In this episode of the Security on Cloud Podcast, Mark McIntyre, Chief Security Advisor for Microsoft Azure, joins us and shares his hands-on experience helping Microsoft’s US government customers move confidently to the cloud while securing their legacy IT systems.
Questions and topics on this episode include:
- What are the driving forces behind organizations migrating to Microsoft Azure?
- What effect has the pandemic had on the speed of digital transformation regarding security?
- What do CISO teams need to think about in terms of defending an organization?
- What are the challenges and benefits that companies face with security as they move from a data center model to the cloud?
- What will be the impact of the President’s executive order on cybersecurity?
- Are CISOs understanding the power of cloud-based machine learning and automation in security?
Anitian’s partnership with Microsoft Azure reflects an ongoing digital transformation as businesses look to expand their cloud services. To learn how you can quickly and confidently protect and certify cloud workloads with the Anitian Compliance Automation Platform on Microsoft Azure, grab the Anitian & Microsoft Azure FedRAMP Solution Brief.
John Vecchi: Welcome, everybody. You’re listening to the Security on Cloud Podcast live on Anitian radio. I’m your host, John Vecchi.
Scott Emo: And I’m Scott Emo. You know, it seems that all you hear about these days is cloud and for good reason, the advantages, the scale, the cost savings. There’s even a top 15 cloud security podcast list that includes this Security on Cloud Podcast. I figure a little shameless self-promotion was in order for all that. Anyway, we thought it’d be a great idea to welcome a guest who literally works in the cloud.
John Vecchi: That’s right, Scott. There are many cloud providers out there, but why not talk about cloud security with one of the fastest-growing and largest cloud providers in the world, Microsoft Azure. With that, let’s welcome today’s guest.
He’s the Chief Security Advisor in Microsoft’s Security Solutions area. He supports US and allied governments’ information assurance and cybersecurity efforts by helping Chief Information Security Officers (CISOs) and mission teams modernize their security and compliance strategies, focusing on areas like zero trust, cloud-first identity, and Security Operations Center (SOC) operations. He helps companies and CISOs understand Microsoft’s perspectives on the evolving cyber threat landscape. He’s part of the Security Cooperation Program, which is Microsoft’s cyber threat information sharing program for global CERTs, and previously ran the Government Security Program, which is Microsoft’s global trust and transparency initiative for information assurance and national security bodies.
Prior to Microsoft, he spent years in the US government working on counter-terrorism, information operations, and regional security issues. Coming to us from Bellevue, Washington, it’s our pleasure to welcome Mark McIntyre to the Security on Cloud Podcast. Mark, welcome!
Mark McIntyre: Hey! Thanks very much. I really appreciate the opportunity and yes, I’m sort of in the clouds. I’m on the second floor of my house and it’s raining today. So, yes, good timing.
John Vecchi: I’m sure you guys need some rain up there! Scott and I have been plugging along on this podcast and we’ve always wanted to have one of the biggest cloud providers as our guests. We talk cloud all the time, so we’re really thrilled to have you with us today. We’ve got a lot to cover, but before we dive into the many topics we have, can you tell us just a little bit about what it is to be a Chief Security Advisor at Microsoft and Microsoft Azure?
Mark McIntyre: Sure. Well, as you said, I’ve been in the company just about 14 years and most of my time in the company has been spent supporting our federal government security and information assurance work. I’ve also supported efforts with NATO and Five Eyes and other close ally partnerships around the world. And I’m part of a team of global security advisors. I have peers in the United States, Canada, Japan, Australia, and throughout Europe — these are former CISOs of large organizations, Fortune 100 companies, things like that — and we work with our counterparts, our peers, chief information security officers, and their teams to help them understand where we’re going as a company, align roadmaps, lessons learned, and just look for ways to help modernize their security posture. So, it’s a pretty cool job.
I get to work with CISO teams around the US government and defense industrial base, advise them on our investment strategies and priorities, and, of course, to an extent, how we build these capabilities into our technologies. Just like Microsoft, even though these are high-threat organizations that are in the news a lot. We have been getting the questions more and more the last several years like, “Microsoft, how do you do this? You’re a huge company working around the world. How do you modernize your security?” Or, “How do you think about employee device policy?” or “How do you maintain that balance between productivity and security?” So our job is to have those types of discussions that we can then use to inform engineering leadership on the right investments that we need to make and make sure that we’re putting these capabilities into our products to help the government.
John Vecchi: Wow, that’s a big job. I’m going to shift gears a little bit because we’ve discussed on this podcast, how the COVID-19 pandemic has accelerated digital transformation for a number of different companies. And what we’re wondering is what are you seeing as the driving force for today’s organizations that are transforming and migrating to Azure?
Mark McIntyre: Well, there are obvious business benefits and cost benefits. Going to the cloud allows an organization to get out of the business of managing a lot of that traditional data center infrastructure and those systems and focus more on their core business or mission objectives. We’ve been doing this for almost 16 months now, and light is coming at the end of the tunnel. A few months into the pandemic, our CEO, Mr. Nadella, made a comment essentially that we’ve been forced to squeeze three years of digital transformation into three months.
Even the US government, where we saw the U.S. Department of Defense (DoD) and other organizations adopt telework pretty quickly and a very impressive effort that way, but the trends that we see around telework and around collecting and analyzing massive data, big data, device policy. These are trends that were already occurring, so I think the pandemic has just accelerated what was already happening anyway. Coming out the other side of it, it’s obvious we’re going to see more flexibility in the workforce. It obviously is going to continue to change the way that CISO teams have to think about defending their organization.
John Vecchi: It’s so true. And you mentioned that, for a lot of companies, we crammed a lot of transformation into a very short amount of time. For many companies, the pandemic forced them to focus on their mission, and in some cases, that was not only making sure to empower workers and their remote workers but maybe pivot to another market, which the cloud could empower, right? But of course, getting to the cloud, migrating to the cloud, and pursuing that mission can have its challenges.
You mentioned earlier that you talk to these CISOs and the companies about the roadmaps, some of the challenges, the common speed bumps that companies face, specifically with security, as they move from a data center-focused model to suddenly the cloud and everything’s very, very different. But do you see certain speed bumps that are big challenges for these CISOs as they move to the cloud, build applications in Azure, and seek that business mission?
Mark McIntyre: Sure. I see several, but in the interest of time, we can focus on a couple. First, let’s start with the good news. The cool thing is that even compared to five years ago, we’re not really having any discussions now about the security value or the efficacy of cloud. People just get it. Around the US government and DoD, even in the IC, you see an increasing focus on the acceptance of cloud-first, for example. It took us time to get there, but now the conversations aren’t, “Why should we do this?” Instead, it’s more “Help us do this.” So people get that value.
The key themes that I see are more around orchestration and execution. First and foremost — and this isn’t just the government, we see this globally — we must do a better job helping our customers understand roles and responsibilities. As you move from traditional on-premises, let’s say, all the way up into a SaaS, pure cloud environment, who owns what? What does the cloud provider do for you? What are their partners responsible for, say, if you’re working with more infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS).
There’s a funny graphic that anyone can look up online — whoever did it is a genius as it’s been copied many times — it’s the famous “pizza as a service” graphic. If you want a great way to visualize roles and responsibilities in the cloud — one that also makes you hungry — this is a brilliant “picture being a thousand words” model that’s just wicked marketing. But one thing that we emphasize a lot and are trying to do more of are these proactive tabletops so that we can be really clear as we’re working with a customer to migrate resources to the cloud — or if they’re creating net-new resources — we’ll do a walkthrough in tabletops. We can get really crisp on who owns what responsibility.
And the second area would be more around ownership or inventory. As you move into the cloud, what do you actually gain access to? What can you start consuming? I was on a call just yesterday with several defense industrial base members, several CISOs, and I was showing them just a quick 5-10 minute demo of our Azure Security Center offering. It’s a free offering, so there’s no blatant sales pitch. It’s essentially a built-in cloud posture configuration management and hygiene tool, designed to show you the health of your hybrid infrastructure. And this is no one’s fault, but none of the individuals I talked to had ever heard of it. They just weren’t aware that it was built in for them to use. So we, in the industry and our partners, have to do a better job of making sure that our customers and users know about some of these tools that are just built in to help them facilitate these migrations and become, hopefully, even more secure as they move more resources into the cloud.
John Vecchi: And a lot of that is just the expansive cloud-native toolset that’s there and that’s the power of it, right? They can literally swipe their credit card and stand these up. But if they don’t know they exist, especially development teams and security teams, I can see how that would just be a deer in the headlights as to “What do I do next?” or “What do I stand up next?” Is that safe to say?
Mark McIntyre: Definitely. We need to do a better job of making sure that partners and customers are aware of the capabilities. And I think, to your point, we also want to make sure that we know which customer — or stakeholder, business owner, risk owner, or whoever in the organization — should own that particular tool, or at least should be using it. Is it a compliance team? Is it a security team? Is it DevSecOps management? A lot of things for us to still work through. Believe it or not, this is still considered early days for the cloud.
John Vecchi: Interesting. Yeah, it’s true.
Scott Emo: Well, Mark, in your intro we heard that you worked a ton with the federal government side. I figure that you’re probably aware of the presidential executive order on cybersecurity. It seems like it’s going to be driving a lot of direction and help in cybersecurity. Do you have any thoughts about that executive order (EO) and what that includes or where you think that might drive us?
Mark McIntyre: What executive order? Never heard of it. No, I’m just kidding! I knew that we were not going to get through today without talking about it.
Scott Emo: Yeah, it’s a big deal!
Mark McIntyre: That’s right. And I think it’s a great step forward. First of all, just a disclaimer, I am speaking sort of personally not necessarily on behalf of my company, although we certainly are working aggressively to make sure that we educate our customers and partners about our perspective on it and such.
I certainly read the executive order several times and I have three takeaways. First, it’s definitely long overdue and very much welcomed. For any sort of a security strategy or policy or program to work, you must have top-down management support attention, and the language in the executive order certainly suggests that we’re going to see more rigor and a more thoughtful approach around proactive security. And maybe even a little more of a hammer coming down, which is great, particularly around things like supply chain, software integrity, etc.
And of course, some of the really upfront languages in the EO were around zero trust and modernizing identity and cloud-first approaches. I think those are definitely the right ways to go. As future guidance comes out from the Cybersecurity and Infrastructure Security Agency (CISA) around some of the terminology and expectations, it will be interesting to see how it evolves, particularly around the contractor ecosystem.
One last thing I want to focus on quickly, given my background, is information sharing. Public-private information sharing is always a tough one. In my company, I have a long history of facilitating these types of arrangements with the US government and CERTs around the world. It works. Or, I should say that when it works, it works great.
However, I really want to caution that this should not be seen as a substitute or a panacea. It should not substitute for, let’s say, the hard work of doing the hygiene and modernizing your strategies and operations. It certainly has a role and it’s a great chance for us to work together in a more cohesive way, but it’s not a panacea for doing that real hard work and making the commitment to modernize.
John Vecchi: Yeah. And further to that, we saw the suggestion around the ransomware with some of these attacks relative to the Biden administration talking about that kind of information sharing, specifically given all the ransomware attacks we’ve had. How realistic is it? Like the executive order, anyone who has spent a lot of time in cybersecurity welcomes this, but that doesn’t mean we haven’t seen efforts like this in the past that potentially didn’t go too far. This one has some teeth to it. But specific to that, even on the side of ransomware, what do you think when you see those kinds of requests? Is it realistic? Could it happen? Is it hard? Is it possible? Is it somewhere in between?
Mark McIntyre: Well, like anything, it’ll probably depend on how the final rules and regulations shape out and get published. Obviously, there’s a certain reporting cadence or reporting deadlines from CISA, the next several months, I believe. But I think it’s a great first step in that we should be more assertive. The government should be more assertive about creating expectations around transparency and such. It’s understandable. I mean, in a sense, it’s okay to be probed and attacked. I mean, that just happens, right? The real question is, how do you respond to it and how do you maintain the trust within your constituents, especially in critical infrastructure? How do you show your customers and your partners that you are doing the needful, that you are taking this seriously? And maybe, if it takes some accountability around reporting, then I think that’s a great step forward.
John Vecchi: Yeah. Of course, we can assume that part of the reason for this executive order was to help articulate a strategy for not only the government side and the DoD side leveraging cloud service providers and independent software vendors technology but also as a model for private companies to deploy. You mentioned it before, but a big piece of the executive order — and of course, we love to see this — mentions automation in that cloud-first strategy which is just fantastic. And it also talks a lot about the zero trust side and speaking from an Anitian perspective, obviously where we’re working very closely with Microsoft and Azure is to automate that environment that the application lives in and create the zero trust environment. As you talk to these companies who are moving to the cloud and having some of these challenges, and then they see the executive order where it says “Zero trust… Zero trust… Automation… Cloud first” and all these practices, what are you and the Microsoft Azure team saying to those companies about ways you can help them with things like that?
Mark McIntyre: That’s a great point. We have been investing heavily in zero trust and automation internally in terms of how we protect our own environment, and this predates the pandemic by several years. Almost without exception, the majority of my discussions during this pandemic have been on zero trust and on modernizing security operations through automation. Not a day goes by where I don’t have at least one or two partner or customer-facing conversations about it or internal sessions with my colleagues. Talking about how we’ve been doing it internally gives us a chance to break bread with our federal partners, walk through some lessons, learn use cases, things like that.
We’ve also created an extensive library of content around zero trust: deployment centers, dedicated websites, reference architectures, workshop materials. I collaborated with a colleague in Azure on a six-part blog series on implementing zero trust for federal systems. We mapped the so-called “pillars” — Microsoft has a six-pillar approach — to NIST and to TIC 3.0, which actually predates NIST finalizing the 800-207 zero trust document. So we will keep pushing out more updated guidance.
Automation, I’m glad you mentioned this, especially if you think about the talent shortage that we hear about in security. As my former boss, Ann Johnson, used to call it: analyst fatigue, SecOps fatigue. So, you have this going on at the same time that you have this explosion of device usage and data and so, increasingly, our customers are going to have two choices: (1) they can buy infrastructure or (2) they can run their business. You won’t be able to do both.
This is a great chance where we, Microsoft and Anitian, can work together to deliver these cloud-powered, cloud-native automated solutions. It’s a way to help machines and cloud do that first level, the tier one type security compliance work, that frees up resources and the humans, like the SecOps teams and such, so they can actually do the higher-level response work and intermediation.
John Vecchi: One of the things we tout as automation is to let the code do the work that, when done manually, can cause trouble. As we look at the statistics of cloud breaches, the overwhelming majority of them are the result of misconfigurations in the cloud, which oftentimes come back to manual work because we’re human and we make mistakes. When you talk to CISOs, are you seeing that they understand the power of letting machines do a lot of this, relative to keeping them even more secure? Is that safe to assume? And for our listeners as well, that CISOs are understanding that?
Mark McIntyre: Yes, I hesitated a little bit because, coming from the federal government where I spent 11 years of my career in the intel community, it does differ a bit between some of the DoD IC customers and, say, more federal civilian, typically around understanding, for example, the threat actors. But by and large, yes, I think more and more organizations understand that automation is a great opportunity for them to let machines and the cloud do that 90-something percent of that work so they can focus their people on the higher-level learning.
I think that the issue is more making them comfortable with the idea that this is not an “all or nothing.” We’re not forcing anyone into the cloud tomorrow; you go at your pace and go where it makes sense. It’s also a great chance to save some money and budget to show that you can modernize while also being responsible for your budget. This is a great way to show a CIO or CTO or oversight committees, whoever, that you’re modernizing and are making a difference because there are certainly numbers that back that up and therefore you can sort of feed that itself I think.
Scott Emo: In the executive order there was also a lot of talk about FedRAMP. At Anitian, we’re seeing a lot more demand for FedRAMP because it’s a $250 billion federal market for SaaS companies to sell into. So, from our perspective, it’s exploding. Are you seeing more of a demand from the Azure side for FedRAMP and FedRAMP onboarding for your customers?
Mark McIntyre: Oh, certainly. Just in my own personal experience, I had I think three calls last week with ISVs looking to expand in the federal market. One case was a healthcare solution company and some of their federal healthcare-related organizations are essentially telling them, “We need you to come into FedRAMP”. So they’re definitely being faced with requirements. Unfortunately, this is a long, expensive, tedious process and they just don’t have the experience going through the process. It’s certainly not a process that we would recommend for the faint of heart. Well, at least for an ISV or an organization to do on their own for the first time. We really lean on partners such as Anitian to help get these organizations through this process and get them compliant. We’ll continue to update our documentation and capabilities to do all we can to enable our partners to accelerate this process as well.
John Vecchi: When you look at FedRAMP, it’s a very high threshold and a very secure standard. We tell people, “Once you become compliant and certified on the FedRAMP side, you’re in pretty good shape for most things that come your way.” With our customers, we refer to it as “ready once, audit many.” In other words, if you’re ready for FedRAMP, most of the other mandates that might come to you from an audit perspective, compliance perspective, or security perspective, well, FedRAMP will probably overshadow those, which is a positive thing.
And in fact, we’re now bringing our automation into the general commercial DevSecOps space to not only help companies just become FedRAMP compliant but say, “Look, use this in your commercial environment”. We use this term we call FedRAMP proven security, so one of the questions that I have is when you look at FedRAMP and then you look at the executive order and the way that it refers to FedRAMP, what do you see? What do you see as FedRAMP’s future? Could it become kind of a de facto standard generally for the commercial side? Is that even plausible?
Mark McIntyre: Well, I appreciate your comment because I was going to mention “measure twice, cut once,” but you’re right. It’s sort of a two-for-one if you’re willing to go through that process. I guess first let’s see what happens to the executive order. In general, we should support any effort that lays out baseline standards and goals. And hopefully, as I mentioned earlier, with some muscle or teeth and accountability. We’re hard at work delivering templates, baseline security configuration, assessment services, scoring tools, and anything that we can do to help our partners and help government security teams deploy new systems or migrate systems that are compliant against a given standard. And then, of course, use automation and data to track in real time configuration drift and naturally incoming threats.
I think what’s interesting is that you have FedRAMP, the cybersecurity maturity model certification, and the new executive order. I’m not a lawyer or a compliance expert, but I think in some way the logical conclusion is that we’re just seeing steady progress toward more proactive expectations and rigor around supply chain. I think that’s important. And I get questions from governments maybe East Asia or Europe, looking at CMMC and FedRAMP thinking, “Is this something that’s going to affect us?” or “Is it something that we could mimic in our country?”
I think that CMMC is a good example; it might be DoD-focused, but we have every reason to expect that a FedRAMP or CMMC type regime will make its way into state and local governments, education, other critical infrastructure, and elsewhere. It just makes sense and I think it’s the right step.
John Vecchi: And we’ve got StateRAMP, so now you see FedRAMP coming into the state and we see something similar. It’s fascinating. I really appreciate your thoughts on that. Mark, we could talk to you all day and it feels like we just touched the tip of the iceberg here in this discussion. We really appreciate having you with us today so thank you so much for joining us. Oftentimes we have listeners who want to reach out or get in touch. If any of our customers want to get in touch with you in any way, where should they go?
About Our Guest
Mark McIntyre – Senior Director, Security Solutions Area
Mark McIntyre is a Chief Security Advisor in Microsoft’s Security Solutions Area. Mark supports US and allied governments’ information assurance and cybersecurity efforts by helping CISO and mission teams modernize their security, compliance, and identity strategies and investments. Focusing on areas like Zero Trust, cloud-first identity, and SOC operations, Mark helps CISOs understand Microsoft’s perspectives on the evolving cyber threat landscape and how Microsoft defends its enterprise, employees, and users around the world. Mark is based in Bellevue, WA.