Status Go: Ep. 216 – Myth Busters: The Cloud is Not Secure | Darren Maas

Summary

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Spotify | Email | RSS

About Darren Maas

Proven expertise in leading projects, process improvement, and identifying new technologies to help drive the organization. Able to develop IT vision and strategy to align with and achieve the organization’s goals and objectives. Recognized for strong attention to detail in planning and prioritizing, and a strong “get it done” attitude.

Episode Transcript

[00:00:00]: Security is everyone’s responsibility

[00:00:37]: Welcome to Myth Busters: Cloud, Security & Innovation

[00:02:01]: Darren Maas’ Career Journey

[00:03:05]: 12 Years at SES

[00:03:26]: SES’ Tech Stack

[00:05:44]: Origin of the Cloud Security Myth

[00:07:16]: Keeping Up with Fast Changing Technology

[00:08:33]: Cloud Breaches

[00:09:27]: SES’ Approach and RPaaS

[00:11:07]: RPaaS Defined

[00:12:08]: Evolution of Security Culture

[00:13:06]: Executive Support

[00:13:44]: Building the Incident Response Plan

[00:15:27]: The Shared Responsibility Model and You

[00:18:08]: Shared Responsibility Model and RPaaS

[00:19:58]: Time Spent on Cyber

[00:22:36]: IT and Vendor Management

[00:24:30]: A to C and C to F Model

[00:27:16]: Elevated Conversations

[00:27:44]: Bust That Myth!

[00:29:16]: Actions for Tomorrow

[00:30:11]: Thank you and Close

Episode Transcript

Darren Maas [00:00:00]:

You know, we’ve always had a fairly good posture when it comes to people are cognizant of not clicking the, the email links and all of that. But that only takes you so far that, you know, people really need an awareness that security is everyone’s responsibility.

Voice Over – Ben Miller [00:00:19]:

Technology is transforming how we think, how we lead, and how we win. From InterVision, this is Status Go, the show helping IT leaders move beyond the status quo, master their craft, and propel their IT vision.

Jeff Ton [00:00:37]:

Welcome back to our continuing series Myth Busters: Cloud, Security, and Innovation. Like the much more famous MythBusters TV show, we’re going to dive into several myths and through interviews, case studies, and data, bust that Myth! Follow us over the next several months as we share blogs, infographics, and, of course, podcast episodes. On the second Monday of each month, we will interview a peer, CIO, CTO, or business owner who has successfully busted that myth. Two weeks later, we’ll hear from an InterVision expert who will further destroy the Myth.

One of the myths that we hear most often when speaking with technology professionals is that the cloud is not secure. I don’t think I have attended a conference in the last ten years where I’ve not heard someone say that the cloud is not secure, and I’m sure many of you have heard that as well. Heck, I was probably one of the ones saying that ten or twelve years ago. Today we are joined by Darren Maas. Darren is the Technical Services Manager for Security Equipment Supply, an independent family-owned wholesaler of low-voltage electronics. Together we are going to bust that myth.

Welcome to Status Go, Darren.

Darren Maas [00:01:59]:

Hi Jeff, thanks for having me.

Jeff Ton [00:02:01]:

Really appreciate you jumping on this call today. Darren, before we dive into cloud and cloud security, could you share a little bit about your background and your career journey? What brings you to where you are today?

Darren Maas [00:02:15]:

Sure. So, I started with our company twelve years ago. Actually, I’ve been with them that long now stuck with I started my It journey here as the help desk guy through the ranks, served as a sysadmin for a while, and nowadays, I’ve moved into basically vendor management, where I am able to focus on providing value to the business, our It strategy and so on. I have the technical background that’s required in order to work with our technology partners and make sure that they are doing what we want them to do for our business.

Jeff Ton [00:03:05]:

So twelve years, that’s a testament to the company, I think, and the culture there at SES that you’ve been there twelve years, you’ve grown in your career. It is part of what everybody likes, right?

Darren Maas [00:03:20]:

It’s definitely a place that I like, and it’s a good culture around here.

Jeff Ton [00:03:26]:

That’s awesome. Let’s talk about the tech stack at SES. What combinations do you have of on-premises or private cloud and SaaS? What makes up the portfolio these days?

Darren Maas [00:03:41]:

Sure. So, I guess I’ll start with what was traditionally the core of our infrastructure was. We have about 20 servers that are running in the VMware IaaS in the InterVision data center that primarily hosts our ERP software. Outside of that, all the other servers are running applications that are typically related to that. And then we have a file server and so on outside of that. Then in Azure, we have a few services that are going to be growing. We are expanding more into Azure, with we will be implementing Microsoft Dynamics 365 ERP in place of the existing ERP. And then, we have Adobe Commerce for our website e-commerce site and that is tied back into the data center IaaS so that it can talk to the ERP. We also have probably the same or as many SaaS services some are tied into our AD and some are not. And we are not fully Azure ad yet. We are still using On-Prem AD. But we do use…we’re all in the 365 stack and are syncing to Azure AD and then use that for single sign-on with various other services.

Jeff Ton [00:05:15]:

So when you talk about the stack or the portion of the stack that is in an InterVision data center, it’s considered your private cloud. Right?

Darren Maas [00:05:32]:

I mean, it’s VMware based, virtual, it’s a co-manage environment. I can do what I want to do in there as far as standing up VMs and all that. And I can also rely on InterVision.

Jeff Ton [00:05:38]:

Excellent.

Darren Maas [00:05:39]:

I definitely rely on them for all the monitoring and maintenance of It.

Jeff Ton [00:05:44]:

Well, as you know, we’re here to bust the myth that the cloud is not secure. Let’s start with where you think that myth got started. Where did this come from in IT circles?

Darren Maas [00:05:58]:

Sure. I think it comes from the mindset that if I control it, I know what’s going on with it and therefore I can know that it’s the most secure. I suppose that can be true at a certain scale. I think the problem comes from that there might be many companies that operate under the impression that they do have the expertise and the resources in-house in order to handle all of that where they may not. I know that we don’t. Historically, our It department has been at most two people.

Jeff Ton [00:06:40]:

Right.

Darren Maas [00:06:41]:

It’s the one-man shop, basically. And these days, we have expanded. We called our tech team these days to include our ERP and E-commerce teams. But as far as actual technology expertise, we’re not any more robust than we used to be. So that’s where our technology partners come in and provide that expertise and the bench strength to be able to handle that. Yeah. Being able to do it all yourself is something that I gave up long ago.

Jeff Ton [00:07:16]:

Well, it is. It’s very complex. And the way that the threats are evolving, ransomware and beyond, makes it vital that you stay up to date on where those threats are coming from and how those attacks are being formed and driven. And trying to do that in a small shop or even in a large shop that doesn’t have dedicated resources to staying up to date on that can be pretty difficult.

Darren Maas [00:07:55]:

Yeah, I keep up to date with technology news, with security news, and so on, but there’s only so much that I can absorb while still dealing with it day to day.

Jeff Ton [00:08:06]:

Well, and I would imagine, as you mentioned at the outset, where your focus is as you’re keeping up with the technology news, where does it apply to SES? So you’ve got that filter up front, right?

Darren Maas [00:08:24]:

What things can I pay attention to that will provide value to the business. And what major security pitfalls do we need to be looking out for.

Jeff Ton [00:08:33]:

Yeah, I think the other place that this myth got started is there’s been these highly publicized breaches that occur in the cloud. But when you dig underneath the covers, what you find out is it wasn’t really a breach of the cloud, it was a breach of someone’s credentials or someone’s server that was exposed accidentally, publicly.

Darren Maas [00:09:02]:

Sure. Yeah. They say that the cloud really just means someone else’s computers. That’s true. It’s only as secure as you make it.

Jeff Ton [00:09:13]:

Yeah.

Darren Maas [00:09:14]:

You have to make sure that you have the proper policies in place, access policies, and so on. The proper controls in place around it. Without that, sure, it will be insecure.

Jeff Ton [00:09:27]:

Yeah. Well, let’s talk about SES’s approach to cybersecurity. What things have you done to make sure that SES is protected as well as can be and to make sure that cybersecurity is seen as everybody’s responsibility within SES?

Darren Maas [00:09:51]:

Yeah. So with the InterVision RPaaS program that we’ve just about finished onboarding with it, we now have the DRaaS set up – Disaster Recovery as a service –  where we have a failover set of our data center servers in the Las Vegas Data Center. So not only do we have backups, but we can also, at the click of a button, within a minute to an hour or so, failover to a whole live replicated copy of our servers in Las Vegas. That’s all, air gapped from the St. Louis data center.

Jeff Ton [00:10:29]:

Right.

Darren Maas [00:10:31]:

And then also working with Stan Smith, our VCISO provided from the RPAS program, we are building our incident response plans, which basically until now, we’re, “hey, everybody get in the room and figure this out.”

Jeff Ton [00:10:44]:

Let’s figure out what’s going on.

Darren Maas [00:10:46]:

Yeah, we will.

Jeff Ton [00:10:48]:

Definitely a lot of listeners in that same boat.

Darren Maas [00:10:50]:

Yeah, we’ll definitely be in a much better place going forward where we’ll have a procedure in place, we’ll know who needs to call who and what to do in the event of an incident, which is worlds more than we had before.

Jeff Ton [00:11:07]:

Yeah, well, and for our listeners who may not be familiar with RPaaS, we’ll put a link in the show notes to a couple of episodes that we’ve done on RPaaS, but basically, it’s ransomware protection as a service, and it combines, as Darren mentioned, it combines disaster recovery as a service. It includes virtual CISO, virtual Chief Information Security Officer help, as well as detection and response.

Darren Maas [00:11:45]:

Yeah, right. It has the Arctic Wolf MDR, and then we combine that with we have a couple of different EDRs in our environment that it ingests from the logs from that as well as connecting to our cloud services and gives us basically a single pane of glass view to what’s going on in the entire environment.

Jeff Ton [00:12:08]:

That’s excellent. As you’ve rolled some of this out, you’ve been with SES for twelve years. How has the Security Stature culture evolved over those twelve years outside of your technical resources?

Darren Maas [00:12:28]:

It was always considered before it was something that everybody knew that we needed to be paying attention to. I think that with the change to where now we’re building our incident response, we’re going through tabletop exercises, people have really realized that it is everyone’s responsibility. We’ve always had a fairly good posture when it comes to people being cognizant of not clicking the email links and all of that, but that only takes you so far. People really need an awareness that security is everyone’s responsibility.

Jeff Ton [00:13:06]:

Do you have the support of the executive team on this?

Darren Maas [00:13:10]:

I sure do. That’s always been a constant. Our president has always been enough tech savvy that he’s keeping us all aware and making sure that we’re making the right movements.

Jeff Ton [00:13:25]:

Well, with the name of your organization, Security Equipment Supply, you kind of have to have that, right?

Darren Maas [00:13:33]:

That has always been what we’ve said. We can’t really say that we’re a security organization without being at least cognizant of security.

Jeff Ton [00:13:44]:

Yeah, absolutely. So, you’re in the midst of implementation, if you will, of this and you mentioned that you’re building out the Incident Response Plan and formalizing that. What are some of the other next steps that you’re looking at to evolve your security?

Darren Maas [00:14:06]:

Right. Stan and I will be taking a look at various things that will need to be investigated and discovery and all that. I know that the next thing that we’re going to probably look at is going to be access control, as in being set up to where somebody could do a BYOD, bring your own device, and then have the tools loaded onto that machine that they need in order to access our network. And if they don’t, then they don’t get on the network.

Jeff Ton [00:14:38]:

Yeah.

Darren Maas [00:14:40]:

And probably some of that’s going to come with our move to Azure AD that I foresee on the roadmap here.

Jeff Ton [00:14:48]:

Right. Well, Darren, we’re going to pause right there for a word from InterVision Systems. Our listeners know that InterVision is the publisher of the Status Go podcast.

Voice Over – Ben Miller [00:15:06]:

Unlock the Power of More. With InterVision Systems, we provide the cutting-edge technology and expert guidance you need to take your business to the next level. Don’t settle for less. Choose InterVision Systems and discover what’s possible. Contact us now to learn more.

Jeff Ton [00:15:27]:

And if you do want to learn more, visit InterVision.com/myths. There you’ll find more information about busting the myth that the cloud is not secure, as well as the other myths that we have already attacked in the first couple of months of this series and maybe a hint or two of those myths that are coming up. Right now, we’re talking with Darren Maas of SES Security Equipment Supply Company, and we’re talking about his approach to cybersecurity and securing the cloud. He’s already gone through a little bit about his technology stack. And Darren, what I’d like to do now is pivot a little bit to this shared responsibility model. We hear a lot about that from the cloud providers, but what does that mean to you as the person responsible for technology there at SES?

Darren Maas [00:16:30]:

Yeah, I think that probably a mistake that some people make when they start looking at the movement to cloud is they think that because it is someone else’s computers they can just move all their things over there, and that provider is going to take care of it. Well, that’s not the case. There’s a RACI chart there to be considered that you have the responsibility of securing certain aspects of it. For the most part, the onus is mostly on you to make sure that the security is in place.

Jeff Ton [00:17:07]:

Well, I think that’s a great point because even under the shared responsibility model, security is on you. Right? I mean, it’s still ultimately your responsibility as the caretaker of the technology assets of SES. So, you have to have an understanding of who’s doing what and why and also verify that they’re doing it.

Darren Maas [00:17:39]:

Right, right. Well, if we’re talking about the RACI chart, you as the consumer of the cloud service are the accountable party, meaning that you are the one that has to make the decisions about how you secure your environment and hold the responsible party, the people actually turning the dials and doing the work responsible for doing that. You have to make sure that all that security is in place and hold them accountable for that.

Jeff Ton [00:18:08]:

Yeah, well, and you’ve taken that shared responsibility model even up a notch, I’d say, because you’re an RPaaS customer of InterVision. You’ve got InterVision there almost as the intermediary between the cloud provider and you, is that correct?

Darren Maas [00:18:31]:

That’s correct. InterVision is who we rely on. They’re our technology partner not only for our private cloud, but for our public cloud. And so, yeah, we always do the review of what needs to be considered right now, what security aspects do we need to look at that’s done together. And then I say, yes, this is what we need to focus on. And yeah, they’re who I rely on for that.

Jeff Ton [00:19:01]:

So, you’re setting the priorities, but you’re also listening to their expertise to help guide the priorities, right?

Darren Maas [00:19:10]:

Correct. That would be the consulted part.

Jeff Ton [00:19:12]:

Yeah.

Darren Maas [00:19:15]:

I am not the expert, so I have to turn to the people who do know all of that and get that expertise in order to make the informed decisions.

Jeff Ton [00:19:25]:

I love the RACI chart because, man, that really brings it home. Right? When you think about who’s responsible, who’s accountable, who’s consulted, and who’s informed.

Darren Maas [00:19:37]:

When framed properly, that is a very useful tool.

Jeff Ton [00:19:40]:

Well, especially when it comes to security in the cloud and making sure that you’ve got things buttoned up. How often are you meeting with the InterVision team for the consulting basis?

Darren Maas [00:19:58]:

Yeah, with Stan right now, we’ve been meeting just about every week during the RPaaS implementation. I could see that being a little less frequent once we iron out some things, but he’s been invaluable for me to turn to. I’ve been able to, on a few different instances so far, turn to him and say, “Hey, Stan, what’s your thought on this? Can you provide me a write-up to take back to my team and show them?”  “Hey, here is why we should or should not be doing this thing.”

Jeff Ton [00:20:32]:

Well, for our listeners. You’ll be able to hear from Stan. He’s actually going to be our subject matter expert that provides the expert perspective on cloud security coming up in a couple of weeks here on Status Go. So, you’ll be able to hear from Stan and get his perspective as well.

As you think about where your security footprint is right now. I know you’re in the midst of implementing RPaaS, but how much time do you spend on a daily basis? On a weekly basis, thinking about cybersecurity?

Darren Maas [00:21:18]:

I’d have to say that it’s becoming less, which is a good thing because of all this, it’s became less. But I’d have to say about 20 to 25% of my time is devoted to just taking into consideration what our next steps are and what things we need to be looking out for from the security angle.

Jeff Ton [00:21:41]:

Well, and I imagine even after, I don’t know that you’re ever fully implemented, but at some point the RPaaS implementation will be complete, and you’ll be in more of the day-to-day mode of taking care of the technology assets and the technology strategy for SES. What do you anticipate focusing on from a cybersecurity perspective when you hit that milestone?

Darren Maas [00:22:10]:

Right, it will be something that’s never truly complete. It’ll be an ongoing process with Stan and I to continue to look at new things that we need to improve upon and also continually just revisit tabletop exercises, making sure that our people are continually aware of this is what they’ll need to do in an incident response scenario. Security is something that is never just done.

Jeff Ton [00:22:36]:

Yeah, well, the threats are evolving, right? And now, holy cow, a whole other subject would be AI. And where that fits both as a strategy for technology at SES as well as AI and cybersecurity.

I want to go back to a comment that you made earlier on, Darren, and that is that you’re basically in vendor management. And I know when we talked the other day, somebody actually told you that because you were talking about, well, I’m using this vendor for this and I’m partnering with that vendor for that. Talk to us a little bit about that approach as a strategy because it’s not pure vendor management, as we used to think about vendor management back in the day.

Darren Maas [00:23:28]:

Right, yeah. As we talked the other day, at a conference, I’ve had these conversations with people about how they think the cloud is not secure and so on and so forth. And I tell them how we’re approaching it and how we rely on our technology partners, our vendors, and they say to me, “oh, well, that just sounds like you’re no longer in IT. You’re in vendor management.” Okay, maybe, yeah. But what that means is that I’m bringing my expertise to the table to make sure that the people who do manage our technology day to day and do all that work are doing what they need to do. Why would I want to concern myself with the C to F work when I should be doing the A to C work, focusing on the what and the why versus the how?

Jeff Ton [00:24:23]:

Right.

Darren Maas [00:24:26]:

Where I should be focusing on is bringing that value to the business.

Jeff Ton [00:24:30]:

Yeah, well, you mentioned the A to C and C to F, and now you’re singing my song here. Just to explain that to our listeners. If you’re not familiar with that. It’s the concept that it’s a grading scale, right? And so, we’ve all remember back to our days of being in school, and you got a grade ABCD, or maybe sometimes an F. And the concept is there are some things that we do as technology professionals that when we absolutely nail it, we do the best job that we can. Our business partners, and our business associates will give us a C. And I always love to use the example – no one walks into your office, Darren, and says, “hey, thank you very much for delivering my hundred emails today. I really appreciate that.” But if email is down, your phone is probably ringing off the wall to use an old-school reference to a phone on a wall.

And the other side of that coin, though, is that there are some projects that you can focus on that when you do nail it, you do hit that home run, your business partners are going to give you an A, right? So why, as you say, why focus on the C to F work? Let somebody else do that. In this case, you’ve partnered with InterVision for a good chunk of it. While you’re able to focus then on the A to C work.

The real value-add when you think about that, Darren, over the last, I don’t know, call it the last four or five years. What things have you been able to do for SES that maybe you wouldn’t have been able to, you and your team, maybe you wouldn’t have been able to had you had to also do all this C to F stuff?

Darren Maas [00:26:34]:

Oh, well, as I said, I was the sysadmin guy before we turned to InterVision for all this, and my role has completely changed. What I’m able to do today is so much more that it’s elevated me so that I can actually focus on the business as opposed to standing up virtual machines and making sure my switches are routing, and my firewalls have the right Echoles and all of that. Yeah, no, the job is so much better, but now that I’m able to do that and work with the business and focus on the business.

Jeff Ton [00:27:16]:

Well, it’s elevated the conversations, right? You’re having conversations with the C suite that you would never have time to do before?

Darren Maas [00:27:25]:

Absolutely not. Yeah, I would not have had any time to do that because I was working day to day on doing. Making sure the help desk was running and making sure the servers are running and the firewalls and all that. Yeah, it’s a world of difference now.

Jeff Ton [00:27:44]:

That’s tremendous. I love hearing that. Now, as you know, we’re here to bust the myth that the cloud is not secure. And you alluded to this a few minutes ago, but I want you to put yourself, you’re at a conference because, hey, we can go to conferences again. What would you say today to a CIO or an IT director, or maybe even a CISO that told you that the cloud is not secure? What would your message be?

Darren Maas [00:28:13]:

I think again, as I said earlier, it probably would come down to that. The cloud is only as secure as you make it, and you have to make sure that you are accepting that responsibility. When you look at moving to the cloud, if you think that you can do security better than doing security in the cloud, I question where you’re coming from.

Jeff Ton [00:28:40]:

Yeah. Because they invest billions in securing the cloud, even when you think about physical security. Right. They spend more on physical security than most companies are able to do. So yeah, I think that’s a great message.

Darren Maas [00:29:00]:

Our servers were in a locked room when we had them on-prem. Sure. But now they’re in multiple locked rooms behind multiple locked doors inside a data center that you require access to get into.

Jeff Ton [00:29:11]:

With armed guards.

Darren Maas [00:29:13]:

Sure.

Jeff Ton [00:29:16]:

That’s right. Well, Darren here on Status. Go. We love to leave our listeners with a call to action, something that they can really go do because they listen to our conversation. So, what are one or two things that our listeners should go do tomorrow, because they listen to our conversation today about cloud security?

Darren Maas [00:29:42]:

If you’re hesitant about moving to cloud because of the security, then I would say talk to the people who know, talk to the people who have done this. Cloud is not something to be afraid of inherently, but you do need to be aware of what is involved in actually doing the move to the cloud, both from the security standpoint and from the infrastructure standpoint. A lift and shift strategy is probably not going to get you there right.

Jeff Ton [00:30:11]:

And to your point earlier, that understanding the RACI chart, whether it’s cybersecurity or whether it’s infrastructure -as-a-service, platform-as-a-service, even SaaS, it’s good to understand and put it in terms of a RACI, whose responsibility is it, who’s accountable, who’s consulted and who’s informed throughout that lifecycle.

Darren, I have to thank you so much for jumping on this call. I have really enjoyed our conversations. I know your insights are going to be valuable to our listeners, and I appreciate you carving out the time in the midst of an ERP migration, or at least preparations for one.

Darren Maas [00:30:53]:

We have been busy, so thanks a lot. Thanks for having me, Jeff.

Jeff Ton [00:30:59]:

There you have it, myth busted. The cloud is an excellent option for companies, and it is secure. To learn more and dive deeper into these myths, visit InterVision.com/myths. To find the show notes and the interview transcript, visit InterVision.com/status-go. Those show notes will provide links and contact information. And if you’re interested in continuing this discussion, look for The Status Go Podcast group on LinkedIn. This is Jeff Ton for Darren Maas. Thank you very much for listening.

Voice Over – Ben Miller [00:31:41]:

You’ve been listening to the Status Go podcast. You can subscribe on iTunes or get more information at InterVision.com. If you’d like to contribute to the conversation, find InterVision on Facebook, LinkedIn, or Twitter. Thank you for listening