A Renaissance Man in Cloud Security with Rich Mogull

Published: June 1, 2023, 2:30 p.m.


Rich Mogull, SVP of Cloud Security at FireMon, joins Corey on Screaming in the Cloud to discuss his career in cybersecurity going back to the early days of cloud. Rich describes how he identified that cloud security would become a huge opportunity in the early days of cloud, as well as how cybersecurity parallels his other jobs in aviation and emergency medicine. Rich and Corey also delve into the history of Rich’s involvement in the TidBITS newsletter, and Rich unveils some of his insights into the world of cloud security as a Gartner analyst.

About Rich

Rich is the SVP of Cloud Security at FireMon where he focuses on leading-edge cloud security research and implementation. Rich joined FireMon through the acquisition of DisruptOps, a cloud security automation platform based on his research while CEO of Securosis. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having started working hands-on in cloud over 12 years ago. He is also the principal course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator.


Rich is the Security Editor of TidBITS and a frequent contributor to industry publications. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).


Links Referenced:


Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.


Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. My guest today is Rich Mogull, SVP of Cloud Security over at FireMon now that I’m a bit too old to be super into Pokémon, so I forget which one that is. Rich, thanks for joining me. I appreciate it.


Rich: Thank you. Although I think we need to be talking more Digimon than Pokémon. Not that I want to start a flame war on the internet in the first two minutes of the conversation.


Corey: I don’t even have the level of insight into that. But I will say one of the first areas where you came to my notice, which I’m sure you’ll blame yourself for later, is that you are the security editor behind TidBITS, which is, more or less, an ongoing newsletter longer than I’ve been in the space, to my understanding. What is that, exactly?


Rich: So, TidBITS is possibly the longest-running—one of the longest-running newsletters on the internet these days and it’s focused on all things Apple. So, TidBITS started back in the very early days as kind of more of an email, I think like, 30 years ago or something close to that. And we just write a lot about Apple and I’ve been reading about Apple security there.


Corey: That’s got to be a bit of an interesting experience compared to my writing about AWS because people have opinions about AWS, particularly, you know, folks who work there, but let’s be clear, there is nothing approaching the zealotry, I think I want to call it, of certain elements of the Apple ecosystem whenever there is the perception of criticism about the company that they favor. And I want to be clear here to make sure I don’t get letters myself for saying this: if there’s an Apple logo on a product, I will probably buy it. I have more or less surrounded myself with these things throughout the course of the last ten years. So, I say this from a place of love, but I also don’t wind up with people threatening me whenever I say unkind things about AWS unless they’re on the executive team.


Rich: So, it’s been a fascinating experience. So, I would say that I’m on the tail end of being involved with kind of the Mac journalist community. But I’ve been doing this for over 15 years is kind of what I first started to get involved over there. And for a time, I wrote most of the security articles for Macworld, or a big chunk of those, I obviously was writing over at TidBITS. I’ve been very lucky that I’ve never been on the end of the death threats and the vitriol in my coverage, even though it was balanced, but I’ve also had to work a lot—or have a lot of conversations with Apple over the years.


And what will fascinate you is at what point in time, there were two companies in the world where I had an assigned handler on the PR team, and one was Apple and then the other was AWS. I will say Apple is much better at PR than [laugh] AWS, especially their keynotes, but we can talk about re:Invent later.


Corey: Absolutely. I have similar handlers at a number of companies, myself, including of course, AWS. Someone has an impossible job over there. But it’s been a fun and exciting world. You’re dealing with the security side of things a lot more than I am, so there’s that additional sensitivity that’s tied to it.


And I want to deviate for a second here, just because I’m curious to get your take on this given that you are not directly representing one of the companies that I tend to, more or less, spend my time needling. It seems like there’s a lot of expectation on companies when people report security issues to them, that you’re somehow going to dance to their tune and play their games the entire time. It’s like, for a company that doesn’t even have a public bug bounties process, that feels like it’s a fairly impressively high bar. On some level, I could just report this via Twitter, so what’s going on over there? That feels like it’s very much an enterprise world expectation that probably means I’m out of step with it. But I’m curious to get your take.


Rich: Out of step with which part of it? Having the bug bounty programs or the nature of—


Corey: Oh, no. That’s beside the point. But having to deal with the idea of oh, an independent security researcher shows up. Well, now they have to follow our policies and procedures. It’s in my world if you want me to follow your policies and procedures, we need a contract in place or I need to work for you.


Rich: Yeah, there is a long history about this and it is so far beyond what we likely have time to get into that goes into my history before I even got involved with dealing with any of the cloud pieces of it. But a lot about responsible disclosure, coordinated disclosure, no more free bugs, there’s, like, this huge history around, kind of, how to handle these pieces. I would say that the core of it comes from, particularly in some of the earlier days, there were researchers who wanted to make their products better, often as you criticize various things, to speak on behalf of the customer. And with security, that is going to trigger emotional responses, even among vendors who are a little bit more mature. Give you an example, let’s talk about Apple.


When I first started covering them, they were horrific. I actually, some of the first writing I did that was public about Apple was all around security and their failures on security disclosures and their inability to work with security researchers. And they may struggle still, but they’ve improved dramatically with researcher programs, and—but it was iterative; it really did take a cultural change. But if you really want to know the bad stories, we have to go back to when I was writing about Oracle when I was a Gartner analyst.


Corey: Oh, dear. I can only imagine how that played out. They have been very aggressive when it comes to smacking down what they perceive to be negative coverage of anything that they decide they like.


Rich: Yeah, you know, if I would look at how culturally some of these companies deal with these things when I was first writing about some of the Oracle stuff—and remember, I was a Gartner analyst, not a vulnerability researcher—but I’m a hacker; I go to Blackhat and DEF CON. I’m friends with the people who are smarter than me at that or have become friends with them over the years. And I wrote a Gartner research note saying, “You probably shouldn’t buy any more Oracle until they fix their vulnerability management process.” That got published under the Gartner name, which that may have gotten some attention and created some headaches and borderline legal threats and shade and all those kinds of things. That’s an organization that looks at security as a PR problem. Even though they say they’re more secure, they look at security as a PR problem. There are people in there who are good at security, but that’s different. Apple used to be like that but has switched. And then Amazon is… learning.


Corey: There is a lot of challenge around basically every aspect of communication because again, to me, a big company is one that has 200 people. I think that as soon as you wind up getting into the trillion-dollar company scale, everything you say gets you in trouble with someone, somehow, somewhere, so the easiest thing to do is to say nothing. The counterpoint is that on some point of scale, you hit a level where you need a fair bit of scrutiny; it’s deserved at this point because you are systemically important, and them’s the breaks.


Rich: Yeah, and they have improved. A lot of the some of the larger companies have definitely improved. Microsoft learned a bunch of those lessons early on. [unintelligible 00:07:33] the product in Azure, maybe we’ll get there at some point. But you have to—I look at it both sides a little bit.


On the vendor side, there are researchers who are unreasonable because now that I’m on the vendor side for the first time in my career, if something gets reported, like, it can really screw up plans and timing and you got to move developer resources. So, you have outside influences controlling you, so I get that piece of it. But the reality is if some researcher discovered it, some China, Russia, random criminals are going to discover it. So, you need to deal with those issues. So, it’s a bit of control. You lose control of your messaging and everything; if marketing gets their hands in this, then it becomes ugly.


On the other hand, you have to, as a vendor, always realize that these are people frequently trying to make your products better. Some may be out just to extort you a little bit, whatever. That’s life. Get used to it. And in the end, it’s about putting the customers first, not necessarily putting your ego first and your marketing first.


Corey: Changing gears slightly because believe it or not, neither you nor I have our primary day jobs focused on, you know, journalism or analyst work or anything like that these days, we focus on these—basically cloud, for lack of a better term—through slightly different lenses. I look at it through cost—which is of course architecture—and you look at it through the lens of security. And I will point out that only one of us gets called at three in the morning when things get horrible because of the bill is a strictly business-hours problem. Don’t think that’s an accident as far as what I decided to focus on. What do you do these days?


Rich: You mean, what do I do in my day-to-day job?


Corey: Well, it feels like a fair question to ask. Like, what do you do as far as day job, personal life et cetera. Who is Rich Mogull? You’ve been a name on the internet for a long time; I figured we’d add some color and context to it.


Rich: Well, let’s see. I just got back from a flying lesson. I’m honing in on my getting ready for my first solo. My side gig is as a disaster response paramedic. I dressed up as a stormtrooper for the 501st Legion. I’ve got a few kids and then I have a job. I technically have two jobs. So—


Corey: I’m envious of some of those things. I was looking into getting into flying but that path’s not open to me, given that I have ADHD. And there are ways around it in different ways. It’s like no, no, you don’t understand. With my given expression of it, I am exactly the kind of person that should not be flying a plane, let’s be very clear here. This is not a regulatory thing so much as it is a, “I’m choosing life.”


Rich: Yeah. It’s a really fascinating thing because it’s this combination of a physical and a mental challenge. And I’m still very early in the process. But you know, I cracked 50, it had always been a life goal to do this, and I said, “You know what? I’m going to go do it.”


So, first thing, I get my medical to make sure I can actually pass that because I’m over 50, and then from there, I can kind of jump into lessons. Protip though: don’t start taking lessons right as summer is kicking in in Phoenix, Arizona, with winds and heat that messes up your density altitude, and all sorts of fun things like that because it’s making it a little more challenging. But I’m glad I’m doing it.


Corey: I have to imagine. That’s got to be an interesting skill set that probably doesn’t have a huge amount of overlap with the ins and outs of the cloud business. But maybe I’m wrong.


Rich: Oh God, Corey. The correlations between information security—my specialty, and cloud security as a subset of that—aviation, and emergency medicine are incredible. These are three areas with very similar skill sets required in terms of thought processes. And in the case of both the paramedic and aviation, there’s physical skills and mental skills at the same time. But how you look at incidents, how you process things algorithmically, how you—your response times, checklists, the correlations.


And I’ve been talking about two of those three things for years. I did a talk a couple years ago, during Covid, my Blackhat talk on the “Paramedics Guide to Surviving Cybersecurity,” where I talked a lot about these kinds of pieces. And now aviation is becoming another part of that. Amazing parallels between all three. Very similar mindsets are required.


Corey: When you take a look at the overall sweep of the industry, you’ve been involved in cloud for a fairly long time. I have, too, but I start off as a cynic. I started originally when I got into the space, 2006, 2007, thinking virtualization was a flash in the pan because of the security potential impact of this. Then cloud was really starting to be a thing and pfff, that’s not likely to take off. I mean, who’s going to trust someone else to run all of their computing stuff?


And at this point, I’ve learned to stop trying to predict the future because I generally get it 180 degrees wrong, which you know, I can own that. But I’m curious what you saw back when you got into this that made you decide, yeah, cloud has legs. What was that?


Rich: I was giving a presentation with this guy, Chris Hoff, a good friend of mine. And Chris and I joined together our individual kind of research threads and were talking about, kind of, “Disruptive Innovation and the Future of Security.” I think that was the title. And we get that at RSA, we gave that at SOURCE Boston, start kind of doing a few sessions on this, and we talked about grid computing.


And we were looking at, kind of, the economics of where things were going. And very early, we also realized that on the SaaS side, everybody was already using cloud; they just didn’t necessarily know it and they called them Application Service Providers. And then the concepts of cloud in the very early days were becoming compelling. It really hit me the first time I used it.


And to give you perspective, I’d spent years, you know, seven years as a Gartner analyst getting hammered with vendors all the time. You can’t really test those technologies out because you can never test them in a way that an enterprise would use them. Even if I had a lab, the lab would be garbage; and we know this. I don’t trust things coming out of labs because that does not reflect operational realities at enterprise scale. Coming out of Gartner, they train me to be an enterprise guy. You talk about a large company being 200? Large companies start at 3000 to 5000 employees.


Corey: Does that map to cloud services the way that AWS expresses? Because EKS, you’re going to manage that differently in an enterprise environment—or any other random AWS service; I’m just picking EKS as an example on this. But I can spin up a cluster and see what it’s like in 15 minutes, you know, assuming the cluster gets with the program. And it’s the same type of thing I would use in an enterprise, but I’m also not experiencing it in the enterprise-like way with the processes and the gating and the large team et cetera, et cetera, et cetera. Do you think it’s still a fair comparison at that point?


Rich: Yeah, I think it absolutely is. And this is what really blew my mind. 11 or 12 years ago, when I got my first cloud account setup. I realized, oh, my God. And that was, there was no VPC, there was no IAM. It was ephemeral—and—no, we just had EBS was relatively new, and IAM was API only, it wasn’t in the console yet.


Corey: And the network latency was, we’ll charitably call it non-deterministic.


Rich: That was the advantage of not running anything at scale, wasn’t an issue at the time. But getting the hands-on and being able to build what I could build so quickly and easily and with so little friction, that was mind-blowing. And then for me, the first time I’ve used security groups I’m like, “Oh, my God, I have the granularity of a host firewall with the manageability of a network firewall?” And then years later, getting much deeper into how AWS networking and all the other pieces were—


Corey: And doesn’t let it hit the host, which I always thought a firewall that lets—


Rich: Yes.


Corey: —traffic touch the host is like a seatbelt that lets your face touch the dashboard.


Rich: Yeah. The first thing they do, they go in, they’re going to change the rules. But you can’t do that. It’s those layers of defense. And then I’m finding companies in the early days who wanted to put virtual appliances in front of everything. And still do. I had calls last week about that.


But those are the things that really changed my mind because all of a sudden, this was what the key was, that I didn’t fully realize—and it’s kind of something that’s evolved into something I call the ‘Grand Unified Theory of Cloud Governance,’ these days—but what I realized was those barriers are gone. And there is no way to stop this as people want to build and test and deploy applications because the benefits are going to be too strong. So, grab onto the reins, hold on to the back of the horse, you’re going to get dragged away, and it’s your choice if your arm gets ripped off in the process or if you’re going to be able to ride that thing and at least steer it in the general direction that you need it to go in.


Corey: One of the things that really struck me when I started playing around with cloud for more than ten minutes was everything you say is true, but I can also get started today to test out an idea. And most of them don’t work, but if something hits, suddenly I don’t have the data center constraints, whereas today, I guess you’d call it, I built my experiment MVP on top of a Raspberry Pi and now I have to wait six weeks for Dell to send me something that isn’t a piece of crap that I can actually take production traffic on. There’s no okay, and I’ll throw out the junky hardware and get the good stuff in once you start hitting a point of scale because you’re already building on that stuff without the corresponding massive investment of capital to get there.


Rich: Yeah well, I mean, look, I lived this, I did a startup that was based on demos at a Blackhat—sorry, at a Blackhat. Blackhat. Did some demos on stage, people were like, “We want your code.” It was about cloud security automation. That led to doing your startup, the thing called DisruptOps, which got acquired, and that’s how I ended up at FireMon. So, that’s the day job route where I ended up.


And what was amazing for that is, to add on to what you said, first of all, the friction was low; once we get the architecture right, scalability is not something we are hugely concerned with, especially because we’re CI/CD. Oh, no, we hit limits. Boom, let’s just stand up a new version and redirect people over there. Problem solved. And then the ability to, say, run multiple versions of our platform simultaneously? We’re doing that right now. We just had to release an entirely free version of it.


To do that. It required back-end architectural changes for cost, not for scalability so much, but for a lot around cost and scheduling because our thing was event-driven, we’re able to run that and run our other platform fully in parallel, all shared data structures, shared messaging structures. I can’t even imagine how hard that would have not been to do in a traditional data center. So, we have a lot of freedom, still have those cost constraints because that’s [laugh] your thing, but the experimentation, the ability to integrate things, it’s just oh, my God, it’s just exciting.


Corey: And let’s be clear, I, having spent a lot of time as a rat myself in these data centers, I don’t regret handing a lot of that responsibility off, just because, let’s not kid ourselves, they are better at replacing failed or failing hardware than I will ever be. That’s part of the benefit you get from the law of large numbers.


Rich: Yeah. I don’t want to do all of that stuff, but we’re hovering around something that is kind of—all right, so former Gartner analyst means I have a massive ego, and because of that, I like to come up with my own terms for things, so roll with me here. And it’s something I’m calling the ‘Grand Unified Theory of Cloud Governance’ because you cannot possibly get more egotistical than referring to something as your solution to the biggest problem in all of physics. The idea is, is that cloud, as we have just been discussing, it drops friction and it decentralizes because you don’t have to go ask somebody for the network, you don’t have to ask somebody for the server. So, all of a sudden, you can build a full application stack without having to call somebody for help. We’ve just never had that in IT before.


And all of our governance structures—and this includes your own costs, as well as security—are built around scarcity. Scarcity of resources, natural choke points that evolved from the data center. Not because it was bad. It wasn’t bad. We built these things because that’s what we needed for that environment at the data center.


Now, we’ve got cloud and it’s this whole new alien technology and it decentralizes. That said, particularly for us on security, you can build your whole application stack, of course, we have completely unified the management interfaces in one place and then we stuck them on the internet, protected with nothing more than a username and password. And if you can put those three things together in your head, you can realize why these are such dramatic changes and so challenging for enterprises, why my kids get to go to Disney a fair bit because we’re in demand as security professionals.


Corey: What does FireMon do exactly? That’s something that I’m not entirely up to speed on, just because please don’t take this the wrong way, but I was at RSA this year, and it feels like all the companies sort of blend together as you walk between the different booths. Like, “This is what you should be terrified of today.” And it always turns into a weird sales pitch. Not that that’s what you do, but it at some point just blinds me and overloads me as far as dealing with any of the cloud security space.


Rich: Oh, I’ve been going to RSA for 20 years. One of our SEs, I was briefly at our booth—I’m usually in outside meetings—and he goes, “Do you see any fun and interesting?” I go—I just looked at him like I was depressed and I’m like, “I’ve been to RSA for 20 years. I will never see anything interesting here again. Those days are over.” There’s just too much noise and cacophony on that show floor.


What do we do? So—


Corey: It makes re:Invent’s Expo Hall look small.


Rich: Yeah. I mean, it’s, it’s the show over at RSA. And it wasn’t always. I mean, it was—it’s always been big as long as I’ve been there, but yeah, it’s huge, everyone is there, and they’re all saying exactly the same thing. This year, I think the only reason it wasn’t all about AI is because they couldn’t get the printers to reprint the banners fast enough. Not that anybody has any products that would do anything there. So—you look like you want to say something there.


Corey: No, no. I like the approach quite a bit. It’s the, everything was about AI this year. It was a hard pivot from trying to sell me a firewall, which it seems like everyone was doing in the previous year. It’s kind of wild. I keep saying that there’s about a dozen companies that exhibit at RSA. A guess, there are hundreds and hundreds of booths, but it all distills down to the same 12 things. They have different logos and different marketing stories, but it does seem like a lot of stuff is very much just like the booth next to it on both sides.


Rich: Yeah. I mean, that’s—it’s just the nature. And part of—there’s a lot of reasons for this. We used to, when I was—so prior to doing the startup thing and then ending up at FireMon, I did Securosis, which was an analyst firm, and we used to do the Securosis guide to RSA every year where we would try and pick the big themes. And the reality is, there’s a reason for that.


I wrote something once the vendors lied to you because you want them to. It’s the most dysfunctional relationship because as customers, you’re always asking, “Well, what are you doing for [unintelligible 00:22:16]? What are you doing for zero trust? What are you doing for AI?” When those same customers are still just working on fundamental patch management and firewall management. But it doesn’t stop them from asking the questions and the vendors have to have answers because that’s just the nature of that part of the world.


Corey: I will ask you, over the past 12 years—I have my own thoughts on this, but I want to hear your take on it—what’s changed in the world of cloud security?


Rich: Everything. I mean, I was one of the first to be doing this.


Corey: Oh, is that all?


Rich: Yeah. So, there’s more people. When I first started, very few people doing it, nobody knew much about it outside AWS, we all knew each other. Now, we’ve got a community that’s developed and there’s people that know what they’re doing. There’s still a shortage of skills, absolutely still a shortage of skills, but we’re getting a handle on that, you know? We’re getting a bit of a pipeline.


And I’d say that’s still probably the biggest challenge faced. But what’s improved? Well, it’s a give-and-take. On one hand, we now have strategies, we have tools that are more helpful, unfortunately—I’ll tell you the biggest mistake I made and it ties to the FireMon stuff in my career, in a minute; relates directly to this question, but we’re kind of getting there on some of the tool pieces.


On the other hand, that complexity is increasing faster. And that’s what’s made it hard. So, as much as we’re getting more skilled people, better at tooling, for example, we kind of know—and we didn’t have CloudTrail when I started. We didn’t have the fundamental things you need to actually implement security at the start of cloud. Most of those are there; they may not be working the way we wish they always worked, but we’ve got the pieces to assemble it, depending on which platform you’re on. That’s probably the biggest change. Now, we need to get into the maturity phase of cloud, and that’s going to be much more difficult and time-consuming to kind of get over that hump.


Corey: It’s easy to wind up saying, “Oh, I saw the future so clearly back then,” but I have to ask, going back 12 years, the path the world would take was far from certain. Did you have doubts?


Rich: Like, I had presented with Chris Hoff. We—we’re still friends—presented stuff together, and he got a job that was kind of clouding ancillary. And I remember calling him up once and going, “Chris, I don’t know what to do.” I was running my little analyst firm—little. We were doing very, very well—I could not get paid to do any work around cloud.


People wanted me to write shitty papers on DLP and take customer inquiries on DLP because I had covered that at the Gartner days, and data encryption and those pieces. That was hard. And fortunately, a few things started trickling in. And then it was a flood. It completely changed our business and led to me, you know, eventually going down into the vendor path. But that was a tough day when I hit that point. So, absolutely I knew it was the future. I didn’t know if I was going to be able to make a living at it.


Corey: It would seem that you did.


Rich: Yeah. Worked out pretty well [laugh].


Corey: You seem sprightly to me. Good work. You’re not on death’s door.


Rich: No. You know, in fact, the analyst side of it exploded over the years because it turns out, there weren’t people who had this experience. So, I could write code to the APIs, but they’ll still talk with CEOs and boards of directors around these cloud security issues and frame them in ways that made sense to them. So, that was wonderful. We partnered up with the Cloud Security Alliance, I actually built a bunch of the CSA training, I wrote the current version of the CSA guidance, we’re writing the next version of that, did a lot of research with them. They’ve been a wonderful partner.


So, all that went well. Then I got diverted down onto the vendor path. I had this research idea and then it came out, we ended up founding that as a startup and then it got, as I mentioned, acquired by FireMon, which is interesting because FireMon, you asked what we did, it’s firewall policy management is the core of the company. Yet the investors realize the company was not going in the right direction necessarily, to deal with the future of cloud. They went to their former CEO and said, “Hey, can you come back”—the founder of the company—“And take this over and start moving us in the right direction?”


Well, he happened to be my co-founder at the startup. And so, we kind of came in and took over there. And so, now it’s a very interesting position because we have this one cloud-native thing we built for all these years. We made one mistake with that, which I’ll talk about which ties back to your predicting the future piece if you want to go into it, but then we have the network firewall piece now extending into hybrid, and we have an asset management moving into the attack surface management space as well. And both of those products have been around for, like, 15-plus years.


Corey: No, I’m curious about your thoughts on it because it’s been one of those weird areas where there’s been so much change and so much evolution, but you also look at today’s “OWASP Top 10” list of vulnerabilities, and yeah, they updated a year or so ago, but it still looks basically like things that—from 2008—would have made sense to me when I’m looking at this. Well, insomuch as they do now. I didn’t know then, nor do I now what a cross-site scripting attack might be, but other than that, I find that there’s, “Oh, you misconfigured something and it winds up causing a problem.” Well, no kidding. Imagine that.


Rich: Yeah. Look, the fundamentals don’t change, but it’s still really easy to screw up.


Corey: Oh, having done so a lot, I believe you.


Rich: There’s a couple of principles, and I’ll break it into two sides. One is, a lot of security sounds simple. There’s nothing simple at scale. Nothing simple scales. The moment you get up to even 200 employees, everything just becomes ridiculously harder. That’s the nature of reality. Simplicity doesn’t scale.


The other part is even though it’s always the same, it’s still easy to think you’re going to be different this time and you’re not going to screw it up, and then you do. For example, so cloud, we were talking about the maturity. I assumed CSPM just wasn’t going to be a thing. For real. The Cloud Security Posture Management. Because why would the cloud providers not just make that problem go away and then all the vulnerability assessment vendors and everybody else? It seemed like it was an uninteresting problem.


And yet, we were building a cloud security automation thing and we missed the boat because we had everything we needed to be one of the very first CSPM vendors on the market and we’re like, “No, no. That problem is going to go away. We’ll go there.” And it ties back to what you said, which is it’s the same stuff and we just outsmarted ourselves. We thought that people would go further faster. And they don’t and they aren’t.


And that’s kind of where we are today. We are dramatically maturing. At the same time, the complexity is increasing dramatically. It’s just a huge challenge for skills and staffing to adjust governance programs. Like I think we’ve got another 10 to 20 years to go on this cloud security thing before we even get close. And then maybe we’ll get down to the being bored by the problems. But probably not because AI will ruin us.


Corey: I’d like to imagine, on some level, that AI could be that good. I mean, don’t get me wrong. It has value and it is transformative for a bunch of things, but I also think a lot of the fear-mongering is more than a little overblown.


Rich: No, I agree with you. I’m trying to keep a very close eye on it because—I can’t remember if you and I talked about this when we met face-to-face, or… it was somebody at that event—AI is just not just AI. There’s different. There’s the LLMs, there’s the different kinds of technologies that are involved. I mean, we use AI all over the place already.


I mean my phone’s got it built in to take better pictures. It’s a matter of figuring out what the use cases and the, honestly, some of the regulatory structure around it in terms of copyright and everything else. I’m not worried about Clippy turning into Skynet, even though I might make jokes about that on Mastodon, maybe someday there will be some challenges, but no, it’s just going to be another tech that we’re going to figure out over time. It is disruptive, so we can’t ignore that part of it.


Corey: I really want to thank you for taking the time to speak with me. If people want to learn more, where’s the best place to find you that isn’t one of the Disney parks?


Rich: That really is kind of the best place to find—no. So, these days, I do technically still have a Twitter presence at @rmogull. I’m not on there much, but I will get DMs if people send those over. I’m more on Mastodon. It’s at @rmogull defcon.social. I write over at FireMon these days, as well as occasionally still over Securosis, on those blogs. And I’m in the [Cloud Security Slack community 00:30:49] that is now under the banner for CloudSec. That’s probably the best place if you want to hit me up and get quick answers on anything.


Corey: And I will, of course, include links to all of that in the show notes. Thank you so much for taking the time to speak with me today. I really appreciate it.


Rich: Thanks, Corey. I was so happy to be here.


Corey: Rich Mogull, SVP of Cloud Security at FireMon. I’m Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you’ve enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you’ve hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment talking about how at Dell these days, it does not take six weeks to ship a server. And then I will get back to you in six to eight weeks.


Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

