TelecomNewsroom interview with Brian Johnson, CEO and Co-Founder, DivvyCloud
By Contributing Editor Anne Whealdon
Brian Johnson is CEO and Co-Founder of DivvyCloud, a company that protects cloud and container environments from misconfigurations, policy violations, threats, and IAM (Identity and Access Management) challenges. With automated, real-time remediation, DivvyCloud customers achieve continuous security and compliance and can fully realize the benefits of cloud and container technology. Brian, a passionate technologist, led the first migration of a “triple A” online game to Amazon Web Services (AWS), and broke new ground by architecting the hybrid cloud environments that supported EA’s massive, distributed global computing needs.
With ONUG Fall 2019 quickly approaching, TelecomNewsroom caught up with Brian to discuss the evolving enterprise industry and what the company hopes to achieve at this year’s event.
TelecomNewsroom, Anne Whealdon (TNR-AW) Question: Tell us about what you do and what problems DivvyCloud is solving.
DivvyCloud, Brian Johnson (DC-BJ) Answer: DivvyCloud helps companies accelerate innovation through the use of cloud and container services without the loss of control.
TNR-AW Q: What is the one thing that differentiates DivvyCloud within the industry?
DC-BJ A: We deliver value, we don’t extract it. Our goal is to deliver amazing value to our customers, and this focus powers all of our interactions and success.
TNR-AW Q: What is DivvyCloud’s position on hybrid multi-cloud deployments for the enterprise?
DC-BJ A: Every company should have a purposeful multi-cloud strategy. Once a company decides to embrace IaaS and PaaS public cloud computing, they then face the challenge of deciding on a vendor— typically AWS, Azure or GCP. Traditionally, companies would select a single public cloud vendor with whom to partner. However, we believe companies should instead implement a multi-cloud strategy, choosing to work with more than one public cloud provider.
There are several drivers that lead us to recommend the adoption of a multi-cloud strategy as the default for leading companies:
Mergers & Acquisitions: Deloitte reports that “Corporate and private equity executives foresee an acceleration of merger and acquisition (M&A) activity in 2018, both in the number of deals and the size of the transactions. Technology acquisition is the new No. 1 driver of M&A pursuits…” Increased M&A means that companies are more likely to acquire a new cloud. Leading IT organizations are being proactive to put in place the people, processes, and tools that will allow them to support all major cloud providers so they aren’t caught flat-footed when a merger or acquisition is announced and they are expected to integrate and operate a new cloud tech stack.
Best of Class: Developers want to build great products, and to do so, they want access to the latest, best-of-class cloud technologies and services available from every and any cloud technology provider. Access to multi-cloud services creates an opportunity to innovate in new ways and with speeds that would have previously been impossible, and this is vitally important to company success. According to IDC, “By 2021, at least 50 percent of global GDP will be digitized, with growth driven by digitally-enhanced offerings, operations, and relationships. By 2020, investors will use platform/ecosystem, data value, and customer engagement metrics as valuation factors for all enterprises.” IT leadership at innovative companies are embracing multi-cloud proactively to deliver on the promise of self-service-driven, dynamic, and software-defined infrastructure for developers while upholding the IT organization’s mandate for security and compliance governance.
High Availability/Redundancy: IT leaders recognize that even hyper-scale cloud providers (AWS, Azure, and GCP) will not be free of service disruptions. They are building multi-cloud strategies that allow them to ensure that business-critical applications and systems are not reliant on a single cloud.
Vendor Lock-in: As Forbes points out, companies are increasingly concerned about vendor lock-in and are proactively implementing a multi-cloud strategy. This allows them maximum flexibility when negotiating pricing and terms. This multi-cloud strategy also provides a modicum of protection against companies like Microsoft, Google or Amazon, which are increasingly entering new markets as competitors. Companies don’t want to be reliant on a single cloud provider and be put in the position of delivering financial support to a vendor that is now taking business from them.
Containers (and really Kubernetes): Developers love containers, and DevOps love Kubernetes. Kubernetes is cloud-agnostic, and you can run your cluster on AWS, GCP, Azure, or any other cloud. The rise of containers, and especially the popularity and accessibility of Kubernetes, creates a new opportunity for companies to now be cloud agnostic and, frankly, makes it much easier to be multi-cloud and provides an easier hedge against vendor lock-in. 451 Research analyst Jay Lyman discussed this when he wrote that Kubernetes can “create a consistent developer deployment model across on-premises and hybrid clouds.” As Matt Asay writes, “Kubernetes potentially up-ends the idea of running everything in one particular cloud.”
TNR-AW Q: How do you define digital transformation and what is DivvyCloud doing to help enterprise businesses adapt more effectively?
DC-BJ A: The use of cloud and container services delivers unparalleled ability to rapidly bring new products and services to the market and flexibly scale these in real-time to meet demand. This agility is often reliant on providing self-service access to developers, and if not approached properly, this can create a loss of control.
The good news is that a multitude of standards and frameworks exist to help companies establish baseline policies to ensure that they are using the cloud in a secure, compliant, and well-governed fashion.
DivvyCloud delivers hundreds of out-of-the-box policies that customers can use to automate the detection and remediation of policy violations. These policies map back to the major standards and frameworks, including PCI DSS, HIPAA, GDPR, SOC 2, ISO 27001, CIS AWS, CIS Microsoft Azure, CIS GCP, CIS Kubernetes, NIST CSF, NIST 800-53, FedRAMP, and CSA CCM. You can also modify and create your own policies and merge or create new compliance packs.
With automated, real-time remediation, DivvyCloud customers achieve continuous security and compliance and can fully realize the benefits of cloud and container technology without the loss of control.
TNR-AW Q: What is one of the biggest challenges of enterprise digital transformation and how should it be addressed?
DC-BJ A: Customer-level misconfiguration of cloud services is the number one reason for security and compliance risk. When using cloud services (IaaS, PaaS, Serverless, FaaS, and CaaS), security is a shared responsibility between the cloud service provider and the customer.
You, as the customer, are responsible for securing how you use the cloud services, including properly configuring identity and access management (IAM), storage and compute settings, threat analysis and defense, and the security of the application and data processed and stored in the cloud.
Therefore, secure cloud configuration must be a dynamic and continuous process. At a base level, there is the configuration of the cloud infrastructure (e.g., blocking SSH ports, and IAM). Next, there is the configuration of the CSP security controls (e.g., enabling log monitoring and encryption). Finally, SecOps teams must address changes to settings (e.g., detecting and acting on a threat actor turning off logging to cover their tracks).
With DivvyCloud, all changes, no matter how they are implemented (via console, provisioning tools, or programmatically), are detected because monitoring is achieved through a two-tiered approach that includes API polling and event-driven notification for faster detection of changes and automation in real-time. This allows DivvyCloud to identify misconfigurations and resolve them with automated, real-time remediation.
With DivvyCloud, you can accelerate innovation through the use of cloud and container services while minimizing the risk of misconfigurations.
TNR-AW Q: What is the one thing that enterprise companies need to be aware of as they embrace hybrid multi-cloud computing?
DC-BJ A: You need to build a future-proof strategy for multi-cloud security. Too often we see companies focusing on building security for what they have, rather than building a strategy that will allow them to enable the decisions of business units that need to drive rapid innovation. This means building security strategies that will automatically expand to new clouds and technology immediately, so that security isn’t left behind or suddenly blocking or slowing down a crucial business decision (M&A, next gen app development, experimentation, etc).
TNR-AW Q: Based on your experience and industry knowledge, what are you seeing enterprise businesses doing with technology that is a ‘waste of time?’
DC-BJ A: Enterprise companies can’t waste time trying to apply old and outdated approaches to security to the cloud, and then when that fails, make the decision that they need to bypass security in the name of speed of innovation. You can accelerate innovation without the loss of control if companies invest in the people, processes, and tooling that are built for the cloud era. Too often, companies believe they can’t have both, and make the decision simply to leave security behind. This leads to the drumbeat of breaches that we read about every day.
TNR-AW Q: What products or services are you most excited to share with the enterprise community at the ONUG Fall event?
DC-BJ A: We are excited to share DivvyCloud, the leading provider of cloud security. DivvyCloud protects cloud and container environments from misconfigurations, policy violations, threats, and IAM challenges. With automated, real-time remediation, DivvyCloud customers achieve continuous security and compliance and can fully realize the benefits of cloud and container technology. Freedom is good. Chaos is bad.
TNR-AW Q: What is the most important driver of change taking shape today?
DC-BJ A: The move to self-service access to software-defined infrastructure as a core ingredient to the ability for digitally savvy business units to experiment quickly and inexpensively. This leads to incredible gains in innovation, which translates to greater value delivered to the end customer, greater competitiveness, and ultimately greater profitability. However, enabling this paradigm shift requires a huge transformation of how companies implement IT security. We need to move away from “command and control” to a “trust but verify” approach that enables these business units and amplifies their efforts without introducing friction from security that will slow down or disrupt innovation.
TNR-AW Q: What are you looking to gain from participating in the ONUG Fall Conference?
DC-BJ A: We look forward to gaining peer-to-peer communication to learn more about how industry leaders are designing and building security for cloud and container services and share our views.