
Cables2Clouds
Join Chris and Tim as they delve into the Cloud Networking world! The goal of this podcast is to help Network Engineers with their Cloud journey. Follow us on Twitter @Cables2Clouds | Co-Hosts Twitter Handles: Chris - @bgp_mane | Tim - @juangolbez
Beyond the Firewall: Careers in Cloud Security
When most people think about cybersecurity careers, they envision ethical hackers or security analysts huddled behind screens of scrolling code. But as our guest Brian Eidelman, VP of Cloud Engineering at Oracle, reveals, the reality is far more diverse and fascinating.
Security careers exist in what Brian describes as a three-dimensional landscape. Across one axis, you have different job functions ranging from compliance specialization and policy development to threat research, forensics, and security tool development. Along another dimension are organizational environments—government, financial services, healthcare, technology companies—each with unique security challenges. The third dimension encompasses technical specializations like network security, encryption, identity management, and increasingly, cloud security.
Identity management emerges as a critical focal point in our discussion. Having been one of the original developers of SiteMinder (a single sign-on solution), Brian traces how identity has evolved from simple password systems to today's sophisticated multi-factor authentication and passwordless approaches. In cloud environments where traditional network boundaries have dissolved, "identity is your new perimeter." This shift has created entirely new disciplines around non-human identities—managing how applications, workloads, and services authenticate to one another.
The podcast explores how cloud security differs from traditional approaches, requiring guardrails that maintain security without sacrificing the agility that makes cloud computing valuable. We dig into how the democratization of resources has created new security challenges as developers gain direct access to infrastructure that would have been tightly controlled in on-premises environments.
For those looking to break into the field, Brian offers surprisingly practical advice: unlike networking, where certifications often serve as career milestones, security values demonstrable skills and domain knowledge more highly. His recommendation? When security issues arise in your current technical role, run toward them rather than away. Volunteering for security-related projects and demonstrating curiosity can open doors more effectively than certificates alone.
Ready to explore the multidimensional world of cloud security careers? Listen now and discover where you might fit in this dynamic and essential field.
Connect with Brian:
https://www.linkedin.com/in/brian-eidelman-9b29181/
Purchase Chris and Tim's new book on AWS Cloud Networking: https://www.amazon.com/Certified-Advanced-Networking-Certification-certification/dp/1835080839/
Check out the Fortnightly Cloud Networking News
https://docs.google.com/document/d/1fkBWCGwXDUX9OfZ9_MvSVup8tJJzJeqrauaE6VPT2b0/
Visit our website and subscribe: https://www.cables2clouds.com/
Follow us on BlueSky: https://bsky.app/profile/cables2clouds.com
Follow us on YouTube: https://www.youtube.com/@cables2clouds/
Follow us on TikTok: https://www.tiktok.com/@cables2clouds
Merch Store: https://store.cables2clouds.com/
Join the Discord Study group: https://artofneteng.com/iaatj
The mechanisms to create ciphertexts are pretty interesting. I'll say the methods. I don't like the math, but the methods are fun.
Brian:In some ways, I think they're too interesting.
Brian:If I may inject something slightly spicy and criticize some of my colleagues. I've seen way too many people on the review side of things that come into. You know that that are that. You know you'd be surprised. You know how high a percentage of people the first thing they'll ask when they're doing a review is, uh, what, what random number generation are you using in your encryption? And it's like. It's like hey, why do you, why do you care? I can, I can SSH from any desk here right into your data center and there's nothing you know you're worried about random number generation. Right, exactly.
Tim:Hello and welcome back to another episode of the Cables to Clouds podcast. I'm your host this week, Tim, at carpe-dmvpn on Blue Sky, and with me, as always, is my host in need of a thesaurus for all the adjectives, Chris Miles, at BGP Main on Blue Sky. And this week we actually have a very special guest, new to the podcast, and we brought him here to talk about cloud security careers because I think networking and security go really well together. We've talked about it many times in the podcast and so we actually just released, or sorry, we released earlier an episode with Cam, again from Oracle, about networking careers and also interviewing with the tech giant from a network perspective. So Brian Eidelman is here from Oracle to help us get the other flip side of that coin with security. So, Brian, just go ahead and introduce yourself for the listeners please.
Brian:Yeah, thanks Tim, thanks Chris for having me on today. And so I'm Brian Eidelman. I'm a vice president of cloud engineering on the field side at Oracle. I lead a team of security and networking experts that work with customers on one. You know, certifying Oracle Cloud Infrastructure, OCI, as a secure place to you know, an improved place to bring their workloads and their applications, and then working with them on designing their tenancy, putting in place their security controls, designing their cloud networks. You know, to scale the hopefully many, many apps and workloads. And so Cam leads the networking side of my team and I have a bigger organization on the security side.
Tim:Oh, wow, awesome, yeah. So I mean, how long have you been doing the security thing? I know, obviously I'm not sure how long you've been at Oracle but it sounds like you've been doing the security for a while.
Brian:Yeah, so I've been at Oracle 15. So I've been doing security pretty much my whole career. My first, my first job out of college was uh in uh making a factory automation software for the semiconductor industry, but since then I've been in security. Um I I come at security from the sort of uh developer's point of view, like developing security tools. Uh I I worked. I was one of the original developers of uh Netegrity SiteMinder, which is a single sign-on software. Oh, wow, you know, Okta is sort of the biggest, sort of the today's version.
Brian:You know that's cloud-based and you know so. I was employee 50 there and was developing web server plugins as part of a in that role and, um, I was uh worked.
Brian:I was employee 12 at Infoblox, which is you guys probably know, no info yeah, yeah, DNS company, but we did a lot of security, developed a RADIUS product and uh and then I joined Oracle working again sort of in a role in in or in on the engineering side, but it was about two-thirds customer facing one-third internal projects, basically working on customer adoption and refining the products of whatever was sort of new from a security perspective. And so in the early days that was Oracle's identity management products and sort of the Java security, and then it became SaaS security and cloud security and for the last five years it's been, you know, Oracle Cloud Infrastructure security.
Tim:Oh, wow. So like security development. Yeah, I don't think I've ever met a security developer before.
Brian:actually, you know it's worth mentioning that you know I went to college thinking I was going to be a creative writing major and ended up majoring in math. So you know I don't have a traditional computer science, or certainly. You know, back in those days there weren't security degrees for sure, right, so yeah, for sure I dropped out of uh.
Tim:Back date me now, but like back in, I think, 2001, I dropped out of uh college because it was um comp sci. It was comp sci or nothing basically at that point. And, yeah, I did not want to be a developer or be the next computer engineer kind of person.
Chris:So yeah, totally Exactly the same. I took one Java class and then one calculus class and I was like I'm done, I can't do this. There was no networking courses, so I left.
Tim:I think calculus was about the time I dropped out of that as well. I was thinking I would give it a go, and then I got to calculus. I was like, nah, I'm good, never mind, forget it, okay. So yeah, we brought Brian here because he has some really good experience and some big opinions actually about what does it look like if you want to go down the career path of becoming a, like a cloud security expert, engineer, whatever practitioner, maybe developer, I don't know like what is actually? That's some of the stuff we're going to talk about, uh, today is like what are the options, uh, with cloud security? So I mean not not to stand on ceremony, Brian, like like we're you know? Where do we? Where should we start?
Brian:yeah, well, thanks. I mean, one of the one of the reasons why I was excited to come on the show and talk about this subject is, I think you know, cybersecurity has become sort of popular.
Chris:I don't know if you want to say that that's right.
Brian:The general popular culture knows what it is. But you know, I think there's an impression out there that you know the two jobs. A lot of people have this impression. You know I could be an analyst, a security analyst or maybe like ethical hacking is the other big thing. Right White hat hacker, you know, and certainly those jobs are out there. But you know there's a much, much bigger world out there in cybersecurity. There's, you know, there's all sorts of jobs working in all sorts of different organizations.
Brian:And you know, I really view it as sort of a, you know, there's like a three-dimensional landscape where, like across the x-axis, you have the type of job right and there's, you know, yeah, there are those analyst and ethical hacking positions, but there's also, you know, positions making security policies, doing awareness and training for big organizations. There's a lot, you know these days, a lot. You know a lot of compliance specialists. You know, with all the different standards from, you know, government standards, just general corporate standards, industry specific standards like HIPAA, PCI compliance. You know there's threat researchers. You know there's cyber forensics. There's, you know sort of the path I've taken being a developer of security tools. There's, of course, you know, armies of consultants that help people apply those security tools. You know there's.
Brian:You know the whole ecosystem on the vendor side of those security tools, of product managers and QA people and people that sell the tools, and you know. So there's a ton of different roles and then you know, and then what sort of organization you work in matters a lot, right? So you can work in government, you can work in law enforcement, you can work for private corporations. You know you can work for in specific industries again, you know so and you know universities, so you know that and then finally, there's that type of role right.
Brian:So you know you could be a compliance expert in banking, you could be a compliance expert for a big software company that spends a lot of time communicating with your customers about your compliance and how they can meet their compliance needs with your product.
Tim:There's a lot out there. Yeah, I mean, that's huge, right. So, yeah, I like the way you're saying it with this idea of an XYZ axis. It's kind of a cube, not like a square, not like a plotted point, but there's a lot of intersection in all of that, right, so you could be a pen tester, but, like, are you a pen tester for a vendor? That's, like you know, trying to work on customers that are using the vendor software to, like, prove it works, or to, or to, you know, find problems with the software. Or maybe you're, like you know, like a state. You know, not that they exist, of course, but maybe you're state sponsored maybe you're a state sponsored penetration tester.
Tim:You know which is a completely different. The role is the same right, but I would imagine the application of that skill set would be wildly different, right.
Brian:That's right. That's right. Yeah, I think like the operating environment and like the surface area of the operating environment matters a lot, and so if you're you know, if you're working in a bank, you're obviously you know. Why do people rob these banks? Because that's where the money is.
Chris:That's where the money is.
Brian:So there's obviously a certain focus there around what banks are concerned about, but they're also concerned about. Banks have a lot of employees and the way in to what's valuable can be through all those employees.
Tim:Yeah, social engineering.
Brian:There's a lot to monitor there, right, and there's insider threats, but that's different than other companies, different than if you're working for a vendor or at a university or a hospital.
Tim:Well, the compliance right. The compliance is like the different frameworks that you have to be compliant with is different in FinServ than, say, hls, which is health and life sciences, for example. Completely different frameworks of compliance, right, different roles, or just two, not roles, sorry. Compliance officer at a bank versus a hospital right, like that's a. That's a totally different z-axis vertical xyz yeah, that's right.
Brian:That's right, and then um you know, and those those are right operational, operational roles and and, uh, you know where you might be in in the office of the cso but you know you might be a security person, you know, on the development team of an application you know, helping to develop their security products and advising the rest of the developers on secure coding standards.
Brian:You know, like one of my teams. It's interesting sort of getting back to the compliance side is. You know we have a team of common field CISOs. They're former, fairly senior folks and then we have a couple, some you know a junior team, sort of as part of that group that you know worked in on the operational side of things. These are people that you know, former CISOs that now work for Oracle. You know, on interfacing with, you know, our customers security teams, the CISOs of those, those organizations like the ceasos of big banks and etc. Governments and and, uh, you know, and they do get heavy and some of them are you know even within that group there's different sort of specializations.
Brian:There's some that are more deep, technical than others, but some are very sort of legally minded. I actually have a couple that are for that are lawyers uh oh wow. Not, they're definitely practicing, but they sort of really live at that intersection of the law and technology and security.
Chris:Who would have thought the law matters. They spend a lot of time.
Brian:Yeah right, they spend a lot of time with the Oracle legal teams and our customer legal teams and sort of help make sure everyone's on the same page about our commitments and you know, customer commitments.
Chris:Yeah, totally.
Brian:And the cloud. The cloud, you know it's cables to cloud. So you know, the cloud is very interesting from a security point of view, right, because there's a division of responsibilities and for every type of cloud application there's, you know, different levels of responsibility, right, versus like infrastructure, versus PaaS, versus SaaS, and that flows into the compliance side of things.
Tim:Yeah. So actually now, I mean, we've mentioned it X and Y a few times. I've even actually I think I said Z at one point, but like what is the Z-axis like to this? Then I think you might've briefly mentioned it, but like, let's get on that a little bit, yeah, sure.
Brian:So in my mind the Z axis are actually like technical specializations, right. So even within a given role and given organization, you do get some specialization right. So you guys are probably and your viewers and listeners are probably most familiar with, like network security, right, and that is a specialization. In fact, that was, you know, early in my career. That was the only thing anyone, if I said, oh, I'm in internet security, they said, oh, you mean firewalls?
Tim:Right.
Brian:No, no, I'm something called identity management. Then I have to go explain what identity management is. Maybe we'll talk about that in a little bit, but you know.
Brian:so that is you know, there are people that make a living with doing firewalls and network security and everything involved with that. But there's you. There's other areas of specialization, so, for example, encryption, right. So if you're on the development side, if you're developing applications, there's people that are experts at doing the encryption side of it. They know the security of the different. These days the libraries are pretty friendly, but there's still some work there. In the old days you used to actually know the algorithms and you'd be developing the libraries. These days, everyone opens SSL or different proprietary libraries.
Brian:But you still need to know how to use them and what they really mean with the different ciphers and the random number generation part of the encryption. But on the corporate and operational side and the compliance know the compliance side of it, there's people that specialize in encryption there and and say like, okay, all you know that that go and review all the applications for their big you know big bank and you know that exists, to make sure they're there, that all the encryption is being done correctly, using the right algorithms and the right ciphers and the right.
Brian:You know that the key management side of things um, so you know, that's another example. You know, I mentioned identity management, sort of what my my area of focus for a lot of my career. Uh, you know, and that's dealing with, uh, you know, authentication and authorization and single sign on and who users are and then you cloud security is sort of the modern thing. So if you're hosting a bunch of applications on AWS or on OCI, there's all the security involved in that.
Tim:So what's interesting is, of course, a lot of this stuff is overlapped, right, so you can't talk about encryption without really talking about identity management. Right, because you're not passing identity management credentials, like whatever that looks like single sign on or certificates, right, certificate based identity management is entirely based on encryption, like TLS encryption, for example.
Tim:I took a. So when I was doing my degree in cloud computing with Western governors, I had to take a class on cryptography and it was actually really I I won't say interesting, because actually, if I'm being completely honest, it was a bunch of math and the class was kind of boring. But the creation of cryptography and the science of cryptography I found to be interesting.
Chris:The mechanisms to create ciphertexts are pretty interesting. I would say the methods. I don't like the math, but the methods are fun.
Brian:In some ways, I think they're too interesting.
Brian:If I may inject something slightly spicy and criticize some of my colleagues. I've seen way too many people on the review side of things that come into. You know that that are that. You know you'd be surprised. You know how high a percentage of people the first thing they'll ask when they're doing a review is is what, what random number generation are you using in your encryption? And it's like. It's like hey, why do you? Why do you care? I can. I can SSH from any desk here right into your data center and there's nothing.
Chris:You know you're worried about random number generation.
Tim:Right exactly.
Brian:But no, no, that is. You know it's interesting stuff, and you're absolutely right, Tim, that these things do overlap. And that's one thing that I really like about security is, you know it sits at the nexus of you know, not just all the other security technologies, but you know just, there's security in everything and to be an effective person in security, you need to know the environments and the applications and the languages. You know that you're running and so, like, if you're going to be doing security, you know if you're going to be looking at security of you know an application, you might need to know a lot about Java.
Brian:You know you need to get into Java security, so you need to learn a lot about Java and you need to learn a lot about application servers and networking and identity management really especially sits at. You know the intersection of all those things. You know when I was doing development and you know a lot about encryption. You know, let's say I always tell Cam that I know enough about networking to know what I don't know, but you know, I did you know I wrote like the world's first commercial Apache web server plug-in.
Brian:So I know a whole lot about Layer 7, probably more about the HTTP spec than anybody. But you know, so yeah, all these things are interrelated.
Tim:Yeah, so I mean, so let's actually let's get into. So you're mentioning, like identity management obviously is a big part of what you're into, so, or have been, should I say into, so how has it gone from like the basic, like username and password, to like where we're talking about modern-day authentication or authorization? It obviously includes encryption, but is it more elegant? Is there more to it now? Yeah, there's a lot to it.
Brian:It's really an area that's gotten. Like I said, 15 years ago no one heard of it, but today Jim Cramer's talking about Okta on CNBC. They have like a $15 billion market cap and it's a pretty widely recognized and important area of security.
Chris:And yeah, there's authentication, right.
Brian:We all hate passwords and password phishing and everyone realizes that that's not sufficient. So, like the next, pretty much any application and every enterprise of any importance requires multi-factor authentication, right? So that's a big part of it. And then you know that used to just be. You know they'd ask you some additional questions that were basically like you know, some knowledge-based authentication that was basically just like a bad, a bad second password.
Tim:So you know, and then it went to like SMS.
Brian:You know it was. You know that you know the whole point of multi-factor authentication is like usually it's you think, like an ATM, is like the good, like simple model. It's something you have plus something you know yeah both of those and, um, you know, but it's gotten more sophisticated, right? So the SMS, the point. The point is that what you have is your phone by virtue of getting that text message. But you know, of course, phone numbers can be stolen and spoofed. Yep, I've seen that, and so it's gotten more sophisticated.
Chris:And now the big trend these days is passwordless.
Brian:It looks like the password's so useless, let's just do away with it completely. So much cost associated with maintaining passwords. People forget it, right? People beef up their help desks when everyone gets back from holiday vacation because, you know, half their employees have forgotten their password. You know, but so you know now everyone's ditching passwords, and so it's only like something you have or two things you have.
Tim:Yeah, or you get a token right Now. It's like token based.
Chris:We're like hey, I want to log into this and it sends you a token and then you use the token to log in.
Tim:So, yeah, it ends up being something you have, you know single sign-on.
Brian:I mean that's been around for a long time but it's become really universal in sort of requiring single sign-on. And it used to just be web-based single sign-on. But now people want single sign-on both to use like network to steal network to north, south and east, west, or, you know, up and down, left and right, you know from you know.
Brian:So, for example like not just from across the different applications that a user is using, but down the stack. So from, you know, from the browser to the web server, to the app server, down to the database and sort of, the full fruition of that which is sort of at the intersection of networking and security is, you know, the zero trust networking concepts yeah right, oh yeah, yeah, yeah, for certainly getting the zero trust piece, because I mean I know that.
Tim:so so I hear people talk about zero trust as, um, you know, oh well, we can have, you know, workloads. What do you do for workloads that don't have zero trust? And I agree generally that like, for example, workload to workload communication is hard to say like, like, because normally I think zero trust I think of identity, I think identity is tied to like a zero trust framework. But then you have like workloads that don't have true identities and so you have to like identify them with some other kind of fingerprint. But I mean, you're still trying to fingerprint them. You're just not using a user account or something like that to do that kind of fingerprinting of that, of that traffic or that workload.
Brian:That gets into the emerging thing in identity management these days is non-human identity, that's right. If you're anyone that was at the Gartner Identity Management Conference. It just happened, it was all about that. Or if you go to RSA, the Identity Management Tracks it's all about non-human identity.
Chris:That's interesting, but not only that it's like identities even got to the point where it's like I would say it's kind of like multi-tiered as well, because now we have the concept of like privileged access management related to identity, right. So it's like you have this one identity that gets you certain access to a certain number of things at a given time. But if you want some kind of heightened credentials, there's a whole market for Like. How do you elevate your access just at a point in time to do, you know, admin-based activities?
Tim:Just-in-time access, Right yeah.
Chris:So that's it kind of compounds on top of that right that gets into like another area from tying it back to careers.
Brian:There's like the emerging area of what's called like DevSecOps.
Tim:Yeah, okay, which I?
Brian:think kind of overloaded. When people talk about DevSecOps it can mean the security of DevOps. That's a huge field. A lot of companies out there are selling different tools. It's obviously very important. If you're a modern cloud-native company and you're doing DevOps, the security of that has to be be, you know, correct and, like you said, there's the privilege who can, who can push releases, you know who can you have to make sure that you can't like mimic a pipeline thing.
Tim:And then on the.
Brian:there is like the traditional, like sec ops side of things too. Okay, like I, I'm, you know, running the security operations center. What's really entailing that? What's you know how can I automate as much as possible?
Tim:Yeah, I think that's really good. So how does this change when we start getting into the cloud? I mean, obviously some of this is just going to be the same, just with the cloud, right. But like the fact that the cloud is a managed service provider right, like that they're not exposing everything to you, so you know, it's like you're consuming, essentially, a service right and you're trying to secure that service. So how does the whole cloud security thing figure in to the whole thing?
Brian:I think a couple of ways. I mean first review. Like you know, it's a very different conversation if we're talking about like SaaS versus infrastructure. For sure, for sure.
Brian:But if we're talking about infrastructure, which is probably what I think interests us most, you know it's, you know I think things are democratized in the cloud right.
Brian:The whole point of the cloud is you want easy access to everything you don't. You know, in the old days of on-prem right would install the operating system and they'd get some access to it Eventually. If it was a production system, they'd be locked out from it and then they'd have to ask permission to be let back in. The whole efficiency of the cloud is about giving developers direct access to the infrastructure.
Chris:But you have to put some guardrails in place, and so uh you know, that's a big part of cloud security.
Brian:You know, I, I, my own team, like five, six years ago, right, we had like our OCI development environment and like there's, like there's one guy like he'd stand up something, and you know you, because you know what ends up happening and people like oh, like you know, trying something's not working. Eventually they're like screw it, I'm just, you know, going to remove all my network security lists, open up SSH to the real, you know, and then, right In about 15 minutes, you know, those compute.
Brian:Yep, they're being like used for Bitcoin in like Russia or China or wherever.
Tim:Yep, it doesn't take long. That's true. That is the, and what's funny about that is that, in the same way that the cloud was built for developers to be agile and not have to worry about having to put in tickets for sysadmins to spin up compute or for network engineers to allocate VLANs and IP addresses, there's also this idea that developers wanted to be agile and get around security too, like security's not going to care about this thing because it's my playground and it's not connected to the corporate network and all of this. So the same agility story existed for developers until all of a sudden, it doesn't, because now these are critical business workloads that have to start connecting on-prem. Yeah, absolutely, absolutely.
Brian:So you know it's about guardrails. You know there's a class of security, cloud security posture management, which is all about you know, and there's all these new cloud constructs that need appropriate security. There's, you know, in the cloud it's easy to move data in and out, right to exfiltrate data. Um, the the network is a little more loosey-goosey, and so, yeah, um. So then that's part of, also the rise of, like, identity management.
Brian:People say a common phrase is oh, identity is your new perimeter just because you have the cloud and then you have all the different devices that people, that people use um and so in some ways it's pretty analogous to the differences in networking right. It's just there's virtualization, you know abstraction that just people need to deal with.
Chris:Yeah, I think that also helps with a lot of things in the cloud being very API driven as well. There's multiple points for authentication to happen, in the way that some of these services and some of these you know infrastructure type things have been built there. So there's definitely more points for it. But, as Tim said, you know, when you had developers building this stuff, maybe 10 years ago probably a lot of that was skipped. And now people are kind of going in and retrofitting security on top of a lot of this stuff.
Brian:So you know, and increasingly people are using, you know, many clouds, right? So you know we talk about it a lot at Oracle. I know you guys talk a lot about your job too, but, you know, I think that creates a challenge for certain people and an opportunity for others, if you really can master multiple cloud environments and understand how they're mostly the same, you know, from a security and networking point of view, and they all have similar constructs, similar controls.
Tim:I think it's the policy where people start falling down right, like having a unified security policy that can govern multiple clouds. Depending on you know they work very differently from a security and a network perspective. That's really the brass ring I think is being able to get to that.
Brian:Yeah, yeah, I think that gets into like a. We could have a whole separate podcast on that and sort of single pane of glass versus, like you know, use some multiple tools. Yeah, for sure.
Tim:But like, okay, so let's talk about but I don't want to drop that because I think this is really good and I think it ties back to the whole point of what we're talking about.
Tim:And again, we're talking about cloud security careers, right, but I mean, in this case I'm talking about in the podcast, right, the podcast is very, as we've been saying for many God since the beginning, pretty much that like network and security are pretty much joined at the hip, so we have to know them both to some degree. I mean, when I was an enterprise engineer, in addition to being doing collab and DC and all this other stuff, the two ones that I pretty much had to have all the time in lockstep were I was a firewall jockey and I was also like a network engineer, right, and you had to do both. So I mean, what is and I don't think that changes significantly in the cloud either but what does that look like for you? We're talking about networking security, especially in the framework of cloud security careers. What do you think? Where's the burden of knowledge there for somebody who's trying to do that, trying to be that cloud security person?
Brian:Yeah, I mean there's definitely a huge, huge overlap, and I think that again, like, the fruition of that is like zero trust, right, when the overlap is complete at that point.
Brian:And I think that creates some challenges for people that are organization. It was organizations that have this like separation of security and networking, the kind of like they look at okay with the zero, if they adopt zero trust, who's going to be in charge? Who's going to control? How do we make changes? Their heads explode, right, but you know I think there are, you know, and then like web application firewalls. That's like the area that really like.
Tim:Oh yeah.
Brian:Total, total intersection. There's other, you know, like network, at least identity management. Usually there's a separate, most organizations these days have a separate identity management team. That's sort of unto itself, and then they sort of support network security and support data security teams when they need to do something with the identity management systems.
Tim:Man, I hate working with IAM. I haven't found a cloud where I enjoy working with
Tim:IAM, like identity access management, like they're all terrible, like from my perspective, as the technology is terrible or the people are terrible, no, no, no, sorry, I just mean like when, I think that's fair, but no, no, no, when I have to, I'm just thinking to myself, like when I'm building in, say, AWS and Azure and Google Cloud or whatever, I'm building labs and stuff, like I just remember, because you want to operate from least privilege, right, you don't want to just like give yourself an administrator for everything, but getting to that point where you really figure out what does least privilege actually look like, the services are so intertwined just to get something working that, like, you'll find that, oh, I started off and I only granted myself these permissions, and then I found out that, oh, I can't even like build this service. I can't even build this construct because it's tied to four other services that I don't have IAM access to. And you only find out when you try to make it.
Brian:Yeah, no, I know exactly what you mean. Yeah, it can be a little frustrating because and it's not always very well documented, right, exactly. There's all the interplay of all these resources and a lot of trial. And, like you said, the only way to make the cloud secure is to deny by default, exactly, and so it's sort of a necessary evil, it's almost like the applications are now decoupled and so is, yeah, right, the policy to access all of them, right?
Brian:So and then the way to make it easier is to templatize and automate, for sure. Okay, like, that's why I'm a big believer in, like, the concept of a landing zone, where you know you design a pattern for your applications and say, okay, like you know, maybe I have three different types of applications and I'm going to extend my network and my policy model in one of three ways as I add a new application, right, for that test and then prod, uh, yeah for sure.
Brian:So that's a good example of what we deal with in security careers right there.
Tim:Yep, absolutely, absolutely. All right. So, because it's the hot thing, we have to ask. So the people working on cloud security careers already have to understand security. Obviously they're going to need to know, depending on what they're doing, right, they may need to know some networking. They probably need to know some identity.
Tim:Uh, you know, and all points in between, um, you know where. I haven't been keeping up with it, but, like, I know that I've seen some stuff about, uh, we actually just reported on the news not too long ago about, uh, AI being involved in cyber attacks and like a huge, huge increase in cyber attacks in 2024 due to the advent of AI. And is it like a script kiddie thing where, like, all of a sudden, everybody has a DDoS capability from their, you know, code, from their ChatGPT, or like what do you? I mean, what do you? Where do you think it fits into the whole cloud security career thing? The AI revolution, if you will, if we have to call it that?
Brian:Well, I think.
Brian:I mean from a technology point of view. You know that, yeah, I mean, makes people are leveraging AI in different types of attacks, which makes more sophisticated attacks more prevalent. There's the security, some really interesting stuff going on, you know, including in compliance around, as you can imagine, around the security of AI applications themselves. Again, we're like you know the purpose. One of the purposes of AI applications is to democratize the data, more people getting access to the data, being able to, you know, rather than doing like old school billing, you know, reports with some intelligence app, I'm just going to do some natural language queries and, you know, show me, show me all accounts payable over 90 days. You know, and then show me just my top 20.
Chris:Well, you know you, it's great to let the right people do that kind of thing, but you don't want to let everybody do that.
Brian:So now you know so, and then you know the people have questions. Okay, like you know, you know, I mean it's funny, people, like, right, there's Epic, right, which is the big in the United
Chris:States healthcare app.
Brian:They now have a, like, AI thing that helps the doctors write their notes, and so you know you might, we all might get it going to the doctor's office. They might ask it. So, okay, if I record this and you know you have the AI help. Well, like, are you using our conversation to train your, uh, your AI further? Like where? How long? Where's
Chris:that data gonna live? How long is it gonna?
Brian:live? Uh, and you know Oracle's customers have the same. You know, any SaaS application. You know, on the SaaS side that everyone, you know, are, you know, hey, Oracle, you're developing all these great AI features for your HCM software and your ERP software, but are you using our data for that or no? Well, we're not and we need to prove that we're not, and we need to have the controls to show our customers that we're not.
Tim:That's interesting, the idea of auditing, like the idea of being able to prove on an audit that you're not using. I haven't considered that. That's interesting.
Brian:automated out, and I think the, you know, the people that have like sort of the best skills and the highest level skills, you know, from a technical point of view, are going to be the ones that are even more empowered and efficient, you know, and then the soft skills become very important because it's not just, it's not just you know the technical skills that are going to be automated out, it's the communication skills and industry, certain specific knowledge, like you said.
Brian:Maybe you know tech and the law, or you know tech and a certain vertical market like healthcare. Right that becomes more valuable.
Chris:I think from a security point of view this is just speculating.
Brian:Now we're getting a little bit into spec yeah, that's fine, I think those, those lower level, like analyst jobs are. You know, it's probably not something that people want to stay in a long time.
Chris:I mean, it already is sort of not what people want.
Brian:To stay in a long time, yeah, but they're hard jobs and they're, you know, weird hours and 24/7, but, uh, you know, those are the ones that are most ripe for AI automation, right.
Tim:Yeah, because, analysts, generally what you're doing is you're analyzing a bunch of data, right, and trying to draw insight from it, and so that is literally what you would want an AI to do, because the inference engine and all of that is kind of built for that, right.
Tim:It was always on its way out, really.
Tim:Just now we've got a natural language interface to make that part of pulling out the insights easier, right.
Tim:So, yeah, totally, totally agree, and I also agree that the people that are going to be most, I won't say immune, but the least affected probably by the idea of like, hey, is my job going to get taken by AI, not just for security but for networking, for everything that there is, probably are going to be the people who are able to go more T-shaped and be able to be, yeah, I'm really good at this one thing, but I understand multiple things and I can correlate and apply those multiple things that I know, because AI is really going to struggle with correlation, if you will, between, like you said, I know security, but I also know this vertical very well, but the correlation and drawing insights between those two is going to be a lot harder for an AI to do because it's tokens all the way down. You don't have that thinking ability to correlate. It's not quite there yet.
Brian:Yeah, I think that's definitely true, a hundred percent, and not only, and I think there's opportunity there too, because it's not just that those people that have those skills are going to be immune from their jobs being taken by AI. They'll be more empowered because they are adding more value, some of the sort of the things that they were relying on.
Brian:Just like the doctor is empowered by the notes and they can see more patients in a day or get to go home to their families earlier in the day or whatever. The tech workers that have those higher level skills are empowered. Just like with the cloud right, you know, I think we all, you know, in the old days, right, you know software, you have these huge long QA cycles, and you know, and then people would have to slow adoption of the new features, and you know your customers have QA cycles In the cloud.
Brian:You just boom. You update it. People immediately uptake the new feature. You monitor. See how it's working Boom.
Chris:Yeah exactly. I think it's funny that that conversation about the doctor like it just kind of puts this image in my mind of maybe someone going to the doctor and it's like a real, like you know, kind of tinfoil hat kind of person just like grilling the doctor about like where's my data, how is it stored, how is it encrypted, how long are you keeping it? I'm sure those are conversations doctors really want to get into.
Tim:They know all the answers to these questions too.
Brian:You're going to add a year of, like, cybersecurity certification. And this was interesting to me.
Tim:So we were talking before the show about the kind of like what the stuff we wanted to cover, and Brian was mentioning that you know, like in cybersecurity the idea of certification is not nearly as, what's the word I'm looking for. It's just not as important, or it's not as, it isn't used the same way, I guess, as we use network certifications, and this was surprising to me. So, you know, with network certifications, I think it was, you know, certifications generally were initially this idea that, oh well, we're going to certify that someone who's already doing this job is capable to a certain degree and that's what the certification is for. But it ended up being this idea of like, actually it's more, it ends up being more like a learning path, like follow this learning path, pass it, and then you can pass the certification and you know, then you're, you know what you need to know. But it became more of a training thing. But like it's not really. So you're telling me it's not really a thing in cybersecurity.
Brian:I do think, you know, I think that surprises people because there are a lot of security, sort of proliferation of security certifications and you know people offering training for those, and I don't mean to demean those at all, but you know, I mean I'll just put it this way. Like I was probably like over 20 years in my career and was like, I think I was a vice president before I got my first certification of any kind at all. You know, our senior vice president wanted everyone in our organization to get certified on the Oracle cloud itself and the series of certifications, and so you know, I wanted to lead from the front and actually made a goal for myself to be the first one on my team to get all of them, and so I, you know.
Chris:But those I did, I did, I got nice. You know, I have uh nine or ten cloud certifications oh, wow, dude.
Brian:So so you know, and I do see the value of them I think I think what you were saying to him about like them being a learning path, right, it's a good um. And for myself, you know, there were certain ones I got where I just took the test because I knew it already, and there were others that I had to study for, to varying degrees, and so you know it does sort of a way of acquiring, improving a certain level of baseline knowledge.
Brian:But, um, you know, security, like we've been talking about, there's, so it's a pretty vast and, and I think that the security certifications out there are really geared at sort of those corporate sort of security assurance and policy type roles, um, more than, you know, you know there are some ethical hacking certifications and stuff, but I think it's really, you know, that again just like sort of baseline knowledge, and I, you know, my guess is the most ethical hackers out there, don't it's
Brian:really just about the real, real experience. And I think that's like another point is that you know, for anyone looking to get into, chris and I were talking a little about this earlier, like looking to get into security.
Brian:You know the best way to do it is to. You know most people when they, if you're in some sort of tech job and security comes up, they flee, they run away and if you want to get into security, run, run towards it. Become like curious about what's going on. Raise your hand, volunteer to participate. Some of the very best people I've hired have been people that you know, don't have any security.
Brian:Like I said, most of them don't have any security certifications.
Brian:They, you know, but they don't even necessarily have a long security background, but they've shown, they're people that, like, I've worked with on projects and you know that maybe they're like a lead application architect but they, you know, clearly know their security or, you know, taking the time to learn. I'm like, hey, you know you like security. Maybe you should think about focusing on it full time. And it's worked out well for them.
Brian:Another colleague of mine who runs our field CISO team. I asked him about sort of who did you used to hire when you actually were a CISO and ran like a SOC and a security desk and he said I love to hire help desk people because they know all about our environment and we can teach them the security side of it. Also, advice I gave to someone who runs the data security for a large healthcare corporation.
Brian:He said, Brian, I want to hire some Oracle database security experts. What do I look for? I said hire Oracle database experts that know some security versus security people that know a little bit about the database.
Chris:Yeah, I think it's tough to give advice in this department a little bit sometimes, because I feel like the number one advice to get people going is, or or at least like what. What I see from a longevity perspective is just be curious, like you have to be curious pretty much endlessly, but that's not a tangible thing, it's not really. You can't really measure. You know your curiosity, so I think that's good, like talking about, like you know, trying to get involved, like try shadowing, like that's always something I suggest is I don't know if that's just as prominent in the in the security space but like, yeah, just like, engage with the people that you know are doing these things and try to learn. And you know, um, 99 times out of a hundred people are willing to help you. Um, sometimes people are, you know, gatekeepers and et cetera. But you know you'll, you'll move on, you'll get past that.
Brian:I think it's hard to be curious in a vacuum, but I think it's easy to be curious If you're already in tech. It's easy to be curious about security within the context of what's happening in your organization with your projects.
Chris:And again, most people run away.
Brian:I think they run away because either they're intimidated, they think it's difficult and it's not that difficult.
Chris:I mean some people find it boring. But if you're interested in it, you don't find it boring. I don't find it boring. I think it's scary sometimes, because security is a vertical that has a lot of resume-generating events, it seems.
Tim:Well, network does too, infrastructure does too, to be fair, you have to get pretty far away from tech to not have an RGE happen you know, like a BMS. But no, this is really good and yeah, I think we're just about out of time, but this has been a really good discussion. We'll definitely have to have Brian back. Maybe we'll get into some of the other security stuff we talked about.
Chris:So yeah, definitely.
Tim:Yeah, so we'll go ahead and stop here. So, as always, thanks for listening to the Cables2Clouds podcast. Make sure you buy our breakfast cereal and our home game. Yeah, you can play as either Tim or Chris. You're not allowed to play as the guests because we want the guests to win. Thank you.
Chris:So thanks for hanging out, Brian. Where can people find you?
Brian:Yeah, duh, LinkedIn is probably the best place. Brian Eidelman at LinkedIn. If you're an Oracle customer, you can talk to our team.
Tim:If you're an Oracle customer, you actually already have it.
Brian:Ask whoever you're working with at Oracle that you want to talk to Brian. No, we'll make it happen.
Tim:It's already on your speed dial if you're an Oracle customer, so go ahead and give him a call. All right? Well, thanks again for listening and we'll see everyone next time.