The True Spirit of Compliance with Nickolas Means
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: Developers are responsible for more than ever these days. Not just the code they write, but also the containers and cloud infrastructure their apps run on. And probably the billing on top of that - which is neither here nor there. And a big part of that responsibility is app security — from code to cloud.
That’s where Snyk comes in. Snyk is a frictionless security platform that meets teams where they are, automating application security controls across their existing tools, workflows, and the AWS application stack — including seamless integrations with AWS CodePipeline, Amazon EKS, Amazon Inspector and several others.
Deploy on AWS. Secure with Snyk. Learn more at snyk.co/scream. That’s S-N-Y-K-dot-C-O/scream.
And my thanks to them for sponsoring this ridiculous nonsense!
Corey: LANs of the late 90’s and early 2000’s were a magical place to learn about computers, hang out with your friends, and do cool stuff like share files, run websites & game servers, and occasionally bring the whole thing down with some ill-conceived software or network configuration. That’s not how things are done anymore, but what if we could have a 90’s style LAN experience along with the best parts of the 21st century internet? (Most of which are very hard to find these days.) Tailscale thinks we can, and I’m inclined to agree. With Tailscale I can use trusted identity providers like Google, or Okta, or GitHub to authenticate users, and automatically generate & rotate keys to authenticate devices I've added to my network. I can also share access to those devices with friends and teammates, or tag devices to give my team broader access. And that’s the magic of it, your data is protected by the simple yet powerful social dynamics of small groups that you trust.Try now - it's free forever for personal use. I’ve been using it for almost two years personally, and am moderately annoyed that they haven’t attempted to charge me for what’s become an essential-to-my-workflow service.
Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. This promoted guest episode is brought to us by our friends over at Sym, and into my verbal grist mill, they have thrown their VP of Engineering, Nickolas Means. Nickolas, thank you for joining me.
Nickolas: Thank you so much for having me, Corey. And feel free to call me Nick.
Corey: I certainly shall. So, let’s begin at a high level. When you’re starting a company and trying to, sort of, bootstrap and raise initial rounds of funding and the rest, you’re trying to save money in a bunch of places. And one of the most expensive things you can buy when starting a company is, of course, a vowel. You wound up not naming the company—or the vowel, really—the y is sometimes a vowel, sometimes not. It’s S-Y-M. What is it you folks do exactly? What do you folks start? Where do you stop?
Nickolas: So, the name of the company comes from the idea of helping humans and machines work together more effectively. And that’s really nice and high level; it doesn’t tell you any information about what we do.
Corey: It feels like we’re—we’d assume that most startups pivot at some point; we’re just going to set—
Nickolas: [laugh].
Corey: —[crosstalk 00:01:33] seeds for that nice and early on, and dive on in.
Nickolas: So, what we actually do, the two co-founders and myself all have a background in highly compliant industries. I’ve done VPN stints at a couple of health tech startups; they’ve done similarly. And all three of us ended up building sort of a certain set of things every time we were at one of these companies. Because you have to be compliant with things, and in order to be compliant with things, you have to have a set of controls, you have to restrict certain things: how people get to production, how people access customer data. And those controls, by and large, all suck. They’re all painful and every company ends up building something from scratch at some point to make them not suck quite so bad. And it seemed like there was a product opportunity there.
Corey: I would argue there absolutely is. One of the big problems that I’ve found throughout the time that I’ve been fixing AWS bills on a consultancy basis has been, we’re really talking about cloud governance. But even now, by using the phrase cloud governance, three-quarters of the audience immediately wound up skipping to the next podcast over on their playlist because it sounds like it is one of those incredibly boring things. And to be fair, usually, when it comes to compliance, you want some of the most boring, least creative people in the world overseeing that. Like, when you wind up talking to someone at a company and they have a great sense of humor and they are constantly cracking jokes constantly, it’s like, “What do you do?” Like, “Oh, I’m the CFO.” All you hear from that is, “Oh, I’m about to go to prison. Awesome.”
Like, you want the wild, cutting-loose CEO to have three drinks and then confide, “I really like typing the number six.” You want them [laugh] to be predictable in a whole bunch of ways. And it always feels like compliance takes that entire mindset of, it’s always about risk management, it’s about wanting to make sure that people don’t go off script in a bunch of weird ways, but as an engineer, what I always heard from that is slow down, don’t be creative, go ahead and do things in very predictable ways. Only release things once a quarter, et cetera, et cetera. And yes, that’s one way to meet compliance goals, but it’s a crappy way, in my experience. I’m going to guess, though, that you have a lot more experience with the compliance world than I do because having worked a few times now, for big regulated finance companies, I wanted to get the hell out of the compliance universe.
Nickolas: Yeah, I mean, you used an interesting turn of phrase there. You used the phrase, “Avoid going off script,” and I think there’s a subtle turn there that actually makes all of this work a lot better. Instead of focusing on keeping people from going off script, you focus on keeping them on script. You focus on making it easier to do the right thing than to do the wrong thing. And that takes away a significant amount of the pain involved in compliance stuff.
You look at implementing controls—and everybody has the exact same reaction you just brought up about governance—because there’s so much FUD around this stuff. Everybody has been slowed down by one of these silly rules that makes no sense, that’s checking a box and not actually meeting the spirit of any kind of meaningful improvement.
Corey: Oh, cloud has absolutely doubled our speed of iteration because it used to take six weeks to get a server racked in the data center and we moved our processes to cloud and now to spin up an EC2 instance, it only takes three weeks of approvals. And at that point, it’s what are you really doing? You wind up with people building on shadow IT. It’s part of what contributed to the rise of cloud in the first place. Well, I can go through the annoying thing that this company wants me to do, or I have a corporate credit card and by the time it raises the level of spend to a point where it gets scrutiny, it’s in production serving customers and what are they going to do?
Some of the very early AWS sales conversations with customers started off as, “Well, why should we build on top of your cloud?” asks the exec, and they say, “Oh, sorry, you have 87 different accounts throughout your organization currently with us. We’re just trying to give you some unified view into it and possibly some discounting if you want.” Yeah, these days, that’s a fast track to getting yourself fired in some companies, if you wind up deviating from that story. But also, people are not doing this out of malfeasance; they’re trying to get their job done.
And as soon as guardrails start increasing friction, making it harder to do things the right way than to go around it, people will not comply. I strongly believe that, whether it’s cost—which is my universe, and frankly, only a business hours problem—or actual governance issues with some compliance regimes, which get those wrong and hope you enjoy some time in prison.
Nickolas: Yeah, exactly. I mean, you know, if you look at SOC 2, for example, there’s a lot of companies out there that are willing to sell you a program that will help you become SOC 2 compliant. They show you all the steps you need to take, all the programs you need to put in place. The thing they don’t do is help you establish the controls that are required. They’ll tell you that you have to have somebody formally approving before software goes out to production. They won’t give you any guidance whatsoever on how to put that control in place. And so, it’s really easy for a compliance person that’s not looking to collaborate with engineering just to go, “Okay, I need you to put a button in the deploy process and I need the CTO to click that button.”
Corey: Yes. We’ve always seen that as reactions to different things. I was at a company once where there were some outages caused by bad deploys, so they decided that a VP had to sign off on every deploy. Now, I come from the sysadmin ops world, which explains so much about my cynical perspective on life, so the way we got that overturned within two days is we did the malicious compliance thing, where oh, we need to deploy this. Great, we are walking into the middle of a senior leadership team meeting to get them to—with a tablet or comput—laptop—“I need you to click the button right now.”
And doing that out of hours and all kinds of other things, it’s oh. Yeah. How about we wind up only doing that for significant large changes? How about that? Maybe you don’t need to wake someone up at home in the middle of the night when there’s a deploy going out that fixes a typo on the marketing page; little things like that.
And at some point, you’re always felt like the goal of governance was either ossified scar tissue around all the ways that things have failed before, or through a, frankly, misguided belief that if we wind up distilling everything down to processes and procedures, eventually, someday, we can have a bunch of trained monkeys doing this job instead of people who are expensive and, you know, cynical, and difficult to please. I feel like that is not the right way to think about these things.
Nickolas: Well, I mean, the thing about those controls, you know, it’s exactly what you just said. Nowhere in SOC 2 does it say that your VPN [unintelligible 00:07:56] or CTO has to approve all code deploys, that’s not in there. But that’s the reality of life at a bunch of companies. In reality, if you just follow a software development life cycle that has multiple people looking at code before it gets deployed, multiple people signing off on that code being okay to deploy and you have a staging environment before you hit production, you’ve met the control. And SOC 2 gives you so much flexibility in how you write the control.
So, I think the thing that I’ve seen that makes compliance so much less painful, is when you have somebody that is 95% the boring persona like you’re talking about, but 5% creative. 5% willing to kind of get their hands dirty, empathize with the engineering team, collaborate with the engineering team, and find a way to put some of these controls in place that doesn’t just bring things to a grinding halt.
Corey: I have to assume that, given that you’ve built an entire product slash company around this idea, that you have some opinions other than doing what I do, which is sitting in my lofty ivory tower and oh, you should, in this idealized case, do things a little bit differently. But it’s going to be bespoke and the answer to any complex question, the more senior you get is, “It depends.” You, of course, have built something that scales out in a bunch of different ways. How do you view that in a way that makes it not either completely useless or overly prescriptive?
Nickolas: We focus on giving the power to engineering teams and giving the security complexity [unintelligible 00:09:23] the power to oversee those things. You know, it would be easy to give somebody, like, a clickbox UI, let them design controls for SOC 2 or whatever, end-user interface, but that’s not how engineers think; engineers think and express ideas and code. So, we’ve made the rather controversial decision in the face of a bunch of no-code tools to go low-code instead. So, to build a compliance workflow in Sym, you’re going to write some Terraform, you’re going to write a little bit of Python—a lot less than if you were building it from scratch—but you’re going to end up with something that perfectly fits the way that you already work versus having to shift your work practices around to fit the tool.
Corey: If you have inadvertently stumbled upon one of my hot buttons. There’s a lot of people that take a perspective around low code. And I just want to say that that perspective is often garbage. Like, oh, that’s not a real program—great. Hypothetically, if you have an idea for a business or a product or something, and involve software as most things seem to these days, maybe having to go to a boot camp for six months first as a prerequisite is not the best path forward.
“Well, you’re never going to build something hyperscale in a low-code environment.” Great, how many things that we built that actually need to be hyperscale that don’t go through 16 different architectural iterations between ridiculous idea one day and thing that is actually hyperscale? It’s an early optimization. I have an entire production pipeline in Retool that I built using low code. I think that that is a very powerful thing. And this idea that, “Oh, that’s not real code.” Cool. What’s your point?
Nickolas: Well, and for us, one of the things that we’re trying to enable is for software engineering teams, ops teams, whoever is building these controls, to interact with a security person or a compliance person, for them to be able to read the code, understand what it does, understand the way that the control has been implemented. And so, we provide a bunch of frameworks around that and a bunch of things. Like, you don’t have to go and build a Slack workflow from scratch and nobody has to understand that code because it’s buried in the platform. The only thing that the security or compliance person has to understand is the business logic that’s been put into place. Who can approve it? Who can’t approve it? How does that change after hours? How does that change if there’s an incident? All of that is in very simple Python that you don’t have to be an experienced programmer to be able to read.
Corey: One of the big powerful things behind that is it really reduces the interrupt volume of someone coming by to an engineer who is deep in the middle of something else, and, “Hey, guess what I have? A surprise context switch for something that’s going to take you probably 30 seconds, but then you’re going to be distracted by all of this.” If you give people the ability to self-serve, everything tends to work a lot more smoothly.
Nickolas: Yeah, absolutely. And, you know, that’s one of the ways we use Sym at Sym: we’ve got it in front of our AWS production environment, so if you need to go and do anything in production, you just have to get approval from any other engineer that happens to be in the approval channel, sort of a two-keys-to-launch-a-missile model. And that works fine for our compliance needs and it avoids there being a single point of failure that every time you need to go and get into production, you have to go and say, “Mother, may I?”
Corey: Exactly. It’s one of those things where every time you wind up with something that injects friction, people are going to find ways around it. And in some cases, this leads to positive outcomes where, when you’re subject to PCI, which is a lot more prescriptive than a number of other compliance regimes, it’s, great; this is a lot of things that don’t necessarily reflect how we work, how we want to work, et cetera. We can ignore it, which is not a great plan, we can wind up having to slow everything down, which is the common case, or the right answer is, we’re going to build the PCI environment that is very self-contained, just the critical stuff that needs to be in there is going to be in there, and then we can build everything that touches it around it in ways that are a lot more aligned with how we believe software should be built.
Nickolas: Yeah, absolutely. I mean, you silo off those high-control places, but there are controls that have to extend into the rest of the business. And one of the things that I’m a very firm believer in is, if you’re going to impose a control upon somebody, they need to have the agency to shape and to change that control so that it lets them work the way that they want to work.
Corey: I just want to call out how wonderful that is because I had a belief that looked borderline heretical, 12 years ago, when I said that, “Okay, simple rule. If you want me on call, I am empowered to change the thing that wakes me up.” Whether that is the code itself, the system itself, the paging threshold and frequency, or ultimately, I’m turning the physical pager off. It’s one of those things where I decide what’s an emergency outside of hours on that point. If it’s going to wake me up, I need the power to make sure it never does. Otherwise, you have no agency. It just feels like you’re being victimized by the stuff.
Nickolas: Yeah, absolutely. I mean, there was a wave of on-call regimes that ran through large companies for a while where there would be a centralized on-call team that would be responsible for responding to hundreds of services. And thankfully, we are maturing past that; we’re distributing on-call rotations so that teams that actually build services are responsible for them. And it’s the same mindset, right? If you’re going to be participating, if you’re going to be working with a system or working with a control, then you need to be able to change it, you need to be able to make it work the way that you think that it ought to work.
And in the context of compliance, you need to bring somebody along with you. You need to bring the person that’s responsible for the controls that actually has to sign on the dotted line at the end of the audit period, saying that we do all of these things. So, you have to be able to explain what you’re doing to them. But you have to be able to iterate.
Corey: I have to ask, given that what you are building is going to have heavy involvement from engineering, how do you respond to the probably most common engineering objection I imagine you get, which is, “Well, this doesn’t look hard. I could build this in a weekend.”
Nickolas: You know, it’s funny. We joke that our biggest competitor is build in-house, right? It’s pretty easy to start looking at what it takes to build a from scratch workflow in Slack to build a Slack app, to understand the cost of building it in-house. Because nothing about building an elegant user interface in Slack is easy or cheap. That API is difficult to work with and hard to get good user experience out of.
And we’ve spent a lot of time polishing a lot of places in the platform: we’ve got good documentation, we’ve got a good SDK, we’ve got good integration with third-party services that make all of this stuff easy to do. And it does look easy on the surface, it does look like ‘I can build it,’ but we’ve had customers that have had that objection gone and tried to build it and come back. Because it’s not as easy as anybody thinks.
Corey: My biggest competitor for fixing AWS bills has always been Microsoft Excel. It’s the, we’re going to do it ourselves—badly—internally. Okay, great. If that works for you, terrific—
Nickolas: Yeah.
Corey: —but very often it doesn’t. I mean, I think a classic case study of this is, in the terms of something that is well designed but is almost mind-bogglingly complex—and we’re getting a case study in it this year—is Twitter because it looks from the outside, very simple. I wind up writing a thing and I hit the post button and it shows up in a timeline. And then other people can subscribe to it or not, and they see it themselves. That sounds like something you can build on a weekend. And we look at all the ways it’s now exploding and collapsing and having weird bugs that no one anticipated, to realize, oh, this is a very challenging, very sophisticated application. But because it was well designed at one point, it looks easy.
Nickolas: Yeah. Yeah, it continues to run despite the fact that it’s having less than a quarter of the staff that originally maintained it, maintaining it because the services were well designed in the first place. They’re resilient on their own and they’re self-healing in a lot of cases. It’s the same thing with Sym. You can build these tools in-house, you can build them yourself, but then you’ve got more software to maintain. Because once you build something, you own it, forever. And the cheapest code is no code; the cheapest code is code that you don’t have to write.
It’s easy to look at a simple use case and understand a little bit of the cost of this. If you want a Slack workflow that gives you access to production in AWS, you can wire that up fairly quickly. Those APIs are not all that difficult. Now, let’s say you want to add an integration where if you’re on-call in PagerDuty, you can get to production without having to get an approval. Okay, well, now you’ve got a new API that you need to wire in.
And let’s say that every time that happens, you want to open a Jira ticket so that you can record that that’s happened. Well, there’s another API that you’ve got to wire in.j, whereas with Sym, it’s just, it’s right there. It’s a few lines of code to wire it all together. And it deploys in Terraform alongside the rest of your infrastructure, so you manage it the same way you’re used to managing things.
Corey: It reminds me of my earlier career when I was deep in the configuration management weeds with Puppet and SaltStack, where the biggest competitor we had any of those projects was always someone writing a bash script to do it themselves. And yes, you can do that, but then the requirements change, or you’re going to hit a point of scale that was surprising. And one of the valuable parts of it is that when the future is uncertain, as it always is—
Nickolas: Always.
Corey: Having folks who work in environments that aren’t just yours who encounter a lot of those edge cases you’re going to stumble into and can build things in is incredibly valuable. I don’t think I’ve ever met anyone who ran an infrastructure that said, “I would build it the same way if I had to start over again.” They always want to, “I would fix these annoying things.” Well, by having a product focused on a space like this, it’s yeah, today, you can have that VP click the approve button inside the GitHub Actions workflow. Good for you.
But when you get just a little bit further down the path, you aren’t going to want to do that anymore. There needs to be some decision-making it builds into it, and for certain high-risk changes, maybe a second person and so on. How do you build that logic engine? How do you build that workflow approach? How do you have a break glass thing for middle of the night when the site is down? Et cetera, et cetera, et cetera.
And that’s exactly the sort of thing that I would expect something like Sym to get very right, just because there’s always a bigger fish. You’ve seen this [unintelligible 00:19:17] before in other shops. And more to the point, if there’s something I want to do as a part of this that Sym doesn’t support and you are looking at me strangely if I asked how to do it, that’s usually a good early warning sign that maybe there’s something I’m not thinking about here. Because whatever the problem space is, I’m probably not the only person that has to do this. How are other companies solving for this? And it turns out that all my copy of our SOC 2 report has a typo on it. That would explain a lot. That’s a ‘can’ instead of ‘can’t.’ Nevermind. Or something like that.
Nickolas: Well, and the flip side of that is also true. I mean, the interesting thing about working on something that is sort of wide open with what you can wire up and build with it is we’re always learning from our customers. We’re always learning from the things that they’re doing. And so, you know, when somebody approaches us of, “Hey, we need to solve this particular problem,” if we don’t have a ready answer, we brainstorm and help figure that out. And to your point, that always extrapolates to other customers finding the same sort of thing useful.
The other bit of this that’s really interesting beyond the durability and the ability to kind of rapidly evolve these workflows is the audibility. It’s helpful in a lot of these compliance regimes to have a third-party tracking this data for you. So, when somebody accesses AWS production, who approved that access? When somebody deploys code, who approved those deploys? Well, we sit there as kind of a third party on the side, observing all of this, taking all these notes for you, and piping them into whatever audit tool that you want.
So, you’ve got that data long-term and when it comes time to audit, you’ve got all the evidence you need; it’s already there, already collected. You don’t have to go through and write a regex to parse a bunch of logs to get the information you need.
Corey: And invariably, that regex is always going to be different, depending upon the log stuff. It’s great having a unified central approach that is the trusted repository for this stuff. As you’ve been going to market and talking to your earlier customers and seeing the problems that you folks solve, what have you learned about the market space since you’ve gone into this direction? Because I feel like this is one of those products where you start designing and thinking you know a lot about the space, and you learn so much more just from the customer conversations and seeing that you can build the most finely crafted torque wrench in the world and the customer complains because it turns out, you built a crappy hammer.
Nickolas: So, I think what’s been really interesting to me is how much use our Lambda integration gets. We have a lot of first-party integrations with things like IAM and IAM identity center and Aptible and a bunch of tools that you can interact with, but a lot of our customers have wanted to do very specific things inside their infrastructure and put those things behind an approval. And the Lambda integration turns out to be a great Swiss army knife to do that because you can wire it up—it runs inside your firewall—to take essentially whatever action that you need it to. And that gets a ton of use. Probably more than half of our customers have at least one Lambda workflow in production, and I would not have expected that going in.
Corey: It’s wild to me just how pervasive Lambda has become. And even from a compliance perspective, it’s great because unlike, “Well, it’s a script that runs on a server somewhere,” yeah, it’s immutable. It’s versioned. There’s a way to conclusively prove that at invocation, this is the code that ran, the end, with the following parameters. Done.
There’s no, “Well, looking at the timestamp on the file”—like, no. None of that nonsense. It’s arguable that something that I have seen has been that Lambda is one of those rare technologies where you’re seeing faster adoption in the enterprise and you are in startup land.
Nickolas: Yeah, I would say that’s true. I mean, it’s so great for running undifferentiated workloads. I just need this one thing to happen really quickly and I don’t want to mess with standing up a server to run this thing that runs once a week. Okay, well, here’s a computer that will run just long enough for you to run this thing and then go away. It tracks exactly what ran, exactly when it ran, exactly how it got kicked off.
And in our case, it has access to all of the internal AWS APIs that we wall off in our platform because we obviously don’t want you using those things in the Sym runtime. But you can do anything that you want to your AWS environment from your own Lambda and we will gladly provide the approval step ahead of kicking that job off.
Corey: Are you seeing people use Lambda-based workflows to manage on-premises things or is it more heavily in environments that are already within the AWS boundary?
Nickolas: The Lambda stuff that we see is almost entirely—I think it is entirely for things that are within the AWS boundary. I can’t think of an instance when somebody is managing something on-prem with it.
Corey: I am increasingly discovering, through the magic of Tailscale—among a few other things—that I can use that for things on-premises that talk directly and interface with my Raspberry Pi in the spare room, et cetera. Which is—I think some people call it hybrid, which is the business enterprise term for ‘horrifying—
Nickolas: Yep.
Corey: —because it’s a terrible pattern in some ways. But it’s so convenient and it’s so nice not to have to worry about some of these things, just an infrastructure point of view. One thing that I think that AWS has done very well at, as they’ve evolved, has been with AWS Artifact, which ties directly to their own compliance reports, where in the early days when I was responsible for SOC 2 controls at a company, I found myself answering security questionnaires from vendors as if I was running in a data center. And sure enough, they wanted to tour us-east-1. And it turns out, you can’t really do that.
So now, just pointing them to the stuff that comes out of Artifact, it’s written by auditors for auditors and they go away and leave you alone without having to explain your bespoke artisanal nonsense to them. There’s something very pleasant about being able to throw the lion’s share of the work over to someone who already knows how to do it.
Nickolas: Our audit period is ending here shortly and I have recently been and spending time in Artifact. So yes, a hundred percent.
Corey: It used to be that you would only be able to get those things under explicit NDAs, you’d have to talk to your account manager for every one, it was a back-and-forth process, and you didn’t really know if what you were going to get was going to answer the questions that they had. Now it’s, you show up, you click things three times, and you’re done. The hardest part is sorting out which ones you need from the hundreds of things available within Artifact.
It’s like, okay, that’s great, but this one is in Spanish for some reason. And that’s awesome, but on some level, it feels like that should be an easy filter option. But yeah, no one ever accused AWS of building a good user interface. But once you get the thing you need and can pass it off, great. Job over. It’s one of my favorite services that most people who are what we know as ‘happy’ don’t know exist.
Nickolas: Yeah well, and that, it points to a larger industry trend, right, that companies are getting SOC 2 specifically earlier and earlier because it is becoming table stakes to be able to sell into other companies. They want to see your SOC 2 report before they’re willing to work with you before they’re willing to let your software touch their infrastructure. And there is a lot of value in these compliance programs as essentially a stamp of approval that you’re taking these things seriously, even with as much flexibility as SOC 2 has, just the stamp that we’ve thought about these things and we have serious answers to them is a pretty important signal to be able to send to somebody that’s wanting to buy your software.
Corey: We’ve toyed with the idea of going through the process ourselves because we get asked about it all the time, but it feels like the procurement processes that ask us for it expect us to come in with a whole software suite and the rest. And yeah, if that’s the world we’re operating in, it makes a lot of sense. We’re a services-based consultancy; we come in as individuals, we have conversations with people, and we talk about this and we have no write access to anything in your environment and give you scoped-down permissions for what we talk to because we don’t want the responsibility of that stuff.
And a lot of companies get that intrinsically, but there’s occasionally a few you have to go round and round and round with. It just it feels like it’s one of those, okay, you’re not quite there yet. You’re trying to view everything through this very specific worldview. Maybe it works for your constraints and requirements, but I’ve never understood it. And I’ve learned the older I get, the more time I spend around this, I used to have such a negative perspective on compliance.
And now it’s, you know, everything’s nuanced. There’s a reason that these things are there. It’s not just a make-work project for an industry that wants to slow everyone else down. It’s, there are risks here; these things exist for a reason. There’s a reason that you can go start Twitter for Pets tonight and not be regulated, but the same is not true of First Bank of Twitter Pets.
It’s okay, yeah, one of those things is going to require a fair bit of regulatory scrutiny, and as a society, we want that. Now, the counterargument that I don’t necessarily want to get too far into is, should Twitter for Pets be regulated?
Nickolas: [laugh].
Corey: And that’s a can of worms that I think we’ll leave for another episode.
Nickolas: Yeah, I mean, that’s—you know, the people that hate compliance the most are the people that are on the sharp end of compliance, people that are having to actually deal with the controls that are imposed upon them by these compliance regimes and by somebody who’s taking a very literal view in interpreting the things that some of these compliance programs say that you’d have to put in place. And I think, you know, that’s—kind of bring the conversation full circle—that’s the thing that we want to change more than anything. If we can wave a magic wand and change the compliance universe, the thing that I most want is to help compliance and security people collaborate with their engineering teams and come up with mutually beneficial solutions. Things that actually—the spirit of compliance.
Corey: Oh, yeah. My first PCI audit was a little bit of a challenge, just because the auditor wasn’t really conversant with anything that wasn’t a large company. So, they show up at our twelve-person start off, and, “Okay, where’s the Active Directory?” It’s like, “We don’t have one of those.” “Okay, well how do you authenticate to the WiFi?” It’s like, “Oh, the password’s on the wall.”
It’s, “Well, what happens if I get on that WiFi?” It’s, “What can I do that I couldn’t do from anywhere else?” Like, “Use that printer over there. That’s it.” Because everything else was the idea of the security boundary was built on identity, not on what blessed network you happened to be on; there was no special permissioning that didn’t apply to the Starbucks WiFi next town over.
But that was one of those things where at first they thought this was a horrifying problem and they were not going to be able to certify us, and it turned into no, we had significantly advanced culture of security compliance, oversight, separation of duties, all the things you really care about. We just didn’t have the trappings that usually came across with when you’re thinking about this or starting—or having the temerity to start a company, you know, longer than 18 months ago at a place that wasn’t San Francisco on the latest version of a MacBook Pro running the bleeding edge version of Chrome. It turns out that there’s a big universe out there. And not that there’s anything wrong with either side of it, until they start forgetting that not everyone operates the way that they do.
Nickolas: Yeah. I mean, you know, we talked about checkbox compliance a lot and I think that’s probably the biggest problem is there is a lot of checkbox compliance out there. And people have seen it not actually solve anything and just make everything harder. And so, compliance gets a bad rap.
Corey: Oh, for me, the one that I’ve been picking fights on social media about for a few years now is encryption-at-rest in the cloud. Like, yes, you want full-disk encryption turned on your laptops, your phones, your tablets, et cetera. Someone steals it from the coffee shop, you want to be out the cost the hardware. The end. But if you can get a hard drive intact out of an AWS facility and then reassemble it with the right number of drives in the right places, without… and hasn’t been encrypted. Congratulations, you earned it. As far as I’m concerned, that’s yours. You can keep it.
Because AWS employees aren’t able to do that, let alone third parties. But it is easier by far to click the box to enable encryption-at-rest and not spend half an hour arguing with the auditor… and just get on with your day. And recently in S3, for example, they wound up making that a default. Good for them. It’s just, can we please focus on the part of the story that’s relevant and germane to our business? Because that is not the threat model of modern attacks.
Nickolas: Yeah, I mean, for a long time, how much of the internet ran on unencrypted HTTP, but it was being served off of an encrypted disk? Great. What have we solved?
Corey: Oh, absolutely. It’s wild to me. Even now, I still we feel like there should be a reasonable way to handle—to [unintelligible 00:31:17] basically encryption between two points that doesn’t depend on the third-party CA’s with expiring certs and the rest. Drives me up a wall every time because it’s always the worst possible time. It causes the strangest issues and there is something deeply and profoundly wrong with the fact that the failure mode from the user perspective between, “Your connection is being intercepted by a third party,” and, “Holy shit. This certificate expired two hours ago.” Like, those are very different use cases, but the scary warnings have trained people to treat them the same way.
Nickolas: Yep. Yep, exactly the same. Ugh.
Corey: I really want to thank you for being so generous with your time. If people want to learn more, where’s the best place for them to find you?
Nickolas: Yeah, so the best place to find out more about Sym is our website, symops.com, SYMOPS dot com. And I should mention that Sym is completely free for teams of up to ten people. If any of you out there listening check it out, please reach out. We’d love to hear about your experiences, help any way we can. And if you want to get in touch with me directly, the best place to do that for now, while it lasts is still Twitter. I’m on there as @nmeans.
Corey: And we will, of course, include a link to that in the [show notes 00:32:27]. Thank you so much for agreeing to talk to me about all this stuff. I really appreciate it.
Nickolas: Yeah. Thanks so much for having me on, Corey. It’s been a lot of fun.
Corey: Nick Means, VP of Engineering at Sym. I’m Cloud Economist Corey Quinn, and this has been a promoted guest episode, brought to us by our friends at Sym. If you’ve enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you’ve hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry bitter comment that will get posted in six weeks, after you track down your elusive VP to click the approve button.
Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Join our newsletter
2021 Duckbill Group, LLC