October 2021 - Cloud Computing | Cybersecurity

Cloud Native Security: Security from the Start

Sylvia Lösel from IT-Business Magazine interviews Sebastian Schäffer, Alice&Bob.Company, on Security as Code and getting security right from the start.


This interview was first published in German in IT-Business (ITB) and is re-published in English with kind permission.

A start-up from Berlin would like to prevent the security sector from experiencing what has already happened in Germany in the field of electromobility: being overtaken by fast, agile companies while traditional companies are still desperately trying to stay in their comfort zone. What needs to be changed in this regard? A lot...

Sebastian Schäffer likes to talk in pictures; he talks about tanks, the Tyrannosaurus Rex, speedboats and, of course, the Cool Kids on the Block. These pictures give us a glimpse of what he is on about: breaking up stagnant structures, implementing cool projects instead, and replacing the security industry’s reputation as the “Department of No” with a colorful coat of paint. He is the co-founder of the startup Alice & Bob.Company, which is a consulting organization for security projects in companies with DevOps teams. It is a Cloud-Native provider and partner of AWS. The Alice & Bob.Company was founded in August 2019 by Mario Apitz, who previously spent many years at Unbelievable Machine.

From rigid silo to a breathing object

“As a startup, it’s difficult to stake a claim in the area of security, because it’s such an arch-conservative topic. But with hard work we’ll get there,” he is absolutely convinced. “For a long time, the topic of security was not rethought. A traditional IT infrastructure can be thought of as a cube with six sides. Higher walls lead to more security. However, today, security is much more like a Rubik’s Cube – it must be agile. Today, we work in distributed cloud infrastructures with microservices. It’s a breathing object and it’s totally fragmented, so it has to be approached in a completely different way than it has been so far.”

“Everything used to be centrally regulated by IT. And because they often had to wait a long time when they needed support for projects, individual departments started to use their own credit card to make use of cloud services. They wanted to be able to do things like forecast commodity prices using machine learning.” This basically marks the start and great success of hyperscalers, and it plays into the hands of this startup, since the Alice & Bob.Company is a designated AWS partner. “The company’s motto is: Security as Code. Companies have DevOps teams – a merger, so to speak, of development and operations – which operate in eight phases in an infinity loop. And now by adding security, it becomes DevSecOps, and security is woven into the running process at every stage.”

IT-Business: How should this be imagined in practice?

Schäffer: Security Champion is the magic word for us. In a development team, one person must be made a Security Champion. It is this person’s job to implement Security as Code. For instance, when the team is finished with coding, there is a code review to see if any personal data is involved, if any passwords have not been hashed, etc. Only when everything is set is the go-ahead given for the next phase. Or we do continuous auditing. This means that every time a piece of software goes live, it is checked directly. Everything that is still a highly manual process here will be successively automated. The Security Champion is also responsible for this. As a result, this person does not work on building the application itself, but has the task to implement Security as Code in this pipeline.

ITB: And what role does Alice & Bob play in all of this?

Schäffer: At the start, we’re the Security Champion. We show people how it’s done, and do workshops with the team once a week. The workshops include completely different topics such as “threat modelling” or “pentesting”. Our goal is that customers will eventually be able to do it themselves. We don’t want to get stuck in one company for years.

ITB: So, you’re making yourself obsolete?

Schäffer (laughs): Well, first of all, there are a lot of customers and there is currently very little competition. Sure, that’s going to change. But there are still many new issues that we want to tackle in future. We are thinking here about our own products, which implement security supported by AI. I don’t want to make anyone dependent on us. I want companies to say: We would like to work with them!

Cool, innovative products

The times when budgets for security are only taken in hand after a successful attack should already be a thing of the past, according to Schäffer. It must be understood that everything has to be made secure from the outset, “especially when you’re migrating critical workloads or personal data to the cloud. I don’t want to sound conservative – but yes, it has to be designed securely”. In his eyes, everything is also moving towards automation, which is also important. “Because you can’t control this beast unless you automate more. You can still find developers, but it’s more difficult with the operating team. The customers want to develop cool, innovative products and they want to do it quickly, because they also want to earn money at some point. That’s why it’s a matter of keeping all those annoying tasks off people’s plates and automating everything possible.”

Who are Alice & Bob, anyway?

Alice and Bob first appeared in a 1978 paper on Digital Signatures and Public Key Cryptosystems by Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. Since then, the names have been used to describe two actors exchanging data in cryptography. Alice takes on the role of the person who sets up the communication. Bob takes on the role of the person who receives the communication. And then, there’s of course a nasty antagonist called Mallory, who tries to torpedo the communication. Cryptography comes into play to ensure that he fails.

Alice & Bob is therefore a fitting name for a startup that has made cloud native security its mission and considers encryption to be part of its DNA. Mallory automatically remains outside.

What’s the deal with the Tyrannosaurus Rex?

And that’s where the Berlin-based startup is currently going strong. The team has grown to sixteen employees within two years. In the cloud native security consulting segment on AWS, the company sees itself as a market pioneer. Schäffer considers only the Direkt Group a competitor, although they focus more on the pre-stage, advising customers on the way into the cloud and calming their fears. “When we arrive, the structures are already there and there are concrete plans, for example, to go to the cloud with the HR data to use machine learning to target the right candidates.” Another important topic is Privacy Shield, which has gained momentum since the issue of the new data protection agreement.

“There’s a picture of a girl whose T-shirt says ‘Freedom’, and she’s leading a Tyrannosaurus Rex on a leash with ‘Security’ emblazoned across its chest. What is it telling us? That it is always important to see that both remain in balance. That’s the only way they can walk together. Having an extremely high level of security eats away at the freedom. If it’s the other way around, then you are vulnerable. There is no absolute security, and there has never been.”

Schäffer’s enthusiasm for the subject is evident in his work. Speaking of his motivation, he adds: “My personal goal is accelerating digitalization within the industrial location of Germany and to show people: Security is not a brake, but an accelerator. I have so much fun with this because I think automation helps any company get cool products on the market quickly. We’re the Cool Kids on the Block. We can turn a sluggish tanker into a speedboat.” He’s very convincing.


Sylvia Lösel is the Editor-In-Chief of the German B2B magazine “IT-Business”, part of the Vogel Communications Group. She is always interested in trending topics in the ICT industry.


As Co-Founder of Alice&Bob.Company, Sebastian Schäffer is a Technology Evangelist who is either on stage at B2B events to sensitize potential leads or winning opportunities by pushing the "shift left" best practice.

Please note:
The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.