The a16z Show - a16z Podcast: Securing Infrastructure and Enterprise Services

Episode Date: February 14, 2017

The modern enterprise holds all sorts of applications, devices, and workflow needs. How should we be thinking about securing infrastructure -- and identity -- in this context, for entities like major news media outlets or financial institutions such as News Corp or NASDAQ? Well, this episode of the a16z Podcast brings those voices together: Frederic Kerrest, cofounder and COO of Okta; Brad Peterson, CIO of NASDAQ; and Dominic Shine, CIO of News Corp, in conversation with Ben Horowitz at our recent a16z Summit. What's the big security picture for these types of organizations, and others? How should we prepare? Last year's Dyn DDoS attack was just one glimpse of what's to come, providing a bit of a barometer read for what's currently working, and what desperately needs re-engineering. One interesting solution involves decentralization; but as we move towards such technology (like blockchain) in security, what will high-frequency trading look like? How will consumer relationships, transactions, and UI/design security be reimagined? What areas and fundamentals should we focus on?

Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures.

Transcript
Starting point is 00:00:00 Hi, everyone, and welcome to the a16z Podcast. I'm Hannah, and in today's episode, we have our own Ben Horowitz moderating a session with Okta COO Frederic Kerrest and Dominic Shine, who's the CIO of News Corp, plus Brad Peterson, who's the CIO of NASDAQ, on securing infrastructure from mobile to IoT and beyond. This session was recorded as part of our inaugural a16z Summit. All right. So before we get into the real hardcore security stuff, let's talk a little business. And Dom, News Corp's in an interesting position these days coming off of an election. You're representing kind of one of the most important companies in traditional media. How do you think about your role technologically in moving News Corp forward? Wow, what a question. You might have picked it already. I'm British, so I can probably take the fifth on this one. Yeah, it's an interesting time. Obviously, nothing going on in politics here or in Europe either.
Starting point is 00:01:01 From a technology point of view, what we find is more than ever, the journalists are out and about, they're mobile, they need access to systems anytime, anywhere. So I see my role is to enable that workforce to have the easiest time possible in a very pressurized environment to create that content, to distribute that content, whilst giving them good security controls that don't make their lives too difficult. And short follow-up on that, or maybe not so short. The other thing that happened in this election was, apparently the Russians got involved. Were you concerned that a foreign entity or someone might actually hack the Wall Street
Starting point is 00:01:42 Journal and try and change the news at the exact wrong time? So I think we're always vigilant to that sort of risk. I think our concerns were more that we might have a repeat of the denial of service attacks of the previous weeks, so might have disruption. But we have a lot of safeguards around protecting those crown jewels, those assets. So one of the things that's got kind of tremendous technological momentum is the technology known as the blockchain and implementations such as Bitcoin and Ethereum. And, you know, it's been posited that the right place for us for a stock market exchange
Starting point is 00:02:19 isn't NASDAQ so much as it would be the blockchain, because then you could have software set the order handling rules and everything and get to a more kind of fair exchange and a much lower fee exchange. When you look at that, how present a threat is that compared to a future threat? And then how are you thinking about that technologically and what NASDAQ has to do going forward? Before NASDAQ, I was involved with PayPal, which is a consumer-based product, and Schwab, which is the investor side. So now with NASDAQ, we're focused on what we call the listing side, which is really the issuer or the company. What I always like to think about is the products for both ends,
Starting point is 00:03:04 and the products for both ends need a lot of change in modernization. And maybe we'll get into the consumer side. There's a tremendous amount that doesn't work for our existing banking consumer products and investment products. So for specifically NASDAQ and in exchange, I would say that on either end, we will always have those two customers. And everything in the middle is up for grabs for re-engineering. The fact that we're in the middle means that we have to think about how we rethink our role entirely.
Starting point is 00:03:36 I think the main one that is really interesting is the physical world when you had trading. Trading was proximity based. Yeah, right. Well, you were a disruption to, really, the New York Stock Exchange. Yeah, we were the ones, a group of people that got together and said, you know these things that people do, waving their hands and throwing paper on the floor at the end of the day and sweeping it up, seems to be a little outdated. So, you know, why wouldn't we do these with computers? That was although every city had a stock exchange. And, you know, there were physical places.
Starting point is 00:04:05 So the record keeping was distributed. That's why we have the DTCC, which is a centralized securities depository. It's centralized because mainframe technology was all you had at the time. So I think the architecture was already envisioned in the 70s to be distributed, but the technology, the solution was only centralized. I would say that we are going to go more towards a distributed record keeping system because we can now. And that's what's really exciting about blockchain. For us, we build technology for CSDs outside the U.S. We see that becoming more of a distributed record keeping. And do you think that will make it... It's more efficient. So it will be lower, it'll lower costs and absolutely speed up the process. And how about techniques such as high
Starting point is 00:04:50 frequency trading and so forth? Will that become more complex and available to only the very best players, or will it become obsolete in the distributed world? Well, I like to look at... Or unpredictable. No, but I think that, you know, I was in New York City, even though I lived in the West Coast at the time during 9-11, and I was really surprised to hear that the industry, financial services, had massive data centers on Manhattan. And I'm going, why do you have that?
Starting point is 00:05:16 And it was because they over-indexed for speed and latency around trading that you needed the compute, the Sun Microsystems that, for... First, we're right there in the trading floor. And then big, reputable firms had major data centers in Manhattan. And if you think about why would you have a data center in Manhattan, you would want to have it many other places where there's low taxes and low cost of power. And a lower chance of terrorist attacks. If you look at consumer, if you look at the investment space where Schwab have their data centers, where Wells Fargo and B of A and Amex have their data centers, they're in these places that don't have natural disasters, they engineered for risk, whereas the exchanges moved from Manhattan to New Jersey.
Starting point is 00:06:00 You can look at it almost like skiing. When skiing was going, you had longer, faster skis, and then someone invented the snowboard, and you changed what you were really designing for. It's designing for fun and performance. So I would say speed has already been exploited, and now it goes back to, I think, security, fairness, and resiliency are going to be balanced out. So we probably won't end up with massive data centers in New Jersey and Chicago. You would put them in other parts of the world that are safer and more secure. As that is re-engineered, there's an opportunity to introduce blockchain technology. So that's what I'm pretty excited about. That is interesting. So given what both of you have to move towards in the future, you clearly have to embrace the great
Starting point is 00:06:46 replatforming to mobile. I'm not going to ask you if you're going to mobile because that would seem like a ridiculous question. But what are the challenges as you widen the attack surface and you just introduce a very different kind of technology for consumers to access your services and businesses to access your services? I'll start with you, Dom.
Starting point is 00:07:08 Sure. So from a security point of view? You mean primarily? Well, security or whatever. We are a big organization, 25,000 people, over 10 major businesses. The first challenge in any big change is how do you get the balance right between letting each individual business go their own way,
Starting point is 00:07:23 move at their own pace, and bring all the advances you can by working as a group. That's the first thing with mobile. So we try and allow the business units to really go at fast speed, to develop their mobile products, bring the best products to bear, keep improving them.
Starting point is 00:07:38 But increasingly, we're deploying common deployment platforms, API frameworks to try and speed up how they deliver that, reduce the cost, so that we don't have to do the security testing over and over and over again. The more you do that, the more you open yourself up, the more you have to be vigilant and to make sure that you've got the security aspects right,
Starting point is 00:07:58 so there's a lot more vulnerability testing, there's a lot more scanning of that. I think for internal users, everything we do now, we would not buy a product for enterprise technology unless it had an excellent mobile app and excellent experience. We want to enable our workforce to work wherever they want, whenever they want. Again, with that, you need great user experience, but you need good security.
Starting point is 00:08:21 So, you know, that's been a key part of that architecture to really help us unify that and lock that down. So that takes away quite a lot of the headaches for us. So, Freddie, what is Okta doing on mobile security? And, like, how is your approach different than some of the things that people have to play? I think that you touched on one of them, which is people are just trying to innovate and create new applications and new experiences, and they're doing that both for internal constituents, but also externally. So you just want a better interaction for your
Starting point is 00:08:49 customers and your partners on a lot of this. The operating systems have become a lot more powerful in the devices that everyone has in their hands. So you can now leverage a lot of what's available in the iOS, in the Android operating systems in terms of the profile, which means you can provide a much richer experience. That has a lot of financial implications because the employees are showing up with mobile devices that we all have, which are basically supercomputers, but they're expensive. So you want to enable your workforce to take advantage of the tools that they have, but you want to do that in a very seamless experience
Starting point is 00:09:19 so that they can still use the business tools, but do that in the form factor they're used to and make it very easy. So just taking advantage of a lot of the new infrastructure and technologies that are available out there. Got it. And Brad, when we talk about mobile and mobile security, given you're dealing with transactions, the user interface design security and the integrity of the transaction. And how does that change when you go to mobile?
Starting point is 00:09:41 Well, going back to the Schwab days, everyone really wants access to their money on their phone. As long as you don't lose it. It's kind of the old trick of ATMs. What ATMs did when they first set them up is if the network was down, you couldn't get money out. And so they did some risk management and said, without being able to check your balance, we'll make you good for it. There's some amount of risk management that you want to build into just making sure that someone isn't left with zero access to their money when they're looking at their watch or their phone or their endpoint device being a replacement for the physical wallet. Eventually, though, you need to connect back into what is likely going to be the future of storing your bits that
Starting point is 00:10:22 represent your assets or your money in a cloud. Those two are the new area where today all of our representation for our wealth and our money is sitting in a proprietary data center. Financial services has been slow. You need to look at it both ways, on the endpoint and in the cloud. And you really need the solution in both places. So there was recently a rather dramatic security attack where apparently a Chinese chip manufacturer, the kind of leading manufacturer of very cheap chips for camcorders and DVRs,
Starting point is 00:11:01 had a security flaw, maybe accidentally, maybe planned, in their chip that was then exploited for a massive denial of service attack against basically a very large DNS provider of naming services on the internet resolving names to addresses and the kind of basic functionality that you need for the internet to work. What can you do to deal with that kind of attack where you potentially have a state actor with a very sophisticated attack rolled out over maybe a decade? Yeah.
Starting point is 00:11:31 Yeah, was it a feature or a bug of the IoT who knows? That's a very good question. I think a couple things. First of all, it showed that we've taken a lot of the infrastructure and the way that we've designed things so far for granted. The way that the original internet was designed and the way that people are using it today, everyone's got to take a better look
Starting point is 00:11:48 in terms of security and infrastructure and reliability on what we're doing and how we're doing and how we're going to do it in the future because we're just talking about a billion people on the internet. We're not talking about all the devices that are going to come out, which is where some of this originated. The other thing is this is basically a trial run. I mean, this is in very small form of what's...
Starting point is 00:12:05 It's a diagnostic of what's going to happen. In this case, it was some cameras at home that people are plugging in and using and it's broadcasting a lot of data, and these folks were able to take this data and point it towards a specific service. When you think about everyone in this room now has two, three, four devices, everyone's carrying smart watches. Just earlier this morning, someone was telling me about their internet-enabled Crock-Pot and how you can control your, you know, you laugh, but it's true, right? You want your chili to be warm, you know, when you get home two hours from now, people controlling the light switches. You think about utilities that are
Starting point is 00:12:36 managing smart meters and the kind of attack that could happen, and when and if someone decides to turn on all the air conditioners in New York in the middle of the summer, that's pretty serious. And this is just the beginning of it. It's a good trial run for everyone to take a look and say, what are we doing today and how we're going to improve it? And there's always things that we can do better,
Starting point is 00:12:53 including us at Okta. But also it's a good wake-up call. It's a good wake-up call for the industry, and in particular the folks in this room, to think about, okay, there's all these opportunities. We talk about it. You hear about IoT. You read about it in the news.
Starting point is 00:13:06 Everything's connected. I can talk to my car. That's all great. But with those opportunities come a lot of risks that you have to think about. Dom, you know, one could imagine somebody launching that kind of an attack to shut down parts of the media during an election cycle like we just had. How much do you think about what you have to do yourself versus how you rely on your vendors
Starting point is 00:13:27 for security? How do you balance up, particularly on an attack like this, which it's very difficult to be resilient against? Yeah, no, it's an excellent question. I think, you know, Freddie got it right. It was a wake-up call. So for us, for the things we directly control, we did have a contingency plan. We were able to switch DNS very quickly.
Starting point is 00:13:46 We were in good shape. But we were exposed to our major partners. And really, it crystallized for us the knowledge that, you know, you're only as good as your weakest link, your weakest connection. So I think for us, it's ignited now a real passion to work with our partners to say, okay, let's look at this risk and make sure it's mitigated, but now let's really think what are the other things that could occur. Have you thought through that? Prove to us that you've got a contingency plan. You've rehearsed it.
Starting point is 00:14:14 So I think you'll see organizations like us taking a much stronger stance with those partners in doing due diligence around that when we select them and also monitoring how they work on an ongoing basis. And Brad, do you have a similar view or do you see it differently? Or like what's even possible financially as attacks escalate? We have to worry that we're a big prize for just terrorism. If you can take down what is represented, you know, New York Stock Exchange, NASDAQ, as capitalism. So we have to work with the government because we're not going to outgun
Starting point is 00:14:48 any nation state. We're deemed critical infrastructure in the U.S. Everyone in the U.S. that's deemed critical infrastructure has formed a group so that we can talk amongst ourselves very rapidly. For the exchange itself, it is not open to the Internet directly. So, that's more of a permissioned environment. So I think that's one of... But clearly, you've got to let applications in indirectly. Yes. And in the early days of the web, actually, because everyone wanted to be web-enabled, you know, the exchanges were web-enabled directly in. So we've since changed that. But it was, yeah, some over-eager folks in the late 90s actually said, well, you know, let's just bring access in from anywhere.
Starting point is 00:15:35 So that's changed. But we have to think about it from a just, it's not necessarily for economic gain or crime. There's also just the embarrassment factor of the U.S. And in those critical infrastructure discussions, do you end up being privy to information about, you know, particularly state actors, you know, that are concerned? So there's fairly frequent warnings about who might be the target, but in general, financial services institutions do get early warning about campaigns. And it usually is related to some event that is a reaction to a, you know, a foreign policy action by a group of countries and there's a
Starting point is 00:16:18 retaliation. Right. So we are seeing that. You almost can read the news and go, uh-oh, something's going to be coming, coming our way and hopefully, you know, it isn't effective. The beauty of having the ability, if someone gets hit, we can quickly share it and understand how you might thwart it and definitely check. You get better ability to check where it's coming from. So there's early warning that way. Okay, good. Well, on that happy note, I will open it up for questions if anybody's got questions. Do you think about working with two or three top vendors that are really going to provide the security that you need and maybe let go some of the vendors you've been using?
Starting point is 00:17:00 that maybe have higher vulnerabilities, or just how do you think about consolidation of vendors in this world? Yeah. So I don't think it's about consolidation of vendors. I think it's about making sure that all our vendors and partners achieve the right standard. They can be a unifying force to tie together some of that. But I think we'll continue to use best-of-breed tools underneath that and we'll continue to monitor those, make sure they're fit for purpose. But security is very important, but it's not the only consideration. So we'll still look at it as a balanced portfolio of things we assess. So I don't see us saying, you know, let's just go with one major vendor because we like
Starting point is 00:17:39 their security posture. I think there's a de-risking actually in having a broader suite and having options. How do you see your security spend changing among the various sub-sectors of security that you spend on today? Is there a particular area that you're going to emphasize more than before? I think in overall terms, we're spending more on security. So over the last year, 18 months, we've been driving a big maturity improvement program across the business. Things like single sign-on have always been very difficult.
Starting point is 00:18:08 Now they're good and easy to use. We're spending more on data loss prevention, endpoint management, vulnerability scanning. Also, you know, in terms of services, we use sort of red team testing approaches. We'll do actually our own hacking internally to try and find vulnerabilities. So I think those are some of the major areas where we're investing more. I would just add, in addition to what Dom said, we're seeing more for the privileged access employee user behavior analysis. And it goes to some of those events like the pilot who drove the plane into the Alps. Really having a more dynamic view of an employee who may have been hired
Starting point is 00:18:49 has gone into some type of stress or trauma in their personal life, whether it's mental illness, whether it's financial. There are certain roles in the company that you have to figure out how you look at them more regularly. So I think that's an area of opportunity in addition to the ones, Dom. All right. Well, I would very much like to thank our guests, Dom, Brad, and Freddie. And thank you for joining us.
