Brad Schaufenbuel, VP and CISO for Paychex, discusses managing and prioritizing cloud security with Dan Deeney, Co-founder and CEO of Paladin Cloud, and Joe Fernandes, VP and General Manager for OpenShift Red Hat.

 

 

Transcript:

We welcome everyone. Thanks for joining. I’m Dan Deeny co-founder and CEO of Paladin Cloud. My co-moderator, Joe Fernandez, VP, of cloud platforms at Red Hat. And we’re here today for a fireside chat with Brad Schaffel, Chief Information Security Officer at Paychex. So thanks for joining. Let’s do a quick round of introductions on our side with Paladin Cloud. We’re a multi-cloud security company with a prioritization engine to help DevOps and security teams prioritize and remediate the most important risks. Let me turn it over to Joe.

Hi, everybody. My name is Joe Fernandez, as mentioned, I’m the general manager for the hybrid cloud business here at Red Hat. I’ve been with Red Hat for about 12 years now. And Red Hat, as many of you know, is a leader in enterprise open source solutions. Long history going back to Linux and Middleware and now hybrid cloud solutions. That we’ll be discussing today.

And as Dan said, I’m Brad Schaufenbuel. I’m Vice President and Chief Information Security Officer at Paychex. Paychex is the second-largest payroll and human capital management software and services company. In fact, we pay one in 12 American workers. as for our technology stack, we run production workloads in multiple on-premises data centers with Red Hat OpenShift as our private cloud platform as well as in four public cloud platforms including Microsoft Azure, Amazon web services, Google cloud platform, and Oracle cloud infrastructure.

First question here. So with this complex, you know, multi and hybrid cloud platform and footprint that you’re running and managing Brad, how do you think about security, you know, across, you know, that landscape? 

I’d say the the key challenge that we have in managing security across multiple cloud environments is that security is managed differently in each cloud. So unless we use, you know, third-party multi-cloud security solutions, we must become experts at the management consoles and the security services of of each cloud that we use. And that leads to, you know, inconsistent implementation of controls across all these clouds and incomplete visibility across all those clouds.

I’m sure. Right, because you’ve got best of breed security tools, right? For various environments that perhaps, you know, don’t have the full context, it’s not maybe a holistic view. You know, they’re good at what they do for what they do in that environment, let’s say. But, you know, with the complex landscape, I mean, that, that’s a challenge.

It certainly is.

Yeah. And how has it been just overall working, you know, across, you know, these platforms within kind of this environment. So, I mean, are your teams kind of swivel-chairing across different dashboards and different tools? And you’re trying to figure out how to manage this consistency that you talked about here?

Yeah, that, that’s been the challenge and, and obviously from, in terms of expertise, you know, each of our cloud security engineers have to become experts in each cloud. And then, of course, if you wanna, let’s say, implement policies consistently, then you’ve got to figure out how to implement the same policy in each environment. And that’s, that’s always a challenge and sometimes we just don’t get it right, you know, and there’s, there may also be differences in granularity of controls across those environments. So it becomes very time-consuming to try to consistently implement policy across all these environments. 

Cool, maybe I’ll jump in here with another question then Brad. So security is a pretty broad topic, right? Lots of different areas from data security to application runtime security, to securing your software supply chain. You know, what are, what are some of the specific use cases that, you know, you look into Paladin and Red Hat to help you with across this this hybrid environment that you’ve discussed?

Yeah. So, you know, we look to implement security at any point that an attacker might target for a cloud workload. So we want to identify and fix vulnerabilities in the application code that runs on in a workload. We want to identify and fix vulnerabilities in the configuration of a container or virtual machine that these applications actually run in. We want to identify and fix misconfigurations of the cloud services themselves, and we want to identify and stop attacks against workloads in real time at run time. And Red Hat advanced cluster services can protect containerized Kubernetes workloads in all major clouds and hybrid platforms like OpenShift and Paladin can create, can connect to ACS vulnerability scanners, cloud security posture management solutions, and application code scanners and then correlate and prioritize risks across all those clouds. 

So when you think about, you know, prioritization, this is a topic that that’s top of mind for, for folks when we, when we meet, you know, with customers. So how do you really think about, you know, the concept of prioritizing risk, right?

You kind of have the CISO security team looking at this and you have the DevOps teams and DevOps teams that are looking at this. How do you really think about prioritization when you sort of have, you know, application data security, cloud security?

Yeah. And, and then also kind of the alert fatigue that comes with all that?

Yeah.

We have over, you know, a dozen security tools that identify vulnerabilities in our hybrid cloud environment. From our network vulnerability scanner to our application security testing solutions to our cloud security Posture management platform and our container security platform. So each of those tools identifies hundreds if not thousands of vulnerabilities. And there’s far too many for our remediation teams to address those all in a timely manner. So we have to prioritize those vulnerabilities based on risk. And that’s why a platform that connects to all these tools, all the different tools that identify vulnerabilities. And then it correlates all those vulnerabilities, de-duplicates them and then prioritizes those vulnerabilities it is essential for us mitigating risk in our environment.

Yeah, that makes sense. And you know, are you thinking about the concept of like business or customer facing or revenue generating risk factors relative to others that may not impact the kind of the business level risk?

Yeah, that’s an important important context to the formula to determine which, which vulnerabilities get prioritized. Obviously, you know, anything that’s public facing and that is revenue generating needs to be prioritized above things that maybe are locked down in terms of access to internal users only or that our applications that are not public facing or customer-facing that are, you know, generate little revenue for us.

All of those obviously need to be de-prioritized. It’s not that we don’t address the issues eventually but in terms of which ones we do. First, it’s important that we use business context to determine the order in which those are addressed. Yeah, so I can definitely relate to the alert fatigue and need to correlate and prioritize those issues. But then you know what we’ve been talking about, like how quickly can we move to remediation? And you know how much of that remediation can we automate right? Versus having humans, you know, manually patching or, or addressing issues?

How do you think about automation and connecting that to some of these identification solutions, you know, and any insights in terms of successes or or solutions that you’re utilizing to automate the remediation process, right?

Yeah, the good news is that there there are opportunities to increase automation in intermediate remediating issues. I mean some cloud security solutions, for instance, are including terraform code that can directly fix the vulnerabilities they’re identifying. And where direct automation of remediation is not really possible. Then cloud security solutions are automating the remediation workflow by identifying the, you know, the proper remediation team for an identified issue, assigning a ticket to that remediation team in a service management platform, and then closing that ticket when it’s validated that the fix is in place.

And this automation is the only way really that security teams are going to be able to effectively manage their cloud security risk because the volume here is, is just so high that you either need to have something that fixes it on the spot or that automates that workflow, that manual workflow. To ensure that it gets done, 

Iis this still an ongoing process for you? You still see more opportunities to, to continue driving that automation forward?

Oh, yeah, this is a never ending project right? There are new where we identify new workflows, new remediation teams all the time. So it’s always a work in progress.

Fantastic.

So when you think about data security, Brad, so you’re a large, you know, global human capital management, financial services company, data privacy and security is a key issue. You know, how does that aspect you know, factor into your thinking around risk overall across kind of the platforms and the tools and what’s the importance of that data privacy exposure issue with your customers and I guess users?

Yeah. Well, there’s always opportunities to lower our overall risk profile by focusing on specific areas of risk. And because the cyber threat and vulnerability landscapes are always evolving. Cyber risk management must be a continuous and a never-ending process. So the areas of risk that exceed our risk appetite tomorrow may be completely different from those areas of risk that exceed our risk appetite today. Right now, our our biggest areas of cyber risk are ransomware, resiliency, and identity misuse. Tomorrow, it’ll be something else. And the important thing is really to have processes in place to identify and prioritize those risks. So you’re maximizing risk reduction. So that’s, that’s really our focus across all environments including we have environments in Europe and, and the United States a completely different set of legal and regulatory frameworks and privacy requirements in both of those domains. So we’ve got to manage the you know, knowing where, where our assets is and where, where our assets are and where, how data flows between them is also critically important for us to, to, you know, comply with the legal and regular regulatory requirements of each of the jurisdictions that we operate in.

Right. Yeah. So as a, as a global company with those types of, you know, governance and compliance and data sovereignty requirements, especially in Europe with GDPR. In a way you’ve got this decentralized model and approach to risk just where the data is and how it flows or the restrictions around it. 

Yeah, and even organizational units with the different, also the different remediation teams in different regions as well. And so our solution also helps. needs to determine which remediation groups even address the issue.

And are, are you thinking about sort of a centralized view of management as the, the CISO of the organization or are you sort of have this multilevel type approach, you know where there’s decentralization occurring to it.

It’s a hybrid, of course, between the two because I’m responsible for managing, you know, cyber risk across the globally across the entire organization. And obviously, when I speak to stakeholders, like our executive team and the board of directors, they want to understand risk holistically across the entire organization. But at the same time, you know, there are different legal and regulatory requirements in these jurisdictions. There may be different risks in each area and different teams that we have to work with to address those risks. So, when it comes to actually boots on the ground, you know, assessing and remediating risks, it it’s different across the different jurisdictions and we have to have a framework in place to, to handle that across all these different business units and geographies, 

Brad. We were talking before the call, you know, Paychex was early adopters of OpenShift and early adopters of Linux containers and Kubernetes in general, right? And now we’re using, as you mentioned, Advanced Cluster Security from Red Hat and Paladin Cloud to help secure those environments. So I know you talked about being hybrid across, you know, different data center and public cloud footprints. You guys are also hybrid between container-based application deployments and probably virtual machine based application deployment. How do you think applications, how do you think of security in that context like the container environments versus the VM environments. And you know, like some of the, you know, reasons that kind of brought you to adopt Open Shift or, or ACS.

And yeah, I mean, the primary reason going down the OpenShift route was moving to containerized micro services-based applications that could be quickly scaled up and scaled down the payroll and human capital management software business is very cyclical in terms of demand. You know, this time of the year is our busy season like we on board, you know, half our new customers for the entire year. in the months of November and December are there’s all kinds of special payrolls towards the end of the year, like a year-end bonuses, that kind of thing. So transaction volume is much higher. We also see, you know, a huge spike in online fraud and attacks at the end of the year as well. So our applications need to auto-scale and you know, the capacity needs to be able to be increased and decreased with that demand. And obviously, Red Hat OpenShift and containers and Kubernetes allow us to essentially spin up and spin down containers very quickly and distribute that load across additional containers almost instantaneously, which obviously was my more difficult to do in a more traditional virtual environment. 

As I remember in the early days, you know, when this, you know, OpenShift Kubernetes container technology was new. We, we spent a lot of time talking to folks like yourselves and other security teams because anytime there’s something new, right, there’s concern about risk and how we manage this. But I think over time folks realize, OK, this is not just a a container environment, it’s, it’s a fully immutable environment, right? Where, you know, we’re controlling things from a set of container images and using that to to control what can be deployed and how it can be patched. Do you feel like that?

Yeah, that creates a lot of challenges from a security perspective. Essentially the velocity of change is so rapid that you know, you have to have tools that basically can protect these, these workloads and also give you the right visibility and help you address issues across essentialy infrastructure that’s ephemeral in nature.

Exactly.

Without the right tools to do that, it’s pretty much impossible. 

Do you feel this is still like an ongoing, you know, like you feel like we’re over the hump in terms of folks really understanding the nature of their container environments or you know, and addressing some of these challenges or, or 

The big change really has been, you know, the emergence of tools to help you do that. And I think obviously Red Hat ACS and Paladin and you know, help, help us manage that risk in an ever changing environment.

So as you think about your footprint, right, you’re heavy on-prem and private data centers you’re in, you know, multiple public clouds. How do you see that footprint kind of evolving over time?

Yeah, it’ll it’ll always be changing. I mean, we’re, we’re an organization that also we, we grow organically, but we also grow through acquisition. So, you know, we purchase companies that have a large cloud footprint in one of, one of those four cloud environments. And then over time, a lot of those legacy applications are being refactored as modern microservices-based apps that are container, fully containerized. So essentially, there’s a shift from legacy virtualized or apps running on virtual machines into container environments, whether those containers are running on public cloud resources or on-prem. So that that shift will continue, which means the security tooling that we have specifically for securing containerized workloads and public cloud platforms will only become more and more important over time.

Well, let’s maybe close on final thoughts here. So, let me turn it over to you Joe, first, for final thoughts.

Yeah, I know, I think it’s great. I think some of the challenges you discuss, Brad is something we hear time and again, right? Like the challenges around managing across a hybrid environment where you’re running across different infrastructure providers, whether it’s your own data center or, you know, the different major public clouds. I mean, that’s sort of, I think for most large enterprises, you know, just the de facto, right? Like I always say, you know, you’re either hybrid by intent or hybrid by consequence through the acquisition and so forth, but everybody is sort of running a hybrid-type environment. And then, you know, the evolution of application deployment to container technology from the traditional VM-based approaches. And what that meant for you, I think that’s, you know, very common as well and it’s good to kind of see what you’ve done, not only in helping identify proactively these issues, but correlate and prioritize and then drive automation. So, so yeah, I just thanks for that and again, we’re going to continue at Red Hat through, through OpenShift and Advanced Cluster Security and really our entire portfolio trying to find new solutions to address these issues, a new area we’re focused on heavily now is looking at the software supply chain, like how those images are built, how they, how they put together and, and you know, addressing some of the new standards in that space around, you know, image signing and salsa validated build processes and stuff. So there’s always more to do there. But thanks again  for being a great customer and for providing feedback that’s helping us evolve this process and these these solutions.

Oh no problem. I think that supply chain issues is kind of the next major one for us to tackle. But in terms of key takeaways from my perspective, perspective for this discussion. I say one, it’s, it’s important to have tools in place that identify, assess and stop the exploitation of vulnerabilities across your organization’s private and public cloud platforms. I think the second you know, key takeaway from my perspective is because of the the volume of these vulnerabilities, it’s important to have a solution that correlates and prioritizes cloud-related risks. And then I think the the third key takeaway from my perspective is automation is really needed to drive the remediation process both directly and indirectly. There’s, it’s, it’s going to be next to impossible for security teams to keep up with the pace of issues that are identified in their public and private cloud environments without automating some of those processes.

Awesome. Well, great. Thank you for providing your perspective and insights here, Brad, And thanks for taking the time for this discussion. You know, we look forward to continuing to work with you and the team.

Oh, thank you for having me.

Thanks.