Managing cloud security across multiple cloud providers, private cloud, AppSec and software as infrastructure is highly complex.
In this TechStrong TV episode, TJ Gonen, head of cloud security product line at Check Point Software, advises a security strategy that meets the challenges of cloud environments, cloud-native software architectures, and DevOps toolchains.
Information about Check Point’s cloud offerings is available here.
The video is immediately below, followed by the transcript of the conversation. Enjoy!
Transcript
Mitch Ashley: I have the pleasure of being joined by TJ Gonen, who is head of cloud security product line at Check Point Software. Welcome, TJ.
TJ Gonen: Hey, thanks for having me, Mitch.
Ashley: I love your name. A guitar player in a band in college was named TJ, a good friend of mine.
Gonen: Oh, really? [Laughter]
Ashley: So, it’s always nice when I come across another TJ. Well, hey, would you introduce yourself and, as we were joking before, for the two people who might not know, in the world, Check Point Software, tell us a little bit about Check Point.
Gonen: Right, yeah, so TJ Gonen, and I joined Check Point actually about a year and a half ago from an acquisition of the company. I was one of the founders in the serverless security space, in the cloud security space, so I’ve been around Check Point for 18 months, about 18 months.
Check Point has been around for a bit more than that, 27 years, one of the OGs of cyber security—literally invented the firewall. [Laughter] So, it sounds crazy, but that’s literally what happened and over the last 27 years or a bit more now, one of the largest individual or independent cyber security companies in the world, billions of dollars, traded on NASDAQ, 100,000 customers over the years, 60,000 active customers, enterprises, I think we secure literally everyone and provide solutions across the full gamut of cyber security with a lot of focus on cloud security over the last two, three years, just because that’s a topic. And that’s what I do for Check Point, I run the cloud security product line.
Ashley: Excellent. Yeah, I was sharing with you the second firewall I implemented was a Check Point firewall back in the ’90s, so it goes back a ways. You’ve been around—
Gonen: It does, it does.
Ashley: – tried and true solution, for sure. Well, we wanna talk about not just the old days of when maybe you or I started in security. You know, obviously, the environments of what we manage and have to deal with the threat, the attack surface, all of those things have become infinitely more complex, and it’s continuing to go that way, if that’s an accurate phrase.
I’m sure one of the issues that you deal with is helping customers with how do they manage all of their security across, you know, multiple clouds, cloud providers, their applications, their on-prem stuff that they’re running, SaaS services—whatever it might be that anybody in the organization is touching, whether they’re inside a firewall or outside, right, especially with remote work. Tell us a little bit about that.
Gonen: Right. Yeah, I think—I mean, because both you and I go a long way back, then we have the privilege, if it’s a privilege, to look at the generations. So, it’s interesting. I think, you know, we talked about Check Point inventing the firewall in ’93, ’94 when the Internet revolution started, and I think that differently, when you look at security before the Internet and you look at security since then, obviously, that changed dramatically. And I think that what we’re experiencing now with cloud is sort of that thing happening again. It’s another inflection point.
Ashley: Mm-hmm.
Gonen: And if you—and realistically, from the invention of the Internet and the ultra-connected world, most of what we had to deal with was, generally speaking, in the same domain. Yeah, more complex, more bandwidth, more stuff, more operating systems, but the blueprint—I think people figured out sort of the blueprint over the last 20-something years of what you are supposed to do after the Internet came across, right? Cloud, I think, restarts a lot of this discussion, and it’s not just the sheer notion of, yeah, your data center is somewhere else and your stuff is somewhere else—I think it’s just velocity and scale.
I think the biggest struggle we hear from customers and prospects, and honestly, even if you own your own environment, is just, you think you figured it out and then a day after, it’s 10 times bigger, 50 times more people have access to it, and you lost control. It’s so easy to lose control. So, I think where we were, where we had, “Hey, you know what? Oh, you have a data center? Okay, let’s put the firewall, let’s put some segmentation, let’s put AV or whatever—okay, here’s the blueprint.” Now, we are in this place where, how many data centers do we have? One, day after it’s 50, and now, how do you know, even, what’s going on there?
So, I think scale and speed has been the biggest problem, and I think cloud is a real revolution. It’s not incremental, it’s not another thing you need to deal with.
Ashley: Mm-hmm.
Gonen: It’s a thing you need to deal with, and it’s a big issue.
Ashley: The evolution of, we move things to the cloud, but we do things the same way we did on prem.
Gonen: Right, right—it’s not that.
Ashley: Then there’s the next evolution of how do you do it within, truly within a cloud environment that matches that. I mean, I remember the days of just managing the rules and what were they all in there for and who put what in, and just—that was complex, you know, when you’re an enterprise, multi-location.
Gonen: Yeah.
Ashley: Talk about the management capabilities that you have to have in a cloud environment, multi-cloud environment.
Gonen: Actually, you sort of touched on something that is a no-no in the cloud environment. You literally mentioned something that, like—hey, someone was sitting down and writing firewall rules and configuring who has access.
Ashley: Mm-hmm.
Gonen: Manual, right? There is just no way you can do anything manually in the cloud. I mean, think about this, Mitch. Everything that happened over the last 10 years in Dev and infrastructure has been focused on automating everything.
Ashley: Mm-hmm.
Gonen: Literally. We talk about CI/CD, and obviously, DevOps and now cloud, if you look at cloud—cloud totally automated infrastructure and then it totally automated application infrastructure and now it’s automating everything, no code and stuff like that.
Ashley: Including infrastructure as software, right?
Gonen: Yes, exactly.
Ashley: Not all of them are in a stack.
Gonen: Everything. So, everything has moved towards automation. So, if we are going to, let’s say, you can imagine saying someone is gonna configure something manually on security, by definition, we’ve failed. So, the biggest challenge that’s facing security is how do I automate security? Because it has to secure stuff that’s fully automated.
So, I would say, you asked about management—the first thing I would say about management for cloud, it can’t be manual. If there is, we have a saying inside Check Point that we say in the CloudGuard team, it ain’t done ’til it’s automated. Whatever you were working on, whatever capability feature security for, if it’s not automated, if you can’t automate it, you are not done, because by definition, you are gonna be left behind and something is gonna be open, because the rest of the stuff is automated.
So, I think the biggest—and when we talk with a prospect and when I talk on the stage, even, I always say, “Listen, when you talk about your security blueprint for the future for the cloud, number one is automation. It’s not how secure it is, it’s how automated it is.” Because it doesn’t matter, you can have rocket science technology for security—if it’s not automated, you’re gonna miss half of your footprint, anyway. So, automation has—
Ashley: Mm-hmm. [Cross talk] the same way twice, right?
Gonen: Right, exactly. [Laughter]
Ashley: Without the audit trail. Well, talk a little bit about, you know, there was sort of the orchestration phase, right?
Gonen: Right, right.
Ashley: What we thought of as automation now, you’re talking about the entire Dev and Ops process.
Gonen: Yeah, right.
Ashley: The infrastructure as code, applications, dynamic environments—you know, things are changing very quickly.
Gonen: Right, right.
Ashley: How does it differ today from maybe folks that remember orchestration as [Cross talk]?
Gonen: Right, yeah. So, it is different, and I think in security—let’s talk from a security perspective, because I think that’s the angle that, definitely, we deal with today. We feel like there’s two pieces to automation that are critical in this world. I call it, I split it into the first one being the presence of security needs to be automated. We lost the luxury of someone telling us that it’s doing something so we can put security in place.
Ashley: Mm-hmm.
Gonen: That luxury is gone, so the presence of a security control or mechanism has to be there automatically. So, if someone—just to keep it really simple, if someone is deploying new container to the cloud, which happens a billion times a day, and I decided that that container needs to be secured, then whatever the security mechanism I chose for that container needs to be there automatically. The container is deployed, security is there. How? Magic. I don’t know, but the presence of security has to be automated.
The second thing that has to be automated is the security configuration itself. Because, again, we lost the luxury of someone saying, “Hey, I deployed an application, how about you call someone to configure the web application firewall and fine tune it to the application?” or, “I changed the application, now someone needs to fine tune the rules.” What? Find new what? It’s gonna change in five seconds, again.
So, two things have to be automated—the presence of security, and that really talks to DevOps and integrating into the infrastructure as code pieces, just like code is automated or the deployment process is automated, the presence of security and deploying serverless functions, security has to be there. I’m deploying a new VPC and I decided that I need a firewall at the entrance, it has to be there automatically. No manual, no human intervention. And the second piece is the actual configuration. So, if I decided—let’s follow that thought process—if I decided that I’m deploying a serverless function, a Lambda function with AWS, security needs to be there. The security needs to be there automatically, but also the profile of that security, the allow and block rules, have to be there automatically and they need to auto-adapt to changes.
And I think that’s such a—this is such a different breed of security automation. This is not just orchestrating security into where it needs to be, and it needs to be in a billion places, it’s also the sheer notion of how do I keep things maintained and configured correctly. And that’s why I think a big change is the definition of who does security engineering.
Ashley: Mm-hmm.
Gonen: Like, you and I started a billion years ago—me a billion, maybe you half a billion.
Ashley: I’m two billion, so.
Gonen: Two billion? You’re two billion, okay, there you go. [Laughter] So, between us an average of one and a half billion years ago. A security engineer is the one that configured the Check Point firewall, right?
Ashley: Mm-hmm.
Gonen: And part of the process was, “Hey, open this port for me, close this port for me, what’s the”—that’s gone. The new engineering is, the new engineer is not only the DevOps guy and the DevSecOps guy, because everything is as code and security has to be as code. I would argue that the new security engineer is the machine itself. Because you have to eliminate, as much as possible, even the process of an intervention, even by a DevOps person.
There is, the security just needs to find itself there and auto-configure itself. That’s where it needs to go, and that’s where we put in a lot of effort. That’s why I said it ain’t done ’til it’s automated, because I can give you the best solution ever, but if I actually require you to know what’s going on, there is just no way. You can’t keep up. There’s not enough humans in the world to keep up with the change of what’s happening now in the cloud.
Ashley: Let me ask you this, because something that I’ve believed for quite a while now is that we are always talking about educating developers about security and helping to write a more secure code.
Gonen: Right, right.
Ashley: But the opposite is true, too. Not that security engineers need to be software developers, but security engineers need to understand software architecture as more than a temporary cloud. You obviously know it, you’ve been using the language of containers and Kubernetes and software as code. It’s not that you need to—it isn’t the old way of let’s go to the security team and have them set this all up for us, which is the whole premise of what you’re talking about. That happens, that has to be built into the process, it has to be built into the environment.
So, what is the role of the security engineer in that kind of a shift left, DevSecOps, that kind of an automated environment—what skills do they need to have today that they maybe didn’t need 5 or 10 years ago?
Gonen: It’s so fascinating. I mean, this topic, I think that there’s—we’re in this real point in time where there is a new role, architecture, or let’s say hierarchy defined. Because I think you’re gonna find security people, just to your point, when you come to a CISO and you say, “Hey, can you tell me what’s happening in my Kubernetes environment inside Azure?” And the average CISO is gonna say, “I have no clue.” The Dev guys, they do whatever they want with this environment. My security guys know how to read dashboards. They don’t know how to read code.
Ashley: More of a SecOps kind of—
Gonen: More of a SecOps, yeah. And I think, then—and to your point, though, when you go to the developer and you say, “Hey, developer, what’s your security strategy?” and he says, “Dude, I’m a developer—what security strategy?” So, I think you’re right that there’s new roles being defined, and I think where the world is coming to is one that you’re gonna find more, like I mentioned a bit earlier, the SecOps and Sec engineering roles are gonna be more and more definitely, in the world of the cloud, people who can write scripts.
Ashley: Mm-hmm.
Gonen: I think that you come back in five years from now, you talk with a SecOps guy, and you say, “Hey, can you write item scripts, can you write bash process, do you understand how to connect to the AWS API?” and he says no, he’s gonna have a real problem managing engineering, security engineering in the new world.
Now, so, I think where the world is gonna go is that you’re gonna have what today is traditional, security do policy, defining what needs to happen, and governance. So, these are the two ends of the spectrum. I’m gonna define what I expect to happen, which measures what do I test for, what do I scan for and so forth, and I’m gonna make sure that it’s being done. And then, inside that sandwich, inside that Oreo cookie, the piece in the middle is gonna be more of the developer people—DevOps, DevSecOps. Because they’re gonna be in charge of actually doing a lot of the security work, so if the policy says applications have to be segmented in the cloud, so the payment application has to be segmented, you know, separated from the CRM application. The security people are gonna say that. That’s the policy, because it’s PCI data or whatever.
The people that are actually gonna implement segmentation are gonna be DevSecOps people or DevOps people, because the segmentation is done in Kubernetes, and the security guy doesn’t know how to write Kubernetes microsegmentation over Calico and CNI, and these are all buzzwords, he doesn’t even know what they mean. And there’s gonna be governance at the other end to say, “Okay, that was being done. That might be a dashboard or something like that.”
Ashley: You know, there may be—we could spend a whole other conversation on this.
Gonen: Oh, yeah, I’m sure. [Laughter]
Ashley: There might be a nice parallel, the analogue to this was what’s happened on the Ops side, because SRE is big, right?
Gonen: Right, yeah.
Ashley: And those are people that know how to code and know how to write scripts, and maybe something like that is the emergence of the security engineer role is going to be as, “My job is to automate the security.”
Gonen: Exactly.
Ashley: “Work with the teams, whether it’s the tool pipeline or it’s the software Dev team, the infrastructure teams.”
Gonen: Right, right.
Ashley: And almost that kind of a role, I wonder if that might be where we’re headed.
Gonen: It’s actually very much true, I think that you are heading in the right direction. The SRE was born exactly from that necessity—hey, I need an Operations guy, but I need him to be able to actually orchestrate stuff using code. And I think it’s exactly what’s gonna happen or is already happening to some extent, but it just doesn’t have a name yet, except DevSecOps, right? Like, maybe DevSecOps is the closest thing, which just doesn’t come down to an acronym—DSO, maybe, I don’t know. [Laughter]
Ashley: Yeah, we need a new job title, I’m sure.
Gonen: We need a new job title. [Laughter] But other than that, that’s exactly it. And really, I mean, in the cloud world—listen, if you’re a cloud native company and your data center and applications are cloud native, if you hire a security guy from 10 years ago, he’s gonna be lost.
Ashley: Mm-hmm.
Gonen: I mean, everything is code. He needs to be able to—
Ashley: Plus, a lot of developers are moving into security that have an interest, right?
Gonen: Yeah, right, yeah.
Ashley: So, that may be the best way to acquire. Well, hey, we’re running out of time, TJ, and I look forward to having you back.
Gonen: Yeah, sure.
Ashley: I’d love to chat with you more, especially as we get into sort of the DevOps and the CI/CD pipeline and integrating security into that.
Gonen: Yeah, I’d love to.
Ashley: Who knew 27 years ago we’d be having this conversation—
Gonen: [Laughter] There you go.
Ashley: – with Check Point? So, things have certainly advanced. Where can folks find out more and check out your cloud offerings?
Gonen: Yeah, so, CheckPoint.com, and it says in very large letters cloud. That’s where you can go and you can start a demo, you can read a lot of the white papers around these things. And actually, I think more than anything else, we were just talking about developers—experiment with it yourself. Developers, that’s what they like to do.
Ashley: Mm-hmm, absolutely—write a little bit of code, see what it does.
Gonen: [Laughter] Right.
Ashley: TJ Gonen, great talking with you, Check Point Software. I look forward to chatting again. Take care.
Gonen: Sounds good. Take care.