Today, automation is more important than ever before. Integrating security and automation early into the SDLC decreases the risk of potential cyberattacks, provides early and relevant feedback, reduces time to market and improves product quality.
In this TechStrong TV episode, Taylor Smith, senior product marketing manager with Prisma Cloud, Palo Alto Networks, discussed the need to take a software-centric and cloud-focused approach to security. He explained the importance of automating security to keep pace with rapidly changing applications and software infrastructure.
The video is immediately below, followed by the transcript of the conversation. Enjoy!
Mitch Ashley: Well, I’m very privileged to be joined by Taylor Smith. Taylor is Senior Product Marketing Manager with Prisma Cloud, of course, of Palo Alto Networks. Welcome, Taylor.
Taylor Smith: Thanks so much.
Ashley: Good to be joined by you today. Tell us a little bit about yourself. I know you fairly recently joined Palo Alto Networks and you have an interesting background in the industry, and of course, tell us a little bit about Prisma Cloud.
Smith: Yeah, absolutely. So, I’m coming up on my six month mark and I’m really enjoying it. I came from both big and small companies, so previously at infrastructure companies and then I did a little stint in the DevOps space working on some DevOps tooling and chaos engineering. Really enjoyed that, but glad to be back into cyber security, which is really my passion, and covering cloud security and shift left security for Palo Alto Networks.
Ashley: Excellent. Tell us a little bit about Prisma Cloud. I know it’s pretty comprehensive, a lot of things there, but how would you give a kind of brief overview of what it is?
Smith: Yeah, absolutely. So, Prisma Cloud, we have the benefit of being best in class in multiple different categories in cloud security. So, we really cover the full life cycle of cloud security, from the infrastructure all the way up to the code level, the code that’s the applications that are running on top of it, and we do that across the full life cycle of your cloud application. So, we’re securing your infrastructure as code all the way to your container images, and we do that at the build time and the run time.
Ashley: Excellent. Well, as a—I’ve used Palo Alto Network products myself. As a networking company, if you wanna think of it that way, maybe that’s an outdated way of thinking of Palo Alto Networks, which is the point of my kind of thought here is, we’re talking about application security and applications and really, everything is becoming software now. So, the network itself, of course, has been turned into software and now is in cloud and on prem. But the whole stack, the entire stack, you know, infrastructure as code.
So, that brings some obvious benefits, maybe some challenges with it. What are your thoughts on that?
Smith: Yeah, absolutely. So, it’s an interesting time to be in the application space right now. Before, you had to go in and physically provision servers, you had to connect cords to routers and network switches, and all of that and then maybe get into the CLI to make some changes.
All of that’s moved to code, all the way from the infrastructure as code all the way up to the containers that you’re defining how they’re gonna operate, the operating systems are all contained in code. Which is great for developers, they’re able to move a lot faster, they can provision things on the fly, they can use things as they need them or scale them down if they don’t. It saves us costs and makes things move a lot faster.
The double-edged sword to that is, now it’s out of the security and infrastructure, the IT team’s hands. Developers are just deploying things, it’s kinda the Wild West. And so, to kinda bring that in, rein that whole world in and make sure they’re secure and doing all the right things, it’s good to embed that security in their process. So, making sure you’re scanning in infrastructure as code templates, scanning container images before it gets to the repository and before it gets deployed into production. And that really gives us a chance to actually patch more often, because now developers are getting the direct feedback, and frankly, they’re more qualified to make those fixes than the security team. So, they can actually go into the code that they wrote and make the changes if they’re given that right feedback.
Ashley: Yeah, I think that’s one of the things, as a security engineer when you think about software, it’s not—I can think of this now as, instead of a solid, it’s almost a fluid.
Smith: Yeah. [Laughter]
Ashley: It’s constantly changing, right? And that makes it really difficult to secure, it also sometimes can be difficult from a quality standpoint. But, really, it is almost that kind of a form of matter and the things are constantly changing. So, you can’t expect manual processes were stopping the line to be what’s going to bring security back into the fold. You’ve got to equip people, you’ve got to equip the toolchain, the pipeline that’s creating code and delivering it out to production, and then guiding that process through what you want secured, how you want it secured, what you deal with, those issues as they come up.
Smith: Yeah, absolutely. Microservices has really revolutionized this where we have a couple customers who, the application that they have, one at the beginning of the week looks nothing like what it looks like at the end of the week. They’ve completely redeployed the full stack, and that’s great for innovation, it really opens up the world, but it does—and you don’t want, as a security engineer, to be going in there and slowing things down. You wanna be a part of that development and actually be a supporter, be someone who actually enables that speed to happen, but still make sure it’s done secure and you don’t get bitten by the misconfigurations, the vulnerabilities in your applications.
Ashley: Mm-hmm. What is it about the cloud, too—I mean, we talked about microservices containers, those don’t have to be run on the cloud, but of course, we think of them as cloud native architecture. Is it from infrastructure management all the way through to the application itself? How do we have to rethink things than maybe what we did when everything was running in our own private data center? What’s fundamentally different that we might try to do it the old way in the cloud, but really, we’ve got to fundamentally change how you think about it?
Smith: Yeah, I think a lot of it comes down to that everything is accessible. I mean, there are private links and there are VPNs to make sure that it’s locked down, but at the end of the day, you don’t have physical access to these data centers. So, a lot of it comes down to, there is somehow public access, and we lock that down as much as possible.
But if you have an EC2 instance in AWS or a VM instance in Azure or GCP, it can be exposed to the world. And making sure that the security groups or the firewall rules are set so that they’re blocking, there’s no catch—I had a customer who explained it to me very well. Where you kinda get these layers of checks in the on prem world where, even if somebody goes in and provisions a virtual machine that is exposed and has all these misconfigurations, most likely, it’s not gonna be touching the world. No one’s gonna be able to access it, so it’s not a big deal. But cloud security, those misconfigurations can really bite you, because they are exposed. And so, getting that right is more critical, and making sure the misconfigurations are found and fixed, it’s much more important than it was in the on prem world.
Ashley: That’s interesting. I’m wondering how you approach a platform like Prisma. Obviously, people who are already Palo Alto customers may come to it kinda naturally through their relationship with you. But how is it, is it a network engineering team that says, “I need to figure out how to secure the cloud?” Is it a software Dev team saying, “I need better tools to make sure I’m configuring and writing secure code?” Who is it that usually is engaging you for Prisma and then how do they bring it into the organization and kind of spread the love, if you will? [Laughter]
Smith: Yeah, yeah. No, it’s fun. Part of what I really enjoy about being at Prisma versus some of my previous jobs is, I’m not working with a single person or archetype, I’m working with some cloud engineers, who they, it’s this new—frankly, new to me engineering type where they’re covering everything cloud. They’re doing full stack up to the application for everything provisioning infrastructure in the cloud. Where before, you might have a network specialist and a compute specialist, now you have a single engineer that covers the full cloud. And then we also have developers and DevOps teams that work with us, and so it’s not necessarily the security teams. And then, we also still work with the security teams, so the SOC, the security engineers and the cloud security specialist.
And all of them have different us cases that they come into Prisma Cloud with, but all of them in the end are trying to use Prisma Cloud to make their lives a lot easier to automate that security and make sure the checks are happening. So, the developers are much more worried about the pre-deploy time where they can secure their applications, their infrastructure as code when they’re container images before they’re actually running containers.
And then, the security teams are actually going into our system to see what’s the posture in the cloud, getting that view, the complete, comprehensive view of all the things that are running in their cloud environments, and then securing their containers, their Kubernetes environments, their serverless environments, all the things that are actually running. And running incident management through Prisma Cloud, running through the incidents and all the trace data that we give them if there’s an incident that happens.
Ashley: It’s really fascinating how the security engineer/network engineer job has changed, that role and the skills that are involved. I wonder, I’m just curious what your experience is being more, dealing with software and configuration of software, maybe automating, scripting, things like that as a network engineer/security engineer. It seems like that would make that job more relatable to what a software developer might be doing. They’re not the same thing, but much different than someone who is rack and stacking and, as you mentioned, plugging things in and thinking of networks and physical devices like we used to, not that long ago.
Smith: Yeah. Yeah, it’s funny, I agree. The role of the infrastructure engineer is becoming much more like a software developer. So, they’re actually learning Python or HCL so they can write Terraform scripts or they can write Ansible scripts and deploy infrastructure using code. And that can now go through pipelines. So, now, I’m hearing infrastructure people start talking about CI/CD, which you would never expect in the on prem world. They’re using a lot of the same language, like unit testing static analysis of their infrastructure as code.
So, they’re kind of learning to be a developer, but specifically for infrastructure.
Ashley: I remember the day, it was actually about, I guess, 11 years ago when I took over an IT organization and a network engineer asked me, “What should I be learning? What’s the next thing I should be thinking about?” and I said, “Learn Python,” and he looked at me cross-eyed.
Ashley: Ended up going to a conference, maybe it was yours, came back and said, “Now I know why you said that, now that we see what’s happening in”—yeah, that’s a huge transformation that’s happened in, really, less than a decade. Think about how massively the network stack has changed and really folded into infrastructure as code as its part of it.
How has your job changed through your career, and have you progressed with how this has happened in our industry?
Smith: Yeah, so, like I said, I came from a big infrastructure company and I covered traditional network security back then, and I moved to a DevOps company. And so, I kinda saw this complete transformation where things were automated, people were moving fast. Reliability is kind of—it’s a whole new definition in the cloud. And so, now, you can, even small companies can have redundancy where they didn’t before.
That makes things very different for the security person. And so, if I’m—now that I’m covering security, again, but now from a more developer focus, I’m seeing how that automation is much more important than ever before, and how that network perimeter is no longer the only place where you can apply security. And it’s becoming less and less important, but it’s still critical to have that perimeter, but all the things happening inside, too. So, that zero trust networking inside your infrastructure, inside your applications, securing your Kubernetes deployments, making sure your containers aren’t over privileged or you’re not pulling in images from open source that are vulnerable.
All that is now just as important or more important than the traditional security that I kinda started my career with.
Ashley: Mm-hmm. Yeah, it’s a fascinating journey we’ve been on.
Ashley: Well, we’re kinda running out of time, here. Where can folks find out more about Prisma Cloud and offerings from Palo Alto Networks?
Smith: Yeah, absolutely, you can check out our website. So, you can go to PaloAltoNetworks.com/Prisma and you can find out a lot more there, or we have a lot of useful resources like blogs or white papers, and so, if you want to find out more about container security or cloud security, go there, and there’s a lot more information for you.
Ashley: I was just gonna suggest, right, developers as well as security and network folks, if we wanna say whatever your role or title might be. Well, it’s been fascinating talking with you, Taylor, and good to be on this journey with you through the evolution of the technology that we use and innovation that’s happening.
So, hope you are doing well and you’ll come back and talk to us again.
Smith: Thanks so much, Mitch. It was a pleasure.
Ashley: You bet.