Access Control - Security as a Service

Security as a Service

05/13/24 • 41 min

Access Control
Interview with Rob Picard, CEO of Observa, a company that can build and run your security program.

Access Control Podcast: Episode 22 - Security as a Service, with Rob Picard, CEO of Observa

  • Outsourcing security to a provider like Observa can be beneficial for early-stage companies that don't have the budget or need for a full-time in-house security team. It allows the company to focus on their core business while getting the security expertise they need.
  • When starting an engagement, Observa focuses on three key things: addressing urgent goals (like getting SOC 2 certification), creating a plan for the longer-term security program maturity, and managing the ongoing operational work.
  • Common security mistakes Observa sees include companies making decisions based on fear, uncertainty, and doubt rather than facts; agreeing to overly restrictive security requirements from customers; and having a cynical "everything is a dumpster fire" attitude rather than a pragmatic approach to security.
  • SOC 2 is an important compliance framework, but its primary purpose is to provide a way for companies to make statements about their security practices and have them audited, not necessarily to improve security itself. However, going through the SOC 2 process can lead to security improvements.
  • When educating auditors, it's important to help them understand how new technologies and architectures (like containerization, passwordless authentication, etc.) change the risk profile compared to traditional IT environments.
  • The security team's role should be to enable the business to make informed risk decisions, not just to say "no" to everything. Security should be a partner, not a gatekeeper, and the team should avoid glorifying a "no" culture.

  • Outsourcing certain security functions like pen testing, managed detection and response, and incident response can be beneficial for early-stage companies that don't need or can't afford a full in-house security team.

Previous Episode

Securing the Open-source Future

Cryptography, Trust, and Open-Source with Filippo Valsorda

Throughout this episode, Filippo offers a comprehensive view of his professional journey in the field, from his initial intrigue with cryptographic algorithms during his high school years to his pivotal role in the Go Team at Google. Key discussion points include:

  • Key milestones in web cryptography include HTTPS, WebPKI, and the impact of messaging protocols like Signal and WhatsApp on end-to-end encryption.
  • Looking to the future, Filippo discusses the importance of transparency mechanisms in cryptography and highlights the need for accountability.
  • Filippo advises against rolling one's own crypto but encourages collaboration and learning with experienced individuals to build a feedback loop for secure implementations.
  • Filippo shares his thoughts on the current state of Certificate Authorities (CAs).
  • Filippo explains the accountability established by transparency in open source and compares it to closed-source software.
  • Security patching is addressed, highlighting the need for a balance between stability and urgency when applying patches.
  • Filippo explains the potential threats posed by quantum computers and the ongoing efforts to implement post-quantum key exchanges in protocols like SSH and TLS.
  • Cryptographic concerns in cloud computing are discussed, focusing on the importance of trust in cloud platforms while acknowledging the shared responsibility model.
  • In a practical piece of advice for improving security, Filippo recommends being deliberate in trimming dependency trees to reduce vulnerabilities.

Next Episode

Certificates, Keys, and Trust: The World of PKI and mTLS.

Key Discussion Points:

  • Ben and Chris discuss their motivation for starting Anchor, stemming from frustrating experiences with certificate management and outages caused by expired certs throughout their careers.
  • The evolution of web cryptography is covered, from the early days of SSL to the modern era ushered in by events like the Firesheep exploit, Heartbleed vulnerability, and the emergence of Let's Encrypt.
  • Ben and Chris explain the benefits of using an internal PKI and private CAs rather than public CAs for back-end infrastructure. Private CAs enable shorter certificate lifetimes, protect information about internal infrastructure, and allow customized issuance flows.
  • To help improve the developer experience with local TLS, Anchor launched lcl.host which provides an easy workflow for developers to use real certificates during local development.
  • Security best practices are discussed, including using name constraints to limit certificate scope, employing a multi-layered security approach, and practicing key rotation and disaster recovery scenarios.
  • Advice is given for teams new to PKI and mTLS, emphasizing the importance of hands-on experimentation in dev environments to build understanding.

https://lcl.host/
