Introducing the Ermetic Advisory Board: Travis McPeak of Netflix
Travis McPeak shares his predictions and insights on public cloud security.
We recently announced the formation of the Ermetic Advisory Board, which includes a who’s who of CISOs and cloud security experts from the technology, media and communications sectors.
We recently spoke with Travis and asked him for his predictions and insights on public cloud security...
What do you think are the biggest cloud security challenges/concerns for organizations?
The biggest challenge that I see is scale. Many security problems are relatively easy to solve on an individual basis. For example, security engineers can pretty quickly evaluate a proposed change to an application and its cloud footprint. This becomes much harder when scope grows to hundreds or even thousands of applications, and the changes we care about happen continuously. Security evaluation at scale requires intelligent automation that accounts for organizational policies, risk tolerance and established best practices.
There is also a common disconnect between development teams that have the most context about cloud resources and the security team trying to secure those cloud resources. For example, the developer team may understand the purpose of a given cloud storage bucket but not how to configure it securely. The security team knows how to configure cloud storage securely, but doesn’t know which controls should apply to this bucket. To bridge the gap, security teams should make resources secure by default whenever possible and provide simple tools and guidance that enable developers to securely manage their own resources.
What are your predictions for cloud and cyber security over the next year? Next five years?
Over the next year I believe we will see a continued trend of companies with large security teams publicly releasing the tools and methodology they use to secure their environments. These releases will move the industry towards convergence on common standards that make misconfigurations less common. I predict that within five years, cloud and service providers will integrate these standards in the form of secure defaults and blanket policies.
I also predict that in five years, we will see more services that are managed by the provider, not the user, similar to Lambda. These services will have security properties baked in, making misconfigurations less common.
What do you do outside of work? What are your hobbies or interests?
So many! I love to cook food that impresses my wife and son. This year, I have been learning how to lift heavier weights and operate a mountain bike. I volunteer some time to help run the Bay Area OWASP chapter because our meetups make it easier for folks to get into the industry and for security experts to share ideas. I have been mentoring a few folks that are early in their careers, and that time is always rewarding. Advising startups is a passion for me because I can both share knowledge and learn at the same time.
What is your favorite inspirational or motivational quote?
Similar to compounding interest, continuous improvement yields exponential growth over time. Basketball coach Ken Carter said “If you improve 1% a day, then in 100 days, guess what? You’re 100% better.” This quote, and the general idea, motivate me to push myself a little bit each day.