Cloud Security Podcast

Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!


Episode list

#124
June 5, 2023

EP124 Safe Browsing: Lessons from How Google Secures Five Billion Devices at Low False Positive Rates

Guest:

27:27

Topics covered:

  • Could you give us the 30 second overview of our favorite “billion user security product” - SafeBrowsing - and, since you were there, how did it get started?
  • SafeBrowsing is a consumer and business product – are you mitigating the same threats and threat models on each side?
  • Making this work at scale can’t be easy; anytime we’re talking about billion-device protection, there are massive scale questions. How did we make it work at such a scale?
  • Talk to us about the engineering and scaling magic behind the low false positive rate for blocking?

Resources:

#123
May 29, 2023

EP123 The Good, the Bad, and the Epic of Threat Detection at Scale with Panther

Guest:

29:29

Topics covered:

  • What is good detection, defined at micro-level for a rule or a piece of detection content? 
  • What is good detection, defined at macro-level for a program at a company? 
  • How to reliably produce good detection content at scale?
  • What is a detection content lifecycle that reliably produces good detections at scale?
  • What is the purpose of a SIEM today?
  • Where do you stand on a classic debate on vendor-written vs customer-created detection content?
#122
May 22, 2023

EP122 Firewalls in the Cloud: How to Implement Trust Boundaries for Access Control

Guest:

25:23

Topics covered:

  • So, if somebody wakes you up at 3AM (“Anton’s 3AM test”) and asks “Do we need firewalls in the cloud?” what would you say?
  • Firewalls (=virtual appliances in the cloud or routing cloud traffic through physical firewalls) vs firewalling (=controlling network access) in the cloud, do they match the cloud-native realities?
  • How do you implement trust boundaries for access control with cloud-native options?
  • Can you imagine a modern cloud native security architecture that includes a firewall?
  • Can you imagine a modern cloud native security architecture that excludes any firewalling? 
  • Firewall, NIDS, NIPS, NGFW… How do these other concepts map to the cloud? How do you build a "traditional-like" network visibility layer in the cloud (and do we need to)?
#121
May 15, 2023

EP121 What Happens Here Stays Here: Confidential City (and Space)

Guests:

25:25

Topics covered:

  • Could you remind our listeners what confidential computing is?
  • What threats does this stop? Are these common at our clients? 
  • Are there other use cases for this technology like compliance or sovereignty?
  • We have a new addition to our Confidential Computing family - Confidential Space. Could you tell us how it came about?
  • What new use cases does this bring for clients?
#120
May 8, 2023

EP120 Building Secure Cloud and Building Security Products: Finding the Balance

Guest:

  • Jeff Reed, VP of Product, Cloud Security @ Google Cloud
23:23

Topics covered:

  • You’ve had a long career in software and security, what brought you to Google Cloud Security for this role?
  • How do you balance the needs of huge global financials that often ask for esoteric controls (say EKM with KAJ) vs the needs of SMBs that want easy yet effective, invisible security?
  • We’ve got an interesting split within our security business: some of our focus is on making Google Cloud more secure, while some of our focus is on selling security products. How are you thinking about the strategy and allocation between these functions for business growth?
  • What aspects of Cloud security have you seen cloud customers struggle with the most?
  • What’s been the most surprising or unexpected security challenge you’ve seen with our users?
  • “Google named a Leader in Forrester Wave™ IaaS Platform Native Security” - can you share a little bit about how this came to be and what was involved in this?
  • Is cloud migration a risk reduction move?
#119
May 1, 2023

EP119 RSA 2023 - What We Saw, What We Learned, and What We're Excited About

Guest:

  • Connie Fan, Senior Product and Business Strategy Lead, Google Cloud
25:25

Topics covered:

  • We were at RSA 2023, what did we see that was notable and surprising?
  • Cloud Security showed up with three startups with big booths, and one big player with a small demo station. What have we learned here?
  • What might visitors have seen at the Google Cloud booth that we're really excited about?
  • Could you share why we chose these two AI use cases - generation of code and summarization of complex content - out of all the possibilities and the sometimes zany things we saw elsewhere on the floor?
  • Could you share a story or two that highlights how we came to this AI launch and what it looked like under the surface?
#118
April 24, 2023

EP118 RSA 2023 - How to Protect Your Organization from Cyberattacks in Time of Political Turmoil

Guests:

29:29

Topics covered:

  • It seems like we’re seeing more cyber activity taking place in the context of geopolitical events. A lot of organizations struggle to figure out if/how to respond to these events and any related cyber activity. What advice do you have for these organizations and their leadership?
  • A lot of threat intel (TI) suffers from “What does this event mean for threats to our organization?” - sort of how to connect CNN to your IDS? What is your best advice on this to a CISO?
  • TI also suffers from “1. Get TI 2. ??? 3. Profit!” - how does your model help organizations avoid this trap? 
  • Surely there are different levels of granularity here to TI and its relevance. Is what a CISO needs different from what an IR member needs? Do you differentiate your feed along those axes?
  • What does success look like? How will organizations know when they’re successful? What are good KPIs for these types of threat intelligence? In other words, how would customers know they benefit from it?
  • Is there anything unique that cloud providers can do in this process?
#117
April 17, 2023

EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?

Guest:

29:29

Topics covered:

  • What does an engineering-centric approach to cybersecurity mean?
  • What to tell people who want to "consume" rather than "engineer" security?
  • Is an “engineering-centric” approach the same as evidence-based or provable?
  • In practical terms, what does it mean to adopt an "engineering-centric approach" to cybersecurity for an organization? 
  • How will it differ from what we have today? What will it enable?
  • Can you practice this with a very small team? How about a very small team of “non engineers”?
  • You seem to say that tomorrow's cybersecurity will look a lot like software engineering. Where do we draw the line between these two?
#116
April 10, 2023

EP116 SBOMs: A Step Towards a More Secure Software Supply Chain

Guest:

29:49

Topics covered:

  • Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader?
  • Some software vendors don’t want SBOM, and this reminds us of the food safety rules debates in the past. How does this analogy work here?
  • One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs than small independent and open source projects. Is that a risk?
  • Is the SBOM requirement setting the government up to be overly reliant on megacorps and are we going to unintentionally ban open source from the government? 
  • What is the relationship between SBOM and software liability? Is SBOM a step to this? Won’t software liability kill open source?
  • How does Google prepare for EO internally; how do we use SBOM and other related tools?
  • To come back to the food analogy, SBOMs are all well and good, but the goal is not that consumers know they’re eating lead, but rather that our food becomes healthier. Where are we heading in the next five years to improve software supply chain "health and safety"?
#115
April 3, 2023

EP115 How to Approach Cloud in a Cloudy Way, not As Somebody Else’s Computer?

Guest:

29:29

Topics covered:

  • You had a very fun blog where you reminded the world that many organizations still approach cloud as a rented data center. Do you still see it now? Do you think this will persist for 3, 5, 10 years?
  • Other than microservices, what’re the most important differences between public cloud and a rented data center for a CISO to keep in mind?
  • Analysts say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this? 
  • Actually, how do you define “use cloud securely”?
  • Have you met any CISOs who are active cloud fans who prefer cloud for security reasons?
  • You also work for an NDR vendor, do you think NDR in the cloud has a future? 