Frankly Speaking, 4/7/20 -- Public cloud is changing IT and security!
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, blockchain, and cloud.
If you were forwarded this newsletter, you can subscribe here, and view old newsletters here.
These past few weeks, working from home, have reminded me of the last few months of my PhD, grinding away on my thesis and wrapping up projects... while staying indoors and not interacting much with others outside of work. In the past, I've written about how a PhD helps me in VC. I would have never guessed that my PhD would help me be more productive as a VC in quarantine. The most important thing, in my opinion, is to have a good WFH setup. I'm happy to share mine if you send me a note.
I can easily switch between my work and personal laptop. The only thing I am missing that I didn't have to do much is to have a good setup to switch between working and doing Zoom calls. I gave up my iPad, but I think that's the easiest way to switch seamlessly without taking up too much desk space. Having a good desk space ambiance helps with productivity.
Finally, I've seen an uptick in followers recently, so thanks to everyone who has been forwarding my newsletter!
LET'S BE FRANK
How is security going to change with the public cloud and the subsequent move to agile? Or even better, why is the public cloud even a big deal at all? I believe that people, especially investors, are under-estimating the impact of public cloud, especially on security. Since this topic is complicated and nuanced, I will discuss this as part of a newsletter series. I will talk about the public cloud's impact on both security and IT in general. In short, you can't apply a previous IT model to a new setting, i.e. it's insufficient to assume that public cloud is just a private cloud or on-premise deployment with outsourced IT management.
This will be my driving theme. We need to completely rethink the way we do security in the public cloud world. Security teams need to start over and think about public cloud security from first principles. You can't just apply principles from the on-prem world into the public cloud world, such as using firewalls, networking monitoring, etc. and assume it's sufficient or even necessary. That's what made Datadog successful. You couldn't use Cisco or your traditional network/infrastructure monitoring tools for the cloud. It just didn't work.
Why do I believe this? Let's start with how the public cloud is affecting IT in general. No surprise: the public cloud is fundamentally changing IT operations and culture. I believe many investors, especially more experienced ones, don't truly understand this because without developing and deploying an application in both the on-prem and public cloud settings, it's hard to understand how significant the technical differences are. Fortunately (or unfortunately depending your perspective), I did my PhD on systems that secure user data and spent some working in both worlds as AWS was growing in popularity. If you're interested, you can read more about my work here.
Why does software development experience matter in understanding this? I'll explain more below, but it's because IT organizations are no longer top-down, i.e. IT executives are now enablers rather than enforcers. Developers have a heavier influence on decision-making. Executives are no longer imposing software or products, but rather responsible for doing more administrative-related tasks such as budgets, procurement, etc.
One major difference between on-prem and public cloud is that infrastructure is easier to obtain, deploy, and run. A developer organization no longer has to wait for the IT organization to procure more hardware. They can scale up and down easily within AWS, Azure, and GCP. They are no longer at the mercy of the quality of their IT team, which may poorly install and configure these systems. For many, AWS will probably have more complete tools than their organization. The business benefit is that you can innovate and provide customers new features faster than before without concerns around infrastructure availability. The unpredictability of IT has shifted from the IT team to developers, and developers become the center of attention, only needing some basic IT help and budget to execute. This is at the core of agile environments, and it's no surprise we are seeing stronger DevOps cultures.
What does this mean for security? IT infrastructure changes are happening faster, and security teams can't keep up. It's easy to know what infrastructure changes will happen when you own and manage the infrastructure, but now you have to keep up with AWS's pace of features. Also, security problems faced on-prem look different than in the public cloud. For example, open S3 buckets are a much bigger problem in AWS than exposed databases are in on-prem. Configurations are harder to manage in AWS. VPCs are different than having your own datacenters. The list goes on.
In the next newsletter, I will dive deeper into some differences, both security-related and not. I am willing to debate any of these points in a public forum, such as my Twitter. But, you better be ready to debate some technical examples!