In this special in-person episode of Modern Cyber, recorded at fwd:cloudsec Europe, Jeremy is joined by cloud security expert and conference organizer Chris Farris. Drawing on his over 30 years in IT, Chris recounts his journey into cloud security, from his early days with Linux to moving video archives to AWS S3. The conversation revisits the foundational mindset shifts that occurred with the rise of the cloud, focusing on the agility it brought and the security gaps it created, such as the transition from rigid, on-premises governance to the chaotic freedom of API calls and ClickOps.
The core of the episode explores the concept of the Sovereign Cloud, specifically Amazon's intended European Sovereign Cloud. Chris clarifies that simple data residency is not true sovereignty due to the US Cloud Act. He details the unique nature of the European partition—a completely separate partition, billing system, and support staff operated only by EU citizens—and identifies the primary flaw: the lack of a legal statute protecting the European employees from being compelled to act under the Cloud Act. Finally, Chris shares a powerful reflection on the fwd:cloudsec community, calling it a "second cloud family".
Guest Bio
Chris Farris is a highly experienced IT professional with a career spanning over 25 years. During this time, he has focused on various areas, including Linux, networking, and security. For the past eight years, he has been deeply involved in public cloud and public-cloud security in media and entertainment, leveraging his expertise to build and evolve multiple cloud security programs.
Chris is passionate about enabling the broader security team’s objectives of secure design, incident response, and vulnerability management. He has developed cloud security standards and baselines to provide risk-based guidance to development and operations teams. As a practitioner, he has architected and implemented numerous serverless and traditional cloud applications, focusing on deployment, security, operations, and financial modeling.
He is one of the organizers of the fwd:cloudsec conference and has presented at various AWS conferences and BSides events. He was named one of the inaugural AWS Security Heroes. Chris shares his insights on security and technology on social media platforms like Bluesky and Mastodon and on his website chrisfarris.com.
Episode Links
https://fwdcloudsec.org/forum/
Welcome back to another episode of Modern Cyber. I am again super excited to be recording on the sidelines of fwd:cloudsec, this time the European edition. We had some great conversations earlier this year at the US edition in Denver, and I got an opportunity to sit down with one of the conference organizers, Chris Farris. Chris, thank you so much for taking the time to join us. Oh, thank you.
Um, yeah. So I've actually been an organizer of both fwd:cloudsec Europe and the US version pretty much from the beginning. Yeah. In twenty twenty, when we were like, hey, let's go do something attached to AWS re:Inforce. And then, well, twenty twenty happened, and we kicked off with, you know, I ran the conference program, so selection of speakers and CFP for our event in Salt Lake City, and then kind of took on the logistical role when we moved to Houston and then quickly pivoted out of Houston to follow AWS to Boston. Yeah. From Boston, we went to Anaheim, Anaheim to Arlington. This year we were in, uh, Denver. That was the United States. And then right after, um, Anaheim, we were like, we should do one of these over here in Europe. Um, but this is the second year, right? This is the second year. Yep.
So the idea of Europe came about, uh, at our Anaheim event. Okay. One of the things about fwd:cloudsec is we want to be highly accessible to anyone in the cloud security community who wants to get involved. And, you know, for anybody in Europe, flying to the United States, even two, three years ago, was an expensive, time-consuming effort. It was possible when we had our event tied to a larger event, but we knew we wanted to move and become independent from AWS re:Inforce, mainly because we didn't know an AWS re:Inforce was going to happen. So it was always wait till AWS announces, scramble to find a venue, and then get sponsors and everything else. Yeah, yeah. We'll go into a little bit more of the conference history, but, you know, we haven't really introduced you and your background, and Bernie. Yeah. So, well, I mean, I guess that is my background, right? I'm one of the organizers of fwd:cloudsec. Um, yeah. I've been in IT for thirty years now, which is kind of shocking. Yeah, right. Running Linux on floppy disks and walking back to the dorm from the computer lab to install SLS Linux. Um, you know, I got into cloud basically through my work at CNN, moving their video archives into S3 and everything else. And when an opportunity to join the security team at Turner came along, that was like, cool. Um, and that was twenty seventeen, when we didn't really know what the heck cloud security was. We barely knew what cloud was. Yeah. Um, and there were lots of very, you know, crazy documents and architectures that were great on paper, but nobody was doing it in practice. Yeah. So that's kind of actually when we first met. Yeah. Right. Yeah. Uh, your former company, my former company, we, uh, you know, started figuring out what does practical cloud security look like for companies that weren't Netflix or banks or everything else?
Yeah, I mean, a lot of companies, to your point, very few companies had really invested in the kind of levels of automation or levels of deep cloud understanding that a Netflix had at that time. And so I think a lot of companies were going through figuring out what is this thing, like, what do we do in cloud security that is different from all the security that we've done up until now? Well, actually, it was even a step back from that. It was what do we do in cloud, and how was cloud actually different from our on-prem infrastructure days? Yeah. You know, it used to be that, you know, to do anything in IT, it was a long, drawn-out process that involved a lot of management because you had to go get money, buy servers, ship servers, pay bills, and all of that. We moved to the cloud and suddenly it's like, oh, developer needs a server. Okay, well, that's an API call. Oh, I need storage. That's an API call. Oh, I need to bypass the firewall and open up my Windows machine on thirty three eighty nine to the world. Oh, that's an API call. Yeah, yeah. So that was really sort of the first phase of it: developers going in and making everything chaotic, and then security caught up to it with a, oh, hey, we've done all of this. We should probably fix that. Yeah, yeah. Um, and then, you know, all of the advice was, oh, make sure everything's encrypted. Yeah. And that was not really where the threats were coming from. The threats were coming from developers putting thirty three hundred eighty nine open to the world on a Windows box on the internet. Yeah. Uh, by the way, the only thing I would argue with, uh, what you said is, I think for a lot of companies that was a ClickOps operation as opposed to an API call to spin up an EC2 instance or change the security group or whatever. But fair enough. Yeah. I mean, behind the ClickOps is an API call, but yes, it's simply trivial then and not the. Yeah. Yes.
Hey, all that governance, all of that effort, all of that paperwork, to your point, like, that governance or that lack of governance was such a mindset shift for organizations where previously, as you said, you know, if I went through a request to get a server or something, all these governance checks were in a way built into the approval process and the deployment process, and, you know, the people who were requesting the server were not the same people who were putting the server online in most instances. So the people putting the server online, they had all the rules around how that server would manifest and would be available. And now all of a sudden, Chris, the developer, gets a server. Actually, I was the sysadmin who was being told by the developers, we need a server. And then I was going and asking the data center people to go rack it for me, so I missed that. Yeah, I'm actually more on the infrastructure side than the developer side, but what I think changed with all of that was suddenly now I didn't need all of those things. I could move faster. Yeah, that was the value prop back in twenty seventeen. For the business to move to the cloud is, yeah, we could just move faster. Yeah. The problem was, we moved fast and we broke things and we didn't really know what we were necessarily doing.
I'm curious to get your opinion on something, because I had a very strong opinion that I think was not super widely shared. I actually thought maybe even more important than the ability to move fast was the ability to change your initial opinion. And let me explain what I mean by that. So I request a server. I tell you how much RAM, CPU, hard drive space, blah blah blah blah blah. When three days from now I realize that I made a mistake on the specs that I requested, if I had gone through a physical server procurement process for that, that's on me and, like, I'm too embarrassed to admit it. And I've got to go to my boss and explain, oh crap, I made a mistake. We need to go and ask for more money. Yep. I always told people, like, the flexibility is potentially more important than the agility or the speed. Well, it's a different kind of, it's speed, you know, um, it's speed, but it's a speed in a correction fashion rather than an initial rollout. Fair enough. Yeah, fashion. Um, my first re:Invent was twenty fourteen. Um, the year they rolled out, uh, AWS Lambda. And I remember it was after the Skrillex concert. It was Friday morning. I was, you know, Vegas hungover from the dryness and hungover from the alcohol. And my ears were still ringing from the crazy dubstep stuff. Yeah. And I just was like, huh? I want to go sit in this CloudFormation thing. I don't know what this is, but it sounds interesting. Yeah. And the one example that the person giving this three or four hundred level talk on CloudFormation gave me was, oh, look, here's how you can do VPC peering. And it's just this, like, simple bit of sixteen lines of JSON that declaratively said, this network can talk to this network. Yeah. And I had spent six months getting an engineer to get the right kind of fiber and fiber optics and everything else, to run from one side of a terminal gear room at CNN Center to the other side.
And it was like six months of, oh, well, we don't have the right optics. Oh, we don't have this. Oh, well, you know, I had to do this other change. And so every time we'd go into the project meeting, it's like, have we gotten this connection hooked up? Yeah. And then I realized that I could replace that engineer and all of those problems with sixteen lines of JSON. Yeah. Um, and then, like, four weeks, five weeks later, it turned into YAML and it shrunk from sixteen lines to, like, five. Sure. Um, but that was my aha moment with, this is why the cloud is so cool. Yeah. Um, because we had just started going down the whole internet. It wasn't even called infrastructure as code. I forget what the original Chef/Puppet kind of thing was, but, you know, we were just starting to roll out declarative Chef cookbooks for all of our applications. So, so yeah, that was sort of our thing. And then, yes, you came in with our first, uh, you know, useful CSPM tool. Thank you. Um, that allowed us to, you know, even back then, you were probably one of the first ones to really even go down the whole auto-remediation route. Right? Yes, because that was our big differentiation point in those days. And I think there was a ton of value in it. It's so funny.
I mean, you know, we're probably about ten minutes going down memory lane here at the beginning of the conversation. But I think one of the things that I learned out of that process was automated remediation for a lot of organizations was a desired end state, but not reflective of where they were reality-wise. So many organizations, if you just think about that procurement process that we described, that procurement process was paralleled in their remediation process. So if you try to take a shortcut to the end state of having fixed the problem organizationally, they weren't ready for that. Correct. In many states eight years later, they're still not. Right? You know, I think you're right. I coined Farris's three laws of auto-remediation. It's like, you know, a bot should, uh, must never impact production or stateful resources. Okay. A bot must act with utmost haste, because the longer the misconfiguration lives in an environment, the more structural it becomes. And then the third law is, you know, a bot must tell a carbon-based life form what it did and why. Because, you know, to your point, right? We brought you in to actually solve FinOps problems, not even necessarily security problems. Right? I remember that nothing was being tagged and we didn't know who was spending what money. Yeah, yeah. So you came in to solve our tagging and FinOps problems. And so one of the rules was, hey, uh, you know, if these systems aren't properly tagged, they get stopped. Well, my firewall guy was trying to test this Palo Alto thing in one of our sandboxes where your product was rolled out. And so he would spin it up and then it would automatically get stopped. And so he would deploy it again and it would automatically get stopped. So I come in one morning and there's like sixteen very large stopped instances. Um, and then, you know, around ten a.m., after coffee, he wanders over and was like, so I can't get this firewall thing to work.
And I'm like, yeah, because, like, you didn't tag it. Yeah, yeah. But he didn't know. Yeah. He didn't tag it properly. And I think he might have even tried to tag it, but it was one of those things where it was, oh, production is supposed to be all lowercase, and he used a capital P or something along those lines. Right. You know, env or environment, you know. Yeah. Um, so many different. So if he had just gotten a Slack message saying, hey, saw you tried to spin up this instance, it wasn't tagged appropriately, so we stopped it. Yeah. Um, that would have immediately circled it. So law three actually came straight out of experience, straight out of that experience with the product.
I seem to remember you guys also had a thing where, um, for every unattached EBS volume that somebody found, archived, and then killed, and that actually saved you money, somebody got a case of Red Bull or something like that. I don't remember that. But yeah. Um, I think that was a Jeff Hyatt thing. Maybe, could have been. Yes. Um, a case of Red Bull for an EBS volume because, I mean, I think the volume is going to cost more than the case over the course of a month. Uh, probably over the course of a year, maybe. Yeah. Fair enough. You know, I mean, that's thirty cents a gig. Yeah. Um, but, you know, I mean, I've walked into environments where, you know, the CSPM tool will fall over dead on just the number of snapshots that were in there. Yeah. You know, half a million snapshots. Yeah. Um, and actually, this was at a subsequent company that was also using the same product. Um, yeah, it was failing to even enumerate that account because there were five hundred thousand, uh, snapshots in that account. We had a customer who hit the, what I call the Gangnam Style integer limit. I don't know if you remember that. You may remember at one point YouTube had to change its storage for the number of views because it was an int thirty-two, and Gangnam Style was the first video that hit that limit. And we got a note from a customer who said, hey, I think you guys aren't updating the S3 bucket object count because it's been at the same number for a few days now, and we know that more objects have been written into the bucket. And then I went and found the article about this, and I copy-pasted that exact number, which I remember being like two point three billion or something, and I gave it to him and I said, is the number of objects in the bucket exactly this number? And they're like, how did you know? I felt bizarre. Thirty two. Yeah, thirty two bits of thirty two. Um, anyway, we could go down memory lane for a long time here, Chris.
But I want to talk about a different subject that's come up here at fwd:cloudsec Europe a couple of times. And that is this concept of a sovereign cloud. And I know a lot of people are kind of hearing this being bandied about, especially in an age of, let's call it geopolitical uncertainty, to use a euphemism. Fair enough. Yeah, yeah, old alliances are dying and new ones are struggling to form yet. Fair enough. What? First of all, like, you know, from your perspective, not taking what the vendors in the space, not taking what the CSPs are claiming it to be, from your perspective, what is important to understand about what sovereign cloud either is or should be?
So I think the first piece is, right, what kind of sovereignty are we talking about? So Amazon and AWS, and AWS expert. So, you know, these other concepts exist slightly in the other clouds, but I'm going to mostly stick to AWS. Okay. You know, they'll talk about data residency and data sovereignty. And that is, if I drop a piece of data in EU central one, okay, Frankfurt, Germany, that under no circumstances, unless I make an action, does that data get copied to any other jurisdiction. Okay. Um, you know, there's a few things around metadata and billing where they might copy the data to, uh, Virginia if it's part of billing. But, you know, if I put, you know, information about my customer and I drop it in an S3 bucket in EU central one or EU East one, it's never going to end up in the United States unless I explicitly choose to copy it there. And that's been a data sovereignty principle, a data residency principle, that's existed since the beginning of AWS. Yeah.
Um, but there are other issues with, uh, the cloud, and especially as, um, more and more folks have rolled out and done more and more with American cloud providers. You know, the American government's been like, well, you know, we are going to protect ourselves regardless of the privacy concerns of any other citizen or nation. And so they passed this thing called the US Cloud Act, uh, many, many years ago. And the objective behind the Cloud Act is, it doesn't matter where in the world the data is. If you are an American company and we present you with a proper legal thing, you are compelled to hand us that data. Yep. So in theory, yes, I can put some data into EU central one and know that it will always remain in EU central one, unless this very special subpoena comes in from, you know, some three-letter agency in the US government that says, Amazon, give us that data. Now there's been some protection. There are ways on the customer side of shared responsibility that you can sort of protect that, right? Yeah. You could always own your own key. You could always own your own key. You can have encryption. You can monitor to see if that key is ever particularly used. But let's face it, you know, that's not something that any customer is really going to be doing, is like looking for a particular decrypt and then matching it up with every other authorized decrypt to find that one decrypt that was done at the behest of some three-letter agency. Okay. So that was, like, not really feasible and viable.
Well, US or other governments have wanted to leverage the power of the cloud because, let's face it, you know, the world moves a lot faster than governments can, and they need to be able to move quickly and procure things. So we have things like GovCloud in the United States, there are the isolated partitions that have been around for twelve, thirteen years now. Yeah. Uh, basically they were created for the Central Intelligence Agency. Yeah. Um, you know, and this is not secret or anything else. Yeah. I see. So, yeah, you can probably even find buried in Boto3 the, you know, partition names for the, uh, isolated clouds. Um, I think the UK has its own sort of GovCloud piece that's similarly isolated. But at the end of the day, right, all of that data is still going back in some way, shape, or form from a billing perspective to Northern Virginia, which is like home to the CIA and very close to the NSA and all of that. So if you're a foreign government and you want to maintain your sovereignty, Amazon really wasn't an option. Um, and really, neither was Azure and GCP. So what started happening about two to three years ago, I really started seeing this push, and it came out of a Google Next and Microsoft Ignite. This talk of having, like, European companies running a version of Azure, or running a version of, actually it wasn't Azure, it was Oracle and Google. So you would have something like T-Systems that would license the Oracle OCI source code and go and throw it into. And so you would have this sovereign cloud in that it was run by a German company, but it was at least mildly API compatible to a different Oracle. So if you were trying to do something in, say, Indonesia and, you know, France and Germany, you might be in three different clouds, but at least you're in three different clouds that mostly look the same. Yeah. Um, and that was kind of that first iteration of sovereign cloud.
Um, and so that was both sovereign from all of the bits stayed within a particular border, but also sovereign in the fact that it was operated by a company that was beholden to that jurisdiction, not to the United States.
Just to play devil's advocate for a second. Right. I mean, international law enforcement agencies exist and international law enforcement agreements exist. So I'm in a sovereign cloud. I'm in Europe, I'm in Asia, whatever. I mean, there is Interpol. You know, if an agency really has a legitimate claim to subpoena my data, the fact that I'm in a sovereign cloud in another territory, if, you know, for some reason my company or my data has been implicated in a crime, whether it happened in the US or some other jurisdiction, like, that data sovereignty is still no guarantee of keeping my data away from a legitimate government request. Correct. But the country where the data resides has the ability to say, yes, this is a legitimate subpoena and we're going to share this data, or no, this is an abusive, you know, prosecutorial power, and we're not. Um, whereas with the US Cloud Act, it's entirely the US government's choice, and the governments where the data resides or where the subjects are citizens of have no say. So in effect, we've just introduced one more decision-making authority into that chain, into that request chain, so to speak. So if you have a legitimate criminal enterprise that's engaging in, you know, human trafficking or crypto theft or, you know, ransoming hotels, yes, the US government can pick up the phone and call any other reasonably friendly government that's not also profiting off of that cybercrime and say, hey, we need to know what this data is about. And that process has existed. Those mutual legal assistance treaties already all exist. Okay. Okay. But what the Cloud Act brought in was, I don't want to use an MLAT. I just want to have that data. Okay. Give me that data without actually having to talk to any other government. Okay. Um, and that was, you know, I mean, basically the US is big and powerful and can kind of bully its own companies in that fashion.
So, okay, so this topic has come up here at this event in particular. And, you know, it was two years ago, Amazon announced the intended creation of the European sovereign cloud. It is not live yet. Right. It is not yet live. Again, they're talking end of twenty twenty five. Okay. Um, you know, it will have, generally, and this is public information, right, general feature parity with, um, the main commercial partition. Uh. So, yeah. So right now, everybody pretty much is operating in what we'll call the commercial partition. They are building a completely separate partition. This is not unlike what they've actually done in China. Yeah. Building out, because they have licensed the source code to AWS to two different Chinese firms. And these two different Chinese firms operate two different Chinese partitions. Right. According to the laws of China, manifest as, like, the two AWS China regions. Right. Which China partitions? They're not just the regions. I think it's a completely, give me the nuance because I'm not. So a partition is, so in a region, right, I create an IAM role and that's available in all of the regions, okay. In a partition, that IAM role, those global services like Route 53, they don't exist in the other partitions. Okay, so what you're saying is that, like, a partition may contain regions, but it doesn't go into regions that are not part of that partition. Correct? Okay. So there is no way for me to have an IAM user that I create in US East one that's also going to work in China, or in European sovereign cloud, or in even GovCloud. Right. Um, GovCloud's kind of special because it was the first partition they spun out. So there's like a billing link, okay, between the commercial partition and the GovCloud partition. But an IAM role in the commercial partition has no power at all in the GovCloud partition. It's not even visible in the China partition. Yeah.
So what they're building with European sovereign cloud is a completely separate billing system. Yeah. Um, with completely separate support, completely separate, your enterprise discounts, yeah, probably won't even apply, um, in European sovereign cloud. Or if you have a contract that includes both, you'll have billing discounts. You will get two separate invoices because the billing information from the European sovereign cloud doesn't go to Virginia, it will stay in Brandenburg. And I've heard the argument that, um, billing information is not sensitive data. It shouldn't actually matter. But I've also heard the counterargument that, well, part of my billing information, you know how much data I have, you know how much compute I'm consuming. And from that, you can actually imply a lot about my business. So there's actually, I don't know if it's a joke or not, but there's a, uh, story around the Gulf War in the nineties where people figured out that Kuwait was getting invaded by Iraq based on the fact that the number of pizzas that were getting ordered around the Pentagon spiked. Uh, the pizza index, the pizza delivery index, PDI, yes, it's a real thing. So it's a real thing. So yeah. Those kind of weak signals around. Mm. Lots of pizzas getting delivered around Langley and the Pentagon. Yeah. Something is happening. Right. Yeah. Oh, hey, look, you know. Yeah. Ireland's, you know, bill for their sovereign cloud has spiked. What is Ireland up to? Right. You know, and then you, oh well, it's a bunch of S3 stuff, or, oh well, now they're using a bunch of AWS Bedrock. So now what's Ireland up to? Yeah. Sort of thing. So that level of, you know, even the billing things could be used in a, you know, nation-state espionage way, um, to grant some more information.
But the other thing is, like, you know, if you're doing anything with AWS billing, you probably also have tags, and the tags themselves can contain sensitive information. Yeah. So I don't want the tagging data. I don't want the names of my IAM users, or the names of my S3 buckets are interesting because they're a global namespace. But, um, you know, any of the names of my resources, any of the metadata-level namespace or partition namespace. Ah, so that's an interesting one. Yes. When the European sovereign cloud opens, it will be a completely separate S3 bucket namespace. So I could have duplicate bucket names, one in US East. Correct. European sovereign cloud region ABC. Yep. So if you have, and which is also interesting because when you think about how S3 website hosting works, right, the bucket name has to be the same as that website. So if I, you know, had, and I've squatted on a number of buckets at previous jobs where it's like, oh, well, let me make sure I own CNN.com as a bucket name. Right now you have to go and squat all those buckets in the sovereign cloud. Yeah. Because otherwise a threat actor will have it. And the interesting thing about sovereign cloud, yeah, is you don't have to be in Europe or a European citizen or a European company to open an account in the sovereign cloud. Oh, that anybody will be able to open an account in the sovereign cloud. And that is definitely different from the other partitions, because GovCloud and China, you have to, you know, submit documentary evidence. China's partition, you definitely have to prove you have a Chinese entity. Yep. Um, GovCloud is a little bit looser. Um, I don't even think there's a citizenship requirement, but you either have to be one of the approved agencies or invited by one of the approved agencies in order to get access, as my understanding, I could be wrong. Yeah, I thought it was possible.
I thought it was fairly easy for vendors, you know, like the one you used to work for, to go and flip on GovCloud to be able to test their stuff in GovCloud. Um, I have never actually checked the box for GovCloud, um, in any of my test organizations. Yeah. Um, but my understanding was, it's easier to get into GovCloud. China is difficult. Um, but this new partition will be available globally. And this is the first kind of, quote unquote, sovereign cloud being created basically by any of the big three. And, you know, maybe the other two or three behind them you could kind of include into the mix, but, you know, between Amazon, Microsoft, Google and then Oracle, IBM or whatever kind of following behind, this is the first real kind of sovereign cloud initiative from one of the big cloud providers, right, that's not a white label of, like, the Oracle, like right now, or. Well, yeah. Oracle, uh, China and AWS, or Oracle and T-Systems. Right. You know, those are the kind of white labeling of it. This is an Amazon subsidiary that is operating Amazon code. Um, they have committed publicly that it will only be operated and manned by European citizens physically present in the EU. Okay. So even if you were, you know, an employee and you flew to re:Invent, you would not have access while you were at re:Invent. You would have to be inside the EU because, again, right, you want to make sure that these people are acting in the best interests of Europe and the countries where they reside.
I would argue in the US best interest even. It's really under the guidelines and the kind of the regulations, the decision-making regulations of. So that now becomes the biggest flaw that I have heard about sovereign, the European sovereign cloud of AWS, which is, look, the Cloud Act can still compel Amazon to tell a European sovereign cloud employee to give us particular amounts of data. And there is no law that I am aware of in Europe that would basically tell a European citizen working for an American, a subsidiary of an American company, that says if you are instructed to produce information under the Cloud Act, you are legally prohibited from doing that according to our laws. Interesting. Um, and that's the piece, the protection that is missing, is a way for the employee of European Sovereign Cloud to say, sorry, Seattle, I know you asked me to do this, but I am legally prohibited from doing this, so, no. Yeah. Um, and at that point now you have created a reasonable protection that the European sovereign cloud is, in fact, sovereign. Yeah. Um, otherwise, it's like, you know. Yes. You know, do this or we fire you. Yeah, yeah. Um, and, you know, you can then take it one step further and be like, okay, Europe, or okay, European sovereign cloud employee who's being compelled to do this under the Cloud Act, you're legally prohibited from doing this. And, oh, by the way, they're legally prohibited from firing you. Yeah, for not doing it. For not complying. Yeah. So now you've basically locked European sovereign cloud into actually being sovereign by protecting the employees and prohibiting the employees from acting against the best interests of the European sovereign cloud customers.
I guess I might argue that having a control that prohibits them from asking in the first place would be a better protection, because it prevents the employee from even having to ask themselves, do I feel like I have the right to stand up and say no to this request? Or do I still feel some level of, you know, organizational pressure? The fact of the matter is, the way the Cloud Act is written is the US government can tell Andy Jassy, you will instruct your people to give us this data. And so what we need is that, like, European blocking statute that basically says they can ask for it all day long and they can threaten you with firing, but they cannot fire you, and you are legally prohibited from giving them that data. But, and that still allows all the mutual legal assistance treaties to work, because it's only Seattle telling European Sovereign Cloud, hey, give us this data. If the BSI, if the French government, if, you know, whatever else in the local country say, hey, you know, I would like you to provide this data and it is requested by the European jurisdictions, yeah, and then that ends up back in the United States for law enforcement purposes, that's fine, because then it's Europe getting to decide what data crosses back over the Atlantic, not the US. Gotcha.
By the way, it's KRP in Finland, if that's who you're asking. No, no, I was trying to come up with another, and I didn't want to bring in the UK because I knew that MI5 and MI6 and all of that, but they're not in the EU. And so I don't know how the European Sovereign Cloud helps them. Yeah. We could go on to a long digression around what's going on in the UK, but I guess... Okay, so we understand what it is and what it's meant to be and what some of the intentions are around why you would create it. And I certainly understand from a European company perspective why they would use it. What have been the things, aside from this kind of legal oversight, legal lack of structure that you just identified? What have been the main themes around it here at fwd:cloudsec?
I think the other main theme that's come out is just a general unease. And especially, you know, anybody who's seen the Snowden, you know, data that was leaked by him again twelve some odd years ago. Right. You know, it's like, oh, well, you know, they can, like, put these things in the chips and then the chips are talking back. You know, it's basically, it's almost a supply chain concern. Right. Amazon, or AWS US, is creating all of this stuff, and it is shipping it over to Europe and it is standing this up. What if any of that is compromised? Yeah. And I mean, it's a valid concern, but let's face it, we're pulling chips that were manufactured in Taiwan, and hard drives manufactured in Vietnam, and Arm chips designed in the UK, and software that, you know, Nitro was actually, I think, more designed in the EU than it was in the US. VPCs. VPCs came out of, I think, if I recall correctly, South Africa. So, like, EC2 came out of South Africa. EC2 came out of South Africa. Okay. I forget where VPC came out of. Herndon, near me. Okay. Fair enough, fair enough. Right. So, like, all of this is already coming in from all of these places. And yeah, sure, you know, you get a really good software engineer that's, like, also being paid for by some, you know, intelligence service. Yeah. They could slip a back door in, but that's, you know, that's a problem in any cloud and in any supply chain and everything else. So, and it's not in Amazon's best interest to pre-bake in back doors to make the US government happy. It's in Amazon's best interest to actually have security as the top priority, job zero. Yeah. So they've built Nitro Enclaves and they've had Nitro Enclaves verified. And so it's going to be very hard for a US government to be able to say, okay, you now have to go insert this back door into this hardware so that we can then do the Cloud Act. That's not impossible. But it takes a long time.
It takes a long time, and it's not easy. And you know, when that happens, like we saw with the UK saying, hey, we want Apple to break end-to-end encryption in messenger and iPhone backups, that tends to actually generate negative pushback against the government. So while, yes, the oligarchs in Silicon Valley and Bezos and, you know, crew are having to kowtow to the current administration, they're not going to go above and beyond what they're told to do. Yeah.
So the fact is, I trust... of course, I'm an American, so, yeah, you know, use your own judgment there and do your own threat modeling, please. Yep. I trust that the European Sovereign Cloud and the stuff that's been shipped from all over the world to Brandenburg to build out this new region is reasonably secure. I think it's important that the customers of the European Sovereign Cloud insist and demand evidence that all the pull requests for all the changes that are coming out of Seattle, or anywhere else that they're coming from, to be deployed in the Sovereign Cloud are reviewed, right? And they're reviewed by members of the sovereign, you know, employees of the Sovereign Cloud, who are looking for these sorts of backdoors. Could one get snuck in? Yes. And, okay, sure, if you're running the nuclear launch capabilities of, I guess France is the only European Union member who's got the nukes, right? Maybe you should just keep that all on prem. You know, and then still have to worry about, is the Intel chip or the Arm chip or the, you know, hard drives manufactured in Vietnam compromised? But, yeah, you know, for almost everybody else's use case, European Sovereign Cloud is going to be good enough. But, yeah, there is the other aspect, because we've talked about confidentiality and the Cloud Act. We've also seen the current administration in the United States decide to go after the International Criminal Court and sanction it because they were bullying his buddy. So there's the availability side of the question, which is another risk that you have with sovereign, with an American-owned sovereign cloud, and that is that you as a customer of the Amazon sovereign cloud are basically sanctioned by the US government. At which point then what happens? We've only once seen a public, politically motivated, you know, Amazon kicked somebody out based on terms of service. And that was Parler after the January 6 riots. Not tourism riots.
That happened during the 2020 transition. Yeah. So, and even then Amazon was like, we're kicking you out, but you have time to go get your data. So I don't necessarily know. And it'll be an interesting case of, you know, if the International Criminal Court was a customer and got sanctioned, would European Sovereign Cloud shut them down or not? Yeah. And if the German or the Dutch government, I guess, yeah, The Hague, the Dutch government said no, they are a legitimate unsanctioned entity, you cannot shut them down, then what happens? Right. Yeah. European Sovereign Cloud is a European entity that is governed by European rules. Could they make a rule that basically says only we can sanction and tell you who you can't do business with? Yeah. And then what happens to, okay, well, Amazon has been told we cannot take money from this. We have a subsidiary that is being forced to take money from this. Can we no longer actually talk between us, Amazon and US AWS and European Sovereign Cloud? I don't think that it will ever get to that level of acrimony. And if it does, then, you know, your problems, your Netflix, are not going to be the concern. Yeah. I mean, it's interesting, as we've been sitting here having this conversation. Yeah. I'm very conflicted in this, in the sense that I'm a dual citizen and I have a lot of my own kind of personal ethics and morals formed by being a dual citizen and having lived in both jurisdictions, the US and Europe, for years of my life each. And I've thought about this as you were explaining some of the trade-offs, because there really are just trade-offs. Exactly. Basically, in theory, this European Sovereign Cloud, on the one hand, I could say, well, it's a tacit admission that no European provider can provide the platforms that we need, which is, like, on the one hand, kind of a bummer. It's like, okay, great.
Not enough innovation coming out of here and no European cloud provider. I knew a bunch of old OpenStack providers that, like, had ambitions of federation and creating kind of multi-region OpenStack-based things. And we can argue about why that did or didn't work out. Or sorry, it didn't work out, because it did not, not did or didn't, but it didn't. But at the same time, I can look at this and be like, well, you know what? This is a reasonable compromise. It allows us access to the platforms that we need to build and innovate and grow and whatever, and it gives us some reasonable legal assurances, still recognizing that there's some risk. But hey, shared responsibility model, to something that you said at the very beginning of the conversation, I can always just encrypt on my own. And, you know, maybe I should be doing that anyway, as a responsible customer who cares about the privacy of the data that is in my own organization's environment. You know, I could look at this and say, this is just the best of both worlds. I get all the innovation, I get my own control, and I get to defer and delegate some of this oversight and subpoena power to a government that I choose and I trust is more aligned with my U.S. Western liberal values. Yes. Completely. And that's why, you know, you need to threat model this out holistically as part of your organization, right? What are you doing? If you are only doing, you know, basic restaurant hosting, as I'm looking across the river here to a bunch of restaurants, right. You know, okay, I'm hosting restaurant websites or I'm doing, you know, effectively a European Uber Eats like Bolt or, uh, Oovoo or whatever, right? Yep. So that could be in the European Sovereign Cloud. And okay, maybe there's some interest in a government making sure that, hey, this isn't getting sent back to Langley to be analyzed. But, you know, let's face it, it's food delivery.
The extent of the interest there is, okay, is there a lot of food delivery that's happening around the NATO headquarters in Brussels, or is it happening around the Reichstag here in Berlin? Right. So, yeah. Not mission critical. Yeah. And I think that's important to your point, though, about, you know, European alternatives. The issue really now is AWS is AWS, Azure, Google, Oracle, right. They're far enough ahead in this journey that it's going to be hard for a new contender into this market to really catch up on things. I actually kind of hoped that one might do that, that there would be something that would maybe not be as hyperscale, maybe not have all of the higher-order services. But, you know, give me something that's like event-driven functions, like AWS Lambda or an EventBridge kind of thing, so that when something happens over here, I can build an event-driven architecture that orchestrates this. Yeah. And that can scale to maybe not Netflix size, but scale to a reasonable size so that it can be relied on by companies who have elastic workloads. Yeah, I'm not sure that's going to happen, but it probably is still important that Europe chart its own course here, because, right, you know, as we're seeing now on the defense side, you know, it's kind of like, oh, well, we were kind of just outsourcing it to... And then now our outsource partner has gone crazy. And now you're catching up, right? Yeah, yeah. And, you know, you're lucky that there's somebody east of here who's taking the brunt of the aggression while we spin up and, you know, rearm and figure out how we are going to collectively, you know, address this threat. Yeah. That said, you know, you've only got so much time before, you know, you're going to have to be able to carry it on your own. Yeah. Fair enough. We've got about a minute left in the conversation.
Just a couple reactions and, you know, maybe closing questions here. I think, you know, anywhere that we've said Europe and European Sovereign Cloud, you could almost substitute any region around the world. But as I was thinking through that point, I realized that what's unique about the European situation is that you've got a trading bloc that is, you know, kind of multi-regional, multinational within a region, and they've decided to kind of harmonize and agree on a set of basic standards, even if from country to country certain laws vary. A lot of, you know, overarching, let's say, criminal, tax, legal constructs really stay true. I think the only other place around the world where I see that is, like, Australia, New Zealand. Even when I look at other regional trading blocs, they're regional mostly in name only. I look at, like, Southeast Asia, where I spent a lot of time working on ASEAN, the Association of Southeast Asian Nations: huge variety between Singapore and Cambodia, or Myanmar and Vietnam, and so on. So I do think this is kind of the test case for how this kind of thing can play out. I guess, if you were to think of... and one more thing. There's, like, the scaling issue, right? There's 300 million Americans. There's 440 million Europeans. So this is actually a bigger market than the United States from a population perspective, right? So you already have a massive gravity here. Yeah. You know, India would be another option for, right, you know, but that's on a nation-state level. But that's on a singular national level. But it's also big enough to justify and warrant its own sovereign cloud should it be needed. Yeah. And, you know, beyond India, right, you have China, and they've already instituted their own sovereign clouds for their own, you know, particular reasons. Yeah. And exported them, by the way, like all cloud.
Well, and exactly. So AliCloud is, and, you know, that's the other potential option if you're concerned about availability, and I'm not suggesting multi-cloud for the sake of multi-cloud. But, you know, if you're worried about the American government shutting you off, maybe have a strategy, and a, you know, kind of a DORA-like strategy, of also being available to deploy to AliCloud. Yeah. Awesome. Last question I want to ask you. And it's not related to sovereign clouds. I always tell people that the best thing that comes out of the Modern Cyber podcast is what I learned from it, because I learned more in hosting all the guests. Everybody comes in with their own expertise areas and whatnot. I learned more from the conversations, I think, than all of our listeners, probably. Well, there you go. What have you learned from hosting fwd:cloudsec? Oh. Mm. I would say that the... So information security has a really good community. And, you know, it's that hacker mentality, not the malicious hacker mentality, but the "can I do this" mentality, right? Yeah. And then you go and you find a group like fwd:cloudsec and the community that we have built in the Cloud Security Forum Slack. And that is such a tight-knit community that when I come here, it's like I'm back with family. Yeah. And we're all interested in the same things. We're all celebrating career, you know, individual career achievements, you know, life events and everything else. I would say that, you know, operating this conference, I've found a second cloud family that, you know, I don't think existed in any of the other communities that I've been part of. That's really awesome. And we'll put links to fwd:cloudsec and to the Cloud Security Forum Slack in the show notes for today's episode, as well as where you can find Chris Farris and some of the work that he's done. Chris, thanks so much for taking the time to join us. It's a real pleasure. Talk to you next time.