CTO of Twistlock on Cloud-native Security - Argyle Executive Forum Events
John Morello
John Morello is the Chief Technology Officer at Twistlock. As CTO, John leads the work with strategic customers and partners and drives the product roadmap. Prior to Twistlock, John was the CISO of Albemarle, a Fortune 500 global chemical company. Before that, John spent 14 years at Microsoft in both Microsoft Consulting Services and product teams. He ran feature teams that shipped security technologies in Windows, Azure, and Office 365 and served as the Lead Architect of the hybrid cloud consulting team for the Americas. A self-proclaimed "public school guy," John is passionate about building out more modern curricula for cybersecurity. In May 2018, he established a Twistlock outpost at Louisiana State University’s Innovation Park to pay off this vision. John lives in Louisiana with his wife and two young sons. A passionate fisherman and scuba diver, he also serves as Chairman of the Coalition to Restore Coastal Louisiana. John’s security certifications include CISSP, MCSE: Security, CISM, and ISSAP.

John Morello, Chief Technology Officer at Twistlock, explained the advantages of cloud-native in enhancing organizational security.

At the outset of his thought leadership presentation at the 2019 CISO Leadership Forum: Security 3.0—Shifting to Automation, held in San Francisco on April 9, Morello stated, “I’m going to be talking about cloud-native security and how this modern infrastructure platform changes the way we think about risk and the way we adjust to risk. It also provides opportunities for us to do security in a more effective way than we’ve been able to do in the past.”

“There are two opposing forces that are colliding to create a point of change within the way organizations do security. The two forces are cloud-native and what I’ll refer to as the old world. In the old world, processes were much more manual and, in the new world, there’s much more automation,” he said.

“On the one hand, every organization—financial services, healthcare, government, etc.—is becoming a software organization and needs to invest in software as a competency and a source of competitive advantage. As a result, these organizations need modern tools. Among those modern tools are DevOps, containers, and cloud native. On the other hand, these modern tools have allowed the ‘democratization’ of sophisticated attacks, and security teams and SOCs are overloaded with protecting the current estate. Your own software is the softest target,” Morello observed.

“There are a few things about cloud native that make security more difficult than it used to be. It’s abstraction on top of abstraction, especially from a networking standpoint. Everything is ephemeral, and everything is constantly changing—there are many more entities to secure. Security is largely in the hands of the developer, and developers are more responsible and accountable. Also, security needs to be as portable as the applications,” he noted.

“However, cloud native gives us the opportunity to do security in a better and more efficient way than in the past. Containers and serverless are more declarative, have more predictable run time, and are more minimal in nature. This allows you to apply software to create a model of what’s normal and to be able to practically enforce that model at scale. It’s possible to apply machine learning to understand actual run-time behavior, and we can build models of what applications should do to detect and prevent and what they shouldn’t do,” said Morello.

“In addition to having options of how we can protect our applications, we also have more flexibility and choices in where we can run those applications. There’s a continuum of options for running your cloud-native infrastructure—virtual machines, containers, containers as a service, on-demand containers, and serverless. You can think of this continuum as a lever in which you have a fulcrum that you can put at a different point in that lever for a particular workload that balances the strengths and weaknesses of what that lever is able to do on either side. For example, virtual machines are good solutions for places where you need a strong degree of compatibility, control, configurability, and isolation. On the other extreme is serverless, which has a different set of strengths but also trade-offs relative to virtual machines. With serverless, you’re prioritizing agility to create applications, update applications, and scale them out without having to worry about the underlying infrastructure. If you’re using this continuum, you have the ability to have a more secure way to build that application and a more secure way to operate it over time, because you have a better opportunity for software to drive the way you create those security policies,” he explained.

“The reason this new approach is more secure is because it provides a better way to do application-layer defense than you’ve been able to do in the past. You’re able to build a comprehensive, multi-vector model of what the normal behavior of each one of those applications should be and compare, at run time, the actual behavior relative to what that referential model predicts,” said Morello.

Morello noted these characteristics of this new world of security:

• a security shift to the left—modeling is integrated into CI/CD

• policy is custom tailored for each application and each build

• security automatically scales with the environment
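The per-build, multi-vector reference model Morello describes (learn what a container image normally does, then compare runtime behavior against that model) can be sketched as follows. This is an added illustration, not Twistlock's code or any product's actual algorithm; the image digest, event tuples and addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed placeholder for one image build; a real pipeline would key the
# model on the image's content digest produced by the CI build.
IMAGE_BUILD = "sha256:PLACEHOLDER-build-42"

# Constructed events observed while the build ran in a learning window.
# Each tuple is (vector, observed value) across three vectors:
# processes started, outbound network destinations, filesystem write paths.
LEARN_EVENTS = [
    ("process", "nginx"), ("process", "nginx"), ("process", "sh"),
    ("net_out", "10.0.0.5:5432"), ("net_out", "10.0.0.5:5432"),
    ("fs_write", "/var/log/nginx"), ("fs_write", "/tmp"),
]

# Constructed events from the same build later in production.
RUNTIME_EVENTS = [
    ("process", "nginx"), ("process", "curl"),
    ("net_out", "10.0.0.5:5432"), ("net_out", "203.0.113.9:443"),
    ("fs_write", "/tmp"), ("fs_write", "/etc"),
]


def learn_model(events):
    """Build an exact-match allow-list per vector from the learning window.

    Because a container image is declarative and minimal, the set of things it
    legitimately does is small enough to enumerate; that is what makes this
    practical at scale, as the talk argues.
    """
    model = defaultdict(set)
    for vector, value in events:
        model[vector].add(value)
    return {vector: frozenset(values) for vector, values in model.items()}


def evaluate(model, events):
    """Return (vector, value) for each runtime event outside the learned model.

    A vector never seen during learning contributes an empty allow-list, so
    any activity on it is reported rather than silently accepted.
    """
    return [(vector, value) for vector, value in events
            if value not in model.get(vector, frozenset())]


# One model per image build, so policy is tailored to each build rather than
# shared across an environment.
MODELS = {IMAGE_BUILD: learn_model(LEARN_EVENTS)}


def check_build(image_build, events):
    """Evaluate runtime events for a build; unknown builds have no model."""
    if image_build not in MODELS:
        return [("no_model", image_build)]
    return evaluate(MODELS[image_build], events)
```

Running `check_build(IMAGE_BUILD, RUNTIME_EVENTS)` flags the unexpected process, destination and write path while the learned behavior passes without noise.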