The Birth of CHAaSM
I can vividly remember my first job in IT 20 years ago: managing over 30 different platforms to support a Government mapping application. Countless days were lost waiting to restore backups from VERY slow tapes and hoping that our myriad of development servers would last another day without major issues. Scripting became an art form and cron jobs became a crutch, while all of my time was consumed with making the day-to-day burden of management less painful.
No one ever spoke of idempotence. No one worried about large-scale, multi-pronged attacks. Systems remained on the same platform and version for years, so security was quite static…
Ten years later, I found myself building large cloud infrastructures. By that time, the explosion of connectivity had created a climate of danger and concern, yet the old habits prevailed. I was still hacking software to do what it should have done to begin with, and every update to that software meant constant code management to keep it at production standards. Time and time again, customers would ask, “why isn’t the product built this way?”
Over the next five years, I would come to find out why. While there are a multitude of reasons, they all tell the same story: security is never the top priority in software development. It is seen as too cost-prohibitive (security is treated as a cost center, not a profit center, in the development of infrastructure platforms), and it is too difficult to find the right talent on a shoestring budget that is under continuous scrutiny for reduction (because the skillset is so scarce in the market). Development teams consume huge numbers of software dependencies to build a final solution, but few if any of them have real knowledge of those components, least of all the software vendor selling general availability (GA) products. The datacenter as we know it has the most porous foundation of any technology used in the world. Yet we choose to blindly accept those risks, seek indemnification so we can litigate rather than forcing software providers to solve the problem, accept a “security through obscurity” mentality in a world where you cannot know your threats unless you can see the code you consume, and grant dangerous levels of access to the vast majority of people, who are not qualified to protect or defend the sprawl of deployed code.
After retiring in 2018, I decided to walk away from the industry for a year to reflect on the past and gain a better perspective on my next chapter. In that year there has been exponential growth in software production (110+ billion lines of code), three of the largest breaches in the history of IT, and a rise to 63% in the share of security breaches caused by the insider threat. Something had to be done about the massive expansion of software code, the lack of expertise, the lack of prioritization of security, and the threat of the wrong privileges in the wrong hands. Just like every other industrial revolution, there comes a point where the problems can no longer be scaled with human assets alone and AI automation is required.
…so CHAaSM was born.