In this TCP Talks episode, Justin Brodley and Jonathan Baker talk with Josh Stella, co-founder and CEO of Fugue, a cloud security company that helps businesses run faster on the cloud without breaking any rules.
Josh shares insights from Fugue’s State of Cloud Security 2021 Report and highlights key themes, including preventative security measures, automation, and engineering-first compliance.
According to the report, within the next two years, all but 1% of security breaches will be caused by misconfiguration of cloud resources. Josh and his team at Fugue aim to minimize these mistakes by simplifying cloud security through a systems-based approach.
One way to streamline security, Josh notes, is to take advantage of automation. With cloud environments becoming increasingly complex, relying on pure knowledge will soon be untenable. Josh urges business leaders to embrace automation to reduce the risk of human error in their security systems.
Josh also discusses how businesses can declutter security tech stacks, the “land grab” happening in the cloud, and trends he predicts will shape the future of cloud compliance.
👉 Name: Josh Stella
👉 What he does: Josh is the co-founder and CEO at Fugue, a cloud security company on a mission to help businesses move faster by ensuring safe cloud environments. He has over a decade of experience in the cloud security space, including positions at Amazon Web Services and in national security.
👉 Key quote: “If Fugue as a software vendor and as domain experts in cloud security can’t make your job a lot easier through tooling, then we’re not doing our job.”
🚨 While compiling the State of Cloud Security 2021 Report, Josh and his team at Fugue interviewed over 300 organizations. They found that as cloud environments have grown and become more complex, organizations are seeing more instances of misconfigurations.
According to the report, 49% of respondents experienced over 50 misconfigurations per day. Another interesting detail: For the first time since Fugue started compiling its annual report, Identity and Access Management (IAM) was the number one concern regarding misconfigurations.
🚨 Josh argues that automation is the next step in making cloud environments more secure. Fugue aims to make security automation easy by providing pre-built rules and templates to automatically check code and monitor deployments.
Looking forward, Josh is optimistic that automation will become a key piece in enterprise cloud security. “The thing I would like to see a change in is the attitude that security problems are because people are screwing up … [I would like to see people] thinking about how to actually solve these problems, which is through computer science and automation,” he says.
🚨 One way to enable automation is to put engineering departments in charge of compliance, as opposed to traditional security teams. According to the State of Cloud Security 2021 Report, more than 66% of businesses are delegating security policy to engineering teams — a trend Josh hopes to see continue.
He says that today, engineering and DevOps teams work so fast that security teams struggle to keep pace. Businesses that haven’t moved responsibility for security over to these teams are more likely to experience those potentially dangerous misconfigurations.
Here’s what was mentioned in the episode 👉
✔️ Fugue: cloud security company aimed at helping businesses run faster and safer.
✔️ Fugue Regula: an open-source tool that evaluates infrastructure-as-code templates for security misconfigurations and compliance violations prior to deployment.
✔️ Fugue’s State of Cloud Security 2021 Report: Find out more about the trends and insights revealed by Fugue’s survey of over 300 organizations.
✔️ Fugue YouTube: stay up-to-date with the latest cloud security trends and product how-to’s.
✔️ “Chaos DB: Critical Vulnerability in Microsoft Azure Cosmos DB”: Article on Wiz outlining a critical vulnerability that allows takeover of Azure’s Cosmos DB.
✔️ Amazon S3: Amazon’s object storage service.
✔️ Amazon Lambda: Amazon’s serverless compute service.
✔️ Amazon EC2: Amazon’s web service that provides secure, resizable compute capacity in the cloud.
✔️ Google Cloud Run: Google’s managed serverless platform that enables use of containers.
✔️ Google Cloud Functions: Google’s serverless execution environment for building and connecting cloud services.
✔️ ECS Anywhere: a feature of AWS Elastic Container Service that enables users to run and manage container workloads on customer-managed infrastructures.
✔️ EKS Anywhere: an AWS feature that allows customers to create and operate Kubernetes clusters on customer-managed infrastructure.
✔️ GCP Anthos: Google’s managed applications platform.
✔️ Azure AKS: A Microsoft feature offering serverless Kubernetes.
✔️ AWS Cloud Audit Academy: AWS learning path for those in audit, risk, and compliance roles.