The Past, the Present, and the Future of Cloud With Andy Steingruebl of Pinterest
Description
Episode Summary
When someone says Pinterest, the first thing that comes to mind is a social platform and a place to seek inspiration. But for the people working behind the scenes, it's more than that.
In February 2021, Pinterest had 459 million active monthly users. That's a lot of data and traffic, and security measures must be put in place for an exceptional user experience. So how do they do it?
In this episode of Cloud Security Reinvented, our host Andy Ellis chats with Andy Steingruebl, the Chief Security Officer at Pinterest. The two discuss the difference between the on-premises era and the cloud era, and what differentiates Pinterest from companies like PayPal. They also touch upon the best and worst on-premises practices and the future of technology.
Guest-at-a-Glance
💡 Name: Andy Steingruebl
💡 What he does: Andy is the Chief Security Officer at Pinterest.
💡 Websites: Pinterest
💡 Noteworthy: Andy is an Information Security professional with more than 25 years of experience. He has extensive experience in most security management and architecture areas, including Policy, Compliance, Communication, Infrastructure, and Incident Response. He is an excellent communicator with the ability to communicate with all levels of the organization, customers, policymakers, and regulators. He has a track record of significantly contributing toward making the internet a safer, more secure place for users and companies.
💡 Where to find Andy: LinkedIn
Key Insights
⚡ Transitioning to the cloud was challenging. With all the cloud's benefits, it's hard to understand how we functioned without it. However, as Andy explains, even professionals in the security field had to adjust to it. ''Now, the big issue is trying to come up with policies for yourself on what stuff you need to have your arms tied around and what are the principles. How do you set the right security bar for an outsourced vendor who's going to have access to your stuff or provide some key business function? [...] We're long past, 'I'm not putting some of my really sensitive stuff in the cloud.' You use Workday, Google for mail, and so on.''
⚡ It's all about efficiency, but we must have the right people in the right positions. Technology today is all about making resources and tools accessible to as many people as possible to enable faster solution development or problem-solving. But is this a good thing? ''The blessing and the curse of the cloud is that because you can deploy so many resources to a problem, sometimes you don't get as focused on how much it is costing you, or if this is the best way to use the technology? [...] So a really interesting perspective is how we've pushed around some of the work. The work doesn't go away; it either doesn't get done, or people who aren't specialized at it are doing it. The same can happen with security, where you let everybody be responsible for certain rules instead of letting a few people try to set a definitive posture like that firewall. I'm not suggesting it's the exact right model, but having some things you can have certainty around is nice, and we've moved away from that. And it's hard to function in that world.''
⚡ Focus more on people. A piece of advice Andy gives to his young colleagues is to develop healthy relationships with teammates. Yes, everyone will focus on growing professionally, but sometimes it is more challenging to develop high-quality social skills than technical ones. ''As you try to move upwards in your career, it's not just the technical stuff because pretty soon you will outgrow the problems you can solve all by yourself. And once you outgrow problems you can solve by yourself, you need to collaborate with others and how well you can do that is important.''
Episode Highlights
How Has Our Perspective of Security Changed in the Cloud Era?
''I was an on-prem guy, and I remember doing vulnerability management. We would buy some bit of vuln scanning stuff to put inside our environment because one, the network access required was pretty scary, and two, vulnerabilities are really serious. So who wants other people to know about your vulnerabilities?
So, Qualys comes out with a product. They say, 'We're going to do this vuln scanning thing, but from the cloud, and you put it up on our website.' And I remember being freaked out about that. Like, 'Oh my gosh. You're crazy. I'm not going to do that.'
[But in the] new world where you don't have to do it yourself, and in most cases, you probably don't want to. And in many cases, we tell people, 'Don't do it yourself. Don't run your mail system. Pay somebody else to do that. It's too big a pain in the butt with too many risks. That's sensitive stuff, but don't keep that in house. You're not going to do it as well as you can pay somebody else like Google or Microsoft to do it for you.'''
Companies Differ by Traffic Volume Online
''It's a little bit industry-specific; you deal with lots of traffic [...] It was a big adjustment when I got to PayPal to realize. If you've been working at a lot of businesses that aren't internet-scale businesses, you don't understand traffic volumes and the torture testing that you put systems through. [...] It's the traffic volume difference between a business with a browser, an interaction component, and just a transaction piece.''
What Does the Future Hold for Technology?
''In the pure security space, I think unification. Trying to unify things into simpler policies that we can have; we can go back to having a declarative security policy. [...] I'm a big fan of protocols and declarative security policies, not the things that are enforced by code, but things that you can look at in a policy and reason about. [...]
And the other one is that slowly but surely we're moving to managed code and programming languages that make it harder to make mistakes or at least some of the security mistakes of the past. So, like that, that's going to be a pretty foundational change as well. I think at least in the security of taking the burden off lots of folks and eliminating a whole bunch of attacks.''
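As an added illustration of the declarative-policy point in the quote above (this is example code written for this page, not code from the episode, from Pinterest, or from Orca Security; the rule set, network ranges and ports are constructed for the example): the same access intent is expressed once as data that can be both enforced and queried, and once as an ordinary function that can only be enforced.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy (not from the episode): an ordered list of rules,
# first match wins, with an explicit deny-all at the end. Because the policy
# is data, it can be evaluated AND inspected, which is the property the
# quote above values over checks buried in code.
POLICY = [
    {"name": "allow-office-to-web", "action": "allow", "src": "10.0.0.0/8", "dst_port": 443},
    {"name": "allow-lab-to-web", "action": "allow", "src": "10.1.0.0/16", "dst_port": 443},
    {"name": "allow-bastion-ssh", "action": "allow", "src": "10.0.5.0/24", "dst_port": 22},
    {"name": "deny-all", "action": "deny", "src": "0.0.0.0/0", "dst_port": None},
]


def _port_covers(rule_port, port):
    """A rule port of None means 'any port'."""
    return rule_port is None or rule_port == port


def matches(rule, src, port):
    """Does this rule apply to a connection from src to dst_port?"""
    return ip_address(src) in ip_network(rule["src"]) and _port_covers(rule["dst_port"], port)


def evaluate(policy, src, port):
    """Enforcement: return (action, rule_name) of the first matching rule."""
    for rule in policy:
        if matches(rule, src, port):
            return rule["action"], rule["name"]
    return "deny", "implicit-default"


def sources_allowed_to(policy, port):
    """Reasoning: which source ranges does the policy permit to reach this port?"""
    return [r["src"] for r in policy
            if r["action"] == "allow" and _port_covers(r["dst_port"], port)]


def shadowed_rules(policy):
    """Reasoning: rules that can never fire because an earlier rule already
    covers every connection they would match. Returns (shadowed, shadowing) pairs."""
    found = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            port_covered = earlier["dst_port"] is None or earlier["dst_port"] == later["dst_port"]
            if port_covered and ip_network(later["src"]).subnet_of(ip_network(earlier["src"])):
                found.append((later["name"], earlier["name"]))
                break
    return found


def legacy_check(src, port):
    """The same intent written as code. It enforces correctly, but nothing can
    ask it 'what does this allow?' or 'is any branch dead?' without reading
    the source, which is the contrast the quote draws."""
    if ip_address(src) in ip_network("10.0.0.0/8") and port == 443:
        return True
    if ip_address(src) in ip_network("10.0.5.0/24") and port == 22:
        return True
    return False


if __name__ == "__main__":
    print(evaluate(POLICY, "10.1.2.3", 443))      # ('allow', 'allow-office-to-web')
    print(sources_allowed_to(POLICY, 443))        # ['10.0.0.0/8', '10.1.0.0/16']
    print(shadowed_rules(POLICY))                 # [('allow-lab-to-web', 'allow-office-to-web')]
```

The `shadowed_rules` query is the kind of check that is only possible when policy is data: the constructed `allow-lab-to-web` rule is dead because the broader office rule above it already matches everything it would, and a reviewer can find that mechanically rather than by reading every branch of `legacy_check`.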
This podcast is hosted by Orca Security