By Ericka Chickowski 1

This week cloud security upstart Soha Systems snagged a key new hire in Mark Carrizosa, formerly a security architect at Walmart (WMT), to lead as vice president of security.

Backed by the likes of venture heavyweights like Andreessen-Horowitz and Menlo, Soha is hoping to reshape the way enterprise application access is granted in cloud environments.

“Soha is a multi-tenant cloud service that functionally replaces the corporate LAN and WAN and provides access to an enterprise application that has been implemented in the cloud rather than in the private enterprise’s datacenter,” explained Peter Christy and Adrian Sanabria, analysts with 451 Research, in a recent brief. “The Soha service enables an enterprise customer to provide employee- or partner-authorized access to an internal company-facing, not Internet-facing, application that has been set up on a public cloud service.”

According to Soha, Carrizosa will not only help secure Soha as a business, but also act as a voice of the customer out in the field, given his experience as an enterprise security practitioner. Talkin’ Cloud caught up with him to discuss his role, the company and why approaches like Soha should have partners take note.

Talkin’ Cloud: Can you tell me a little bit about your previous role and what attracted you to Soha?

Mark Carrizosa : Most recently I was a principle architect at Walmart e-commerce, and I was responsible for the security architecture and the security development of the entire ecommerce platform across the globe. It was at Walmart where I was first introduced to Soha almost a year ago. And I realized that their solution addressed many of the challenges that I was currently facing exposing internal applications to my BYOD users.

However, as Walmart shifted to begin to start adopting cloud utilization and even potentially including some sensitive applications and datasets it was clear that Soha would be able to effectively allow Walmart to burst into these cloud environments without assuming the majority of the risks involved with exposing an application to the internet.

I took that to heart and started to have more and more conversations and I started to realize that this is the very beginning of a revolution. 

Previously — sometime ago, during the wave of migration from physical to virtual there was a big push to replicate security controls one-to-one. And as we’ve now come to find out you cannot simply just convert physical machines to virtual and still maintain the same controls

You have to deal with high-profile security, virtual networking — those types of things — segregation of duties — and it required a paradigm shift in the way security is accomplished. Today, as we start moving to the new frontier of on-premises versus cloud organizations need to also adopt a new methodology for securing applications or environments that, one, they don’t have any control over, and two, have little visibility to the interworkings of what’s going on.

Soha allows for organizations to maintain that sense of governance and visibility while still eliminating many of those risks for exposing an application on the internet.  And that’s one of the main things that drove me to Soha here is I want to be part of that, I want to be involved in that transformation, and so I was very primed to play a very big part in that revolution, so to speak.

TC: What would you say are the top challenges that security architects face when it comes to shifting to the cloud and not having that one-to-one migration between what on-premises and the cloud?

MC: I would say the top one is lack of visibility. And I’m not saying that these cloud environments don’t offer some type of visibility but it is nothing compared to having something within your four walls. That visibility is paramount in troubleshooting, in incident response, in overall effectiveness of the application or the environment.

Some of the challenges that I faced while at these companies were exposing these applications to users all over the world. They could be internal users, they could be third-party contractors, they could even be vendors. I’m pretty sure a third-party vendor access is a big topic these days.

So there are a lot of use-cases here but effectively what Soha accomplishes here is allowing these applications — these environments — to make use of all the benefits of cloud and internet exposure, but essentially making these public footprint disappear. That is key here in that if we’re talking about risk mitigation — particularly when we’re dealing with regulatory compliance — many of these challenges are based or predicated on the fact that your application is on the internet which is essentially the Wild West. What if organizations could still take advantage of all of that but not have an internet footprint? 

That’s the heart of what Soha does here is it essentially air-gaps your applications or your environment and takes advantage of all the benefits with very minimal risk.

TC: From the managed service and channel partner perspective, where does something like Soha’s offerings fit? 

MC: Over the last six months to a year, you’re starting to see everything tagged with “-as-a-service.” Platform as a service, infrastructure as a service — you name it. 

For security there has been a bit of a lag in that security has always been a very hard point to deal with because the security landscape changes on a daily basis and it’s difficult to maintain that level of reliability so everything becomes a point-in-time type visibility perspective.

To effectively work within the construct of these –as-a-service models, security must also become as-a-service.  And that’s where Soha comes into play is we offer this security service model that allows organizations to take use of all of these controls at a fraction of the cost, at a fraction of the implementation time.

These channel partners — these managed service organizations should be pushing the expediency in which security can be accomplished and the effectiveness throughout the application stack, as opposed to being, like I said, stage gates and validation points that could possibly hinder delivery

So from a selling perspective this really needs to be touted as a security service model that can assist organizations who have burst into these environments with the proper control needed.

And that’s really what’s needed as the transformation of IT moves from commodity infrastructure to focus on application and delivery.