Security Unfiltered

Bridging the Gap Between Technical Expertise and Business Acumen with Shauli Rozen

Joe South Episode 150

Send us a text

When Shauli stepped out of the army and into the world of engineering, little did he know that his love for math and physics would catapult him into the tech stratosphere. Our latest episode features Shauli's riveting journey as he navigates from algorithms engineering to the forefront of cybersecurity and beyond. His experiences reveal how a mix of curiosity, a robust educational background, and seizing opportunities can shape a multifaceted career in technology and startup management. We uncover the critical moments that prompted Shauli to weave his technical expertise with an MBA, shaping him into the business-savvy leader he is today.

What does it take to stand out as a leader in the ever-evolving business landscape? Shauli and I dissect the fusion of an engineering mindset with the strategic foresight of an MBA, discussing how this powerful combination is essential for deciphering complex problems and steering towards success. We delve into the underestimated importance of soft skills and how international and consulting gigs can polish one's acumen for effective leadership. It's a candid exploration into the harmonic balance of technical prowess and emotional intelligence, and just how impactful this blend can be for those looking to leave their mark on the tech sector.

But it's not all management talk—our conversation turns to the technical labyrinth of securing Kubernetes workloads in the cloud. Shauli sheds light on the challenges in aligning security with DevOps practices and the pressing need for Kubernetes-native security tools. We even speculate on the future of cloud infrastructure, with an eye on service offerings that may eclipse architectural shifts as the main game-changers. Join us as we navigate these complex themes, aiming to unravel the knots of cloud security misconfigurations and seeking solutions that stand up to the unique demands of operations.

Support the show

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, charlie? It's great to get you on the podcast. You know, I think, that we've been planning this for quite a while, but I'm really excited for our conversation today.

Speaker 2:

Thank you, it's great to be here.

Speaker 1:

Yeah, absolutely. So. You know I start everyone off with telling their background. You know how you got into IT, what made you want to get into cybersecurity overall. You want to get into cybersecurity overall, and the reason why I do that is because there's people that are listening or watching on YouTube. Of course, at this point you know that might be trying to make that transition for themselves, and I feel like hearing someone's story and maybe it lines up. They can say, oh well, if he did it, I might be able to do this thing too. You know, I look back on my life earlier on Right and all I ever needed was to see someone else do it. It's like, oh well, if he could do it, maybe I can do this too. So so where does that story start for you?

Speaker 2:

Well, I think I've been in and out of IT or engineering or technology, you know, in different worlds. But, to be honest, like going to engineering for me was kind of like the natural thing to do. The fact that I'm today more of like a business and management type person, you know, running a company is actually, you know, for me the surprising part, like I would be, you know, if I needed to guess when I was 16, where I'll be, you know, at 45, I would probably say I'm going to be like an architect, like a, like a, you know, technology architect, software architect or engineer or something like that. I was super good, like you know, in math and physics when I was younger. So, like natural, kind of like, um, I would say, path for people you know, like me, especially especially in israel, where you know software engineering is so popular, was hey, you know, you finish your army service, you go to learn engineering, software engineering that just what you do, you know. Uh, you finish your army service, you go to learn engineering, software engineering, that's just what you do, you know pretty much. So I went into that and, you know, then I started working for, you know, my first company After school.

Speaker 2:

I was an algorithms engineer. I like I really like solving problems. You know, for me, being a software engineer and algorithms engineer was just almost like continuing the studies and solving more riddles. It was like a new algorithm is like a riddle for me and now you can make it most effective. I wrote a few patents under my name Back in the days I wasn't in security, I was more in algorithms for video compression and multimedia, and then I worked as an engineer for a few years and then I moved to a security startup and, kind of like got the hang of security and did some security software development. And then actually, you know, my path went sideways a little bit when I actually went to do my MBA in the University of Pennsylvania in the States and that took me to like another path of you know. I went into management, consulting and advisory and stuff like that and actually what brought me back into technology was, you know, being back in the startup scene. You know, opening a startup, first joining a startup and then opening a startup together with my co-founders.

Speaker 1:

What made you want to go down the MBA route?

Speaker 2:

It was a bit opportunistic, to be honest. I was like back in the days I was a team leader in a software company in Israel and a very good friend of mine we are still good friend of mine, we are still good friends until today. Unlike me, he was like we were together in like, doing like our engineering degree together, and he knew he was going to go down the business route. So he was planning to go to do an MBA, you know, right after school and he was planning his entire. You know he's much more planned than I like his life, much more planned than I. I mean, he knew he was going to go to do an MBA in one of the Ivy Leagues and I didn't even know what Ivy League means back in the days. And then the reason I went there is that he was there. He was accepted to a school called Walton, which then I joined him, and he called me one day. You know we were in touch as a racial.

Speaker 2:

You know you, you got to apply. You know you got to apply. I know you. You know you love studying, you love diversity. You would love you know what's going on, what's going on. You would love the level of education that these guys bring to the table. I really, really encourage you to do that. That's how I kind of like started. I said, okay, I will apply. I wasn't really serious about it, to be honest. I said, you know I'll apply and see what happens. And then, when you start to apply to these programs, you fall in love with them. As you apply to them, you know, you kind of like start to investigate them more and understand what's going on and see how global and what type of education they're going to give you. So that's how I kind of like fell in love with it and then became more and more invested and finally I went ahead and you know, and studied there.

Speaker 1:

Yeah, I've contemplated myself about getting an MBA, but I'm not sure what I would do with it. You know, and for me like to put in that kind of time and effort, you know, into it, right, I want to see results, I want to see roi on it and I'm not sure what I would do with that. To, you know, create that roi. But you know, I I totally relate when you say, you know, someone else kind of told you to get into it and you know it would, you know, expand you in different ways and whatnot. Um, because I kind of went down that path with the PhD, where I've been exploring it for years, really thinking about it Every year. It seemed I would reassess the ROI that I would get from it and things like that. If there was topics that I wanted to look into or anything like that that you know, if there was topics that I wanted to look into or anything like that. And finally, you know, this past year I finally pulled the trigger and and got into it right. So and I mean it's, it's amazing that I, I guess I finally decided to get into it right. But now it's like, okay, I gotta, I got to do the work and and that's the part that's the part that's like really hard, I think, to estimate ahead of time, because you don't. You don't know what you don't know.

Speaker 1:

And getting a PhD is completely different. You know, you're not in a classroom every single day. You're not having someone telling you hey, you need to turn in this paper. Hey, you need to turn in this paper, you need to turn in this assignment or whatever it is. It's literally like no, there's a body of work that you need to turn in. However long it takes you is how long it takes you. You know it's like there's no path. You know also, like you're figuring out how to do it along the way.

Speaker 2:

So, like you're figuring out how to do it along the way Exactly, you know, I, you know, to be honest, I contemplated about a PhD myself so many times in, you know, even before I did the MBA and after I did the MBA, just because I love studying so much. But the PhD is like you know, it's you need like extreme self-motivation, you know, in order to make it happen and to do it well, because life happens to you as you do it. You know, before we started recording, we talked a little bit about kids and family, and then you have your work. So, finding the time and the balance to actually do it, I really respect the fact that you're up to it and, yeah, it really, really, really requires a strong self-motivation.

Speaker 1:

Yeah, you know, I approached it from two different angles, right? So you know, I'm someone that comes from very little right? Like my family wasn't well off or anything like that. I was the first in my family to go to college, um, you know all all that sort of thing, right? So when I look at my daughter and I say to myself, well, I want to set a good example for her of what's possible, of, you know, setting that bar as high as possible, I would say, set it as high as possible, and if they aim for the bar right, they'll land. Even if they don't, you know, meet it right, they'll land somewhere. That is a good place, you know, yeah, um, and just showing you know, her and my future kids. You know what that looks like, what's what's possible, right? Um, and same thing for my wife. Like, my wife is finishing up her second master's degree, so it's, it's, it's definitely like a part of us and who we are and everything.

Speaker 1:

But then I also took it another step Right, because I'm always looking for trends in cybersecurity. You know what's coming five or 10 years down the road that maybe I should prepare for right now. And I did that with cloud security. You know, obviously I didn't see the very beginning of cloud security because I was, I was getting my bachelor's at the time, it wasn't paying attention to it or anything like that, but it wasn't. It was nowhere near as big as what it is today, you know.

Speaker 1:

But I figured that there was a lot of potential to go that route, because VMware was so big at the time and this basically replaced it, and so I started going down the cloud security path and here I am now, in a larger security area. And so when I was looking at my PhD, I took that same approach and started to dive into satellite security. You know how to actually secure satellites in space? How to, you know, protect them against incoming attacks? How do you relay you know communications to them? How would they be able to interact with communication systems, all that sort of thing, uh, and so now you know, I'm really pushing myself to to, I mean, I, I, I have a hard time saying be an expert, but I guess the phd kind of gives you that without you know anything else, but to really dive into this thing and learn it, because there's so much that I don't know.

Speaker 2:

yeah you know, just investing the time yeah, you know to, to learn a topic, and you know, eventually you just know more about it than other people because you just spent more time with it. Right, it's just, you know the mathematics of time.

Speaker 1:

Are there, you know, looking back now that you're, you know, in charge of this company, right? Were there any key skills, maybe two or three key skills that you got from the MBA that really influence how you operate today?

Speaker 2:

Wow, I think. So. You know I was a very, very, you know, analytical person. You know I was an engineer math, you know everything for me was like. You know I don't want to exaggerate by saying everything for me was black and white, but you know what I mean. I was a numbers type person. You know what I mean. I was a numbers type person and the, the soft skills that you learn in in an MBA and and the variety of people that you meet, I think are the key, you know, benefit that I got from it.

Speaker 2:

Um, also, you know, specifically for myself, it's not just about the MBA, it's about also, you know, moving to to another country MBA. It's about also, you know, moving to another country with your family. So, just, you know, just the mere experience of you know, moving to the United States, experiencing the culture, experiencing, you know, the values and the work ethics and how you know processes are done in a different country, you know, gives me, gives you a lot of perspective and a lot of, you know, new skills that you acquire. And then, and then, quite frankly, frankly, you know, my first job, you know, after the MBA, was in the Boston Consulting Group, which for me was really an extension of the MBA. You continue learning and you know that companies you know I don't want to promote them or anything, but they are so good at building your capabilities. You know giving you frameworks to analyze situations and you know structure your presentations and and communicate your thoughts and understand complex situations, which I think you know gave gave me a lot of value into what I'm doing today.

Speaker 1:

Yeah, it must be very beneficial to come from that engineering background, that engineering mindset, and go into a business, because you can break apart problems and issues in different ways than what you would be able to without it. Know, at least in my opinion, um, because I'm just thinking you know my day job, right? I'm principal cloud security engineer, right? So I'm breaking apart problems all day long, um, and finding, you know, inconsistencies and, you know, directing people towards the, the a new or a better solution, right? That sounds a lot like what running a company is.

Speaker 1:

You're encountering with problems constantly and you have to filter out the ones that you want to pay attention to, the ones that will make or break your company. Right, those are the ones that get your time. But then you also have this back burner in your brain of like, oh yeah, I also need to adjust these other 10 or 15 things. Being able to do that and manage that is, I mean, obviously it's extremely important for a company, but it's always interesting to hear how people get that experience, because everyone gets it differently, I feel how people get that experience, because everyone gets it differently.

Speaker 2:

I feel, yeah, I think you know, problem solving is probably one of the key skills that any manager and leader needs to have.

Speaker 2:

And as long as you're not, you know, as long as you have some soft skills to go along with it because there are some great problem solvers that are that have zero you know soft skills or you know emotional intelligence, and that's a big problem.

Speaker 2:

But once you have that combination, I think that's where you know, you get to be very successful. And you know, even in my life, you know, as I said, you know, for example, when I was in in in a consulting company, right, when I was in a consulting company, right, you see that the engineers that come into that company, they become the best consultants because they have that mindset and the recruiting process basically filters out the fact that they will have, you know, some emotional intelligence and capabilities, so it makes them really, really good consultants. I have to say that another type of persona there aren't many of those because they usually stay. They become doctors, but we had some people who came from medicine school and that's also, you know, a very good indicator and if you think about it like doctors are really engineers of the body right, like they need to evaluate situations and see signals and come up with solutions. So they also are very good, you know, in problem solving in general.

Speaker 1:

Yeah, that is really fascinating. You know, when people ask me how to get promoted, you're already an engineer. You're already a really smart, intelligent area. How do you get promoted to management or architecture?

Speaker 1:

I always start with the soft skills, because the soft skills is really what separates you from everyone else, right, because everyone is used to that engineer. That tech guy that's, you know, a little socially awkward, isn't really used to talking to other people. Everyone is used to that, right? So if you break that mold, you're immediately going to stand out. Even if you're breaking the mold in a controversial way or maybe a poor way right In the beginning, you're still going to stand out. Even if you're breaking the mold in a controversial way or maybe a poor way right in the beginning, you're still going to stand out and hopefully you're standing out to the right people in the right frame of view or frame of mind, right?

Speaker 1:

But soft skills are extremely important, especially today where you know so many of us are remote. You know the soft skills really pay dividends when you know you're on a video call and you have to get across a point and make sure that people are understanding and break it down into a way that suits your audience. That's probably actually the biggest thing that I see a lot of people mess up on is not adjusting what you're saying to the audience. That is in the call. You have to be able to maybe go just an inch below the surface, right Like, hey, here's all this stuff. None of it makes sense to you. That's okay, because this is what it's really doing. Give them that good overview so that they could take that slide and put their own words on it and present it to their management, right? You have to think about it like that, and making that switch over in your mind is typically a really difficult thing to do. I have found, at least.

Speaker 2:

Yeah, I completely agree. You know the ability to simplify, you know technology. Simplify solutions, even simplify problems, is something which is super critical. One of the biggest mistake we are doing everyone is doing, I do it as well, right. The biggest mistake we are doing everyone is doing, I do it as well, right in communications is that we assume that the other side is the same as us. It's just easier to assume that you assume they have your knowledge, they assume they have your kind of like history, and it's really really hard to put yourself in the other side and in the shoe of the other person, as they say, and then we assume different things and the communication breaks and the value is not communicated, and I think that's the biggest mistake.

Speaker 2:

Marketers do that mistake all the time. One of the first thing you need to understand as a marketer is that you don't market yourself. Need to understand, you know the other side. Um, yeah, I think that's. It is so natural, uh, to assume that and and and. It's so easy to forget that. You need to really think about who am I going to speak with you. You know what's their objectives. You know what's their background, what do?

Speaker 2:

they want what they want to get out of the conversation. You know what they need to do. Yeah, it is just very hard to do. It's not hard to do, it's easy to do if you think about it, but it's very hard to focus on it and really, you know, actually do it. Everybody will say, do it right, but to actually do it in real time in a conversation, it's not easy.

Speaker 1:

Right, so let's dive into a little bit about your company. So what is the company that you're in charge of right now and what's the problem that you're trying to solve with this company, with your solution?

Speaker 2:

Yeah, so my company, the company name is Armo and we are a dedicated Kubernetes security company Kubernetes has grown to be pretty much, you know, the de facto standard for, you know infrastructure for cloud workloads. And if we think about application protection platforms, you know, if you think about what Gartner calls ASPM today application security posture management or if you think about CNAP cloud network application protection platform, there are a lot of you know initials and a lot of different kind of like words to say one key thing, which is you need to protect an application running in the cloud and you need to protect the cloud from the application running in the cloud. And those applications will 90% be running on Kubernetes. And that's why we believe that getting intimate with Kubernetes, with the configurations of Kubernetes, the configurations of the workloads in Kubernetes, getting all of the context of what's happening in runtime, is crucial to securing workloads running in Kubernetes. And the main reason is that when you start to secure, you know cloud and Kubernetes native environments, there is a you know I remember I talked about it about a year ago Kubernetes as itself. Yes, it is super complicated and you know enormous and exponential number of you know misconfigurations that can happen. But the main reason for the complexity of things running in Kubernetes is not Kubernetes itself, it's the architecture that it is enabling.

Speaker 2:

So once microservice-based architecture is possible, once microservice-based architecture is possible, just the number of software artifacts that are running in your cluster or in your cloud is growing so exponentially, so vulnerabilities are growing exponentially, the attack surface is growing exponentially, the number of alerts is growing exponentially. So you have so much mess going on that you need a more adaptable security solution. And what we are trying to do in Armour is using that Kubernetes context, that workload context, that runtime context, to adjust the security based on what's happening in your environment. So we will apply stronger hardening capabilities in places where the risk is higher. And we will apply stronger hardening capabilities in places where the risk is higher and we will apply more detailed you know runtime security. We will tighten the security in places where we find the risk based on the context of Kubernetes being higher. And I think just the fact that you know we secure all the same and all workloads are born equally. It's no longer the case. You need to prioritize, because if you don't, you just spread the thing.

Speaker 1:

Yeah, that is a really good point. What you said is that Kubernetes is basically everywhere now. When I started to get into the cloud, it was kind of a niche area. Not very many people dove into it, not very many people understood it. When I started to get into the cloud, it was kind of a niche area. Not very many people dove into it, not very many people understood it, but it's becoming almost like its own domain within cloud security.

Speaker 1:

I was at a company where they were actively mig, you know, migrating their infrastructure in AWS to Kubernetes instances, and you know it was really challenging because our I mean, I call it legacy but they're still top of the line our legacy EDR.

Speaker 1:

Yeah, you know, of course they offer a solution to protect your containers and whatnot, but when you put that agent on there, it's so heavyweight and it's not coded properly. You know to be running on such a lightweight infrastructure that you end up spending two to three times more than what you actually would have been spending, and that's a huge thing because what you actually would have been spending. And that's a huge thing because Kubernetes is so, I guess, nimble, so easy to deploy. You could spin up, you know, like if the cloud is easy to spin up resources. Kubernetes is like a factor of 10, right of how quickly you can actually spin up resources and start eating up a budget, and so if you extrapolate on it, you know you're spending a significant amount of money eating up resources that you really probably shouldn't be. So I always found that interesting, you know. Can we talk a little bit about the challenges of building a security platform on Kubernetes or for containers?

Speaker 2:

Yeah, well, I think you mentioned one of the most critical aspects of it, which is scale and resource consumption. You know when, when you take like legacy, I'll call it legacy even though, as you said, it's top notch. But if you take legacy type, you know solutions and agents and deploy them, you know, in Kubernetes. And then you know new pods spin up, new nodes may spin up, you know, and you grow. You know, horizontally, vertically, you know, in many different ways. First of all, the resource consumption and the cost for the customer is getting super, super high and that's why I think the first challenge that we have faced in building a Kubernetes solution is okay, let's build it from the ground up. For Kubernetes, let's make sure when, for example, a pod is duplicating itself, you don't duplicate your memory footprint or your CPU and you're staying relatively lean. Let's use Kubernetes native capabilities in order to do security.

Speaker 2:

If Kubernetes provides network policy, you don't need another agent to now run all of the network policy. You don't need another sidecar and another sidecar. You know sidecars. I've seen companies that have, like I don't know, six or 10 different sidecars on every pod. You know you spin up a pod, 10 other pods come up together. So being very mindful that you're running like it's. You know, on one hand, it's a limiting factor the fact that you're running on Kubernetes. You need to be as native as possible. On the other side, it gives you a lot of capabilities and a lot of native capabilities that, if you know to use them correctly, makes you much more efficient. Right.

Speaker 1:

Hmm, yeah, how is that? You know, how is that learning gap with Kubernetes, how time and money and resources in Kubernetes? You know they're probably not going to know it as well as you or some of the experts at your company what it should actually be. You know doing how it should actually be designed, things like that, because you know that's probably an important part of what you do. I would think, right, because you're you don't want to them. Why you know this is valuable over something else, why it works this way. Right, why you wouldn't go with that top of the line EDR solution that everyone has in their infrastructure, why you wouldn't go with that module and why you would be going with something you knowbuilt. Have you run into situations like that where you guys are the experts, so to speak, in the room and you kind of have to educate your customers?

Speaker 2:

Yes, and I have to say, over the last two years, what we need to teach or work with our customers on have changed, you know, dramatically. And you know you're always or at least you should be always ahead of your customers in terms of your knowledge and what you're seeing, because you just see more in the market in that specific field. So if you think about, you know, three years ago, or even four years ago, when we speak with customers about Kubernetes, I always one of the biggest things that we always deal with is the fact that Kubernetes has a joint ownership. Kubernetes security has a joint ownership between a security team and a DevOps team or platform team or SRE team. You know the term itself is always changing, but if you think about three or four years ago, we would speak with the security teams about Kubernetes security and honestly, they would be clueless, right? They would say we don't know. You know we know we have Kubernetes, the DevOps team is running it, we give them some guidance and we scan images, but they don't really know what's going on in there. So that was the place back then. It's just getting ownership.

Speaker 2:

Today we are in a place where our third leadership is much more around. How do security and DevOps team work together to secure Kubernetes? We see more and more DevSecOps roles in the company. We see security engineers who know Kubernetes, but they will never know it as well as the DevOps. So one of the key things we need to help our customers is to mitigate between a security requirement, which is a very security-oriented thing, and then the remediation of that within Kubernetes, which is a very DevOps thing, and we actually invest a lot of time into creating features that will, you know, cater to that specific gap feeling.

Speaker 2:

So, for example, you know just a nuance. You know if our system gives an alert to the security team about a misconfiguration that might be problematic in the environment security-wise, we also issue the remediation advice to the DevOps team to apply, and we built it based off the Kubernetes context and the runtime context in a way that it will not break the application. So you know we are always you know. I would say the main thing our platform needs to do is to continuously shrink the attack surface, but in a way that the DevOps feel confident to use, right, that doesn't break applications, and I think that's the first of all. I believe it's one of our key differentiators, but it's also, I think, one of the biggest bridges that you need to build between security and DevOps.

Speaker 1:

Yeah, that relationship is so critical. It's becoming more and more important to really build that relationship between security and the developers and operations, because these organizations, these environments, are getting so large that it's no longer under you know, one team or one manager, right, like there's several different pieces at play, and that kind of ties into what we were talking about before being that engineer being able to, you know, break things down, have the soft skills to be able to talk to, you know anyone in the room and ensure that they understand. You know, one of the I guess maybe one of the biggest challenges that I have faced, even in recent years, is being that security expert. When we're talking about Kubernetes, right, without really knowing Kubernetes and trying to get across you know security standards to developers and saying, how do we achieve it? Because, from an engineering perspective, I put on my engineering hat it's like, okay, well, let's learn Kubernetes. How hard could it possibly be? How long could it possibly take me? Maybe a month or two.

Speaker 1:

And then you start getting into it and two months in, you feel like you know nothing and it's like, okay, I seem to be starting completely over in this area. So I need to lean more on the knowledge of other people that have been working with it every single day. Yeah, and try to make these security I guess requirements you know make sense to them, and try and reword it so that it makes sense to them, so that they could translate it into Kubernetes and say, oh, there's this whole, this whole other you know management plane, right, that we haven't thought about before. But that does the thing that you're thinking of right, it's a, it's a balance. It's interesting how that conversation just tied together with what we were talking about before with soft skills yeah, completely, and it's, you know it's always.

Speaker 2:

It's almost like um, um, you know there's this movie, you know men's out, men are from somewhere and then women are from marcelina. So it it's simple. Security and DevOps and if I need to kind of like pinpoint it, you know security many times. You know they speak a language of risk. Right, they speak a language of you know posture, which is a language that the engineers, the DevOps, they don't speak that language. They don't talk in terms of risk.

Speaker 2:

They talk in terms of you know configurations. They talk in terms of you know engineering, right, they talk about configuration. They talk about you know software packages. They talk about network IPs. That's their language. They talk about network IPs. That's their language. And what we see today is that security, they need to know Kubernetes well enough to kind of like translate some of the risk requirement and the risk terminology into technical terms. But also the developers on their side, they need to learn the risk implications of different things and they need to start thinking about risk as well. I think that's what every platform that gives security for Kubernetes will need to manage. Basically.

Speaker 1:

Yeah, and even recently, the past couple of roles that I've had, it's been acting as that security bridge to the rest of to translate, you know, these security components into something that they understand so that we can, you know, make progress. It has been, I mean, it's interesting, it's probably the evolution of an engineer, so to speak. Right Is, you know, you go from being hands-on keyboard I'm going to write this code and fix this problem and you know, we're going to go through it like that, to being, you know, the subject matter expert in an area and then translating it to other, to other departments, right For them to actually do that work. And it's, uh, that that transition, I guess, has been slightly difficult for me to to, I guess, stomach, right, because I I still, I still want to get in there and I'm still kind of paranoid because I'm not in the weeds like I used to be, so to speak.

Speaker 2:

It's not like man, is someone gonna like think I'm, you know, useless and lay me off because I'm not in the weeds like you know what I mean, like it's that yeah it's that mental shift, you know yeah, you know, um, you know, I have to say you know, another time in in my life at least, that I've went through you know, uh, this type of like dissonance that you're mentioning is, for example, just when you, you know, when you move from being a developer to a team leader right, yes, you, you know you just lose the capability or the capacity to know every function that every developer writes and you need to feel comfortable with giving guidance and being more of the architectural oversight.

Speaker 2:

You're the security architectural oversight, right, and I completely get it. We're all in some ways maybe not all of us, but maybe you and I are control freaks, right, we want to know that exactly what's going on, and it's hard, but it goes again. It goes to what we talked about before and I think you said it right. It goes to the soft skills into collaboration and working together, communicating well, in order to feel comfortable with this new situation.

Speaker 1:

Yeah, absolutely so you know, if you look, you know five, ten years out, right In technology. That's extremely difficult to do to look ten years out. It's probably really difficult to look five years out. Where do you think cloud infrastructure as a whole is going? Because we have Kubernetes, but I wonder what that next iteration of Kubernetes is. Is it serverless, do you think?

Speaker 2:

it's serverless, do you think? Well, there are already some. You know, there's Fargate or the I don't know Autopilot from Google which are kind of like they're running containers, but they are serverless. I think that's. The problem today is that it is very, very costly to go. But also, you know, kubernetes makes it so much easier to manage the server themselves. Then it makes me think about okay, so if servers are so easy to manage, why go serverless? You know I try not to make predictions because everybody that ever made predictions probably was wrong.

Speaker 2:

But one of the things that I'm seeing is that I think the cloud as a cloud service is going to proliferate. So we have Amazon, then we have Google, now we have Azure, we have IBM. I see companies starting to do their own cloud. So what I suspect might happen is that the cloud technologies will just be. You know, in so many many places where you could utilize cloud type technologies, companies are already doing that.

Speaker 2:

You know Kubernetes is running on premise and companies are doing like cloud native, but it's on bare metal in their own environments. It costs them less than going to Amazon if they're big enough. So I actually think, you know, I don't think the big change going forward will be in you know what servers we are using, or the architecture of the server, or Kubernetes. I think it's going to be about the type of services that you can get from the cloud provider. I think cloud providers will win and lose based on the ease of their AI models that they provide via APIs and the database services and how quick those are. I think that's where the next battlefield is in.

Speaker 1:

That's really fascinating, you know what you're describing really eliminates a lot of the security misconfiguration that goes on in the cloud.

Speaker 1:

In the cloud, you know, recently, right, I ran a report in the environment and saw a bunch of public S3 buckets and you know I'm sitting here like this is, you know, literally you know, third or fourth time that I've had to go over this with.

Speaker 1:

You know all of my developer teams probably about 150 different people and you know I'm trying to figure out how to like finally solve this problem so that you know we wouldn't still encounter it, because my environment is a little bit unique. We have limitations around what we can implement from a security perspective, which makes which makes these findings a little bit more difficult. But that that's really interesting because you know what you're talking about is kind of a overarching control plane that is running on the cloud and you just tell that service, you know what you want to be using, what you want to do, what you want to be using, what you want to do, what you want to accomplish, and they figure out the most efficient way to get it done for you and really leverage their own internal skill sets to do that within whatever cloud provider makes the most sense. It's really interesting. I haven't thought about it like that before. Are you seeing that anywhere in the market right now?

Speaker 2:

No, to be honest, like what we see, we do see. You know multi-cloud environments and then everybody is using multi-cloud. They started to think about, you know, for example, security wise. You know, do we have like cross? You know cross-cloud communication and what's going on there and can one attacker move from one environment to another? So we see a lot of that. Also, you know I'm very much in the security domain, so I'm mostly seeing, you know, the concerns of security in these domains and less about the control plane, the applicative control plane. So it's hard to me, but I can say that we see more and more. You know every big company is now having a multi-cloud environment and an on-premise environment as well, and all of that needs to be managed.

Speaker 1:

Yeah, it's a really good point. It'll be interesting to see where the space goes, you know, in the near future, and I wonder if satellites will play a role in it. But you know, Shali, I really appreciate you coming on the podcast. I really enjoyed our conversation.

Speaker 2:

Me too. I really enjoyed it. Thank you for having me. It was a pleasure.

Speaker 1:

Yeah, absolutely. Well, you know, before I let you go, how about you tell my audience where they could find you if they wanted to reach out, where they could find your company if they want to learn more?

Speaker 2:

Yeah, so me, you know. Just Google Shauli Rosen S-H-A-U-L-I-R-O-Z-N. On LinkedIn I think I'm the only one, or at least I'm one of the ones that will surely pop up my company, armo armosecio, and also as important as my company is our open source project, which we almost didn't get a chance to talk about at all, which is called Cubescape, which is today one of the most prominent open source projects for Kubernetes security out there. It's an official Linux Foundation CNCF project. Hundreds of thousands of users, super successful and anyone who will contribute or use that. It's also a win for me and I really, really encourage you to try it out.

Speaker 1:

Yeah, absolutely. We'll have to have you back on to talk more about that project.

Speaker 2:

Yeah, we can do like 60 minutes on the open source itself and we talked about how did they get into security and how did they get to funding the company, how did they get into open source, and the open source journey as a whole is a fascinating journey on its own.

Speaker 1:

Yeah, absolutely, we'll figure that out and make that happen.

Speaker 2:

Yeah.

Speaker 1:

So thanks everyone. I hope you enjoyed this episode.

People on this episode