Cloud Security Podcast

Topics covered:

• Google’s use of Google Cloud is a massive cloud environment with wildly diverse use cases. Could you share, for our listeners, a few examples of the different kinds of things we’re running in GCP?
• Given that we’re doing these wildly different things in GCP, how do we think about scaling the right security guardrails to the right places in our GCP org?
• How do you work with application engineering teams and project owner teams to make sure the right controls are there but not getting in the way of business? 
• How do we scale this exemption management process? Are there things we do here that don’t make sense at a smaller scale? Are there emergent challenges that only we would face?
• How do you correctly federate security responsibilities between the central team defining policy and the constituent user teams actually using the platform?
• Burnout is a perennial challenge for security teams – what are you doing to keep your people happy and engaged?

Topics covered:

• We had zero trust episodes before and definitions vary! When we say zero trust, what do we mean?  
  • What about zero trust for workloads in production? When you say “workload,” what do you mean?
• What is BeyondProd, for those that are unfamiliar with it? And how is this different from BeyondCorp? 
• How has BeyondProd actually been implemented at Google?  
• What threats does it help with? Is this real threats or compliance?
• Why is now a good time to be thinking about zero trust for production systems? 
• Companies have many security tools deployed, including microsegmentation and firewalls, how does this toolset fit? Does it replace anything they have deployed?

Topics covered:

• We are here to talk about cloud migrations and we are here to talk about failures. What are your favorites?
• What are your favorite cloud security process failures? 
• What are your favorite cloud security technical failures? 
  • What are your favorite cloud security container and k8s failures?
• Is "lift and shift" always wrong from the security point of view? 
  • Can it at least work as step 1 for a full cloud transformation?

Topics covered:

• "So we're talking about your journey as a CISO migrating to Cloud. Could you give us the 30 second overview of 
  • What triggered your organization's migration to the cloud?
  • When did you and the security organization get brought in?
  • How did you plan your security  organization's journey to the cloud?
• Did you take going to cloud as an opportunity to change things beyond the tools you were using? 
• As you got going into the cloud, what was the hardest part for your organization?
• If that was hardest, what was most surprising? Good surprise and bad surprise?
• Let’s shift to some tactical gears:
  • How did you design security controls for the cloud?
  • Did your data security practice change?
  • Did your detection  / response practice change?
• How has the CISO role evolved and is evolving due to the cloud?
• Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be?

Topics covered:

• Could we start with a story of a cloud incident response (IR) failure and where things went wrong? 
• What should that team have done to get it right? 
• Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud?
• What 3 things an IR team leader needs to do to prepare his team for IR in the cloud?
• Are there on-premise tools that can stay on prem and not join us in the cloud?
• What processes should we leave behind? Keep with us?
• What logs and context should we prepare for cloud IR?  What access should we have behind “break glass”?
• While doing IR, what things should we look at in the cloud logs (which logs, also?) to expedite the investigation?

Topics covered:

• One of the biggest shifts we’ve noticed is the shift from building security because we think security is good, to building security as a business. How did you make that cultural shift happen in our organization? 
• With organizations migrating to cloud we have a set of tradeoffs between meeting security teams where they are with on-prem expectations of security vs cloud-native approaches. How do you think about investing in next generation products vs holding the hands of CISOs just stepping into the cloud?
• What matters more to you as a leader, secure cloud (GCP, Workspace) or security products (Chronicle SecOps, BCE, SCC, etc)?
• Is invisible security the same as “building security in”? Aren’t there security controls where the value is derived from them being visible to users?
• Mandiant brings services expertise to Google Cloud, typically not our strong area and not our DNA, how do we plan to make the most of Mandiant within Google’s culture?

Topics covered:

1. You were at Google for a long time, and at Google you sat between Google security and Cloud. Now that you're leading security for a major company, how are you prioritizing your focus between your on-premise resources and your cloud resources? 

2. How are you thinking about threat detection in the Cloud?

3. In detection, how has your technology changed? How has your process changed? What threats do you mostly focus on?

4. Why don’t we talk about the role of automation in detection and response (D&R)? How do you approach automation and eliminating toil?

5. As you're scaling teams, processes and technology for your cloud footprint, what has been easiest to get right and what's been hardest to get right?

6. How do you approach measuring security? What cloud metrics are you sharing upwards to your board?

Topics covered:

• How did you get involved with this year’s Accelerate State of DevOps Report (DORA report)?
• So what is DORA and why did you decide to focus on supply chain security for the 2022 report?
• What are the big learnings from this year’s report?
• What’s the difference between SLSA and SSDF? Is one spicy and the other savory? How’re companies adopting these and how is adoption going? 
• Are there other areas that DevOps can be a contributor in the overall security landscape? 
• How can CISOs rope DevOps fully into their security gang?
• Operationally, how should security and developers and DevOps come together to keep vulnerabilities out in the first place?
• How should security and developers and DevOps come together to respond quickly to vulnerabilities when they’re discovered?
• How do security and developers and DevOps come together to prove to their auditors and customers that they’re doing a good job of the above?

Topics covered:

• We are talking about Google Workspace security today. What kinds of threats do we have to care about here?
• Are there compliance-related motivations for security here too? Is compliance in the cloud changing?
• How’s adoption of hardware keys for MFA going for your users, and how are you helping them? 
• Is phishing finally solved because of that? 
• Can you explain why hardware security FIDO/WebAuthn is such a step function compared to, say, RSA number generator tokens? 
• Have there been assumptions in the Workspace security model we had to change because of WFH? And what changes with RTO and permanent hybrid?

Topics covered:

• Let’s talk about security incident response in the cloud. Back in 2013 when I [Anton] first touched on this, the #1 challenge was getting the data to investigate as cloud providers had few logs available. What are the top 2022 cloud incident response challenges?
• Does cloud change the definition of a security incident? Is “exposed storage bucket” an incident? Is vulnerability an incident in the cloud?
• What should I have in my incident response plans for the cloud? Should I have a separate cloud IR plan?
• What is our advice on running incident response jointly with a CSP like us?
• How would 3rd party firms (like, well, Mandiant) work with a client and a CSP during an investigation?
• We all read the Threat Horizons reports, but can you remind us of the common causes for cloud incidents we observed recently? What goals do the attackers typically pursue there?