A (13:42)

Yeah, definitely. So I've been at Adobe for almost eight years. Prior to this I was at Microsoft. So I've been in a variety of security roles at Adobe, both as an individual contributor and as a technical leader. So I'm currently on the Cloud infrastructure security team in the cloud security space. I've also done software development and some of this was focused on cloud security around building platform services that increase product developer productivity and enforce security best practices. So right now my team focuses on infrastructure security, which is pretty much everything except the software that's running on the endpoints. And since that's such a large space, we definitely work with our partner teams to ensure that we have comprehensive security coverage.

B (14:26)

You know there's folks in this industry, when I speak with them and I say that is a big Job and senior manager of cloud security at Adobe falls into that category.

A (14:38)

Yeah, you know what helps me the most though is I have such a great team that's very proactive, very competent. You know, they're, they're experts on the cloud security space, they're experts on what's going on the industry, and so they really help us to lead a successful cloud security program here.

B (14:57)

Well, today we're focusing on this notion of cloud security at scale. How do you define that? What does that term mean to you?

A (15:06)

Yeah, so to me, cloud security at scale means three different things. So the first is cloud security is a very large space and encompasses many different areas. So you really need to define what your foundation for that is. So what is your cloud security strategy or what is your standard? This is something that needs to be done as a joint effort across what's probably going to be multiple teams. So you can define a comprehensive strategy and not have different blind spots. There are some pre established frameworks that you can use as a foundation. Each cloud service provider has their own recommendations as well around best practices for using their services. But at the end of the day, each company needs to define what this means for them. So that'll be based on your risk tolerance, your compliance certifications, the data you protect, and just overall the experience that you want to give to your customers. So once you define your baseline standard, the next step is really understanding how your company compares to that. So each major functional area that you've defined in your cloud security strategy or standard will have their own way of doing this. So one of the common things I see across the industry today as I talk to others in my network is using a cloud native application protection platform or a cnapp solution. So a cnapp solution helps security teams pull together visibility across multiple areas of cloud security. So that's all the way, if you think left all the way. From code to detections. There's really no one size fits all approach to this. Depending on your company size, a CNAP solution might be best. Or maybe you do everything in house or what Adobe does. Most companies do is they use a combination of both purchase tools and in house built tools so they can have a true, comprehensive view of how they compare to their cloud security standard. So there's really no one solution here. The outcome that you want to look for is defining a comprehensive visibility into where you're deficient compared to what your cloud security standard is, so that you know where your focus needs to be. And then the third aspect of cloud security at scale is moving Your entire cloud environment closer to that standard, based on your discoveries. So there are two main areas of this. The first is secure by default, and that's ensuring that all new cloud resources are deployed in a secure state. So this is looking at the full development life cycle from code to production. So I look at the secure by default as building security into the product for from the beginning, not bolting it on afterwards. And so this requires developing relationships with the product teams, building their trust, getting it into their work stream so that you can be there from the very beginning of their ideation phase, their design phase, through the entire process, so that you can ensure that what they're implementing follows best practices. And then the second is preventing security drift. This is around after cloud resources are deployed. Over time, you know, new vulnerabilities are discovered, things go eol. And so ensuring that you have practices in place to constantly refresh your infrastructure and have a plan to be able to both detect those at the end of life or vulnerabilities and then fix them.

B (18:30)

So when we're talking about scaling cloud infrastructures, are there any common misconceptions that you've come across things where people have a different idea from what may be reality out there?

A (18:41)

You know, there are a few that come to mind. So the first would be focusing so much on remediation that you don't address risk prevention. So depending on your situation, you know, focusing only on discovering risks and remediation can keep you very, very busy, but it won't really move your security program forward. You know, I kind of see that as maintaining the status quo. So the best practice in that situation would actually be to assess the risk that you're discovering and then determine how to prevent new ones from being created in the first place. And of course, along with that, you know, it's thinking about, you know, risk areas, you might not have as many findings in as you would expect and then investigating why that is, you know, are you truly secure in that area? Are you just not seeing things that you probably should be seeing? You know, so this is something that'll look different for every company, you know, depending on your specific situation. So for example, you know, if you're immediate vulnerabilities and you know, you want to prevent new ones, you know, you might think about, you know, what, what are your, what are your hardening guardrails like, you know, prior to deployment, you know, and how often are you refreshing your VMs? And then a second misconception around cloud security is that effective cloud security belongs to the security team and that it's the security team's responsibility to make that happen. And that's absolutely not correct. Security is everyone's responsibility. So part of a mature security program is bringing security awareness to non security teams. So the entire company works together to keep customer data safe. So the misconception is that you don't have to foster a culture of shared responsibility around cloud security. You really do need to in order to be successful.

B (20:15)

What's the best method that you've found for getting that sort of buy in, for getting, you know, everyone across the organization to, to agree and invest in this idea that it is everyone's responsibility?

A (20:27)

Yeah, that's a great question because in, in large companies you have such a diverse set of, of roles and responsibilities and functions, you know, across the entire space. And so it really comes down to a couple of things. So one is awareness, you know, you sure that everyone is aware that the actions they take can impact our cloud security? They have to understand what's okay to do, what's not okay to do, especially around things like social engineering. They have to be able to understand what best practices are and have that be top of mind for them. And I think the second thing would be around trust. So I mentioned before that it's important for the security team to be able to work with product teams from the beginning so that they can ensure that the products are built, you know, secure by default, you know, in ways that implement best practices. And so we have to ensure that the product teams trust the security team and that they, they believe that as we work with, as they work with us and as we work with them, that they'll have better outcomes over time.

B (21:36)

Hmm. Well, I would love to dig into some of the nitty gritty here and some of the actual architectural decisions that you all contend with when you are building cloud security at scale. What are some of the things you've experienced?

A (21:52)

One of the biggest things I could think of would be a lack of shared standards. So not building security in from the beginning or taking a secure by default approach. So product teams are customer first, you know, as they support and grow their product offerings to meet customer needs. So if they don't implement security best practices from the beginning, and by this I mean designing security into their product offering as it's in the design phase and then implementation phase, they'll have to go back and fix the infrastructure after it's deployed. And that can be a major slowdown to the business because it takes their attention and focus away from improving the product and it can also lead to unnecessary risks before they're remediated. There's security drift that can happen over time, but ideally you'll be managing platforms or you'll be using managed platforms that will automatically enforce best practices and that can help reduce the risk.

B (22:40)

Are there any specific lessons that you've learned while you're there at Adobe that have really informed how you approach scaling cloud security across an enterprise?

A (22:50)

Yeah, definitely. So Adobe is a large company and we've been able to successfully implement standard practices. These have brought comprehensive security and efficiency to each of our product teams. You know, if you work for a small, small company, you know, now is the best time to implement standardized practices so that as your company continues to grow, that will be in there from the beginning. You know, we've seen a lot of benefits from that. You know, one of them is of course on the security side that product teams don't have to worry about going back and remediating after the fact our customer data is secure. And the other thing is, you know, as we, as we as product teams utilize shared practice or sorry, standardized practices, it helps them be more efficient as well.

B (23:38)

Where do you suppose we're headed when you look toward the horizon, the future of cloud security? And of course AI and machine language are top of mind for a lot of folks. What do you suppose the future holds here?

A (23:52)

Yeah, this is a really good question too, and one of the areas I really like to look at and think about. It's one of the things that makes cloud security fun. You know, it's not doing the same thing every day. It's constantly changing, it's constantly evolving. The major cloud service providers are constantly releasing new features and functionality. Just about, it seems like every week or so there are new features and things and developers are constantly, they're staying on top of that and they're constantly using these new features. As cloud security professionals, we need to expect that and we need to ensure that our programs cover these new areas and that we're prepared for the new risks and attack vectors that are introduced. You know, one of the other areas that I think about it when I hear that question is AI, artificial intelligence. You know, it seems to be the hot topic in the industry right now. And so AI systems can present cloud security professionals with both a new risk and an opportunity. So some of these AI systems, like chatbots or automated tools, are increasingly being tested for weaknesses. So this means that we as security leaders need to be focused on understanding how these systems can be manipulated to better ensure that the right safeguards are in place, kind of shifting from just AI in general to kind of more generative AI, you know, that's, it's really transforming cybersecurity by enabling faster threat detection, automated responses, predictive analytics. Adobe sees AI is a powerful tool to enhance security, but not necessarily to replace human oversight. You know, so while these technologies offer new efficiencies, they can also introduce, you know, new and novel risks that have to be managed with transparency, governance and accountability. So at Adobe, our fundamental approach to AI is grounded in our AI ethics principles of accountability, responsibility and transparency.

B (25:44)

You know, I'm curious just from a personal point of view, whenever I have the opportunity to talk to someone in a position like yours, how do you deal with the scale of the challenges that are before you? Again, as we said, an organization the size of Adobe, how do you break it down into manageable bite sized pieces for you and your team to be able to tackle?

A (26:08)

Yeah, that's definitely something that we think about often and that we have to strategize around. And I think this goes back to what I was saying before, around how security is really a shared responsibility across the whole company. So that includes, you know, all of the, every employee at Adobe or you know, whatever company you're at, doing their part to reduce risk and prevent risks, you know, prevent attackers. But the other aspect of that is making sure that you have great relationships with your partner teams so that you can work together and put together a holistic strategy where, where you, where one team isn't trying to tackle all of security by themselves, but instead, you know, you have the different pillars where, where each team is working together, doing their specific thing to work to, to put together the larger picture.

B (27:04)

That's Garrett Hoffman, senior management of cloud security engineering at Adobe. At Talas they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most. Applications, data and identity. That's Thales. T H A L E S. Learn more at Thales Group. And now a word from our sponsor, ThreatLocker. The powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function shut out cybercriminals with world class endpoint protection from Threat Locker. And finally yesterday, reports were bubbling up across social media that users of Elon Musk's X are now trapped in an endless Two factor authentication obstacle course. The trouble started when X told anyone using passkeys or hardware keys to re enroll on the shiny X.com domain, a necessary side effect of retiring the creaky old twitter.com address. Unfortunately, those keys still think Twitter exists, and they refuse to make the jump. After the November 10 deadline, many users found themselves locked out entirely, stuck between error messages and looping setup screens. It's the latest in a long string of headaches since Musk bought the platform for $44 billion, though his own account seems blissfully unaffected. X has yet to comment, perhaps still circling the login page with the rest of us. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Sa.