
Rethinking Cloud Security Strategies
Amol Mathur: When you're looking at different ways of solving cybersecurity challenges, do not just focus on solving point issues in a silo, because the security challenges are increasing at an exponential rate, but your team size is not. So it's very important to sort of look at the bigger picture versus just focusing on point problems and just buying a solution or implementing a strategy that just addresses that point problem. [ Music ]
David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience, and uncover insights into the latest industry trends. [ Music ] Today, I'm speaking with Amol Mathur, Senior Vice President and General Manager for Prisma Cloud at Palo Alto Networks. With over two decades of experience in cybersecurity, Amol has led transformative initiatives at top organizations, including Akamai, IBM, McAfee, and Trellix. He's a trusted thought leader in building businesses that empower organizations to maintain high degrees of digital trust and safety. Today, we're going to be talking about how platformization enables cloud security prevention. This is a critical topic because as organizations increasingly adopt multi-cloud environments, the attack surface grows exponentially. Securing these complex ecosystems requires not just standalone tools, but integrated platforms that deliver comprehensive proactive prevention at scale. With Amol's extensive background in both cloud security and cybersecurity strategy, we're going to dive deep into what makes platformization a game-changer for modern security teams. [ Music ] Before we get into today's conversation, can you tell me the most surprising thing you've seen in 2025?
Amol Mathur: Wow, the most surpri-- in cyber or in general?
David Moulton: What came to mind?
Amol Mathur: Well, that's a tough one because we are just barely into 2025. I mean, you know, it's not surprising, but it's funny. It's, you know, just the sheer number of companies out there in the exact same space, whether, you know, whatever domain of cyber, and you literally go read their positioning and how they use the word AI or the concept of AI. And you can use-- you can read 10 of them and there is literally no difference. You cannot differentiate one from another. If you remove the company name, you would be like this comes from the same exact company. So it's fascinating to see how crowded this market has become. And that's why I feel like, you know, for organizations who are on the buying end of these solutions, I really hope that, you know, they know how to truly differentiate between what is real AI and what's just sci-fi.
David Moulton: Having spent years at the forefront of cloud security, from your perspective, what's changed most about the challenges organizations face in managing cloud security?
Amol Mathur: So, you know, when you think of cloud security as such, the cloud is made up of infrastructure. It's made up of custom code and open-source code, which makes your sort of application software that you deploy on the infrastructure. It's made up of identities. And it's made up of data that is, you know, either migrated to the cloud or produced by applications that you're running in the cloud. And now over the last sort of 12-plus months, AI has become a pretty crucial component of the services that you're running in the cloud as well. So, you know, when you look at the different disciplines and domains that span what you have as a footprint in the cloud, it's pretty significant. Like, you know, application security is a whole different domain. Data security is a whole different domain. AI, which is so new, is emerging as its own sort of domain as well. So number one, you know, cloud is not just one thing, but it comprises multiple different domains, which makes it complex. The second thing is, cloud technologies, while being super innovative, have led to two sort of big trends. One is, it has really democratized the usage of all the components that are available in the cloud that I talked about. You know, before the cloud, everything used to go through a centralized IT team and it was done by a set of individuals. And now, you've got developers and DevOps teams who have direct access to basically use all the cloud services that are being released on a weekly basis. And because that is allowing organizations to move really fast in putting out products and services via these cloud technologies, obviously when you move fast, you always have a challenge of, is security going to become a gating factor? Is it going to slow me down? When do I bake it in? And that sort of makes it extremely challenging and very different from how it used to be to secure your enterprise in the pre-cloud days.
David Moulton: Cloud environments today are more dynamic than ever. What makes securing them uniquely challenging compared to those traditional IT environments that you've talked about?
Amol Mathur: It's not one single central IT team that is, you know, making sure that everything going in the cloud is secure. Now you've got a distributed team of DevOps and developers who are spinning up infrastructure, downloading open-source software, combining it with custom code, and rapidly deploying it. I mean, if you think about software deployment as such, which is not necessarily a cloud thing, but the cloud has severely accelerated it. Now there are organizations deploying enterprise and consumer software multiple times a day versus what used to be software deployment that's happening once a quarter, right? So when you're moving at that speed, how do you make sure that, you know, security is baked in from much earlier rather than becoming an afterthought once an incident happens? So these are some of the real challenges that organizations face today.
David Moulton: Do you think organizations underestimate any particular aspect of these challenges?
Amol Mathur: I think what organizations underestimate, and based on my experience, is the sheer number of issues that manifest themselves in the cloud because of the rapid usage and the velocity of application development and deployment that's happening in the cloud. And, you know, when you have concepts like infrastructure as code where you're, you know, very rapidly standing up an entire network, an entire set of infrastructure to deploy large-scale software. And the same mistake that is in your code can now get magnified in different pieces of infrastructure, which now are all misconfigured with the same, you know, an identity that's misconfigured, that can really snowball into a pretty massive set of vulnerabilities or sort of gaps in their security posture, which can very quickly turn into, you know, security incidents and security breaches, and so on. That's one. The second thing, which is I don't think organizations appreciate enough the value of a prevention-first approach, right? Like everybody-- and you know, we as humans, we always rally around crises. When something bad happens or we are good at, you know, stopping bad things or detecting bad things, but there is a huge amount of value in proactively making sure that you're doing the right thing, right? As I always say, you know, focus on your green vegetables, do your weekly cardio, and you're going to have far less challenges to deal with in a reactive basis. And the same applies in cloud security as well.
David Moulton: Shrink that quick number of crises and how big it is by doing the preventative, and you'll have much better results, right? We can't stop them all, but we certainly know that some of these things are going to happen if we behave wrong, and there's no surprise in that. In your view, what does an ideal cloud security strategy look like in a world where environments are so highly distributed and constantly changing?
Amol Mathur: Cloud technologies and what cloud technologies enable for businesses are no longer sort of an expense item, you know, they are providing a truly competitive edge to organizations. So this velocity, this need to use the latest and greatest technologies, and the need to move fast, that's always going to be there, right? So, A, embrace the fact that rather than trying to become a gate and creating gates in that process, everybody needs to start thinking about creating guardrails. So, you know, not gates, but guardrails, so that you can create an operating environment for your technology teams to still operate and meet the needs of the business, but do it in a safer manner. So that's number one. Number two is, you know, whenever a new technology comes out, the first thing security teams try to do is, you know, everybody tries to get a lot of visibility, which is perfectly all right and perfectly normal. But as the usage of said technologies gets mainstream attention, it's very, very important that you need to have a bias for action versus just visibility, right? Now, especially in the cloud because, you know, you're moving at a very rapid pace where you can stand up the equivalent of an entire data center, which used to take months in the traditional IT world, in less than 30 minutes, right, with programmatic means. How do you make sure that you have the right systems, you have the right tools, technologies, templates, best practices, so that you are doing effective risk prevention, meaning anything that could potentially become a risk once you deploy it post-deployment, you're trying, you're getting-- you're mitigating it ahead of time. 
Number two, you are doing effective risk remediation, so even things that eventually make it to the cloud, which are risky, you provide the right information to the right folks at the right time to go remediate it, and then even after all of this, you know, there will be times when, you know, you will have things which will be unmitigated, that will get attacked, that will lead to incidents. So, A, you need to have a threat prevention approach. So things that are already well known, you can prevent them, right? You already know what they are. But there are certain things, certain new kinds of attacks which you need to have the ability to very rapidly detect, and then investigate and triage and sort of go prevent that. So, those are the two very key aspects of cloud. First, embrace and have your strategy, which is creating those guardrails. And then, of course, go with a prevention, remediation, detection, and response approach.
David Moulton: Amol, I think you're talking about like a real team effort across an organization, like even beyond the security team because that ease of standing up a new cloud instance that you talked about, that can easily happen from anyone, right? How do security leaders get that kind of buy-in from other teams?
Amol Mathur: Right, so, and that's just a really good question. Having tools and technologies that provide that cross-visibility to different teams on the entire lifecycle of how different applications or infrastructure are getting deployed in your cloud environment. Now, you know, one of the biggest challenges in a fractured approach is you've got your cloud security engineers who are responsible for finding what's wrong on stuff that's already made its way to the cloud, but they have no visibility on where it came from. Like, what is the root cause of, you know, hundreds of vulnerabilities or hundreds of misconfigurations, and so on? You've got-- because the teams that are operating, the tools that are instantiating the infrastructure are different from the teams that are assessing the infrastructure. And then you've got the third team, which is essentially eyes-on-glass security operations people who are defenders, right, who are making sure they're looking at alerts, triaging incidents, looking at bad actors trying to do stuff. And they're very good at doing that, but they have very little understanding of what is the root cause of something, like how do I go fix something so that these incidents don't repeatedly keep happening. Because the tools being used by these three different teams are completely fragmented, they don't share the same data language, data models, taxonomy, they share no context and intelligence, they have different management plans, like this becomes a much harder task where, you know, each team is operating in a big silo. And that becomes a major challenge in effectively, sort of, you know, managing risk in your cloud environments. [ Music ]
David Moulton: What are the most significant barriers to integrating security into this kind of sprawling, constantly changing infrastructure?
Amol Mathur: So one of the biggest challenges is just -- and I'm sure, you know, a lot of people have heard this word -- is fatigue, right? You've got so many different tools and technologies, some considered best of breed, some not considered best of breed, and they're all addressing a very small part of the problem, a very small niche part of the equation while not sharing any context and intelligence. So I'll give you an example. You're using some tool, tool A, to scan your source code, whether it's open source or custom code to find vulnerabilities and secrets, all right? So your developers, before deploying your source code or before deploying your application package, they're essentially doing that and they're getting a bunch of intelligence. Then you've got your cloud security people who are taking snapshots of workloads that are already running in the cloud, and they're figuring out what vulnerabilities are in these workloads and what secrets could have been left by developers. Now, these vulnerabilities and secrets are the same ones that the developers found using a completely different tool, which completely used a different taxonomy, and so on. And now these workloads which have critical vulnerabilities, let's say they are facing the internet, they get attacked. There's a reverse shell spawned and somebody in the SOC is investigating what's really going on. And they understand that there's this vulnerability, but they have no idea how do they go and make sure that this vulnerability does not happen again or doesn't get exploited again. Or they have very little visibility of if this vulnerability is exploited, where else can the attacker go, like what's the blast radius based on the identity plane or the network plane because they have very little understanding of the cloud infrastructure. And they're operating on a completely different set of tooling. And that becomes a major overhead in managing security. 
Now imagine that you have a platform where the detection and correlation of said vulnerabilities and incidents on these vulnerabilities of risk configurations is all using the same data model, right? So you are easily able to tie back and say, you know what, these 100 instances of vulnerabilities or misconfigurations, they actually can be traced back to these two or three different templates in infrastructure as code, or these couple of open-source packages, which were used multiple number of times. So rather than going and chasing down different dev teams, I just need to go make sure that I get these specific two, three things changed and have an amplified effect on remediation. Or imagine your SOC team is investigating a reverse shell incident on a cloud workload and they immediately have an understanding of the blast radius. And they're like, hey, if the attacker is able to compromise this workload, then they're able to use and assume these identities in the cloud, and move to these crown jewels in my environment, right? Now, when you don't have, call it a platform, which is using a common data taxonomy, which has best-of-breed modules to be able to secure and understand your code, your cloud, and your SOC, then you're going to run into these problems actually.
David Moulton: So, Amol, many teams remain really reactive responding to incidents rather than preventing them. How should we look at the proactive versus reactive security conversation?
Amol Mathur: What we have realized is at the speed at which cloud and cloud infrastructure and apps and workloads are getting deployed, and the sheer number of issues that you need to go remediate because there are challenges like vulnerabilities or misconfigs and networking issues and exposure, and so on. It is impossible-- like you could be the largest organization and you can throw as many people at the problem. It is impossible to go and remediate the issues and get the risk down to a manageable level unless you start preventing the risk right at the source, right? So what does that look like? Failing your builds for critical and high misconfigurations. If someone is trying to instantiate infrastructure, there are, you know, very good, mature technologies that would scan your infrastructure as code and tell you you're about to make a colossal mistake in spinning up this infrastructure. Or when you're deploying your application code, it's able to scan for vulnerabilities so that you don't deploy software with critical vulnerabilities. Or you don't deploy workloads with, you know, secrets like API keys and developer keys, and so on. And now even after doing this, stuff is still going to make its way to the cloud, right? I mean, you could ship a completely clean build and a new vulnerability shows up in some open-source package six months later. So you will still have remediation to do. You will still have threat prevention and detection and response to do. But a big chunk of this needs to happen pre-deployment from a risk prevention standpoint. Again, at Palo Alto Networks, we were able to reduce in the 90s percent the issues that would have made their way to the cloud by essentially failing builds. And we have a very robust application security program that looks at, you know, misconfigurations, vulnerabilities, any kind of secrets that might be getting leaked into the cloud environment. And we basically stop it before it becomes a problem. 
And, you know, this is like, you know, this is 20 years back, this is a very well-known fact that the cost of fixing a problem grows exponentially as you move from design and development to post-deployment in any software application. So when you have to go fix something after the fact, it is ridiculously more expensive and disruptive for your organization than doing it much ahead, before deployment. Now, of course, you know, this requires a cultural change. You have to take people along for the journey. You can't go from zero to a hundred in one day, you have to really sort of work with the developers and the DevOps teams to do it. But we have done it at Palo Alto. I've seen other large organizations do it. And honestly, like that's the only way to truly be at a place where you can balance your business objectives and risk, where you have to prevent stuff from making its way to the cloud.
David Moulton: I can imagine that some listeners might say that just because Palo Alto Networks can get this kind of proactive security in place doesn't make it realistic for smaller teams with fewer resources. How can orgs design security in a way to give security teams the time and resources to make proactive security efforts a reality?
Amol Mathur: Sure. So, look, like, you know, Palo Alto has a well-staffed infosec team, but by no means do we have a bloated security function. I think for organizations of any size, and because, you know, larger organizations need it because they are far more complex and big, smaller organizations might need it because they have-- you know, they don't have nearly as many distinct security functions as a large organization. But having a high degree of automation, and having a high degree of automation that is driving information into the hands of people at the right level, is extremely key. Now, what do I mean by that? I'll give you a very simple example. Let's say, you know, you're a small organization and you have a lot of developers, so you have a small security team, but, you know, a decent number of developers. And one of your concerns, because you're cloud-first, is the embedding of secrets, different keys in, you know, infrastructure, workload software that's going into the cloud. Now, if, you know, you build the right automation and you have the right best-of-breed tooling to scan your workloads before they are going into a cloud deployment, and when a secret is detected, and if it's a high-risk secret, you integrate with Slack and you immediately let the offending developer and the developer's manager know that, "Hey, we are failing your build because you have done this. Maybe you have a three-strike policy." Like now you have suddenly closed the loop, where rather than a security person getting a report and then having a meeting and saying, "Hey, you're sharing all these keys, now go back and re-change your stuff," like you have automated that entire loop, and, you know, a lot of people say, well, developers and DevOps folks, they don't care about security. That's not really true, right? If you provide them information in the ecosystem that they operate in and make it easy for them to embrace security, they absolutely will do it. 
So it's part cultural and part of how you develop the right set of tooling and automation, but it is absolutely possible for organizations of all sizes. This is an evolving sort of concept that we are seeing increasingly play out in organizations. So if I sort of, you know, rewind the clock in time a little bit, cloud, cloud infrastructure, cloud applications, you know, they were always at the fringe of the SOC, right? The SOC understood enterprise networks very well. They understood remote users, systems, malware on endpoints. And, you know, cloud, as we talked about earlier in the podcast, brought about very different new concepts, which were very cloud-centric. So you always had a team of, you know, cloud security folks that were responsible for assessing risk, remediating risk, doing compliance with regulations, and then also sort of doing, you know, looking at threat detection that different cloud security tools were doing and sort of, you know, responding to those threats and trying to remediate those threats. And, you know, you could call it almost like in organizations, there was the official SOC, which usually, you know, you mentally think of eyes on glass, people sitting in a room 24/7. And then there was this group of people who are very cloud-centric doing risk and compliance and threat detection and almost call them like a shadow cloud SOC that was operating. Now, as the adoption of the cloud, the kind of things people are running in the cloud have become tier one, and they're at the forefront of everything that organizations are doing, you know, the cloud can no longer be at the fringe of the security operation center because protecting an organization today means protecting their cloud footprint. So now security organization, security operation centers are like, hey, I need to get visibility into what cloud infrastructure is there, what is happening in this cloud environment, and how do I go respond to these different threats. 
So we do see, you know, security operations teams bringing cloud under their sort of mandate of visibility, threat prevention, threat detection and response, because it's so mission-critical to an organization. But because of the fragmented approach, this is quite challenging, right? Because you could-- you know, most SOC platforms, they're operating on some kind of log aggregation, SIEM technology, you know, now they're getting logs from the cloud infrastructure and so on as well. But because, you know, if they see a certain incident on a cloud workload, let's say, you know, you see a reverse shell, you see some identity being used, you see some sensitive data being accessed, they have very little or no understanding of what's deployed in the cloud and who needs to have access or who should have access. So they have to actually pull in or call the people who have access to those cloud security tools because everything is so fragmented. And that is why sort of the way we are reimagining things is that imagine if you have an incident against a cloud workload, where the workload is involved, there's some open-source software which has some malware that came in, there's some identity being used to laterally move and access some sensitive cloud data store. Now, all the native information on the assets, on the issues with those assets and where those issues originated, if that's available in a single data lake that has a single taxonomy, then your SOC operators in their own native, you know, investigative experience have all this information and thus they're able to much faster understand the incident, mitigate the incident and sort of bring those MTTRs significantly down versus now having to sort of send an email to someone and say, "Hey, Cloud Security team, can you come and help us with this or can you give us access to this different tool?" And this tool uses a different language and, you know, it just takes a much longer time to understand the incident. 
So there's definitely a big sort of convergence happening where SOCs are saying, I need visibility and control over, you know, doing threat detection response for the cloud. But we see the only way to do that is if your SOC tools and your cloud tools are natively and tightly integrated with the common data language.
David Moulton: So I'm going to shift gears before we wrap up here. AI and machine learning are often touted as these transformative things for security. What's the role of AI in the cloud security conversation you and I have been having today?
Amol Mathur: Some of the key outcomes that AI can drive, number one is detecting threats at speeds and at scale which you just cannot do with humans, right? Because AI, having learned what attacks and attack patterns look like, it's able to stitch together data and log sources coming from hundreds of different places and find that needle in a haystack of what an attacker might be doing in your environment or how they are moving laterally, which would be nearly impossible for a human being to do, and do it repeatedly and do it 24/7. Even when, you know, you're sleeping, AI is still working for you. So that's sort of one large bucket. Another large bucket is how do you simplify cybersecurity, right? And that's where generative AI is playing a big role, where, you know, you can drive a bunch of your cybersecurity operations, a lot of workflow automation by simply having a natural language conversation with your cybersecurity tools. So be very directive in what you need your tools to do and they'll sort of do the complex data stitching and automation and workflow mapping for you. And those two things, you know, sort of work towards one of the core challenges in cybersecurity, which is there's just too much work to do and you just don't have too much-- you know, too many people and too much expertise to execute against those goals. So AI is definitely transformative that way.
David Moulton: Amol, can you talk to me about some of the limitations or misconceptions about AI and cloud security that organizations need to understand?
Amol Mathur: So, I wouldn't-- I mean, wouldn't necessarily put it as a limitation in general, but I think it's very important to understand that your AI is as good as the amount of data that you have to run your models on. Right? It's so interesting, like even from how they are scoped and priced, like all sorts of log aggregation and SIEM solutions, the traditional SIEM solutions, they were built and priced in a way where people would try to get as little data as possible, and only the data in terms of event data and log data that they really-- alert data that they really needed. But for AI to be really effective, right, and really precise, you need to have a lot of high-quality data for AI to really train on, learn on, so it can sort of do its thing. So it's very important when organizations, whether they're doing it for themselves or whether they're choosing solutions that use AI, to really fundamentally understand, you know, what data is the AI being trained on. Because if you're training it on, you know, a very little or sparse amount of data, it's-- you can call it AI, but it's not going to be very effective, right? That's number one. And number two is AI by itself gives you a lot of intelligence, at least today, but a lot of the, okay, AI is telling me this, what do I do after this? You have to still stitch that together with different automation practices that, you know, you have in your organization. Now, you know, in the future, where agentic AI and AI agents become a thing where they're just automatically taking action, then, of course, that problem goes away as well. But, you know, most people are still sort of skittish about taking preventative action just purely based on AI. You know, they're always worried about disruption and false positives, and so on. So, stitching AI with some kind of automation framework is very important so that, you know, when AI is telling you something, you're actually acting on it.
David Moulton: Yes, back to that whole idea of a bias towards action, which I think is just a good philosophy for anyone who's trying to get things done in the world. Amol, thanks for a great conversation today. I really appreciate you sharing your insights on the evolution of cloud security and the incredible passion you brought to today's conversation. It was a blast.
Amol Mathur: Thank you. Yeah, it was a fun conversation, for sure. [ Music ]
David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]