Screaming in the Cloud - A Renaissance Man in Cloud Security with Rich Mogull
Episode Date: June 1, 2023
Rich Mogull, SVP of Cloud Security at FireMon, joins Corey on Screaming in the Cloud to discuss his career in cybersecurity going back to the early days of cloud. Rich describes how he identified that cloud security would become a huge opportunity in the early days of cloud, as well as how cybersecurity parallels his other jobs in aviation and emergency medicine. Rich and Corey also delve into the history of Rich's involvement in the TidBITS newsletter, and Rich unveils some of his insights into the world of cloud security as a Gartner analyst.
About Rich
Rich is the SVP of Cloud Security at FireMon where he focuses on leading-edge cloud security research and implementation. Rich joined FireMon through the acquisition of DisruptOps, a cloud security automation platform based on his research while CEO of Securosis. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having started working hands-on in cloud over 12 years ago. He is also the principal course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS and a frequent contributor to industry publications.
He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DEF CON, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).
Links Referenced:
FireMon: https://www.firemon.com/
Twitter: https://twitter.com/rmogull
Mastodon: https://defcon.social/@rmogull
FireMon Blogs: https://www.firemon.com/blogs/
Securosis Blogs: https://securosis.com/blog
Transcript
Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at the
Duckbill Group, Corey Quinn.
This weekly show features conversations with people doing interesting work in the world
of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles
for which Corey refuses to apologize.
This is Screaming in the Cloud.
Welcome to Screaming in the Cloud.
I'm Corey Quinn.
My guest today is Rich Mogull,
SVP of Cloud Security over at FireMon.
Now, I'm a bit too old to be super into Pokemon,
so I forget which one that is.
Rich, thanks for joining me.
I appreciate it.
Thank you.
Although I think we need to be talking more Digimon than Pokemon.
Not that I want to start a flame war on the internet in the first two minutes of the conversation.
I don't even have the level of insight into that.
But I will say one of the first areas where you came to my notice, which I'm sure you'll blame
yourself for later, is that you are the security editor behind TidBITS, which is more or less an
ongoing newsletter longer than I've been in the space, to my understanding. What is that exactly?
So TidBITS is possibly the longest running, one of the longest running newsletters on the
internet these days, and it's focused on all things Apple. So TidBITS started back in the very early days as kind of
more of an email, I think like 30 years ago or something close to that. And we just write a lot
about Apple and I've been writing about Apple security there. That's got to be a bit of an
interesting experience compared to my writing about AWS, because people have opinions about AWS, particularly, you know, folks who work there.
But let's be clear, there is nothing approaching the zealotry, I think I want to call it, of certain elements of the Apple ecosystem whenever there is the perception of criticism about the company that they favor.
And I want to be clear here, so to make sure I don't get letters myself for saying this,
if there's an Apple logo on a product, I will probably buy it.
I have more or less surrounded myself with these things throughout the course of the last 10 years.
So I'm not saying this from a place of love,
but I also don't wind up with people threatening me
whenever I say unkind things
about AWS, unless they're on the executive team. So it's been a fascinating experience. So I would
say that I'm on the tail end of being involved with kind of the Mac journalist community.
But I've been doing this for over 15 years. This is kind of when I first started to get involved
over there. And for a time,
I wrote most of the security articles for Macworld or a big chunk of those. I obviously
was writing over at TidBITS. I've been very lucky that I've never been on the end of the
death threats and the vitriol in my coverage, even though it was balanced. But I've also had to work
a lot or have a lot of conversations with Apple over the years. And what will fascinate you is at one point in time, there were two companies in the world where I had an assigned
handler on the PR team. And one was Apple, and then the other was AWS. I will say Apple is much
better at PR than AWS, especially their keynotes, but we can talk about re:Invent later.
Absolutely. I have similar handlers at a number of companies myself,
including, of course, AWS. Someone has an impossible job over there. But it's been a
fun and exciting world. You're dealing with the security side of things a lot more than I am. So
there's that additional sensitivity that's tied to it. And I want to deviate for a second here,
just because I'm curious to get your take on this, given that you
are not directly representing one of the companies that I tend to more or less spend my time
needling. It seems like there's a lot of expectation on companies when people report security issues to
them, that you're somehow going to dance to their tune and play their games the entire time. It's
like, for a company that doesn't even have a public bug bounty process, that feels like it's in a fairly impressively high bar.
On some level, I could just report this via Twitter.
So what's going on over there?
That feels like it's very much an enterprise world expectation.
It probably means I'm out of step with it.
But I'm curious to get your take.
Out of step with which part of it?
Having the bug bounty programs or the nature of the system?
Oh, no, that's beside the point.
But having to deal with the idea of, oh, an independent
security researcher shows up, well, now they have to follow our policies and procedures. It's,
in my world, if you want me to follow your policies and procedures, we need a contract
in place or I need to work for you. Yeah, there is a long history about this,
and it is so far beyond what we likely have time to get into that goes into my history
before I even got involved with dealing with any of the cloud pieces of it.
But a lot about responsible disclosure, coordinated disclosure, no more free bugs.
There's like this huge history around kind of how to handle these pieces.
I would say that the core of it comes from particularly in some of the earlier days,
there were researchers who wanted to make
their products better, often as you criticize various things to speak on behalf of the customer.
And with security, that is going to trigger emotional responses, even among vendors who are
a little bit more mature. I'll give you an example. Let's talk about Apple. When I first
started covering them, they were horrific. I actually, some of the first writing I did that was public about Apple was all around security and their failures on security
disclosures and their inability to work with security researchers. And they may struggle
still, but they've improved dramatically with researcher programs. But it was iterative. It
really did take a cultural change. But if you really want to know the bad stories, we have to go back to when I was writing about Oracle when I was a Gartner analyst.
Oh, dear. I can only imagine how that played out. They have been very aggressive when it comes to smacking down what they perceive to be negative coverage of anything that they decide they like. Yeah, you know, if I would look at how culturally
some of these companies deal with these things,
when I was first writing about some of the Oracle stuff,
remember, I was a Gartner analyst,
not a vulnerability researcher,
but I'm a hacker.
I go to Black Hat and DEF CON.
I'm friends with the people who are smarter than me at that
or have become friends with them over the years.
And I wrote a Gartner research note saying
you probably shouldn't buy any more Oracle
until they fix their vulnerability management process. That got
published under the Gartner name, which that may have gotten some attention and created some
headaches and borderline legal threats and shade and all those kinds of things. That's an organization
that looks at security as a PR problem. Even though they say they're more secure, they look
at security as a PR problem. There are people in there who are good at security, but that's different.
Apple used to be like that, but has switched. And then Amazon is learning.
There is a lot of challenge around basically every aspect of communication. Because again,
to me, a big company is one that has 200 people. I think that as soon as you wind up getting into
the trillion-dollar company scale, everything you say gets you in trouble with someone somehow,
somewhere. So the easiest thing to do is to say nothing. The counterpoint is that on some point
of scale, you hit a level where you need a fair bit of scrutiny. It's deserved at this point
because you are systemically important, and them's the breaks. Yeah, they have improved
and a lot of the some of the larger companies have definitely improved. Microsoft learned a
bunch of those lessons early on. I wish it currently showed in the product in Azure.
Maybe we'll get there at some point. But you have to I look at it both sides a little bit
on the vendor side. There are researchers who are unreasonable because
now that I'm on the vendor side for the first time in my career, if something gets reported,
like it can really screw up plans and timing and you got to move developer resources.
So you have outside influences controlling you. So I get that piece of it. But the reality is if
some researcher discovered it, some China, Russia, random criminals are going to discover it. So you need to deal with
those issues. So it's a bit of control. You lose control of your messaging and everything. If
marketing gets their hands in this, then it becomes ugly. On the other hand, you have to,
as a vendor, always realize that these are people frequently trying to make your products better.
Some may be out just to extort you a little bit, whatever. That's life. Get used to it. And in the end, it's about putting the customers first, not necessarily putting your
ego first and your marketing first. Changing gears slightly, because believe it or not,
neither you nor I have our primary day jobs focused on journalism or analyst work or anything
like that these days. We focus on these and basically cloud, for lack of a better term,
through slightly different lenses.
I look at it through cost, which is, of course, architecture,
and you look at it through the lens of security.
And I will point out that only one of us gets called three in the morning
when things get horrible because the bill is a strictly business hours problem.
Don't think that's an accident as far as what I decided to focus on. What do you do these days? You mean, what do I do at my day-to-day job?
Well, it feels like a fair question to ask. Like, what do you do as far as day job,
personal life, et cetera? Who is Rich Mogull? You've been a name on the internet for a long
time. I figured we'd add some color and context to it. Well, let's see. I just got back from a flying lesson. I'm honing in on my getting ready for
my first solo. My side gig is as a disaster response paramedic. I dress up as a stormtrooper
for the 501st Legion. I've got a few kids, and then I have a job. I technically have two jobs.
I'm envious of some of those things.
I was looking into getting into flying,
but that path's not open to me
given that I have ADHD.
And there are ways around it in different ways.
It's like, no, no, no, you don't understand.
With my given expression of it,
I am exactly the kind of person
that should not be flying a plane.
Let's be very clear here.
This is not a regulatory thing
so much as it is a, I'm choosing
life. Yeah, it's a really fascinating thing because it's this combination of a physical
and a mental challenge. And I'm still very early in the process, but I cracked 50. It had always
been a life goal to do this. And I said, you know what, I'm going to go do it. So first I'm going to
get my medical to make sure I can actually pass that because I'm
over 50.
And then from there, I can kind of jump into lessons.
Pro tip, though, don't start taking lessons right as summer is kicking in in Phoenix,
Arizona, with winds and heat that messes up your density, altitude and all sorts of fun
things like that, because it's making it a little more challenging.
But I'm glad I'm doing it.
I have to imagine that's got to be an interesting skill set that probably doesn't have a huge amount of overlap with the ins and outs of the cloud business. But maybe I'm wrong.
Oh, God, Corey, the correlations between information security (my specialty, and cloud
security as a subset of that), aviation and emergency medicine are incredible. These are
three areas with very similar skill sets required in terms of thought processes. And in the case of
both the paramedic and aviation, there's physical skills and mental skills at the same time.
But how you look at incidents, how you process things algorithmically, how you, your response times, checklist, the correlations.
And I've been talking about two of those three things for years. I did a talk a couple of years
ago during COVID, my Black Hat talk on the Paramedic's Guide to Surviving Cybersecurity,
where I talked a lot about these kinds of pieces, and now aviation is becoming another part of that. Amazing parallels between all three. Very similar mindsets are required.
When you take a look at the overall sweep of the industry, you've been involved in cloud for
a fairly long time. I have too, but I start off as a cynic. I started originally when I got into
the space, 2006, 2007,
thinking virtualization was a flash in the pan
because of the security potential impact of this.
Then cloud was really started to be a thing.
And that's not likely to take off.
I mean, who's going to trust someone else
to run all of their computing stuff?
And at this point, I've learned to stop
trying to predict the future
because I generally get it 180 degrees wrong,
which, you know, I can own that.
But I'm curious what you saw back when you got into this that made you decide, yeah, cloud has
legs. What was that? I was giving a presentation with this guy, Chris Hoff, a good friend of mine.
And Chris and I joined together our individual kind of research threads. And we're talking about
kind of disruptive innovation in the future of security.
I think that was the title.
And we gave that at RSA.
We gave that at Source Boston.
Yeah, it started kind of doing a few sessions on this.
We talked about grid computing.
And we were looking at kind of the economics of where things were going.
And very early, we also realized that on the SaaS side, everybody was
already using cloud. They just didn't necessarily know it. And they called them application service
providers. And then the concepts of cloud in the very early days were becoming compelling.
It really hit me the first time I used it. And to give you perspective, I spent years,
you know, seven years as a Gartner analyst,
getting hammered with vendors all the time.
You can't really test those technologies out because you can never test them in a way that an enterprise would use them.
Even if I had a lab, the lab would be garbage.
And we know this.
I don't trust things coming out of labs because that does not reflect operational realities
at enterprise scale.
Coming out of Gartner, they trained me to be an enterprise guy.
You talk about a large company being 200, large companies started 3,000 to 5,000 employees.
Does that map to cloud services the way that AWS expresses them? Because EKS, you're going to
manage that differently in an enterprise environment or any other random AWS service.
I'm just picking EKS as an example on this. But I can spin up a cluster and see what it's like
in 15 minutes, you know, assuming the
cluster gets with the program. And it's the same type of thing I would use in an enterprise,
but I'm also not experiencing it in the enterprise-like way with the processes and the
gating and the large team, et cetera, et cetera, et cetera. Do you think it's still a fair comparison
at that point? Yeah, I think it absolutely is. And this is what really blew my mind 11 or 12 years ago when I got my first cloud account set up. I realized, oh my God. And that was,
there was no VPC. There was no IAM. It was ephemeral. I don't know. We just had EBS was
relatively new and IAM was API only. It wasn't in the console yet. And the network latency was,
we'll charitably call it non-deterministic. That was the advantage of not running anything at scale.
Wasn't an issue at the time.
But getting the hands-on and being able to build
what I could build so quickly and easily
and with so little friction, that was mind-blowing.
And then for me, the first time I've used security groups
and I'm like, oh my God,
I have the granularity of a host firewall
with the manageability of a network firewall.
And then years later, getting much deeper into how AWS networking and all the other pieces work.
And then let it hit the host, which I always thought a firewall that lets traffic touch the host is like a seatbelt that lets your face touch the dashboard.
Yeah, the first thing they do, they go in, they're going to change the rules.
But you can't do that.
It's those layers of defense.
And then I'm finding companies in the early days who wanted to put virtual appliances in front of everything and
still do. I had calls last week about that. But those are the things that really changed my mind
because all of a sudden, and this was what the key was, that I didn't fully realize. And it's
kind of something that's evolved into something I call the grand unified theory of cloud governance
these days. But what I realized was those barriers are gone. And there is no way to
stop this as people want to build and test and deploy applications because the benefits are
going to be too strong. So grab onto the reins, hold onto the back of the horse, and you're going
to get dragged away. And it's your choice if your arm gets ripped off in the process or if you're
going to be able to ride that thing and at least steer it in the general direction that you need it to go in. One of the things that really struck
me when I started playing around with cloud for more than 10 minutes was everything you say is
true, but I can also get started today to test out an idea. And most of them don't work. But
if something hits, suddenly I don't have the data center constraints. Whereas today, I guess you'd call it,
I built my experiment MVP on top of Raspberry Pi and now I have to wait six weeks
for Dell to send me something that isn't a piece of crap
that I can actually take production traffic on.
There's no, okay, I'll throw out the junky hardware
and get the good stuff in
once you start hitting a point of scale
because you're already building on that stuff
without the corresponding massive investment
of capital to get there. Yeah. Well, I mean, look, I lived this. I did a startup that was based on
demos at a Black Hat. Sorry, at a Black Hat. Black Hat did some demos on stage. People were like,
we want your code. It was about cloud security automation. That led to doing a startup,
this thing called DisruptOps, which got acquired. And that's how I ended up at FireMon. So that's
the day job route where I ended up. And what was amazing for that is to add on to
what you said. First of all, the friction was low. Once we got the architecture right,
scalability is not something we are hugely concerned with, especially because we're CI/CD.
Oh no, we hit limits. Boom. Let's just stand up a new version and redirect people over there. Problem solved.
And then the ability to, say, run multiple versions of our platform simultaneously.
I mean, we're doing that right now.
We decided to release an entirely free version of it.
To do that, it required backend architectural changes for cost, not for scalability so much,
but for a lot around cost and scheduling because our thing was event-driven.
We're able to run that and run our other platform fully in parallel, all shared data structures, shared messaging structures.
I can't even imagine how hard that would have been to do in a traditional data center.
So we have a lot of freedom. We still have those cost constraints because that's
your thing. But the experimentation, the ability to integrate things, it's just, oh my God, it's just exciting. And let's be clear, having spent a lot of time as
a rack rat myself in these data centers, I don't regret handing a lot of that responsibility off
just because, let's not kid ourselves, they are better at replacing failed or failing hardware
than I will ever be. That's part of the benefit you get from the law of large numbers.
Yeah.
I don't want to do all of that stuff, but we're hovering around something that is kind
of, all right, so former Gartner analyst means I have a massive ego.
And because of that, I like to come up with my own terms for things.
So roll with me here.
And it's something I'm calling the grand unified theory of cloud governance, because you cannot
possibly get more egotistical than referring to something as your solution to the biggest
problem in all of physics.
The idea is, is that cloud, as we have just been discussing, it drops friction and it
decentralizes because you don't have to go ask somebody for the
network.
You don't have to ask somebody for the server.
So all of a sudden, you can build a full application stack without having to call somebody for
help.
We've just never had that in IT before.
And all of our governance structures, and this includes your realm, cost as well as
security, are built around scarcity. Scarcity of resources,
natural choke points that evolve from the data center. Not because it was bad. It wasn't bad.
We built these things because that's what we needed for that environment at the data center.
Now we've got cloud. It's this whole new alien technology and it decentralizes.
That said, particularly for us on security,
you can build your whole application stack.
Of course, we have completely unified the management interfaces in one place,
and then we stuck them on the internet,
protected with nothing more than a username and password.
And if you can put those three things together in your head,
you can realize why these are such dramatic changes
and so challenging for enterprises,
why my kids get to go to Disney
a fair bit because we're in demand as security professionals.
What does Firemon do exactly? That's something that I'm not entirely up to speed on just because,
please don't take this the wrong way, but I was at RSA this year and it feels like all the
companies sort of blend together as you walk between the different booths. Like, this is what you should be terrified of today. And it always turns into a weird sales pitch.
Not that that's what you do, but at some point just blinds me and
overloads me as far as dealing with any of the cloud security space.
Oh, I've been going to RSA for 20 years. One of our SEs, I was briefly at our booth,
I'm usually in outside meetings, and he goes, do you see any fun
and interesting? I go, I just looked at him like I was depressed. I'm like, I've been to RSA for
20 years. I will never see anything interesting here again. Those days are over. There's just
too much noise and cacophony on that show floor. What do we do? So it makes the re:Invent expo hall
look small. Yeah. I mean, it's the show over at RSA. It wasn't always. I mean, it's always been big as
long as I've been there. But yeah, it's huge. Everyone is there and they're all saying exactly
the same thing. This year, I think the only reason it wasn't all about AI is because they couldn't
get the printers to reprint the banners fast enough. Not that anybody has any products that
would do anything there. So you look like you want to say something there. No, no. I like the
approach quite a bit.
It's the everything was about AI this year.
It was a hard pivot from trying to sell me a firewall, which it seems like everyone was
doing in the previous year.
It's kind of wild.
I keep saying that there's about a dozen companies that exhibited RSA.
Yes, there are hundreds and hundreds of booths, but it all distills down to the same 12 things.
They have different logos and different marketing stories, but it does seem like a lot of stuff is very much just like the booth next to it on both sides.
Yeah. I mean, that's, it's just the nature. And part of it, there's a lot of reasons for this.
We used to, when I was, so prior to doing the startup thing and then ending up at FireMon,
I did Securosis, which was an analyst firm. And we used to do the Securosis guide to RSA every
year where we try and pick the big themes. And the reality is, there's a reason for that. I wrote something
once that vendors lie to you because you want them to. It's the most dysfunctional relationship
because as customers, you're always asking, well, what are you doing for SASE? What are you doing
for Zero Trust? What are you doing for AI? When those same customers are still just working on
fundamental patch management and firewall management. But it doesn't stop them from asking the questions and the vendors have to have answers
because that's just the nature of that part of the world. I will ask you, in those past 12 years,
I have my own thoughts on this, but I want to hear your take on it. What's changed in the world of
cloud security? Everything. I mean, I was one of the first to be doing this. Oh, is that all?
Yeah.
So there's more people. When I first started, very few people doing it. Nobody knew much about it outside AWS. We all knew each other. Now we've got a community that's developed and there's
people that know what they're doing. There's still a shortage of skills, absolutely still a
shortage of skills, but we're getting a handle on that. We're getting a bit of a pipeline in.
I'd say that's still probably the biggest challenge we face.
But what's improved?
Well, it's a give and take.
On one hand, we now have strategies.
We have tools that are more helpful.
Unfortunately, I'll tell you the biggest mistake I made, and it ties to the FireMon stuff
in my career in a minute, relates directly to this question.
But we're kind of getting there on some of the tool pieces.
On the other hand, the complexity is increasing faster.
And that's what's made it hard.
So as much as we're getting more skilled people
better at tooling, for example,
we kind of know,
and we didn't have CloudTrail when I started.
We didn't have the fundamental things you need
to actually implement security at the start of cloud.
Most of those are there.
They may not be working the way we wish they always worked.
But we've got the pieces to assemble it, depending on which platform you're on.
That's probably the biggest change.
Now we need to get into the maturity phase of cloud.
And that's going to be much more difficult and time consuming to kind of get over
that hump. It's easy to wind up saying, oh, I saw the future so clearly back then, but I have to ask
going back 12 years, the path the world would take was far from certain. Did you have doubts?
The guy I presented with, Chris Hoff, we were still friends, presented stuff together,
and he got a job that was kind of cloud ancillary.
And I remember calling him up once and going,
Chris, I don't know what to do.
I was running my little analyst firm.
We were doing very, very well.
I could not get paid to do any work around cloud.
People wanted me to write shitty papers on DLP.
And take customer inquiries on DLP because I had covered that at the Gartner days and data encryption and those pieces.
That was hard.
And fortunately, a few things started trickling in and then it was a flood.
It completely changed our business and led to me eventually going down into the vendor path.
But that was a tough day when I hit that point. So I absolutely, I knew it was the future. I didn't know if I was going to be able to make a living at it. It would seem that you did.
Yeah, it worked out pretty well. You seem sprightly to me. Good work. You're not at death's door.
No, you know, in fact, the analyst side of it exploded over the years because it turns out
there weren't people who had this experience. So I could write code to the APIs, but still
talk with CEOs and boards of directors around these cloud security issues and frame
them in ways that made sense to them. So that was wonderful. We partnered up with the Cloud
Security Alliance. I actually built a bunch of the CSA training. I wrote the current version of the CSA guidance. We're writing the next version of that. Did a lot
of research with them. They've been a wonderful partner. So all that went well.
Then I got diverted down onto the vendor path. I had this research idea
and then it came out. We ended up founding that as a startup and then it got
as I mentioned acquired by FireMon, which was interesting because FireMon, you asked
what we did. Firewall policy management is the core of the company. Yet the investors realized the
company was not going in the right direction necessarily to deal with the future of cloud.
They went to their former CEO and said, hey, can you come back, the founder of the company,
and take this over and start moving us in the right direction? Well, he happened to be my
co-founder at the startup.
And so we kind of came in and took over there.
And so now it's a very interesting position because we have this one cloud native thing
we built for all these years.
We made one mistake with that, which I'll talk about,
which ties back to your predicting the future piece
if you want to go into it.
But then we have the network firewall piece
now extending into hybrid,
and we have an asset management moving into the attack surface management space as well. And both of those
products have been around for like 15 plus years. Now, I'm curious to hear your thoughts on it,
because it's been one of those weird areas where there's been so much change and so much evolution,
but you also look at today's OWASP top 10 list of vulnerabilities.
And yeah, they updated a year or so ago.
But it still looks basically like things that from 2008 would have made sense to me when I'm looking at this.
Well, inasmuch as they do now.
I didn't know then, nor do I now, what a cross-site scripting attack might be.
But other than that, I find that there's, oh, you misconfigure something and it winds up
causing a problem.
Well, no kidding.
Imagine that.
Yeah, look, the fundamentals don't change, but it's still really easy to screw up.
Oh, having done so a lot, I believe you.
There's a couple of principles, and I'm breaking it into two sides.
One is a lot of the security sounds simple.
There's nothing simple at scale.
Nothing simple scales.
The moment you get up to even 200 employees, everything just becomes ridiculously harder.
There's just, that's the nature of reality.
Simplicity doesn't scale.
The other part is, even though it's always the same, it's still easy to think you're
going to be different this time and you're not going to screw it up. And then you do, for example, so cloud,
we were talking about the maturity. I assume CSPM just wasn't going to be a thing for real,
the cloud security posture management, because why would the cloud providers not just make that
problem go away? And then all the vulnerability assessment vendors and everybody else, it seemed
like it was an uninteresting problem. And yet we were building a cloud security automation thing. And we missed the boat because
we had everything we needed to be one of the very first CSPM vendors on the market. We're like, no,
no, that problem is going to go away. We'll go there. And it ties back to what you said, which
is it's the same stuff. And we just outsmarted ourselves. We thought that people would go
further faster and they don't and they aren't.
And that's kind of where we are today. We are dramatically maturing. At the same time,
the complexity is increasing dramatically before. It's just a huge challenge for skills and staffing
to adjust governance programs. Like I think we've got another 10 to 20 years to go on this
cloud security thing before we can get close. And then maybe we'll get down to the being bored by the problems,
but probably not because AI will ruin us.
I'd like to imagine on some level that AI could be that good.
I mean, don't get me wrong.
It has value and it is transformative for a bunch of things.
But I also think a lot of the fear mongering is more than a little overblown.
No, I agree with you.
I think I'm trying to keep a very close eye on it
because I can't remember you and I talked about this
when we met face-to-face or it was somebody at that event.
AI is just not just AI.
There's different, there's the LLMs,
there's the different kind of technologies that are involved.
I mean, we use AI all over the place already.
I mean, my phone's got it built
in to take better pictures. It's a matter of figuring out what the use cases and honestly,
some of the regulatory structure around it in terms of copyright and everything else.
I'm not worried about Clippy turning into Skynet, even though I might make jokes about that on
Mastodon. Maybe someday there will be some challenges, but no, it's just going to be
another tech that we're going to figure out over time.
It is disruptive, so we can't ignore that part of it.
I really want to thank you for taking the time to speak with me.
If people want to learn more, where is the best place to find you that isn't one of the Disney parks?
That really is kind of the best place to find.
Now, so these days, I do technically still have a Twitter presence at rmogull.
I'm not on there much, but I will get DMs if people send those over.
I'm more on Mastodon.
It's at rmogull at defcon.social.
I write over at FireMon these days, as well as occasionally still over at Securosis on
those blogs.
And I'm in the cloud security Slack community
that is now under the banner of fwd:cloudsec.
That's probably the best place if you want to hit me up
and get quick answers on anything.
And I will, of course, include links to all of that
in the show notes.
Thank you so much for taking the time
to speak with me today.
I really appreciate it.
Thanks, Corey.
I was so happy to be here.
Rich Mogull, SVP of Cloud Security at FireMon. I'm cloud economist Corey Quinn, and this is
Screaming in the Cloud. If you enjoyed this podcast, please leave a five-star review on
your podcast platform of choice. Whereas if you hated this podcast, please leave a five-star
review on your podcast platform of choice, along with an angry comment talking about how at Dell these days
it does not take six weeks to ship a server.
And then I will get back to you in six to eight weeks.
If your AWS bill keeps rising
and your blood pressure is doing the same,
then you need the Duck Bill Group.
We help companies fix their AWS bill
by making it smaller
and less horrifying.
The Duck Bill Group works for you,
not AWS.
We tailor recommendations to your
business, and we get
to the point. Visit
duckbillgroup.com to get
started.