DevOps Chat: A CISO’s Quest for Better Security, With Altitude Networks

Michael Coates is on a mission, a journey, an unassailable quest. You don’t come away from senior security leadership roles at Twitter and Mozilla without some real-world lessons of how to improve cybersecurity. Those lessons inspired our guest Michael Coates, former Twitter CISO, to co-found his new startup, Altitude Networks.

While we don’t yet know all the details about Altitude Networks, we know Coates is addressing the protection of data when using cloud collaboration software such as Google Drive, Box, Dropbox, Office 365 and other online collaboration services.

Coates shares with us the lessons he learned from security roles at Twitter and Mozilla and is applying at Altitude Networks. Security products need to be designed to solve problems and alleviate work, not make work. And security needs to enable end users to get their work done and not interrupt them with confusing popups, options and decisions most won’t understand.

Join us on this episode of DevOps Chat to get the latest on Coates and his new company, Altitude Networks. You also can sign up for Michael’s new newsletter at hubs.ly/H0jvMBN0.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.

Transcript

Mitch Ashley: Hi, everyone. This is Mitch Ashley with DevOps.com, and you’re listening to another DevOps Chat podcast. Today, I’m joined by Michael Coates, co-founder and CEO of Altitude Networks. Now, Michael is the former CSO of Twitter and also headed up Security Assurance at Mozilla, so we’re talking to somebody that knows his stuff. Our topic is a different way to think about security. Michael, welcome to DevOps Chat.

Michael Coates: Thanks, Mitch. Super excited to be here.

Ashley: Excited to have you on. Would you start out by just introducing yourself, tell us a little bit about you, and also about Altitude Networks?

Coates: Yeah, for sure. Yeah, I’ve been fortunate enough to be in the information security industry for the past 15 years or so, and through that time, held some pretty interesting roles from both hands-on practitioner, red team, also blue team for a Fortune 500 network. I started and cut my teeth actually hacking into banks and governments and enterprises.

Ashley: Mm-hmm.

Coates: And then, you know, in the last few years, led security programs at some pretty important companies, in my opinion.

Ashley: I would agree.

Coates: With a big user base, yeah, so between Twitter and Mozilla, you know, hundreds of millions of users at each of those, you know, outside of the day job had some interesting times in the OWASP community where I was on the board of directors and Chairman of that for several years.

Yeah, so, now I’m over at Altitude Networks, a Co-founder of the company, and really excited to be tackling a new space that kinda had us vexed when I was at Twitter and the same with my other CSO peer group on how to protect data when it moves into cloud applications, specifically SaaS applications, and those ones where your employees are sharing that data every which way. How do you wrap your head around how that’s all being shared to protect the right data with the right controls? So, really excited to be diving into that now.

Ashley: So, great topic. It’s one I’m actually really passionate about. Before we jump into that, though, I’m really curious, from an entrepreneurial perspective, what’s it like going from the transition of a very large company, CSO of Twitter, now you’re done with the small team, you’re Co-founder for Altitude Networks and you’re building product and getting ready to launch that at some point. What’s that transition been like? Because that’s a big shift.

Coates: Yeah, it is. I’ve had some interesting questions of, “Oh, is it so much more stressful now that you’re starting a company?” And I think to myself—well, it’s different stresses, that’s for sure. You have to think about everything, like whether or not payroll’s gonna get run, or you’re going to find a new vendor or you’re going to build a product or have customers—all of those things ultimately fall under you.

Ashley: Mm-hmm.

Coates: But at the same time, I also don’t worry so much like I used to before, like, if I turn on the news, will there be, like, a world changing event that is somehow stemmed from something I have to deal with at work? [Laughter]

Ashley: [Laughter] Mm-hmm.

Coates: And that’s kind of a nice weight off the chest, so to speak. But I would also be remiss if I didn’t mention how much I enjoyed my time at Twitter. It’s pretty amazing to work with an awesome team, and to work on a platform of that size. I mean, even from a technical perspective, there are other massive real time systems. There’s stock exchanges, there’s credit card networks. But those have pretty predictable data sets, and Twitter has such a variety of data, from tweets to pictures to images to retweets. That’s pretty cool to be working on something of that size and scale.

I really loved my time there, but the transition to, yeah, FounderWorld? Happy to have those lessons, happy to have managed teams and organizations and talk to the C suite. Those are all things that have helped dramatically as I start a company. So, different stress, but it’s all a great time.

Ashley: It is a different stress, and you find that things don’t get escalated past you. It’s sort of like, you can only have so much time, so many things to do, and that’s the life of an entrepreneur.

Coates: Mm-hmm. Definitely.

Ashley: Well, let’s dive into the topic, and I’m passionate about this, just to share a little bit of my experience around this topic is, when I got into security in the early 2000s, we’re making the shift from network security being a thing done by very few people in an organization if you had had someone who really understood it to, “Here, you’re a sys admin or a network admin, you’re now the security person”—how do they come up to speed? So, there’s a shift in who is doing security and we had to build products for them, not just for the pure experts.

Talk about what you see as today’s challenge. I know you talked about this on your AppSec talk last year. I’d love to hear your thoughts on what do we need to change and why.

Coates: Yeah. So, my talk last year at the last AppSec conference was around—largely around usability of security, and it’s been something that I’ve seen firsthand, both at Mozilla and Twitter, and from the platforms they are with their huge consumer user base but also working within the company and thinking about how to influence security across—you know, very modern companies where DevOps culture and continuous deployment and very almost empowered engineers is very common.

You know, one of the things that’s a big point for me is focusing on the basics of security, doing the right thing all the time everywhere. That really makes a huge difference in your security program, and the corollary of that for users is how we put a user through their user experience in a product and their security journey, so to speak. And, for far too long, we’ve over-rotated on the academic completeness of our security controls, and it makes sense, because when we started, security very much was, how do you make the protocol secure, you know, how do you make the encryption correct? And those things all do need to be academically up to snuff.

But then there’s this migration where a lot more security became user facing. We had different authentication paradigms, we had browser security settings, we have privacy settings. And now, all of these security actions and decisions are right in the face of the user. And where this all falls apart is, we think we’re giving users choice to decide how they want to proceed and visibility and transparency. But it’s really not a fair discussion, because users have no idea what we’re doing. [Laughter]

And so, you can start to think about mixed browser warnings, which is gone now, but you know, “there’s insecure content on this page, do you want to continue, do you want to display?” Like, what is a user supposed to do with that? Or it’s a certificate error message. The users have no idea. Like, they want to do what they wanna do.

Ashley: Right, right.

Coates: And so, this notion of giving them empowerment via information and choice was actually wrong. And so, we’re in this really interesting spot now where we say, how do we do the really hard thing, which is, make security by default without choice for users? How do we just give them what they want to do and do it securely?

And so, if we back up a little bit and think about where we’ve done this wrong, we can think of something like PGP. Academically—great, super secure.

And then I ask the question, like, how much security has it brought to the world, in terms of PGP for e-mail? Nobody sends e-mails encrypted with PGP.

Ashley: Very true.

Coates: Because it’s just too hard, it’s too confusing, it’s too cumbersome.

Ashley: Too hard to set up.

Coates: Yep, yep. And so, that’s where we get to the—we have to make the secure path, the easy path, the default path.

Ashley: Well, I’ve always said that end users think of security as what’s the most convenient thing for them—which is, of course, nothing if they didn’t have to do anything—but anything you present in front of them in terms of an obstacle to get to a secure point in the software they’re using or their activity online, they’re gonna do the minimum they need to do, because it’s not what they’re there for. It’s a hassle, it’s a barrier, it’s a distraction—plus, they don’t know about it. They’re not experts at it.

Coates: Yeah. And a lot of people, when they hear that statement think, “Ah, see? There it is. The user’s the problem. They don’t”—

Ashley: They need to be educated. Let’s educate them.

Coates: Yeah, they need to be educated or they don’t care. And that’s totally wrong, because we’re trying to combat natural human behavior, and that’s a losing battle.

Ashley: Mm-hmm.

Coates: The user wants to do something that makes sense to them. They want to buy something on a website, they want to see their e-mail. They don’t want to think about all these things that don’t make sense to them that are out of that normal path. And when we bring that into the real world, we can really make sense of this.

When you get in your car, you want to drive it to go somewhere. You don’t wanna flip a switch and turn on an air bag. You don’t want a question of, “Do you want to proceed? Your brakes are at 30 percent.” None of that stuff is there. The car works. You, of course, do maintenance, but all of the security and safety features of the car are there. The only thing you have to actually do is put on your seatbelt, unless you have one of those cool old school cars that do it for you. [Laughter]

Ashley: And we had to pass a law to get people to do that, so yes. [Laughter]

Coates: Yes, exactly. And so, you can see where the natural path of a human is to accomplish something and they have assumptions based on your brand of whatever they’re doing that the security and safety is built in, and that’s where we have to aspire to.

Ashley: Mm-hmm. I completely agree. There’s sort of this idea of—you know, simple is hard, right? Designing something simple in terms of a product or service is actually a very complex, a lot of thought goes into it to make it simple, and oftentimes, flexibility or configurability in software and services actually increases complexity greatly. I know that some of the customer interviews I’ve done on products, when you have more than one way of doing the same thing—and users assume there’s a reason why you have more than, there must be different, even though you know they do the same thing, you don’t know what they were gonna do, so you give them options. Well, that actually makes it a much tougher product to use.

Same thing in security, right? The steps they have to go to install it—I don’t wanna worry about it, I want whatever I’m using and whether it’s malware protection, that should all be configured for me. Don’t make me go through that.

Coates: Yeah, definitely. I think that point that you made there is, simple is hard. And that’s why most of our efforts in security haven’t taken that last leap, because they’ve spent considerable time even getting to the point where they are. And, to take it the next mile to make it simple is actually incredibly difficult.

Ashley: It is.

Coates: And you see that both in consumer facing where we just stop and say, “We’re not really sure what we should do for everyone, so we’ll give them a choice,” and then you also see it in the security, the vendor space, where the tool or solution has been designed. Like, while we accomplished what we technically wanted to accomplish, we can do X. It’s really hard to use. You have to have an expert that’s trained in it, you know, we’re gonna give you professional services, yadda yadda, because making it easier to use without all of that stuff is another very hard thing to do.

Ashley: Mm-hmm. Well, talk about this in the context of your new company, Altitude Networks. Now, you haven’t launched any products yet, but you’ve been fairly open about where you’re focusing. How are you applying—I’m assuming you’re applying this to the company that you’ve started. Tell us a little bit more about that.

Coates: Yeah, yeah. I mean, at a principles level, one of the things that I believe in is that solutions and products should alleviate work and make things better. And it shouldn’t sound like that controversial of a statement, but [Laughter]

Ashley: [Laughter] That radical, but sometimes it is.

Coates: Yeah, but looking back—exactly, looking back at what I mentioned about most security vendor solutions, they don’t actually reduce work. They give you another tool, but they require a bunch of security engineers to configure and babysit and maintain. And, right now, where there’s a shortage on talent, there’s an overload of work, there’s challenges of priorities—that’s not really a good deal. Like, I would be hesitant to buy new tools in my old role, because I couldn’t put my very talented engineers on it.

And so, that principle of, let’s bring a solution in that solves problems and alleviates work, is one of kinda the underlying currents of what we’re building. Now, what problem are we solving? That was influenced by problems that I faced at Twitter that, as I looked into them, were not Twitter specific. When companies move into cloud collaboration software like Google Drive or Box, Dropbox, Office 365, or any other of those SaaS collaboration softwares, they empower employees to share data within the company and with business partners—which is great.

Ashley: Mm-hmm.

Coates: When we get back to the human element that we’ve talked about before, the fact of the matter is, although the access controls of those documents all work fine—there’s nothing wrong with the way Google built them—humans make mistakes, and sometimes humans are malicious. And so, those same people that have good intent, they share documents with the wrong people. They share it with their personal account, maybe they share their financials with the world by mistake or an internal legal document with the whole company. All sorts of things go wrong on a regular basis, and I’m telling you that firsthand. [Laughter]

Ashley: Mm-hmm.

Coates: And so, the question is, in this new paradigm, this new deployment in the cloud, how do we wrap our head around that in a usable way? And so, that’s where we come in. We come in to hook into those environments and say, we’re going to do the hard work to analyze every single action, every single document, and then find that needle in the haystack and say this—“your employee just shared your board deck with their personal account. If they quit, if they’re compromised, they have that very juicy data.” Or, “Your earnings just got shared with the world a week before they were supposed to.” All of those things that require context between relationships, between file sensitivity and otherwise are impossible to do at human scale, we can do, of course, at computer scale.

Ashley: Mm-hmm. Now, the two examples that you gave that are the board deck, the earnings—you know, those also kind of tie into, like I say, regulatory or financial, very visible things. Are you focusing more in that area, or are you also focusing with, “Hey, Mitch just opened up his hard drive on Dropbox or whatever service to the world, he’s got it public and it shouldn’t be accessible,” or are you really working on the whole spectrum of that?

Coates: Yeah. It looks at the spectrum of risk that is introduced to data in these new environments, and the examples that I talk about are more business focused risk that we see happening regularly.

Ashley: That have money attached to it.

Coates: And our deployments, those are not—again, those are not made up examples. And the thing that you were mentioning, also, is just another problem that can happen of somebody making a large number of documents shareable to the whole world or something like that.

Ashley: Mm-hmm.

Coates: Similarly, I mean, even in that Uber/Waymo situation with Google, you know, an employee downloaded tens of thousands of documents and walked out the door. That’s a pretty hard thing when someone says, “How did you not see that?” Like—well, I mean, conceptually, sure, it makes sense, you should be able to see that. But in the massive amount of data that’s being transacted on a regular basis, you actually have to have your systems tuned to find the right things and alert in the right ways.

Just like Target, when they got breached, they had, quote, “best of breed” logging and alerting technology, but that doesn’t mean those things were built to actually find the real problems and separate the signal from the noise. And that’s what’s cool about what we’re doing—as a former practitioner, as a former CSO, we know the areas that we have to focus on to make the product actually usable to people, which is signal to noise, usability, elegance, simplicity, minimal hands-on, and all those things actually are quite hard, as we’ve been talking about. [Laughter]

Ashley: [Laughter] It sounds like an area that could be ripe for some AI machine learning applied to the problem, the domain that you’re tackling. Is that an area that you’re investing in or looking at now or something down the road, as opposed to a rules based, policy based, there’s lots of that stuff around, right?

Coates: Yeah. I mean, well, in the space in particular, I mean, one of the reasons I’ve been doing this is, there isn’t that around for this domain. [Laughter] But no, my co-founder, he came out of Capital One where he was doing machine learning to detect fraud on the payment platform.

Ashley: I noticed that, yes. [Laughter]

Coates: Yeah, and so, you can really see where our two worlds come together and how this direction makes a lot of sense. The thing I’ll say about machine learning and AI is—well, one, too many security vendors have really pooh-poohed those phrases by just throwing them around everywhere.

Ashley: Overuse, overhyped—everybody has it, right.

Coates: Yep, yeah. That’s a quote, and I think there’s a really good meme around, you know, you take the AI bag off and underneath it’s a bunch of if/else statements, so. [Laughter]

Ashley: [Laughter] It’s a case statement. Yeah, okay, got it.

Coates: Yeah, yeah. So, there’s a ton of value we can bring with intelligence, automation, and tuning. And there’s no reason we shouldn’t start with those things and get that immediate value for customers, because they don’t have it. They don’t have the visibility, they don’t have the connection, they don’t have the workflows. We can bring all of that just right out of the gate.

But what’s super cool is, when we do take that next step into ML or AI, there’s just a really next level set of stuff we can find to alert companies about protecting their data and their usage patterns, and that’s gonna be really cool.

Ashley: Well, one of the things people don’t talk about machine learning—for it to be effective, you have to have very large data sets, right? So, the more you get your product exposed, the more customers using, et cetera, or if there’s some third-party data set you could use, of course, that’s another option, so.

Coates: Mm-hmm, yeah.

Ashley: Usually, it’s something not out of the gate that’s gonna be necessarily effective unless you’ve got that large data set.

Coates: Yeah. That’s the worst. Like—hey, this product’s great, you know, just turn it on and then six months after training it’ll tell you something, like, “Oh!” No, no, no. You turn us on, we’ll give you the data and in about two hours, we’ll tell you where your problems are.

Ashley: Well, good. Well, you know, we’ve had a great conversation here. I wonder, are there any interesting things upcoming in your world that might be come see you at a talk or an event that’s happening, anything that we can connect with you again in the near future?

Coates: Yeah, I just launched my security newsletter, and this is gonna be a lot of fun, because there’s a ton of really interesting things that I’ve learned, you know, through my time at Twitter and Mozilla. And I’ve held mentor sessions with other security leaders that aspire to take the next steps in leadership and move into CSO roles, and even junior folks looking to break into the security field. And I found some of those themes start to repeat, and I get good feedback from the people I talked to.

So, I just launched this newsletter where I’m gonna start to share that information, again, with anyone that wants to sign up. And I hope to do another security mentor session later this year. I did one last year, I just let anyone in the whole world sign up to a bunch of different blocks I had set aside and, you know, over six months, I talked to, I don’t know, several dozen people from all over the world. It was a lot of fun, so I hope to do one of those again this year.

Ashley: And if I remember right, the newsletter you can sign up for on the Altitude Networks site, correct?

Coates: It is on there. We should probably make it a little more discoverable. I have it as a pinned tweet, so you can definitely find it that way from my Twitter, _mwc.

Ashley: Okay, great. I know somehow I came across it. Well, Michael, thank you so much. We’ve completed another great topic. I’m very interested in what you’re doing and love to hear, as things progress and move along in your product development and launching and love to have you back again.

Coates: Great. Thanks so much. Really enjoyed it.

Ashley: Well, you’ve listened to another DevOps Chat podcast. I’d like to thank my guest, Michael Coates, Co-founder and CEO of Altitude Networks, for joining us. Also, be sure to check out the link in the podcast description to sign up for Michael’s newsletter. I’d also like to thank you—you, our listeners—for joining us today. This is Mitch Ashley with DevOps.com, and you’ve listened to another DevOps Chat. Be careful out there.

Mitchell Ashley
