Australia, that's basically, you know, flawless.

So our customers are in the field, they're in, they're at a mining site, which has no wifi, has no Internet connection, does not have a hard line to a major city.

They're relying on, you know, potentially satellite radio, you know, DSL of some kind, they're relying on wifi beacons that are nowhere near them.

So Internet connection is really spotty in those cases.

So we have to do a lot of things to make sure that our applications are responsive when Internet is just gone, when they're completely offline or when they're intermittently online, which is even more challenging because there's this expectation from a user, like, oh, I'm online, whatever that means.

So I must be able to connect at some sort of, you know, reasonable pace.

But, you know, if they know that they're completely offline, then they're more understanding if they're completely online, then it's easy from a technical standpoint, but this sort of bad connectivity makes them very sensitive to latency and means we have to handle all kinds of interesting cases, so as I say.

And what, from a security perspective, what are some of the security challenges that you've come across, you know, in the past year with the changes to our world?

Yeah, so we always treated our office as, you know, just like a coffee shop that everyone just happens to go to, but it's still allowed some degree of security and that we could make sure that that, you know, local wifi connection was secure.

But it's a challenge when everyone's local coffee shop is their own home wifi and, you know, not everyone is a networking specialist, so they don't know exactly how to set up their wifi properly.

So there's a lot of things that we've had to do to make sure that the devices that people are working with, you know, that has access to customer data are secure.

So that's one of the biggest challenges. You can't assume that your network is secure, not even the local wifi network, because they're all over the place, you know, like before, you know, it might be, you know, part of our risk modeling would be like, okay, well, you know, inevitably we have to come to our office to try to hack our wifi in San Francisco to try to do it.

Well, they could go to any wifi all over the world to do that.

So that's been some of the challenges of distributed, you know, thankfully, we've, the technology today has enabled that to be much, much easier.

And it would be impossible for a company of our size to do that, you know, even just a few years ago, to make that actually, you know, a beyond core model where it's, you know, there's nothing inside our infrastructure that sort of, you know, depends on sort of network IP whitelists or anything.

It's just, it's content based. Maybe for our listeners, if you want to double click on, on the beyond corp model, just a quick overview.

Yeah. So it's a very, to summarize it, perhaps badly, there's a whole white paper that Google has, but basically the, the, the moral, the story of it is that don't depend on a perimeter.

Your perimeter is just not going to cut it these days. So not that you shouldn't have a perimeter, you know, that that's a, it's a tool in a tool belt, but that's not sufficient by any means.

So make sure that when you're connecting, you know, clients to servers, that there's actually authentication on that layer.

That's not dependent on any physical location or any virtual location, like an IP.

Now switching to a little bit about your journey with Cloudflare. I know you've been a customer of Cloudflare for, for a few years now.

I know we have a blog post from, from 2018, where we detailed the original use case, maybe for folks that haven't seen or read that.

Tell us a little bit about how you came across Cloudflare and that original use case.

Yeah. So we started using Cloudflare purely as a DNS provider, like way, way back in the early days of drone deploy.

And we also used it as an insurance policy for, for DDoS protection.

Very standard use case.

That was Cloudflare's bread and butter for a long time. So that was it. You'd be like, Hey, you know, if we got attacked with a denial of service attack, then we could just flip a switch and Cloudflare would protect us.

But then Cloudflare came up with workers a few years back.

We were one of the first customers to do that edge computing.

Like I said before, we have a high latency sensitivity or, and really poor Internet connection.

So one challenge that we faced is how, how our customers access their imagery on our servers.

They're stored on Google cloud, Google cloud storage.

But we need to make sure that it's low latency to a user with a poor Internet connection.

So we use Cloudflare Workers to help with that authentication layer.

So rather than going back and forth across oceans with a poor Internet connection to do the authentication layer and then, okay, you're authenticated and go back and access the storage.

We were able to, to reduce that substantially by making the authentication layer at like, within a hundred milliseconds of the user anywhere in the world using Cloudflare Workers.

So that was a huge win for us because of our particular use case.

Since then, we've started using, really excited to start using the running a blank, the Cloudflare for teams option for browser isolation.

That's the thing that's, that's the next step.

So before when we were using Cloudflare, we were almost exclusively using it for the product itself.

So how do we make our customers secure and make, and have them have a good experience.

But now with, with a browser isolation, it can really help us in the internal IT side of things.

So how do we make sure that, the laptops are, that our employees are working on can, are secure so that it can protect from data exfiltration and phishing for their own personal use, but also for our customers' data.

Yeah. And I know you've been, you mentioned, you've been tracking remote browser isolation really closely, especially this week, we announced general availability on, I think it was Wednesday of Cloudflare browser isolation.

What, what gets you excited about this technology? Yeah. So the, the thing that I really like about it, it's, it's completely, it's taking a completely different approach to, kind of a traditional problem.

So before, and many companies do this today, you, in order to make sure that there was a secure working environment where there might be sensitive information, you would basically VPN into a, like a work station on a server somewhere.

So it'd be like a virtual desktop.

I know my wife's, my wife's mother does that for her job. And there's just super high latency with that.

It's like, it's, there's all kinds of technical challenges with that and making sure that, you know, people can connect to it often.

Whereas if you just give someone a laptop and say, Hey, it works, then that's a much better experience for them.

And it's much faster. But you don't have the protection of, of making sure that there's, you know, monitoring for network protection.

You know, we don't have a network router between the laptop and the Internet when people are working from home.

So it's really exciting for us to have a, essentially that functionality, but working locally on a laptop without adding any latency and being completely invisible to the desktop user.

One of my, my favorite sayings is if security is in the way, it's not secure because people are going to try to find a way around it.

They're going to be like, Oh, I got to turn this thing off.

I'm like, Oh, well maybe I can just like do this thing on the side and I don't have to go to the virtual workstation.

So it's really, really exciting to have something that has all of the nice features of those virtual workstations, but also have all the nice features of having a local desktop that, you know, you can do all the things that you expect with it.

And yeah, that's just super exciting.

And the, the really clincher here, the thing that makes this work as opposed to previously is that the, how people work today is on browsers.

So they're, you know, once upon a time, like everything was done in specialty applications on a laptop.

You know, you still have things like Excel and Doc and stuff like that.

But for us, we use, you know, G suite where it's all done in a browser.

There's no local installed software that does that. So with browser isolation, all of the applications that our employees use are actually running in this isolated environment, but they don't actually realize it's completely invisible to them.

And there's, there's a cloud for also has a ways for us to say, okay, no, this one, this one, actually, we want to do a little bit differently.

We want to make sure that this one does not go through that isolation layer.

So for certain cases where we know that, Oh, we want this differently.

That's fine. But the real challenge is what about those, you know, millions and millions of other web pages that we don't know what they are.

How do you maintain that? So Cloudflare maintains lists of specific suspected sites, suspected phishing attempts.

And that's not something that we can sustainably maintain ourselves. We depend on Cloudflare for that.

And that's the thing that's really a critical difference there is that leveraging all of the data that Cloudflare has in order to maintain that list, because I have other things to do.

This is important, but I have like 10,000 things I'm trying to get done.

This is one less thing that I have to do.

And that's amazing to me. Awesome. And what is the, what do you think of as the underlying threats that you're trying to counter with something like a browser isolation?

Yeah, the number one threat that Drone and Play faces, and it's increasing every day, is phishing.

So that is the thing that's, it's such a hard problem.

And we use G Suite under the hood. So, and they have a number of tools, a number of fancy things, but the challenge is it's really hard for a computer to tell the difference between a legitimate, like, you know, some admin trying to figure out how to buy a gift card for someone versus, you know, CEO phishing attacks, but like, hey, someone I don't know, I'm the CEO, please buy these cards.

I'm in a meeting, like that happens all the time. And you can't catch every single one.

There's no way to catch every single thing. And it's evolving constantly.

So it's helpful. It's certainly, it catches most of them, but there's no way to catch all things.

And even including that, if you say like, okay, maybe Google's filters are going to be like, amazing and perfect.

Well, what about sending some link in Slack?

What about sending some text message to someone?

You know, how do you, how do you capture all of those other avenues of attack?

Like, what about someone's personal email? What if someone gets a personal phishing, a phishing attack on their personal email on their work laptop?

Well, our G Suite filters aren't active there.

So you really can't rely on that level.

That's sort of a point defense. What you really need is a way to make sure that all traffic that's on a sensitive device is secure.

Now, obviously, you know, we couldn't protect on a personal laptop, but we require our users to log into their work laptops, use their work laptops to see potential customer data.

So we know that all customer access is through a secure environment and that's their work laptop.

And that's just really, and there's no other way you can do that. Like you can't, this is just like a completely, I think there's just, there is no other option.

And I was going to ask you about that. You know, browser isolation is not a new category.

And we certainly think like we have a different way of implementing remote browser isolation here at Cloudflare.

What do you think have been some of the barriers to folks, more people adopting it?

I think a lot of it has been the performance.

And that's something that I was really nervous about before.

So I was excited to have Cloudflare try it. And I wanted to see it for myself to see, is it actually invisible?

As I was saying before, like, if it's in the way, it's just not going to work.

Not only like, you know, I could come and be like, hey, this is security.

We're saying you have to do X, Y, and Z, and you're going to have customer play revolts on you to be like, oh, it's getting in the way.

I'm just trying to make the sales, stuff like that. And then the program is going to be shut down.

So if you try to be heavy handed about it, then you're not going to end up being successful in the security space.

So making sure that the performance is great, like it doesn't add extra latency, making sure that there's not a bazillion false positives on it.

It was just like tracking everything.

And if there is, if it is flagged as something, making sure that it fails gracefully.

Making sure like, okay, cool. Maybe like only you only have read access to this.

So you can still access the page. It doesn't look like it's a complete, you know, failure.

And be like, huh, maybe I should like work for security.

I'm like, okay, this one actually is not a threat. Like we should make sure that this is on the allowed list, stuff like that.

Because there's always going to be some exceptions there.

So you have to make sure you handle it gracefully.

And you spoke earlier about performance and productivity of employees. And I know it's a little bit of a leading question, but how important are those two things when you're thinking about what kinds of security tools to deploy?

Is that a compromise you should have to make between performance and productivity of employees?

Yeah. I mean, that is a bit of a leading question. So sometimes, I'll be honest, sometimes you do need to sacrifice some productivity for security if there's no other way.

But every time you do that, you're just asking for trouble. You're, it's a risk that you're taking as a security professional, that that project is going to fail or that a users are going to try to work around it.

There's always a way somehow to work around it.

And the more tightly you try to like, you know, grab your fist on something, that it's going to be whatever the analogy of like grabbing a fistful of sand, like the more tightly you grab it, the more everything's going to slip out.

So you need to have a collaborative relationship with the rest of the company.

It needs to be, you need to make sure that everyone's working on the same page, everyone's on each other's side, we're all on the same team.

So trying to have these like really heavy -handed approach, it's just going to backfire.

So that's why it's so important. And if you can get so that there is no sacrifice on productivity, and it's just invisible, then that's just a huge win.

And that's, it's rare for that to happen with security.

To be perfectly honest, there's almost always some sort of usability sacrifice.

Like, okay, you implement IAM permissions, like, oh, well, I want to access this document.

Well, you can't because you're not in this.

So like, there's always some amount and you can, the most you can hope for is that it's very minimal.

So having something that is, you know, basically invisible is just a huge win.

Now, as you know, we like to ship product fast.

We like to iterate quickly and make rapid improvements. What are some of the additional capabilities from Cloudflare browser isolation that you're looking forward to?

Yeah. So the, when we first started playing around with it and trying it out, we had to configure a bunch of these rules because some of the features around the automated, automatically curated lists weren't there yet.

So they recently added that, which is fantastic because we had a bunch of things where like, we turn it on for some developers and like, I can't go, I can't download packages from PyPy.

Like, I can't, you know, do go, go get. So it was like, okay, well, we have to add that, but like, I don't want to have to maintain all of those lists.

So that was clearly going to be a block in location, but with Cloudflare doing that and automating that list for us, that was just like, really, really exciting for me to be able to do that.

Things like being able to have a read-only mode for something.

So like, okay, you can view the content, but you can't edit it, right?

That's useful for all kinds of things, but the, there's a lot of subtle reasons why you'd want to do that in particular other things.

So it really would depend on the use case, but having those options is really valuable.

The, but I would go back to like the same thing as like, this should be invisible to the users.

This has to be invisible to users, but it should also be pretty automatic for the systems administrators.

That's the thing that's really going to make it shine is that you set it up, you know, you do, you know, you set the level of tolerance for risk in the product itself, depending on, so you want to exclude certain content categories and stuff like that, which Cloudflare automatically maintains.

And then, okay, cool. I'm going to set this up and then don't worry about it for six months.

Like maybe occasionally every six months or so, there might be a ticker, like, oh, I wanted to go to this site and it's not working exactly the way I expect.

And you're like, okay, we'll investigate that. But having it be low maintenance and invisible to the user, but also secure at the same time is what I'm really excited about.

And I know Cloudflare is iterating this constantly.

I'm sure there's going to be a lot more sophistication on these categories, a lot less overhead needed.

So that's what I'm most looking forward to is just making it invisible and painless.

Anything else from the week's announcements aside from browser isolation that caught your attention?

Yeah, there was the antivirus announcement on Tuesday, I think it was.

That's something I'm really excited with attachments because, I mean, that is something you can provide with Gmail, but like I said, you know, you don't always have Gmail as the attack factor, right?

So there's lots of different ways you can get a file to someone.

So having the ability to do that, so instead of just blocking all attachments, which is going to be in the way of the user in many cases, let's say, you know, someone's sending an RFP, having that antivirus scan ahead of time to make sure there's no malicious extra scripts in a PDF file or any like VS code or Visual Studio code in an Excel file, like that's really key.

We haven't explored that yet, but I'm excited to look into a little bit of that.

Outside of security week, what are some other top of mind security challenges that you're thinking about and how do you plan to address?

Yeah, so a lot of it, like I said, phishing is the number one thing and it's a really, really hard problem.

And not that, you know, this one tool is going to fix all your phishing problems, that's just not how it's going to work, but it goes a long way, right?

So that's the number one thing that I'm concerned about for our users.

Data exfiltration is sort of the next step and that's an equally hard problem in many ways.

And it really depends on your particular implementation.

So that's something that I'm personally looking into, but at first I can't really say anything more about that because of our particular setup.

And, you know, you've been sprinkling in some nuggets of advice and guidance, you know, security in the way is not security at all.

Any advice that you have for other security leaders or security practitioners as they look to shore up their defenses in 2021 and beyond?

I mean, I guess the general advice that I would have is that everyone's trying to sell you something.

I get constantly being like, oh, where's this thing?

It's going to solve your problem. And there's always this challenge between sort of like the executive levels thinking there's going to be some silver bullets, you know, not always, but like, there's, you know, that tends to be a thing that happens.

And trying to be like, hey, you know, solve security for us, right?

Like, well, security is not something you can just like get solved and then it's done, right?

It's not like a feature that's just like checked it, right?

It's a constant thing. So it's really important to make sure that you're selecting the right tools and not just the tools, but the right procedures that are appropriate for your business.

Like if you're, you know, the Department of Defense, you have very different needs than a SaaS company out of San Francisco, right?

If you're a finance company, you know, you have very different needs than some like mobile app, right?

So being having the appropriate level for what your customers expect and what the sensitivity of the data that you hold is very important.

And then sometimes you can find things that are gems, but most things are overpriced.

That would be the thing that I would be like, someone's always trying to sell you something, and most of the time it's overpriced.

At least that's in my experience, but I'm not sure if that's new information to any of your listeners.

So for any viewers that are maybe earlier in their careers in cybersecurity or looking to make a switch over to security, what advice do you have for them?

Yeah. So security touches most things in some way, but usually sort of sporadically.

So if you're interested in security and that's the thing that you want to get more into, I would just, you know, jump on the opportunity.

So if some project comes along related to security or you need to cooperate with the security team, just jump right in and be like, hey, I want to do that one.

Volunteer yourself. That's the first step because there's very little training out there as to be like, okay, this is specifically like, this is how you do it, right?

There are certifications which are very important if you want to become a security engineer.

So taking those tests is good.

But a large part of it is making sure that you understand how business interacts with security, because that's not something that's taught in these classes typically.

So making sure you volunteer, make sure you understand the dynamic between security and business and people is a large part of the issue.

It's not just technology. Technology gets you only halfway there.

Making sure you deal with people and can have people in a secure mindset is a major component to security.

All right. Last 60 seconds here. Maybe I can squeeze one more in.

Pro tips on keeping up to date with cybersecurity news and trends?

This may be surprising, but Twitter is actually really big on this. I'm personally surprised that that's where a lot of links are.

There's a bunch of people you can follow on Twitter that will give you links to all kinds of things.

That's the number one surprising one.

I mean, there's the typical one, like besides, you can subscribe to various newsletters and stuff.

But that's probably one that would be most surprising to your listeners.

Awesome. And with that, I wanted to just close out, say thank you to you, Joseph, for joining us during Security Week to share your insights and experiences.

Yeah. Happy to be here. And of course, thank you to our viewers.

Stay tuned for other Cloudflare TV segments and the rest of the announcements during Security Week.

We're not quite done yet, even though it's Friday.

Thanks so much. And bye.