Introducing the Ermetic Advisory Board: Adrian Ludwig of Atlassian

We recently announced the formation of the Ermetic Advisory Board which includes a who’s who of CISOs and cloud security experts from the technology, media and communications sectors.

So who *are* these experts? Last week, we met Travis McPeak of Netflix. Next up is Adrian Ludwig, the CISO of Atlassian.

We recently spoke with Adrian and asked him for his predictions and insights on public cloud security...

What do you think are the biggest cloud security challenges/concerns for organizations?

The answer varies a lot from company to company. For many organizations, just understanding what they have in the cloud and where it’s moving is their biggest challenge, and we see that often with Atlassian’s customers.

But there’s a whole other class of companies that are building almost exclusively in the cloud, like Atlassian, and these companies need to understand how to make large scale applications more secure. (The first group will eventually get to this point as well.) They need to understand how an incident in one part of their environment will affect the other parts. This is different from the on-premise data center model where it’s common for everything to be interconnected, and one server or service can lead to a much bigger compromise.

One advantage of the cloud is that segmentation is a native capability, but companies need to leverage it, and they are only just starting to get their heads around how to do that. Not just at the network level, but up and down the stack - for example, microservices authentication and definition of roles with narrow entitlements.

In the cloud, it’s so easy to create infrastructure and secure it, and that’s an opportunity to do things right and include security as part of the process of deployment. But to take advantage of that opportunity, you need a security team that moves as quickly as DevOps and keeps up with the pace of change.

What are your predictions for Cloud and cyber security over the next year? Next five years?

Things are really crazy right now because of COVID19, and after this we will see a few years of recovery. I like to look five years out at macro-level changes. Over the next couple of years, people will begin to understand that anything that isn’t in the cloud is a liability. An investment in tools that are primarily designed for older, on-premise infrastructure is not going to be as important. Budgets and investments will shift to the cloud. That will be driven by the business benefits (e.g. scalability, reduced management expense), but security has a chance to get in front of it and be really helpful.

A lot of the tools we use now in securing our cloud infrastructure were built for on-prem, and we need to do a ton of work to make them relevant in the cloud. For example, network scanners rely on stable IP addresses that can be configured to work with cloud infrastructure that add and remove containers nearly every second to enable scalability, but it’s clearly challenging and not the environment those tools were designed to secure. We’re seeing more and more security companies that are only offering products for the cloud, because they understand that it’s all moving in that direction anyway.

What drew you to Ermetic?

It’s a strong team and they are tackling an important emerging opportunity in a very thoughtful way. I find it very interesting that most of the problems we’re facing in the on-prem world are related to managing the infrastructure - patching, keeping up to date, maintaining the workflows. The cloud gives us an opportunity to design an application-centric infrastructure architecture; something we could not do in the old data center.

Ermetic is a part of that trend. It helps you understand your environment, how services are related and how permissions are defined, so you can be proactive about designing them in a secure way. Traditionally, there is permission sprawl and not a lot of thought about how the infrastructure should be deployed. So my hope is that with Ermetic, companies will be able to get in front of that.

What do you do outside of work? What are your hobbies or interests?

I have two young boys, so family adventures (hiking, biking, scootering, climbing, skiing, etc.) keep me pretty busy, and I don’t tend to think of myself as having hobbies. Before the boys came along, I spent a lot of time participating in endurance sports -- I love spending hours, or even most of a day, running in the mountains, and have proudly completed several ultramarathons. In 2020, the abrupt stop of traveling for work and commuting into the office has given me a bit more time to spend outside, so I’ve started running again. Maybe next year, I’ll have gotten strong enough to run another ultra.

I’ve also picked up Olympic archery, which was something one of my boys got excited about earlier in the year. It turns out not to be as exciting as it looked in "Robin Hood," so I’m on my own now, but I have been shooting pretty much every day this year. On the days that I shoot well, it’s really calming, almost meditative. And on the days that it doesn’t go well, I stop early and get a little bit of extra time back. So, I probably won’t make it to the Olympics anytime soon.

What is your favorite inspirational or motivational quote?

“Always listen to yourself, Peekay. It is better to be wrong than simply to follow convention. If you are wrong, no matter, you have learned something and you grow stronger. If you are right, you have taken another step toward a fulfilling life.” -Bryce Courtenay, The Power of One