The Future Is Now: Josh Stella Of Fugue On How Their Technological Innovation Will Shake Up The Tech Scene

An Interview With Fotis Georgiadis

Fotis Georgiadis
Authority Magazine
Dec 5, 2021



As a part of our series about cutting-edge technological breakthroughs, I had the pleasure of interviewing Josh Stella.

Josh Stella, a cloud security authority, is on a mission to empower highly regulated companies to harness cloud security and gain the confidence and trust of customers, business leaders and regulators. Ahead of the curve, Josh advised national intelligence agencies in 2012 while at Amazon Web Services; founded Fugue, a cloud security company, in 2013; wrote the first book on Immutable Infrastructure in 2016; and holds numerous advanced technology patents that are liberating the security game so we can all reap the true benefits of the cloud without the risks.

To get ahead of the hackers, Josh hosts the Cloud Security Masterclass series that shows organizations how they can build security now — yes, today — into their cloud infrastructure. By running a single set of low-code, automated policy tools from the onset — yes, at the beginning of all development efforts — and then across the entire software development life cycle, engineering teams can run faster and safer — on Amazon Web Services (AWS), Microsoft Azure and Google Cloud — with 50% fewer resources. Companies can stop relying on costly, time-consuming manual processes and outdated perimeter defense tools. And when our favorite brands operate securely and can be trusted, we can all sleep well at night.

By day, Josh serves as CEO and CTO of Fugue, a cloud security SaaS company that secures millions of resources for many named Global 2000 brands and high-growth, cloud-first tech companies. The company stands by a unique Fugue Guarantee that gives enterprises a simplified, actionable cloud compliance report in 15 minutes and a guided path for getting into compliance fast.

Thank you so much for doing this with us! Can you tell us a story about what brought you to this specific career path?

I founded Fugue in 2013 to create technologies that enable enterprises to protect their cloud computing environments from malicious actors who are growing increasingly sophisticated and insidious in their methods and motivations. But cloud security wasn’t on my radar when I began my career as a 3D animation artist in the early 1990s.

I only became serious about learning how to program because I wanted to build the tools I needed for my animation projects, like shaders that enable an artist to change the way textures and lighting are displayed on the screen. I realized I was having more fun programming than creating 3D art and decided to make the career transition from artist to programming and software architecture.

I joined a marketing company to build things like multimedia CD-ROMs. When the internet first became available, and keep in mind, this was long before Netscape made the web easily accessible to everyone, I recognized it as the future of computing and started building some of the earliest websites. That led to designing web applications, and I joined USLaw.com — a web application — as its CTO in 1999. You can probably guess what happened next …

The dot-com bubble burst, and USLaw.com didn’t survive. But the experience was invaluable, and I used what I learned to lead the team formed by the National Cancer Institute (NCI) that built www.cancer.gov.

I began working in cybersecurity in 2004 when I served as a lead application architect for the Coast Guard and the U.S. Department of Homeland Security.

In 2012, I sharpened my focus on cloud security when I joined Amazon Web Services as a principal solutions architect working with U.S. national security intelligence customers. That really opened my eyes to the problems enterprises were having in securing their cloud environments, and I began building the Fugue technology and founded the company in 2013.

Can you share the most interesting story that happened to you since you began your career?

I had an epiphany while I was at AWS: Cloud computing represents the most significant and disruptive change to computing — including cybersecurity — since the first mainframe computers appeared in the 1960s.

Over the ensuing decades, enterprises integrated technologies like blade servers, virtualization, and high-speed networks that have enabled us to get more work done faster. But the original data center model didn’t change much. It’s a centralized location that houses all the IT systems our devices and networks are connected to, protected by outward-facing perimeter defense solutions like firewalls and intrusion prevention tools. Every data center is a snowflake with its own unique configuration and security issues that the security team must deal with manually — buying physical boxes and putting them in racks, installing security software solutions, building and maintaining backup systems, etc.

The cloud has upended that data center model because it is entirely driven by application programming interfaces (APIs), which are the software “middlemen” that allow different applications to “talk” to each other. The cloud obviates the need to build and maintain a fixed IT architecture in a data center. But it has also shown us that the traditional approach to cybersecurity — essentially building an outward-facing fence around the network perimeter — doesn’t work anymore.

I realized that we could use computer science and software engineering to leverage automation and abstractions to address the new security issues the cloud has created. Almost the entire problem set of cloud security is shifting over to programmers and developers — the folks who write the code. Therefore, we can use code to build secure and functioning systems. It’s a huge improvement over the old way.

Can you tell us about the cutting-edge technological breakthroughs that you are working on? How do you think that will help people?

Fugue brings cybersecurity into the cloud computing age. We focus on helping enterprises eliminate the number one cause of cloud-based data leaks and breaches: cloud misconfiguration.

It’s impossible to overstate just how different cloud infrastructure is from data center infrastructure. Because developers can build their own infrastructure instead of asking a data center team to provide it to them, they are making their own infrastructure decisions — including security-critical configurations — and then changing them constantly. Every change brings risk, so even if the infrastructure is secure today, that can change tomorrow — or even later today.

State of Cloud Security 2021 Report

We recently surveyed 300 cloud professionals for our State of Cloud Security 2021 Report, and the top-line takeaway is that as enterprise cloud adoption accelerates and the scale of cloud environments grows, engineering and security teams say that risks — and the costs of addressing them — are increasing. Although they continue to increase the time and resources they invest in cloud security, they still lack the visibility and automation they need to identify and remediate misconfigurations.

Half of the teams operating large, regulated cloud environments experience more than 50 misconfigurations per day. Our respondents reported that the primary causes of cloud misconfiguration are too many APIs and interfaces to govern (32%), a lack of controls and oversight (31%), a lack of policy awareness (27%), and negligence (23%). Twenty percent aren’t adequately monitoring their cloud environment for misconfiguration.

Just as worrisome, too many still rely on traditional security tools like intrusion detection tools and manual processes to try to address these vulnerabilities. Not only are these approaches ineffective, but they slow down the delivery of the cloud infrastructure that application teams need, and they soak up valuable engineering resources managing the sheer volume of cloud misconfiguration vulnerabilities that need to be reviewed, prioritized and remediated. As a result, security has become the rate-limiting factor for how fast cloud engineering teams can go.

The good news is that awareness of the challenges in cloud adoption has grown; the bad news is that the industry is way behind the hackers, who are using automation tools to quickly scan the entire internet, searching for cloud misconfigurations to exploit. In the race to find misconfigurations, the bad actors are relaxing in self-driving race cars while enterprise security teams are furiously pedaling bicycles.

Patented Cloud Security To Build Trust

Fugue empowers security teams to do more than monitor cloud systems for vulnerabilities. We provide them with the tools (Fugue IaC) they need to unify policy-based automation at every stage of the development life cycle — from initially building the systems (aka Infrastructure as Code) to deploying them throughout the enterprise (aka the runtime) — based on a single set of policies (aka Policy as Code).

Security teams can work as a unified team with cloud engineering and DevOps teams to embed security into all phases of software development to prevent these vulnerabilities before they ever reach the public without hurting developers’ productivity. The key is to prioritize security and embed policy automation upfront across the entire operation — and stop chasing security issues after deployment.

Gartner says 99% of cloud breaches are due to misconfigurations that our policy checks will catch. Because the cloud is essentially a big programmable computer, we can build the security policy engine to automatically determine correctness or misconfigurations at every stage of the development life cycle.

Fugue IaC leverages its patented Policy as Code tools to ensure cloud security across development and operations using 50% fewer engineering resources while speeding up infrastructure approvals and deployments from months to days. We are unique in guaranteeing that we only need 15 minutes to uncover all your cloud security vulnerabilities.

How do you think this might change the world?

We’re helping businesses and government agencies harden their cloud computing security postures to prevent suffering and devastating data breaches and ransomware attacks. And making cloud computing environments more secure isn’t just a business concern; it’s also a societal one as more of our personal data is captured.

The idea that there is no more privacy is ridiculous; we should have the expectation for privacy. We’ve seen how applying the power of algorithms to human communications to collect data can be used for nefarious purposes, including influencing our elections.

The cloud is the most secure computing platform humans have ever produced — if it’s done right. Now we need to build trust and confidence so customers, businesses and regulators can reap the benefits promised by the cloud to improve our lives.

Keeping “Black Mirror” in mind, can you see any potential drawbacks about this technology that people should think more deeply about?

At Fugue, we are rigorous about not accessing any customer information that we don’t need to do our job. We are intentionally not a vector for bad actors.

There’s a dystopian view that bad actors can use security products like Fugue to thwart law enforcement agencies and the CIA in their efforts to prevent cyberattacks or to uncover terrorist plots. My pushback is that today a lone actor working out of his basement can gain access to the same sophisticated hacking tools that a well-funded operation has. They don’t need additional personnel or resources to execute attacks.

Making cloud computing systems truly secure will transport most hackers back to the pre-internet days when malware was uploaded to computers manually via a disk or USB drive. That’s just not a feasible attack vector when an enterprise’s IT architecture is entirely in the cloud.

Was there a “tipping point” that led you to this breakthrough? Can you tell us that story?

The realization that the cloud is a giant programmable computer occurred to me one afternoon after reading some documentation and writing code right before I went to work at Amazon Web Services in 2012. Yes, the cloud is the most secure computing platform humans have ever produced. But if you build it incorrectly and leave misconfigurations open for exploitation by bad actors, the blast radius is awful.

I realized it’s critical to embed security in the entire software development life cycle. In other words, make security a concern when you are building infrastructure with automated tools; don’t wait until after the developers are ready to ship their completed projects. I began working on building the Fugue technology that day.

The key is gaining the ability to express security policy as running code. Code always produces the same result, so the ability to do policy as code — to make security policies as computer programs — is new, and it is due to the cloud and is the future of cloud security.

That was nearly 10 years ago, and unfortunately, the threat has grown exponentially. Consider the recent Twitch data breach. A hacker exploited a misconfigured cloud server and gained access to a trove of Twitch’s sensitive user data and application source code. And Twitch is an Amazon company using the Amazon cloud! That tells you how complex and difficult this problem is.

What do you need to lead this technology to widespread adoption?

Widespread adoption will be within reach when more people understand the new security paradigm presented by cloud computing. When enterprises migrate their IT architectures to the cloud, they tend to think of it like a remote data center and still try to defend it like a data center.

They don’t understand that the principal attack surface in the cloud is the API control plane, which doesn’t exist in the data center. But I see that realization beginning to gain traction this year … finally. We’re on the tail end of the early adopter phase — we’ve grown 3X year over year in each of the last three years, and today, we secure millions of cloud resources for large and small organizations. But there’s plenty of room to grow.

What have you been doing to publicize this idea? Have you been using any innovative marketing strategies?

There’s a lack of resources for people who want to learn, so our best marketing strategy is to educate — give it to people straight — without marketing fluff.

We regularly conduct Cloud Security Masterclasses that guide enterprises on how to deploy low-code, automated policy tools to run faster in the cloud with Amazon Web Services, Microsoft Azure and Google Cloud platforms without “breaking the rules.” We want people to understand that a secure cloud infrastructure allows their companies to focus on innovation while gaining the confidence and trust of business leaders, regulators and consumers.

Our primary audiences are experienced practitioners in cloud or computing security who are not interested in sitting through flashy presentations. They’re looking for practical, technical, specific, in-depth, thoughtful and useful content. The masterclasses, along with handbooks and the annual State of Cloud Security Report, have been successful in educating prospective and current customers on the issues and validating that Fugue knows what it’s doing.

A current list of complementary Cloud Security Masterclasses is available at www.fugue.co/masterclass.

None of us are able to achieve success without some help along the way. Is there a particular person who you are grateful toward who helped get you to where you are? Can you share a story about that?

My wife. I realize that may be cliché, but it’s true. I had worked as a DHS contractor for several years, then went to work full time at AWS, which provided a comfortable and stable living for my family. I felt like I owed it to my family to stay at AWS, but my wife insisted that I needed to launch Fugue. So, I took on the risks and a substantial pay cut to become an entrepreneur not only because I had her full support but also because I was under her orders to do so.

How have you used your success to bring goodness to the world?

We’re building the technologies enterprises need to secure their cloud. Just as importantly, we’re constantly working to raise awareness among organizations of all sizes across all industries about the dire security threats cloud misconfigurations present and how to mitigate them.

Earlier I referenced the book I wrote in 2016, “Immutable Infrastructure,” which explains how to abandon the data center mindset that prioritizes individual machine uptime and maintenance and embrace a more flexible approach using API-driven infrastructure as code. That’s a great starting point for anyone whether or not they’re an IT professional.

The resource library on the Fugue website offers a number of e-books, whitepapers, webinar recordings, and other educational content. For example, I recently led a webinar on the types of AWS misconfigurations that can result in an S3 data breach and walked attendees through a real-time simulation of various tactics bad actors use to exploit those misconfigurations to find and extract sensitive data.

I also regularly present at industry conferences and events. Earlier this month during both BrightTALK’s virtual conference on Modern Application Development and the Virginia Cyber Security Partnership annual meeting, I explained to attendees how they can identify dangerous and overly permissive IAM misconfigurations — and how hackers leverage these vulnerabilities to access your environment, discover resources, move laterally, and extract data without detection.

The primary objective of our education program — the Cloud Security Masterclass series, the presentations, webinars, e-books, etc. — is to show organizations how they can now build security into their cloud infrastructures from the start. The “how” isn’t “implement Fugue,” and we’re not only talking to cybersecurity, DevOps and engineering personnel. We want to raise awareness for all employees enterprise wide, including the C-suite and the board of directors. As Sun Tzu wrote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

What are your “5 Things I Wish Someone Told Me Before I Started” and why? (Please share a story or example for each.)

I have a hard time with this kind of question because I believe it’s the journey that makes the person. If a person who is just starting their career as a software engineer asks me for advice, I’ll tell them to do something that keeps them up at night because they love it, even if that something is not the technology sector.

I’m a pragmatist and understand that entering this industry is a practical decision because there are lots of well-paying jobs and opportunities to grow a successful career. Like any job, there’s lots of drudgery to deal with on a daily basis. But if your work excites you, you’ll have fun and gain immense satisfaction, even on the boring days.

You are a person of great influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I have two inspirations:

The first is that we advance the education of women worldwide. Whatever the issue or challenge the global community is facing — halting climate change, managing increasing population densities, reducing violence, ending wars, just to name a handful — the one common factor in achieving our shared goals is educating women.

The second is that everyone should try to be an artist in some way, somehow. Playing music, writing poetry, painting, even writing code as a form of self-expression. John Quincy Adams said, “I am a warrior, so that my son may be a merchant, so that his son may be a poet.” The world is made better when people pursue creative tasks just for the sake of it because that causes the mind to expand in ways that inspire people to do great work.

Can you please give us your favorite “Life Lesson Quote”? Can you share how that was relevant to you in your life?

There’s a scene in the movie “Lawrence of Arabia” when Peter O’Toole walks into a room with two British army officers, and one asks him to “do the trick.” O’Toole lights a match and doesn’t flinch when it burns out on his fingers. When one officer asks how he can ignore the pain, he replies, “The trick is not to care.” I think there is real wisdom in that. There’s plenty of discomfort and hassle in anything you’re doing — and overcoming obstacles is the only way you’ll actually find your way to doing something interesting to you.

When my Fugue colleagues and I look at a technical problem, we run at the hard parts because that’s where the value is — in conquering the things that are really challenging.

Some very well-known VCs read this column. If you had 60 seconds to make a pitch to a VC, what would you say? He or she might just see this if we tag them :-)

Cloud computing represents the most significant and disruptive change to computing since the adoption of the mainframe computer about 60 years ago. That’s not hyperbole or my opinion — it’s fact. Yet the impact that this transformation has had on security has gone largely unaddressed by business and security leaders, who are under enormous pressure from all sides — their boards, employees and customers — to accelerate digital transformation initiatives. In the rush to migrate IT systems to the cloud, they’re creating a new computing paradigm. But their approach to security remains stuck in the 1990s, as evidenced by the steady cadence of news headlines on the latest devastating data breaches.

We’re presenting you with the opportunity to level the cybersecurity battlefield. Fugue doesn’t offer the latest iteration on traditional security solutions; we’ve developed the first unified, proactive solution to cloud security for highly regulated and cloud-first businesses. We’re committed to helping enterprises secure their cloud computing environments and turn the tide in the decades-long battle against malicious actors. Fugue has been ahead of the hackers. With your help, businesses and government organizations worldwide can stop defending their cloud environments and instead take an offensive position to securing their enterprise and customer trust.

How can our readers follow you on social media?

Josh Stella LinkedIn: www.linkedin.com/in/josh-stella-949a9711

Josh Stella Twitter: https://twitter.com/joshstella

Fugue Website: www.fugue.co

Fugue LinkedIn: www.linkedin.com/company/fugue-inc-

Fugue Twitter: https://twitter.com/fugueHQ

Fugue Facebook: www.facebook.com/FugueHQ

Thank you so much for joining us. This was very inspirational.
