THE SECURITY INFLUENCER’S CHANNEL
HOSTED BY JEFF WILLIAMS, CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY
Episode Five: Justin Somaini from BOX.com
JEFF WILLIAMS
“I saw you were quoted in an article titled, ‘The New Cyber Threats Juice Pay for Security Chiefs’. You said what we’re starting to see is the introduction of new concepts that will eventually change security. Tell us more about what you were talking about.”

JUSTIN SOMAINI
“When we talk about the mobility and always-on networking shift, what we’re starting to see is content and transactions that security practitioners are tasked to protect with confidentiality, integrity, and availability.”

JUSTIN
“In other words, we’ve seen IT organizations’ skills move from maybe some internal application architectural skills to vendor management functions.”

JUSTIN
“It’s that whole evolution of security that we’re going through, which we’ve gone through many in the past. This is just the next iteration of it.”

JEFF
“So you’re saying as we start seeing organizations doing transactions that might be entirely outside their infrastructure, …[that] there could be whole transactions running that never touch a traditional corporate infrastructure.”

JUSTIN
“Absolutely! One-third of the workforce doesn’t come into the network on a weekly basis... how do you implement a monitoring or a detective control structure? How do you manage and see what’s going on, let alone be able to protect and manage those environments?”

JUSTIN
“That’s one of the biggest shifts that we’re undergoing and will continue to undergo, I believe, for the next 10 years or so.”

JEFF
“What can security do to accelerate the process of catching up to these new architectures? I guess what I’m seeing is that there really hasn’t been a lot of change in the way people practice application security and even some kinds of network security. So, what can we do to not be so reactive?”
JUSTIN
“Well, there are probably a couple of different things. In this model you have really three different players:
• Cloud Players
• Security Practitioners
• Security Vendors”

JUSTIN
“When we look at the practitioner, again, looking at some of those solutions, having an open mind that from a security vendor standpoint, applying pressure to the cloud providers to make sure that they’re doing their best to implement the basic controls that they need.”

JEFF
“You mention logs. You know, I always think of logs as sort of a very fuzzy way of getting insight into what’s going on in a system or a network from a security perspective. I’m wondering if you see evolution… because right now I sort of feel like the providers are doing their thing and the enterprises are using the services, but there’s really not a lot of engagement, collaboration around security.”

JUSTIN
“I would completely agree, I mean, to a great degree in a big, broad, brush stroke kind of statement. I do think this is changing, but the relationship between customer and provider has been one of a transaction versus a living partnership.”

JUSTIN
“There are players, and I’m proud to say that I think that we’re one of them [box.com], that are really spearheading the open API integration with our customers.”
JUSTIN
“This is not a detachable entity, this cloud provider. But we can command, control, interact, collect, we can have it be part of our ecosystem even though it’s really a third-party application to a great extent.”
JUSTIN
“It all comes back to a very basic, basic concept of the cloud provider saying, ‘This is our role. We are going to create a capability for our customers to leverage our service more than just the presentation layer that we’ve historically done, but more from an API platform one.’”

JEFF
“I’ve worked with clients over the years that have done similar things internally. They have enterprise architecture, and in some ways it operates like a cloud service. I think the integration between the applications and that infrastructure has always even been a challenge, even within an organization.”

JUSTIN
“Back to the three parties: cloud provider, security practitioner, and security vendor. If we look at the cloud provider, one of the changes in this whole transformation is the concept of back office functions—security, compliance, privacy—and really elevating them to what I would call the front office.”

CLOUD PROVIDERS

JUSTIN
“We’re going to identify solutions to security problems of our customers, as opposed to just simply getting a certification.”

JEFF WILLIAMS
“Traditionally, end user consumers haven’t been very successful at demanding security from web application providers.”

JEFF WILLIAMS
“Do you think there’s anything we can do to get end user consumers to demand security better so that we can sort of raise the water for all boats?”

JUSTIN
“I think from a business perspective you have the power of the purse. There’s a huge difference between consumers and enterprises in that context.”
JUSTIN
“The conversation of security is dramatically different than it was 15 years ago when I started. We have a voice of government. We have a voice of the consumer that is resonating louder. We have a voice of the advocates that we’ve never really had before on the consumer side.”
JEFF
“I’m glad to hear that. I think it’s been a long time coming… I think the key, though, is getting consumers to actually demand better security. I think we probably need to do some work around figuring a way for them to articulate that need better.”

JUSTIN
“Well, I think first and foremost in any process, whether it’s agile or iterative development cycles or a waterfall model, I can’t stress enough education. The ability for us to educate our developers on the basic controls that need to be best practices… is so critically important.”

JUSTIN
“Within development… you really need to have security be bled into the ecosystem to make sure that the behavior, the concept, the belief system is one that really encapsulates security in each and every thought process…”

JUSTIN
“I would say the magic really on the back end is how we approach it from a philosophical, educational, and cultural standpoint with the company as a whole.”

JEFF
“I think it’s interesting that you mentioned training and your community of experts that help spread the word. I think you’ve reinforced that with that culture, the tools, the testing processes you’ve put in place, and the support that you’ve given developers.”

JUSTIN
“Some of the problems of security as a whole? I’m never going to have enough money. I’m never going to have enough people in order to manage the company as a whole.”

JEFF
“You mentioned internal transparency between the various stakeholders in security. I noticed on your website you’ve got a page that details a lot of information about how you all do your internal practices. Why do you expose that externally? Not many companies do, so I’m curious. Why?”

JUSTIN
“We enroll our customer in transparent conversations so that they truly understand all of the amazing things that we do to protect their content.”

JUSTIN
“We want them to walk away saying:
1. I have confidence they are doing the right things.
2. They’re going to include us in any sort of situation as it goes along.
3. I can reach out to them for help and assistance if I need it.”

JEFF
“I’m wondering if you see that changing in the future; do you think websites in the future will have a software facts label the way that your cereal box has a nutrition facts label on it?”

JUSTIN
“I completely believe that this will become the norm. I really do. It will take time. It’s a maturation process.”

JEFF
“So you support people doing security testing on your site on a policy of responsible disclosure. How’s that working out?”

JUSTIN
“The environment that we’ve had in the past few years is very different. The research community is more established. It’s more proactive and supportive from a cloud-provider side.”

JUSTIN
“I think it would be negligent if we didn’t have a program in place in order to receive, operationalize, and remediate those issues.”

JEFF
“Last question. Looking forward, do you think we can get to the point where there really is no difference between the deployment of the functionality and the deployment of the security and the assurance all at once?”

BILL GATES: TRUSTWORTHY COMPUTING MEMO

JEFF WILLIAMS WITH JUSTIN SOMAINI OF BOX.COM

More Related Content

Viewers also liked

InSync Website Portfolio
InSync Website PortfolioInSync Website Portfolio
InSync Website Portfolio
InSync Tech-Fin Solutions Ltd.
 
Arise EMEA - My Story Video Contest
Arise EMEA - My Story Video ContestArise EMEA - My Story Video Contest
Arise EMEA - My Story Video Contest
Arise International
 
Call Management Services Should be Part of Every Business Telephone System
Call Management Services Should be Part of Every Business Telephone SystemCall Management Services Should be Part of Every Business Telephone System
Call Management Services Should be Part of Every Business Telephone System
Mahindra Comviva
 
2014 Ecommerce Holiday Prep
2014 Ecommerce Holiday Prep2014 Ecommerce Holiday Prep
2014 Ecommerce Holiday Prep
Tenzing Managed IT Services
 
Managing supplier content and product information
Managing supplier content and product informationManaging supplier content and product information
Managing supplier content and product information
Enterworks Inc.
 
Fabasoft at go international.at (November 2010)
Fabasoft at go international.at (November 2010)Fabasoft at go international.at (November 2010)
Fabasoft at go international.at (November 2010)
Fabasoft eGov Suite
 
Product Engineering
Product EngineeringProduct Engineering
Product Engineering
Geometric Ltd.
 
The Rise of the Mobile Web
The Rise of the Mobile WebThe Rise of the Mobile Web
The Rise of the Mobile Web
ZSL Mobile
 
Infographic: 10 Jaw-dropping Skype for Business Stats
Infographic: 10 Jaw-dropping Skype for Business StatsInfographic: 10 Jaw-dropping Skype for Business Stats
Infographic: 10 Jaw-dropping Skype for Business Stats
Exinda
 
iBOS Solution - Incessant Business Operations Suite
iBOS Solution - Incessant Business Operations Suite iBOS Solution - Incessant Business Operations Suite
iBOS Solution - Incessant Business Operations Suite
Incessant Technologies Pvt Ltd
 
VideoPress
VideoPressVideoPress
VideoPress
Automattic
 
Security event presentation 3.4.2016-final
Security event presentation 3.4.2016-finalSecurity event presentation 3.4.2016-final
Security event presentation 3.4.2016-final
Cal Net Technology Group
 
Insperity Business Confidence Survey Q2 2015 [Infographic]
Insperity Business Confidence Survey Q2 2015 [Infographic]Insperity Business Confidence Survey Q2 2015 [Infographic]
Insperity Business Confidence Survey Q2 2015 [Infographic]
Insperity
 
Grace Under Pressure
Grace Under PressureGrace Under Pressure
Grace Under Pressure
Vanguard
 
Agile - Scrum
Agile - ScrumAgile - Scrum
Agile - Scrum
Samir Chitkara
 
Major project final
Major project  finalMajor project  final

Viewers also liked (16)

InSync Website Portfolio
InSync Website PortfolioInSync Website Portfolio
InSync Website Portfolio
 
Arise EMEA - My Story Video Contest
Arise EMEA - My Story Video ContestArise EMEA - My Story Video Contest
Arise EMEA - My Story Video Contest
 
Call Management Services Should be Part of Every Business Telephone System
Call Management Services Should be Part of Every Business Telephone SystemCall Management Services Should be Part of Every Business Telephone System
Call Management Services Should be Part of Every Business Telephone System
 
2014 Ecommerce Holiday Prep
2014 Ecommerce Holiday Prep2014 Ecommerce Holiday Prep
2014 Ecommerce Holiday Prep
 
Managing supplier content and product information
Managing supplier content and product informationManaging supplier content and product information
Managing supplier content and product information
 
Fabasoft at go international.at (November 2010)
Fabasoft at go international.at (November 2010)Fabasoft at go international.at (November 2010)
Fabasoft at go international.at (November 2010)
 
Product Engineering
Product EngineeringProduct Engineering
Product Engineering
 
The Rise of the Mobile Web
The Rise of the Mobile WebThe Rise of the Mobile Web
The Rise of the Mobile Web
 
Infographic: 10 Jaw-dropping Skype for Business Stats
Infographic: 10 Jaw-dropping Skype for Business StatsInfographic: 10 Jaw-dropping Skype for Business Stats
Infographic: 10 Jaw-dropping Skype for Business Stats
 
iBOS Solution - Incessant Business Operations Suite
iBOS Solution - Incessant Business Operations Suite iBOS Solution - Incessant Business Operations Suite
iBOS Solution - Incessant Business Operations Suite
 
VideoPress
VideoPressVideoPress
VideoPress
 
Security event presentation 3.4.2016-final
Security event presentation 3.4.2016-finalSecurity event presentation 3.4.2016-final
Security event presentation 3.4.2016-final
 
Insperity Business Confidence Survey Q2 2015 [Infographic]
Insperity Business Confidence Survey Q2 2015 [Infographic]Insperity Business Confidence Survey Q2 2015 [Infographic]
Insperity Business Confidence Survey Q2 2015 [Infographic]
 
Grace Under Pressure
Grace Under PressureGrace Under Pressure
Grace Under Pressure
 
Agile - Scrum
Agile - ScrumAgile - Scrum
Agile - Scrum
 
Major project final
Major project  finalMajor project  final
Major project final
 

Similar to Episode 5 Justin Somaini of Box.com

Episode 2 Bruce Brody of Cubic Cyber Solutions
Episode 2 Bruce Brody of Cubic Cyber SolutionsEpisode 2 Bruce Brody of Cubic Cyber Solutions
Episode 2 Bruce Brody of Cubic Cyber Solutions
Contrast Security
 
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Dana Gardner
 
Table of Experts: Insights into Cyber Security
Table of Experts: Insights into Cyber SecurityTable of Experts: Insights into Cyber Security
Table of Experts: Insights into Cyber Security
Aaron Lancaster
 
DevOps and Security, a Match Made in Heaven
DevOps and Security, a Match Made in HeavenDevOps and Security, a Match Made in Heaven
DevOps and Security, a Match Made in Heaven
Dana Gardner
 
IT Security - TestArmy
IT Security - TestArmy IT Security - TestArmy
IT Security - TestArmy
TestArmy
 
Cybersecurity the new metrics
Cybersecurity the new metricsCybersecurity the new metrics
Cybersecurity the new metrics
Abhishek Sood
 
Improving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesImproving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & Executives
Tripwire
 
Episode Four: Wayne Jackson of Sonatype
Episode Four: Wayne Jackson of SonatypeEpisode Four: Wayne Jackson of Sonatype
Episode Four: Wayne Jackson of Sonatype
Contrast Security
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Sandra (Sandy) Dunn
 
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Dana Gardner
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
Dana Gardner
 
Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019
Dave Cole
 
ICISS Newsletter Sept 14
ICISS Newsletter Sept 14ICISS Newsletter Sept 14
ICISS Newsletter Sept 14
Capt SB Tyagi, COAC'CC*,FISM,CSC,
 
Our Previous Edition Post event synopsis
Our Previous Edition Post event synopsisOur Previous Edition Post event synopsis
Our Previous Edition Post event synopsis
Vasuki Kashyap
 
Episode 3: Andrew Hay of OpenDNS
Episode 3: Andrew Hay of OpenDNSEpisode 3: Andrew Hay of OpenDNS
Episode 3: Andrew Hay of OpenDNS
Contrast Security
 
49 Common App Transfer Essay Examples Image - A
49 Common App Transfer Essay Examples Image - A49 Common App Transfer Essay Examples Image - A
49 Common App Transfer Essay Examples Image - A
Mandy Brown
 
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Dana Gardner
 
88 privacy breaches (sample book) 15 apr
88 privacy breaches (sample book) 15 apr88 privacy breaches (sample book) 15 apr
88 privacy breaches (sample book) 15 apr
Straits Interactive
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
Dana Gardner
 
Contrast security’s influencers channel 1 live nation
Contrast security’s influencers channel 1 live nationContrast security’s influencers channel 1 live nation
Contrast security’s influencers channel 1 live nation
David Neville
 

Similar to Episode 5 Justin Somaini of Box.com (20)

Episode 2 Bruce Brody of Cubic Cyber Solutions
Episode 2 Bruce Brody of Cubic Cyber SolutionsEpisode 2 Bruce Brody of Cubic Cyber Solutions
Episode 2 Bruce Brody of Cubic Cyber Solutions
 
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
 
Table of Experts: Insights into Cyber Security
Table of Experts: Insights into Cyber SecurityTable of Experts: Insights into Cyber Security
Table of Experts: Insights into Cyber Security
 
DevOps and Security, a Match Made in Heaven
DevOps and Security, a Match Made in HeavenDevOps and Security, a Match Made in Heaven
DevOps and Security, a Match Made in Heaven
 
IT Security - TestArmy
IT Security - TestArmy IT Security - TestArmy
IT Security - TestArmy
 
Cybersecurity the new metrics
Cybersecurity the new metricsCybersecurity the new metrics
Cybersecurity the new metrics
 
Improving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesImproving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & Executives
 
Episode Four: Wayne Jackson of Sonatype
Episode Four: Wayne Jackson of SonatypeEpisode Four: Wayne Jackson of Sonatype
Episode Four: Wayne Jackson of Sonatype
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
 
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
 
Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019
 
ICISS Newsletter Sept 14
ICISS Newsletter Sept 14ICISS Newsletter Sept 14
ICISS Newsletter Sept 14
 
Our Previous Edition Post event synopsis
Our Previous Edition Post event synopsisOur Previous Edition Post event synopsis
Our Previous Edition Post event synopsis
 
Episode 3: Andrew Hay of OpenDNS
Episode 3: Andrew Hay of OpenDNSEpisode 3: Andrew Hay of OpenDNS
Episode 3: Andrew Hay of OpenDNS
 
49 Common App Transfer Essay Examples Image - A
49 Common App Transfer Essay Examples Image - A49 Common App Transfer Essay Examples Image - A
49 Common App Transfer Essay Examples Image - A
 
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
 
88 privacy breaches (sample book) 15 apr
88 privacy breaches (sample book) 15 apr88 privacy breaches (sample book) 15 apr
88 privacy breaches (sample book) 15 apr
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
 
Contrast security’s influencers channel 1 live nation
Contrast security’s influencers channel 1 live nationContrast security’s influencers channel 1 live nation
Contrast security’s influencers channel 1 live nation
 

Recently uploaded

20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 

Recently uploaded (20)

20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Episode 5 Justin Somaini of Box.com

  • 1. THE SECURITY INFLUENCER’S CHANNEL HOSTED BY JEFF WILLIAMS CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY Episode Five: Justin Somaini from BOX.com
  • 3. JEFF WILLIAMS “I saw you were quoted in an article titled, “The New Cyber Threats Juice Pay for Security Chiefs”. You said what we’re starting to see is the introduction of new concepts that will eventually change security. Tell us more about what you were talking about.”
  • 4. JUSTIN SOMAINI “When we talk about the mobility and always-on networking shift, what we’re starting to see is content and transactions that security practitioners are tasked to protect with confidentiality, integrity, and availability.”
  • 5. JUSTIN “In other words, we’ve seen IT organizations’ skills move from maybe some internal application architectural skills to vendor management functions.”
  • 6. JUSTIN “It’s that whole evolution of security that we’re going through, which we’ve gone through many in the past. This is just the next iteration of it.”
  • 7. JEFF “So you’re saying as we start seeing organizations doing transactions that might be entirely outside their infrastructure, …[that] there could be whole transactions running that never touch a traditional corporate infrastructure.”
  • 8. JUSTIN “Absolutely! One-third of the workforce doesn’t come into the network on a weekly basis...how do you implement a monitoring or a detective control structure? How do you manage and see what’s going on, let alone be able to protect and manage those environments?”
  • 9. JUSTIN “That’s one of the biggest shifts that we’re undergoing and will continue to undergo, I believe, for the next 10 years or so.”
  • 10. JEFF “What can security do to accelerate the process of catching up to these new architectures? I guess what I’m seeing is that there really hasn’t been a lot of change in the way people practice application security and even some kinds of network security. So, what can we do to not be so reactive?”
  • 11. JUSTIN “Well, there are probably a couple of different things. In this model you have really three different players: • Cloud Players • Security Practitioners • Security Vendors”
  • 13. JUSTIN “When we look at the practitioner, again, looking at some of those solutions, having an open mind that from a security vendor standpoint, applying pressure to the cloud providers to make sure that they’re doing their best to implement the basic controls that they need.”
  • 14. JEFF “You mention logs. You know, I always think of logs as sort of a very fuzzy way of getting insight into what’s going on in a system or a network from a security perspective. I’m wondering if you see evolution…because right now I sort of feel like the providers are doing their thing and the enterprises are using the services, but there’s really not a lot of engagement, collaboration around security.”
  • 15. JUSTIN “I would completely agree, I mean, to a great degree in a big, broad, brush stroke kind of statement. I do think this is changing, but the relationship between customer and provider has been one of a transaction versus a living partnership.”
  • 17. JUSTIN “There are players, and I’m proud to say that I think that we’re one of them [box.com], that are really spearheading the open API integration with our customers.”
  • 18. JUSTIN “This is not a detachable entity, this cloud provider. But we can command, control, interact, collect, we can have it be part of our ecosystem even though it’s really a third-party application to a great extent.”
  • 19. JUSTIN “It all comes back to a very basic, basic concept of the cloud provider saying, “This is our role. We are going to create a capability for our customers to leverage our service more than just the presentation layer that we’ve historically done, but more from an API platform one.”
  • 20. JEFF “I’ve worked with clients over the years that have done similar things internally. They have enterprise architecture, and in some ways it operates like a cloud service. I think the integration between the applications and that infrastructure has always even been a challenge, even within an organization.”
  • 21. JUSTIN “Back to the three parties: cloud provider, security practitioner, and security vendor. If we look at the cloud provider, one of the changes in this whole transformation is the concept of back office functions—security, compliance, privacy—and really elevating them to what I would call the front office.”
  • 23. JUSTIN “We’re going to identify solutions to security problems of our customers, as opposed to just simply getting a certification.”
  • 24. JEFF WILLIAMS “Traditionally, end user consumers haven’t been very successful at demanding security from web application providers.”
  • 25. JEFF WILLIAMS “Do you think there’s anything we can do to get end user consumers to demand security better so that we can sort of raise the water for all boats?”
  • 26. JUSTIN “I think from a business perspective you have the power of the purse. There’s a huge difference between consumers and enterprises in that context.”
  • 27. JUSTIN “The conversation of security is dramatically different than it was 15 years ago when I started. We have a voice of government. We have a voice of the consumer that is resonating louder. We have a voice of the advocates that we’ve never really had before on the consumer side.”
  • 28. JEFF “I’m glad to hear that. I think it’s been a long time coming…I think the key, though, is getting consumers to actually demand better security. I think we probably need to do some work around figuring a way for them to articulate that need better.”
  • 29. JUSTIN “Well, I think first and foremost in any process, whether it’s agile or iterative development cycles or a waterfall model, I can’t stress enough education. The ability for us to educate our developers on the basic controls that need to be best practices…is so critically important.”
  • 30. JUSTIN “Within development…you really need to have security be bled into the ecosystem to make sure that the behavior, the concept, the belief system is one that really encapsulates security in each and every thought process…”
  • 31. JUSTIN “I would say the magic really on the back end is how we approach it from a philosophical, educational, and cultural standpoint with the company as a whole.”
  • 32. JEFF “I think it’s interesting that you mentioned training and your community of experts that help spread the word. I think you’ve reinforced that with that culture, the tools, the testing processes you’ve put in place, and the support that you’ve given developers.”
  • 33. JUSTIN “Some of the problems of security as a whole? I’m never going to have enough money. I’m never going to have enough people in order to manage the company as a whole.”
  • 35. JEFF “You mentioned internal transparency between the various stakeholders in security. I noticed on your website you’ve got a page that details a lot of information about how you all do your internal practices. Why do you expose that externally? Not many companies do, so I’m curious. Why?”
  • 38. JUSTIN “We enroll our customer in transparent conversations so that they truly understand all of the amazing things that we do to protect their content.”
  • 39. JUSTIN “We want them to walk away saying: 1. I have confidence they are doing the right things. 2. They’re going to include us in any sort of situation as it goes along. 3. I can reach out to them for help and assistance if I need it.”
  • 40. JEFF “I’m wondering if you see that changing in the future; Do you think websites in the future will have a software facts label the way that your cereal box has a nutrition facts label on it?”
  • 41. JUSTIN “I completely believe that this will become the norm. I really do. It will take time. It’s a maturation process.”
  • 42. JEFF “So you support people doing security testing on your site on a policy of responsible disclosure. How’s that working out?”
  • 43. JUSTIN “The environment that we’ve had in the past few years is very different. The research community is more established. It’s more proactive and supportive from a cloud-provider side.”
  • 44. JUSTIN “I think it would be negligent if we didn’t have a program in place in order to receive, operationalize, and remediate those issues.”
  • 45. JEFF “Last question. Looking forward, do you think we can get to the point where there really is no difference between the deployment of the functionality and the deployment of the security and the assurance all at once?”