Risky Bulletin: Sponsored Episode – Prowler on the Open Cloud Security Movement
Hosted by Kathleen Campano
Introduction to Prowler and Tony Dallafuente
In the sponsored episode of Risky Bulletin, host Kathleen Campano engages in an insightful conversation with Tony Dallafuente, the Founder and CEO of Prowler. Prowler is a comprehensive cloud security tool designed to safeguard multi-cloud environments, including AWS, Azure, and Kubernetes. Available both as a free open-source repository on GitHub and as a commercial SaaS platform, Prowler caters to organizations with varying data access and management needs.
The Genesis of the Open Cloud Security Movement
Tony Dallafuente elaborates on the inception of the Open Cloud Security Movement, a side project spearheaded by Prowler. According to Tony, the movement was born out of a recognized deficiency in the cloud security postures of companies transitioning to platforms like AWS, Azure, GCP, and Kubernetes.
“One of the reasons that we started the Open Cloud Security movement is because we have seen over the last years a lack of improvement actually in the cloud security posture of companies all around the world moving to AWS, Azure, GCP or using Kubernetes.”
— Tony Dallafuente [01:05]
The movement emphasizes the necessity for open collaboration among companies and organizations within the cloud security domain. Drawing parallels to the early days of the Internet, Tony highlights how open-source solutions like Linux and contributions from major providers catalyzed the Internet's expansion. Similarly, Prowler aims to foster an open-source ecosystem in cloud security to drive innovation, transparency, and community-driven enhancements.
“In order to keep growing the cloud adoption, we need also to keep growing open source about cloud security.”
— Tony Dallafuente [01:05]
Open Source as the Backbone of Prowler's Success
Prowler’s commitment to open source is pivotal to its success and future growth. Tony affirms that the open-source model not only underpins Prowler’s offerings but also aligns with their philosophy of unrestricted technological access.
“We truly believe on the pure open source concept. Let’s say, of course, there are many different licenses, but when, if you want to allow everybody to access a technology, the best way is using open source.”
— Tony Dallafuente [03:06]
The open-source approach facilitates community contributions, enhancing the tool's capabilities and ensuring it remains at the forefront of cloud security advancements. Prowler’s model contrasts with closed-source alternatives, positioning itself as a more adaptable and transparent solution in the market.
Tony also draws parallels with other successful open-source projects, noting their foundational role in creating a more secure and robust Internet.
“There are other products doing very good job on open source and enhancing the security of the Internet. I can mention a few, but you mentioned like Elastic or Wazoo...”
— Tony Dallafuente [03:50]
Addressing Intellectual Property Concerns
Transitioning to an open-source model often raises concerns about intellectual property (IP) and the potential for competitors to exploit shared code. Tony addresses these apprehensions by emphasizing the importance of open collaboration in accelerating innovation and staying ahead of emerging threats.
“The only way to keep growing the innovation pace and to be up to date with all the new threats and existing threats of the cloud is with an open movement again.”
— Tony Dallafuente [04:15]
He acknowledges that while the cloud introduces different dynamics—such as a pay-per-use model compared to traditional software distribution—the core benefits of open source, like community-driven enhancements and transparency, remain invaluable.
“In the cloud you pay per use, you pay for the innovation to the cloud, service providers, etc. So the paradigm of open Source is a little bit different here.”
— Tony Dallafuente [04:15]
Tony posits that open-source companies, like Prowler, can surpass their closed-source counterparts by offering superior, community-enhanced solutions, thereby naturally encouraging the adoption of open-source models.
Community Contributions and Collaborative Enhancements
A significant portion of Prowler’s functionality stems from community contributions. Currently, approximately 20-30% of Prowler’s security checks are developed by external contributors, including major players like AWS.
“Around 20 to 30% of the checks are coming from external contributors including AWS and many other companies.”
— Tony Dallafuente [06:24]
This collaborative ecosystem ensures that Prowler remains comprehensive and up-to-date with the latest security threats and remediation strategies. Additionally, Prowler has introduced Prowler Studio, an AI-driven tool that accelerates the creation of new security checks and controls.
“Parallel Studio is a new tool that is based on AI to build detections and remediations for the cloud.”
— Tony Dallafuente [11:40]
Prowler Studio leverages artificial intelligence to reduce the time required to develop new security controls by over 80%, thereby enhancing efficiency and responsiveness to emerging threats.
Navigating Certifications and Compliance
Prowler is designed to support over 30 compliance frameworks and certifications, including PCI, ISO 27001:2022, and the latest CIS security benchmarks. However, Tony emphasizes that cloud security transcends standard compliance, necessitating continuous updates and mappings between regulatory requirements and cloud-specific controls.
“When it comes to certifications or compliance certifications we support more than 30, like the most common ones...”
— Tony Dallafuente [07:50]
Prowler’s dedicated team ensures that the platform remains aligned with evolving regulatory landscapes, thereby assisting organizations in maintaining robust and compliant cloud security postures.
The Open Cloud Security Conference and Expanding Collaborations
In an effort to promote the Open Cloud Security Movement, Prowler is organizing the Open Cloud Security Conference scheduled for April. This online, virtual event aims to bring together industry leaders from companies like Elastic and the Linux Foundation to discuss the importance of open-source cloud security and collaborative efforts to enhance it.
“We are doing the Open Cloud Security Conference in April and this is going to be an online virtual conference...”
— Tony Dallafuente [09:36]
The conference will feature notable speakers, publish whitepapers, and serve as a platform to unify the community around common security objectives and innovative strategies.
Advancements in Prowler: Version 5 and Beyond
Prowler continues to evolve, with the latest Version 5 introducing a new user interface (UI) that caters to both on-premises and cloud environments. The platform has expanded its support to include Kubernetes, Azure, GCP, AWS, and Microsoft 365, integrating new controls for enhanced security and compliance.
“In version 5 we added a new UI of course that can be used on Prem or in the cloud...”
— Tony Dallafuente [10:43]
Prowler Studio, recently made public under the Apache license, exemplifies the integration of AI in streamlining security operations. By training AI with comprehensive documentation and metadata from Prowler’s repository, Prowler Studio can swiftly generate detections and remediation strategies for specific security issues, significantly cutting down development time.
“We have trained that AI with all our checks, our documentation and the JSON files...”
— Tony Dallafuente [12:31]
This AI-driven approach not only accelerates the creation of security controls but also enhances the platform’s ability to adapt to new and unforeseen threats efficiently.
Conclusion: Prowler’s Vision for the Future of Cloud Security
Tony Dallafuente’s discussion underscores Prowler’s unwavering commitment to open source and collaborative security in the cloud landscape. By fostering an inclusive community, leveraging AI for rapid innovation, and maintaining robust compliance support, Prowler aims to spearhead advancements in cloud security. The Open Cloud Security Movement and upcoming conference signify Prowler’s proactive role in shaping a more secure and transparent cloud environment for organizations worldwide.
“We are solving a problem in the cloud that is still the same as five years ago.”
— Tony Dallafuente [05:16]
As cloud adoption continues to surge, Prowler’s open-source foundations and community-driven enhancements position it as a pivotal player in ensuring that security keeps pace with technological advancements.
Notable Quotes:
- “One of the reasons that we started the Open Cloud Security movement is because we have seen over the last years a lack of improvement actually in the cloud security posture of companies...” — Tony Dallafuente [01:05]
- “We truly believe on the pure open source concept. Let’s say, of course, there are many different licenses, but when, if you want to allow everybody to access a technology, the best way is using open source.” — Tony Dallafuente [03:06]
- “The only way to keep growing the innovation pace and to be up to date with all the new threats and existing threats of the cloud is with an open movement again.” — Tony Dallafuente [04:15]
- “Around 20 to 30% of the checks are coming from external contributors including AWS and many other companies.” — Tony Dallafuente [06:24]
- “Parallel Studio is a new tool that is based on AI to build detections and remediations for the cloud.” — Tony Dallafuente [11:40]
- “When it comes to certifications or compliance certifications we support more than 30, like the most common ones...” — Tony Dallafuente [07:50]
- “We are solving a problem in the cloud that is still the same as five years ago.” — Tony Dallafuente [05:16]
This episode of Risky Bulletin offers a comprehensive overview of Prowler’s initiatives in advancing cloud security through open-source collaboration, community engagement, and innovative tooling. Tony Dallafuente’s insights provide valuable perspectives for organizations striving to enhance their cloud security postures in an increasingly complex digital landscape.
