Cloud Security Podcast

Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!

cloud-security-podcast_high_res.png

Episode list

#24
July 26, 2021

Linking Up The Pieces: Software Supply Chain Security at Google and Beyond

Guests:

  • Eric Brewer, VP of Infrastructure, and Google Fellow @ Google
  • Aparna Sinha, Director of Product Management @ Google Cloud
23:23

Topics covered:

  • What is software supply chain security and how is it different from other kinds of supply chain security?
  • What types of organizations need to care about it? Is supply chain security a concern for large, elite enterprises only?
  • What’s the relationship between what we’re doing here, and what SBOM is?
  • Can you talk us through a quick threat assessment of a supply chain security issue? What are the realistic threats here and who are the threat actors involved?
  • How does Google try to solve these problems internally? Have we succeeded?
  • How does this translate into our products? By the way, what’s SLSA?
Read more
#23
July 19, 2021

Threat Detection at Google Cloud Security Summit

Guest:

No guests. Just us.

23:23

Topics covered:

  • What would you say are the most things that Chronicle is trying to address today?
  • What are the good ways to use threat intel to detect threats that do not ruin your SOC?
  • What does “autonomic” security mean, anyway? Is this a fancy way of saying “automatic” or something more?
  • For sure, “the Cloud is not JUST someone else’s computer“ - but how does this apply to threat detection?
  • What makes threat detection “cloud-native”?
  • What kinds of ML magic does your mini UEBA inside SCC use?
  • Can you really do automated remediation in the cloud?
Read more
#22
July 12, 2021

Securing Multi-Cloud from a CISO Perspective, Part 3

Guests:

  • Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud 
  • Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud 
25:11

Topics covered:

  • As a CISO, would you ever decide to use multiple clouds, if it were in your hands? 
  • How is security typically considered when companies go multi-cloud in their approach?
  • Practically, or operationally, how does one think through securing multiple public cloud environments?
  • What are the top challenges here? Different controls? Lack of tools? Confusing process? Skills on the team?
  • Would you always buy security tools from a 3rd party (not a CSP) if you have to cover more than one cloud provider?
  • Anything to add about compliance across multiple clouds?
  • What is the best approach for securing multiple SaaS services that your company uses?
Read more
#21
July 6, 2021

Security Marketing? Every Product Needs a Story!

Guest:

Kelly Anderson, Head of Product Marketing, User Protection Services @ Google Cloud

23:23

Topics covered:

  • What is marketing, really? Why is it sometimes reviled by the technologists?
  • What makes a great marketer in cloud security?
  • What’s different about cloud security marketing, as opposed to regular old on-premise security marketing? Is there still FUD in the cloud?
  • Which things are the easiest or hardest to do in Google Cloud Security marketing?
  • How do you talk about products so they stand out from the noise?
  • How’s Google Cloud marketing helping our users stay ahead of the adversaries?

Resources:

Read more
#20
June 28, 2021

Security Operations, Reliability, and Securing Google with Heather Adkins

Guest:

Heather Adkins, Sr Director, Information Security @ Google

23:23

Topics covered:

  • Your RSA presentation has 3 pillars: zero trust, microservices, automation/zero prod, is this all you need to be secure & reliable in the modern world?
  • Let’s drill down again into the “secure and reliable” concept, are you sure that they are interrelated?
  • Is there a risk that microservices could actually increase attack surface?
  • What are the practical security upsides of “no touch production”? 
  • SRE and DevOps revolutionized IT, can we expect a similar revolution for security? Where would it come from?
Read more
#19
June 21, 2021

Double-clicking, but not on fire hydrants, with bot fighters

Guests:

  • Sparky Toews, Product Manager for Adobe Identity @ Adobe
  • Randy Gingeleski, Senior Staff Security Engineer @ HBO Max
  • Brian Lozada, CISO @ HBO Max
27:15

Topics covered:

  • Why are bots a problem to you? Give us a bit of your bot threat assessment?
  • Can you tell us how you think about and practice securing the user experience?
  • What kind of security products or best practices are involved?
  • How do you see what security professionals do to secure the user experience evolving over time?
Read more
#18
June 14, 2021

More Cloud Migration Security Lessons

Guests:

  • Jane Chung, VP of Cloud @ Palo Alto
  • Joe Crawford, Director of Strategic Technology Partnerships for Google Cloud @ Palo Alto
27:15

Topics covered:

  • What are the top security mistakes you’ve seen during cloud migrations?
  • What is your best advice to security leaders who want to go to the cloud using the on-premise playbook?
  • What security technologies may no longer be needed in the cloud? Which are transformed by the cloud?
  • Cloud often implies agility, but sometimes security slows things down, how to fix that?
  • How do security needs change based on adoption architecture (cloud, hybrid with on-premise, multi-cloud, multi cloud with on-premise)?
  • From a security perspective, is there really any such thing as “lift and shift”?
  • How do we teach cloud to security leaders who “grew up” on-premise?
Read more
#17
June 7, 2021

Modern Threat Detection at Google

Guest:

Julien Vehent, Security Engineering Manager in the Detection and Response team @ Google

28:15

Topics covered:

  • What is special about detecting modern threats in modern environments?
  • How does the Google team turn the knowledge of threats into detection logic?
  • Run through an example of creating a detection for a new threat?
  • How do we test our detection rules?
  • We use the same people to write detections and to respond to resulting alerts, how is it working?
  • What are the key skills of good security analysts to build cloud threat detection?

Resources:

Read more
#16
June 1, 2021

Modern Data Security Approaches: Is Cloud More Secure?

Guest:

Tim Dierks, Engineering Director, Data Protection @ Google Cloud

28:15

Topics covered:

  • What are the key components of data security in the public cloud today?
  • Why do companies need specific data security plans and products?
  • Do you think Google Cloud today has enough controls for processing the most sensitive data?
  • Many organizations seem to be unaware of where sensitive data exists in their cloud environments, how do you think this problem will be fixed?
  • What is your view on encryption's role in future cloud security?
  • Do organizations mostly encrypt for security or for compliance?
  • How do we help companies navigate the tradeoffs between complying with nation-state regulations and best practices for availability?
  • I hear you are involved with some interesting key management innovations like HYOK via Cloud EKM, why do these matter for clients today?
Read more
#15
May 24, 2021

Scaling Google Kubernetes Engine Security

Guest:

Greg Castle, Senior Staff Security Engineer at Google

20:48

Topics covered:

  • How is kubernetes security different from traditional host security?
  • What’s different about securing GKE vs security Kubernetes on-prem?
  • Where does one start with security hardening for GKE?
  • In your view, what are top realistic threats to container deployments?
  • What do users get wrong most often?
  • Did we manage to make containers both more secure and more usable?
Read more