Christopher Turco, StackPath: “companies often overestimate their employees’ security consciousness”
Many employees might not be aware of how hackers deploy phishing to obtain access to sensitive workplace data or one’s personal information.
Unfortunately, employees are frequently clueless about the number of security risks that the organization faces and might overestimate its preparedness to deal with cybersecurity threats.
Even though technology cannot solve all the possible security problems, solutions like edge computing can minimize or prevent cyber threats, safeguarding your company's data.
Christopher (Kip) Turco, the CEO at StackPath – a leading platform of edge computing, edge delivery, and edge security solutions shared about what it’s like to be transforming cloud computing at the edge of the Internet and what it takes to overcome the obstacles along the way.
How did StackPath originate? What has your journey been like?
In 2015, StackPath was founded with a focus on making the Internet safer. We came out of stealth in 2016 with our platform and its first product, a secure content delivery network (CDN). It was built on technologies integrated through our acquisitions of MaxCDN, a frictionless CDN service focused on SMB, Fireblade, an enterprise-grade Web Application Firewall (WAF), Staminus, a DDoS attack protection solution, and Cloak, an exceptional consumer-oriented VPN solution. Shortly, we brought Highwinds to the family, an enterprise-focused CDN provider, and Server Density, an innovative monitoring service.
As we integrated these technologies into a single platform, we realized that our approach naturally aligned with the evolution of the cloud industry and the emerging needs for edge computing. We were building a cloud computing platform at the edge of the Internet. So instead of using it only for our services, we opened it up to customers and partners so they can use our platform to build their edge.
Can you introduce us to your edge platform? What are its key features?
Our goal is to simplify how enterprises and developers leverage our distributed edge to build and deploy high-performance applications and reach their global audience with comprehensive security.
The next wave of applications like nextgen gaming, the Metaverse, smart buildings, smart cities, and autonomous vehicles will require a super-fast response to events, and that is what we’re building. Our platform provides high-performance, highly reliable, and secure infrastructure closer to end-users.
We utilize best-in-class servers, as well as storage technologies, and interconnect them with high-speed networking to bring the fastest performance available in the industry. But not only is our platform fast, it’s secure and easy to use. With it, developers can:
- Use any programming language to write their apps.
- Package apps as virtual machines, containers, or serverless scripts.
- License the compute instance with the right amount of CPU cores, memory, and storage to address their application needs.
- Define simple rules to auto-scale their apps to meet unpredictable demand.
- Enable their apps to connect and collaborate with other apps, no matter their location.
- Protect their apps with powerful access control policies.
- Gain visibility to how their apps are performing and take any necessary corrective actions.
- Enable their apps to reach a global audience by connecting it to our edge delivery services like CDN.
- Protect their applications from L4-L7 DDOS attacks and bots by connecting their application to our edge security services like WAAP.
What are the most common challenges that come up when securing the edge?
There are many benefits of the edge, one being it’s generally more complex to bring down a distributed application than to bring down a centralized application. While there are inherent performance, security, and resiliency benefits at the edge, the challenges to securing distributed applications remain. For example, lifecycle management is complex. Developers should use closed-loop automation and CI-CD processes to automate building testing, deployment of applications and their policies, and utilize shift left testing to find and address issues early.
Distributed state management and data coherence in distributed applications are also complex. Developers should use strong data encryption and data authorization technologies when propagating states and data between their applications.
Additionally, apps have north-south traffic (traffic between end-users and applications) and east-west traffic (traffic between collaborating components of a large application). Developers should make sure both east-west and north-south interfaces are encrypted, protected, and secured.
Once an application is deployed, it can be subject to L3-L7 DDOS attacks. Developers should use proper security mechanisms like ZTNA, IDP, WAF, WAAP, and L3-L4 DDOS protection. They should automate deployment, and configuration of these security services, automate proper conformance and compliance testing and use tools to constantly monitor for anomalous behaviors.
It’s tough to manually configure and manage each instance of an application or application component. It’s highly preferred to leverage a service that has a single pane of glass, centralized management, and an API server that can dynamically distribute and secure distributed application instances.
How did the recent global events affect your field of work? Have you noticed any new security issues arise as a result?
The pandemic has changed the world forever. There’s an increased use of remote consumption of many latency-sensitive workloads and real-time applications, which has accelerated the migration of many workloads to the edge. More families now have high-speed Internet and it’s inefficient to backhaul traffic to a centralized public cloud, and better to secure it at the edge. In addition, more employees around the world are working from home on personally owned devices and the edge is an ideal place to apply security services.
5G deployments and adoption have also increased the number of devices and users with access to high-speed Internet and private networks. Having more people and more devices increases the opportunity for attacks and, unfortunately, many of these devices aren’t designed to be secure which exposes a source for cyberattacks, particularly when software applications have insecure public interfaces and when companies aren’t constantly monitoring exploits. Recent events in Ukraine have increased concerns about cyberattacks. It’s a race between good and bad actors and an area where tools and innovations are needed.
These recent events highlight how demand for performance and security can best be met by distributing apps and security mechanisms closer to end-users. It’s inefficient to do everything in centralized public clouds. That’s why companies should consider building distributed architecture for their applications and deploying applications on secure edge clouds. They should also rethink their security strategies and utilize edge security to protect these distributed applications and use CI/CD pipelines for lifecycle management of their applications and configurations.
Why do you think sometimes companies are unaware of the risks hiding in their own networks?
There are many reasons why companies are unaware of the risks already inside their networks. Here are a few:
Companies often overestimate their employees’ security consciousness. Also, they underestimate the odds of an employee security breach. A company’s insider has better access and, whether intentional or through human error, it’s easy for them to put the company at risk.
Securing IT infrastructure and apps require investment. Not only is it costly, but it’s highly complex to secure data, applications, and IT infrastructure. There are many vectors of attack and many different tools and techniques to protect against them. It’s very complex and requires highly skilled security professionals.
The cost of a security breach is high. It includes lost revenue, reputation damage, and damages to the employees, customers, and partners. Companies need continuous protection and quick response times. They need proper tools to classify, secure, and implement proper data loss protection. These tools are constantly evolving because the vectors and mechanisms change constantly requiring enterprises to use automation to keep these tools current.
Many companies have chosen cloud solutions as a way to enhance security. Are there any details that might be overlooked when making the switch?
It is hard to find qualified security professionals and secure applications. The infrastructure itself is complex because it’s constantly shifting. As mentioned, companies and IT departments may not have enough resources or budgets to take on security – particularly when their applications leverage modern cloud-native architectures and get deployed in public clouds. Many companies have chosen cloud solutions to enhance security and, in most cases, work with a single cloud provider or a managed services provider to manage security and keep it current. This is a necessary step in the right direction for most enterprises.
One thing that companies should keep in mind when making the switch is the benefit of a multi-vendor approach and a distributed architecture. Yes, that requires setting and enforcing security standards with more than one provider, but having more than one vendor for a service provides longer-term stability and business continuity. In this case, you’re not shut down completely if that platform fails. And with a distributed application, you can have different services running in different places, on different platforms.
Our recommendation to enterprises is to make sure that their data and applications aren’t dependent on a single provider’s security and to use the right security mechanisms at the right place including edge security as part of their overall security posture. Another recommendation is to partner with managed services providers to leverage multi-cloud and edge-cloud solutions.
In your opinion, what does the growing popularity of cloud solutions mean for threat actors? Will it be more challenging to carry out cyberattacks?
Companies find it tough to hire and train qualified security professionals. Technologies, tools, and processes are also complex. Cloud companies are better positioned to invest, innovate, and implement state-of-the-art security solutions. They are better positioned to partner with other security companies to provide comprehensive security solutions to enterprises.
Having said that, bad actors will continue to find new ways to attack as we continue to innovate and build defenses. It’s a cat and mouse game. It just means that the industry should continue to innovate and bring in new technologies, solutions, and processes faster than the bad actors do. The focus, knowledge, and resources of cloud providers will certainly help the good actors defend better.
With so many connected devices these days, what cybersecurity measures do you think are essential for everyone to keep their devices safe?
I think it’s essential for users and businesses to take responsibility for security at the device and application level, not just at the network level. Here’s some advice:
- Avoid applications that don’t provide multi-factor authentication.
- Use VPNs and firewalls even on home networks.
- Innovate and evolve the applications to ensure that they’re protecting data from origin to destination.
- Use multiple clouds and avoid depending on one provider.
- Leverage edge clouds and distributed microservices-based architecture to minimize the blast radius of a security breach.
- Use the latest security technologies, tools, and cloud security services.
- Hire the best security professionals to secure your key assets.
- Partner with managed services providers that have the necessary resources, knowledge, and focus.
Would you like to share what’s next for StackPath?
Even though the future is unknown, I can share that StackPath continues to innovate. We’re a good-sized company, but we’ve always kept that startup mentality. We have groups of engineering operations and technical folks who are focused on continuous innovation. They try to keep us ahead – whether it’s from an advanced networking perspective, a security perspective, or just a processing or computing perspective. Innovation is core to the culture and DNA here in StackPath and, as we set out to do six years ago, we’re still doing whatever we can to make the Internet safer and build a secure edge cloud to enable safe distributed applications.