a16z Podcast: Securing Infrastructure and Enterprise Services

Episode Date: February 14, 2017

The modern enterprise holds all sorts of applications, devices, and workflow needs. How should we be thinking about securing infrastructure -- and identity -- in this context, for entities like major news media outlets or financial institutions such as News Corp or NASDAQ? Well, this episode of the a16z Podcast brings those voices together: Frederic Kerrest, cofounder and COO of Okta; Brad Peterson, CIO of NASDAQ; and Dominic Shine, CIO of News Corp, in conversation with Ben Horowitz at our recent a16z Summit. What's the big security picture for these types of organizations, and others? How should we prepare? Last year's Dyn DDoS attack was just one glimpse of what's to come, providing a bit of a barometer reading for what's currently working, and what desperately needs re-engineering. One interesting solution involves decentralization; but as we move towards such technology (like blockchain) in security, what will high-frequency trading look like? How will consumer relationships, transactions, and UI/design security be reimagined? What areas and fundamentals should we focus on?

Transcript
Starting point is 00:00:00 Hi, everyone, and welcome to the a16z Podcast. I'm Hannah, and in today's episode, we have our own Ben Horowitz moderating a session with Okta's COO Frederic Kerrest and Dominic Shine, who's the CIO of News Corp, plus Brad Peterson, who's the CIO of NASDAQ, on securing infrastructure from mobile to IoT and beyond. This session was recorded as part of our inaugural a16z Summit. All right. So before we get into the real hardcore security stuff, let's talk a little business. And Dom, News Corp's in an interesting position these days coming off of an election. You're representing kind of one of the most important companies in traditional media. How do you think about your role technologically in moving News Corp forward? Wow, what a question. You might have picked up already I'm British, so I can probably take the fifth on this one. Yeah, it's an interesting time. Obviously, nothing going on in politics here or in Europe either.
Starting point is 00:01:01 From a technology point of view, what we find is more than ever, the journalists are out and about, they're mobile. They need access to systems anytime, anywhere. So I see my role as to enable that workforce to have the easiest time possible in a very pressurized environment to create that content, to distribute that content, whilst giving them good security controls that don't make their lives too difficult. And short follow-up on that, or maybe not so short. The other thing that happened in this election was apparently the Russians got involved. Were you concerned that a foreign entity or someone might actually hack the Wall Street Journal and try and change the news, you know, at the exact wrong time? So I think we're always vigilant to that sort of risk. I think our concerns were more that we might have a repeat of the denial of service attacks of the previous weeks, so I might have disruption. But we have a lot of safeguards around protecting
Starting point is 00:01:59 those crown jewels, those assets. So one of the things that's got kind of tremendous technological momentum is the technology known as the blockchain and implementations such as Bitcoin and Ethereum. And, you know, it's been posited that the right place for us for a stock market exchange isn't NASDAQ so much as it would be the blockchain, because then you could have software set the order handling rules and everything and get to a more kind of fair exchange and a much lower fee exchange. When you look at that, how present a threat is that compared to a future threat? And then how are you thinking about that technologically and what NASDAQ has to do going forward? Before NASDAQ, I was involved with PayPal, which is a consumer-based product and
Starting point is 00:02:49 Schwab, which is the investor side. So now with NASDAQ, we're focused on. on the list, what we call the listing side, which is really the issuer or the company, what I always like to think about is the products for both ends. And the products for both ends need a lot of change in modernization. And maybe we'll get into this, the consumer side, there's a tremendous amount that doesn't work for our existing banking consumer products and investment products. So for specifically NASDAQ and in exchange, I would say that on either end, we will always have those two customers. And everything in the middle is up for grabs for re-engineering.
Starting point is 00:03:29 The fact that we're in the middle means that we have to think about how we rethink our role entirely. I think the main one that is really interesting is the physical world when you had trading. Trading was proximity-based. Yeah, right. Well, you were a disruption to, really, the New York Stock Exchange. Yeah, we were the ones, a group of people that got together and said, you know these things that people do waving their hands. and throwing paper on the floor at the end of the day and sweeping it up, seems to be a little outdated. So, you know, why wouldn't we do these with computers? That was all, though, every city had a stock exchange, and, you know, there were physical places.
Starting point is 00:04:05 So the record keeping was distributed, and that's why we have the DTCC, which is a centralized securities depository, it's centralized because mainframe technology was all you had at the time. So I think the architecture was already envisioned in the 70s to be distributed. but the technology, the solution was only centralized. I would say that we are going to go more towards a distributed record-keeping system because we can now. And that's what's really exciting about blockchain. For us, we build technology for CSDs outside the U.S.
Starting point is 00:04:38 We see that becoming more of a distributed record-keeping. And do you think that will make it... It's more efficient. So it will lower costs and absolutely speed up the process. And how about techniques such as high-frequency trading and so forth? will that become more complex and elevate it to only the very best players, or will it become obsolete in the distributed world? Well, I like to look at...
Starting point is 00:05:01 Or unpredictable. No, but I think that I was in New York City, even though I lived in the West Coast at the time during 9-11, and I was really surprised to hear that the industry financial services that had massive data centers on Manhattan. And I'm going, why do you have that? And it was because they over-indexed for speed and latency around trading that you needed the computer.
Starting point is 00:05:21 the Sun Microsystems that first were right there in the trading floor. And then big, reputable firms had major data centers in Manhattan. And if you think about why would you have a data center in Manhattan, you would want to have it many other places where there's low taxes and low cost of power. And a lower chance of terrorist attacks. If you look at consumer, if you look at the investment space where Schwab have their data centers, where Wells Fargo and B of A and Amex have their data centers, they're in these places that don't have natural disasters.
Starting point is 00:05:54 They engineered for risk, whereas the exchanges moved from Manhattan to New Jersey. You can look at it almost like skiing. When skiing was going, you had longer, faster skis, and then someone invented the snowboard, and you changed what you were really designing for. It's designing for fun and performance. So I would say speed has already been exploited, and now it goes back to, I think, security, fairness, and resiliency are going to be balanced out. So we probably won't end up with massive data centers in New Jersey and Chicago.
Starting point is 00:06:29 You would put them in other parts of the world that are safer and more secure. As that is re-engineered, there's an opportunity to introduce blockchain technology. So that's what I'm pretty excited about. That is interesting. So given what both of you have to move towards in the future, you clearly have to embrace the great re-platforming to mobile. I'm not going to ask you. I'm not going to ask you if you're going to mobile because that would seem like a ridiculous question.
Starting point is 00:06:54 But what are the challenges as you widen the attack surface and you just introduce a very different kind of technology for consumers to access your services and businesses to access your services? I'll start with you, Don. Sure. So from a security point of view, you mean primarily? Well, security or whatever. We are a big organization, 25,000 people, over 10 major businesses. So the first challenge in any big change is how do you get the about?
Starting point is 00:07:19 balance right between letting each individual business go their own way, move at their own pace, and bring all the advantages you can by working as a group. That's the first thing with mobile. So we try and allow the business units to really go at fast speed, to develop their mobile products, bring the best products to bear, keep improving them. But increasingly, we're deploying common deployment platforms, API frameworks to try and speed up how they deliver that, reduce the cost so that we don't have to do the security testing over and over and over again. The more you do that, you more that you open you up, you more you have to be vigilant and to make sure that you've got the security aspects right.
Starting point is 00:07:58 So there's a lot more vulnerability testing. There's a lot more scanning of that. For internal users, everything we do now, we would not buy a product for enterprise technology unless it had an excellent mobile app and excellent experience. We want to enable our workforce to work wherever they want. whenever they want. Again, with that, you need great user experience, but you need good security. So, you know, that's been a key part of that architecture to really help us unify that and lock that down. So that takes away quite a lot of the headaches for us.
Starting point is 00:08:31 Yeah. So, Freddie, what is ACTA doing on mobile security and, like, how is your approach different than some of the things that people have to play? I think that you touched on one of them, which is people are just trying to innovate and create new applications and new experiences, and they're doing that both for internal constituents but also externally. So you just want a better interaction for your customers and your partners on a lot of this. The operating systems have become a lot more powerful in the devices that everyone has in their hands. So you can now leverage a lot of what's available in the iOS, in the Android operating systems in terms of the profile, which means you can provide a much richer experience.
Starting point is 00:09:05 That has a lot of financial implications because the employees are showing up with mobile devices that we all have, which are basically supercomputers, but they're expensive. So you want to enable your workforce to take advantage of the tools that they have, but you want to do that in a very seamless experience so that they can still use the business tools, but do that in the form factor they're used to and make it very easy. So just taking advantage of a lot of the new infrastructure and technologies that are available out there.
Starting point is 00:09:28 Got it. And Brad, when we talk about mobile and mobile security, given you're dealing with transactions, the user interface design security and the integrity of the transaction, and how does that change when you go to mobile? Well, going back to the Schwab days, everyone really wants access to their money on their phone. As long as you don't lose it. It's kind of the old trick of ATMs.
Starting point is 00:09:51 What ATMs did when they first set them up is if the network was down, you couldn't get money out. And so they did some risk management and said, without being able to check your balance, we'll make you good for it. There's some amount of risk management that you want to build into just making sure that someone isn't left with zero access to their money when they're looking at their watch. their phone or their endpoint device being a replacement for the physical wallet. Eventually, though, you need to connect back into what is likely going to be the future of storing your bits that represent your assets or your money in a cloud. Those two are the new area where today all of all of our representation for our wealth and our money is sitting in a proprietary data center. Financial services has been slow. You need to look at it both ways on the end point in the
Starting point is 00:10:40 cloud, and you really need the solution in both places. So there's recently a rather dramatic security attack where apparently a Chinese chip manufacturer, the kind of leading manufacturer, very cheap chips for camcorders and DVRs, had a security flaw, maybe accidentally, maybe planned in their chip that was then exploited for a massive denial of service attack against. basically a very large DNS provider of naming services on the internet resolving names to addresses and the kind of basic functionality that you need for the internet to work. What can you do to deal with that kind of attack where you potentially have a state actor
Starting point is 00:11:26 with a very sophisticated attack rolled out over maybe a decade? Yeah, was it a feature or a bug of the IoT who knows? That's a very good question. I think a couple things. First of all, it showed that we've taken a lot of the infrastructure and the way that we've design things so far for granted. The way that the original internet was designed and the way that people are using it today, everyone's got to take a better look in terms of security and infrastructure and reliability on what we're doing and how we're doing and how we're going to do it in the future
Starting point is 00:11:53 because we're just talking about, you know, a billion people on the internet. We're not talking about all the devices that are going to come out, which is where some of this originated. The other thing is this is basically a trial run. I mean, this is in very small form of what's diagnostic. It's a diagnostic of what's going to happen. In this case, it was some cameras at home that people are plugging in and using, and it's broadcasting a lot of data, and these folks are able to take this data and point it towards a specific service. When you think about everyone in this room now has two, three, four devices, everyone's carrying smart watches.
Starting point is 00:12:22 Just earlier this morning, someone was telling me about their internet-enabled crockpot and how you can control your, you know, you laugh, but it's true, right? You want your chili to be warm when you get home two hours from now. People controlling the light switches. You think about utilities that are managing smart meters and the kind of attack that could happen when and if, you know, someone decides to turn on all the oppositionings in New York in the middle of the summer, that's pretty serious. And this is just the beginning of it. It's a good trial run for everyone to take a look and say, what are we doing
Starting point is 00:12:50 today and how we're going to improve it? And there's always things that we can do better, including us at ACTA. But also, it's a good wake-up call. It's a good wake-up call for the industry, and in particular the folks in this room, to think about, okay, there's all these opportunities. We talk about it. You hear about it in the news. Everything's connected. I can talk to my car. That's all great. But with those opportunities come a lot of risks that come along that you have to think about. Dom, if, you know, one could imagine somebody launching that kind of an attack to shut down parts of the media during an election cycle like we just had. How much do you think about what you have to do yourself versus how you rely on your vendors
Starting point is 00:13:27 for security? How do you balance it? Particularly on an attack like this, which it's very difficult to be resilient against. Yeah, no, it's an excellent question. I think, you know, Freddie got it right, it was a wake-up call. So for us, for the things we directly control, we did have a contingency plan. We were able to switch DNS very quickly. We were in good shape. But we were exposed to our major partners. And really, it crystallized for us a knowledge that, you know, you're only as good as your weakest link, your weakest connection. So I think for us, it's ignited now a real passion to work with our partners to say, okay, let's look at this risk and make sure it's mitigated. But now let's really think what are the other things that could occur? Have you thought
Starting point is 00:14:10 through that? Prove to us that you've got a contingency plan. You've rehearsed it. So I think you'll see organizations like us taking a much more strong stance with those partners in doing due diligence around that when we select them and also monitoring how they work on an ongoing basis. Right. And Brad, do you have a similar view or do you see it differently or like what's even possible financially that we see the tax escalate? We have to worry that. We have to worry that We're a big prize for just terrorism. If you can take down what is represented, you know, New York Stock Exchange, NASDAQ, as capitalism.
Starting point is 00:14:44 So we have to work with the government because we're not going to outgun any nation state. We're deemed critical infrastructure in the U.S. Everyone in the U.S. that's deemed critical infrastructure has formed a group so that we can talk amongst ourselves very rapidly. For the exchange itself, it is not open to the Internet directly. So that's more of a permissioned environment. So I think that's one of... But clearly you've got to let applications in indirectly.
Starting point is 00:15:15 Yes. And in the early days of the web, actually, because everyone wanted to be web-enabled, you know, the exchanges were web-enabled directly in. So we've since changed that. Thank you. Yeah. Some over-eager folks in the late 90s actually said, well, you know, let's just bring access in from.
Starting point is 00:15:35 anywhere. So that's changed. But, you know, we have, we have to think about it from a, from a just, it's not necessarily for economic gain or crime, but there's, there's also just the embarrassment factor of the U.S. And in those critical infrastructure discussions, do you end up being privy to information about, you know, particularly state actors, you know, that are concerned? So there's, there's, um, fairly frequent warnings about who might be the target, but in general financial services institutions do get early warning about campaigns. And it usually is related to some event that is a reaction to a foreign policy action by a group of countries and there's a retaliation.
Starting point is 00:16:19 Right. So we are seeing that. You almost can read the news and go, uh-oh, something's going to be coming our way and hopefully, you know, it isn't effective. The beauty of having the ability, if someone gets hit, we can quickly share it and understand how you might thwart it and definitely check. You get better ability to check where it's coming from. So there's early warning that way. Okay, good.
Starting point is 00:16:45 Well, on that happy note, I will open it up for questions if anybody's got questions. Do you think about working with two or three top vendors that are really going to provide the security that you need and maybe let go some of the vendors you've been using? that maybe have higher vulnerabilities or just how do you think about consolidation of vendors in this world? Yeah. So I don't think it's about consolidation of vendors. I think it's about making sure that all our vendors and partners achieve the right standard. They can be a unifying force to tie together some of that. But I think we'll continue to use best of breed tools underneath that and we'll continue to monitor those, make sure they're fit for purpose. But security is very important, but it's not the only consideration. So we'll still look at it as a balanced portfolio
Starting point is 00:17:33 things we assess. So I don't see as saying, you know, let's just go with one major vendor because we like their security posture. I think there's a derisking actually in having a broader suite and having options. How do you see your security spent changing among the various sub-sectors of security that you spend today? Is there a particular area that you're going to emphasize more than before? I think in overall terms, we're spending more on security. So over the last year, 18 months, we've been driving a big maturity improvement program across the business. Things like single sign-on have always been very difficult. Now they're good and easy to use.
Starting point is 00:18:11 We're spending more on data loss prevention, endpoint management, vulnerability scanning. Also, you know, in terms of services, we use sort of red team testing approaches. We'll do actually our own hacking internally. try and find vulnerabilities. So I think those are some of the major areas where we're investing more. I would just add. In addition to what Dom said, we're seeing more for the privileged access employee user behavior analysis. And it goes to some of those events like the pilot who drove the plane into the Alps. Really having a more dynamic view of an employee who may have been hired has gone into some type of stress or trauma in their personal life.
Starting point is 00:18:55 whether it's mental illness, whether it's financial, there are certain roles in the company that you have to figure out how you look at them more regularly. So I think that's an area of opportunity in addition to the one's Dom. All right, well, I would very much like to thank our guest, Dom, Brad, and Freddie, and thank you for joining us.
