Cloud Security Podcast

Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!


Episode list

#163
March 11, 2024

EP163 Cloud Security Megatrends: Myths, Realities, Contentious Debates and Of Course AI

Guest:

  • Phil Venables, Vice President, Chief Information Security Officer (CISO) @ Google Cloud
29:29

Topics covered:

  • You had this epic 8 megatrends idea in 2021, where are we now with them?
  • We now have 9 of them, what made you add this particular one (AI)?
  • A lot of CISOs fear runaway AI. Hence good governance is key! What is your secret of success for AI governance? 
  • What questions are CISOs asking you about AI? What questions about AI should they be asking that they are not asking?
  • Which one of the megatrends is the most contentious based on your presenting them worldwide?
  • Is cloud really making the world of IT simpler (megatrend #6)?
  • Do most enterprise cloud users appreciate the software-defined nature of cloud (megatrend #5) or do they continue to fight it?
  • Which megatrend is manifesting the most strongly in your experience?
#162
March 4, 2024

EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

Guest:

27:27

Topics covered:

  • What is your reaction to “in the cloud you are one IAM mistake away from a breach”? Do you like it or do you hate it?
  • A lot of people say “in the cloud, you must do IAM ‘right’”. What do you think that means? What is the first or the main idea that comes to your mind when you hear it?
  • How have you seen the CSPs take different approaches to IAM? What does it mean for the cloud users?
  • Why do people still screw up IAM in the cloud so badly after years of trying?
  • Deeper, why do people still screw up resource hierarchy and resource management? 
  • Are the identity sins of cloud IAM users truly the sins of the creators? How did the "big 3" get it wrong and how does that continue to manifest today?
  • Your best cloud IAM advice is “assign roles at the lowest resource-level possible”, please explain this one? Where is the magic?
#161
February 26, 2024

EP161 Cloud Compliance: A Lawyer - Turned Technologist! - Perspective on Navigating the Cloud

Guest:

27:27

Topics covered:

  • You work with technical folks at the intersection of compliance, security, and cloud. So what do you do, and where do you find the biggest challenges in communicating across those boundaries?
  • How does cloud make compliance easier? Does it ever make compliance harder?
  • What is your best advice to organizations that approach cloud compliance as they did for the 1990s data centers and classic IT?
  • What has been the most surprising compliance challenge you’ve helped teams debug in your time here?
  • You also work on standards development – can you tell us about how you got into that and what’s been surprising in that for you?
  • We often say on this show that an organization’s ability to threat model is only as good as their team’s perspectives are diverse: how has your background shaped your work here?
#160
February 19, 2024

EP160 Don't Cloud Your Judgement: Security and Cloud Migration, Again!

Guest:

Topics:

Cloud Migration
27:27

Topics covered:

  • How can organizations ensure that their security posture is maintained or improved during a cloud migration? Is cloud migration a risk reduction move?
  • What are some of the common security challenges that organizations face during a cloud migration?
  • Are there different gotchas between the three public clouds?
  • What advice would you give to those security leaders who insist on lift/shift or on lift/shift first?
  • How should security and compliance teams approach their engineering and DevOps colleagues to make sure things are starting on the right foot?
  • In your view, what is the essence of a cloud-native approach to security?
  • How can organizations ensure that their security posture scales as their cloud usage grows?
#159
February 12, 2024

EP159 Workspace Security: Built for the Modern Threat. But How?

Guest:

27:27

Topics covered:

  • Workspace makes the claim that unlike other productivity suites available today, it’s architected for the modern threat landscape. That’s a big claim! What gives Google the ability to make this claim?
  • Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work? 
  • What are some of the common mistakes you see customers making with Workspace security?
  • What are some of the ways context aware access and DLP (now SDP) help with this?
  • What are the cool future plans for DLP and CAA?
#158
February 5, 2024

EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

Guest:

29:29

Topics covered:

  • Could you share a bit about when you get pulled into incidents and what are your goals when you are?
  • How does that change in the cloud? How do you establish a chain of custody and prove it for law enforcement, if needed?
  • What tooling do you rely on for cloud forensics and is that tooling available to "normal people"? 
  • How do we at Google know when it’s time to call for help, and how should our customers know that it’s time? 
  • Can I quote Ray Parker Jr and ask, who you gonna call?
  • What’s your advice to a security leader on how to “prepare for the inevitable” in this context? 
  • Cloud forensics - is it easier or harder than the 1990s classic forensics?
#157
January 29, 2024

EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud

Guest:

27:27

Topics covered:

  • How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?
  • What are the key challenges of cloud detection and response?
  • Often we lift and shift our teams to Cloud, and not always for bad reasons, so what’s your advice on how to teach the old dogs new tricks: “on-premise-trained” D&R teams and cloud D&R?
  • What is this new CIRA thing that Gartner just cooked up? Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps?
  • What do you tell people who say that “SIEM is their CDR”?
  • What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?
#156
January 22, 2024

EP156 Living Off the Land and Attacking Critical Infrastructure: Mandiant Incident Deep Dive

Guest:

29:29

Topics covered:

  • Could you give us a brief overview of what this power disruption incident was about?
  • This incident involved both Living Off the Land and attacks on operational technology (OT). Could you explain to our audience what these mean and what the attacker did here?
  • We also saw a wiper used to hide forensics, is that common these days?
  • Did the attacker risk tipping their hand about upcoming physical attacks? If we’d seen this intrusion earlier, might we have understood the attacker’s next moves?
  • How did your team establish robust attribution in this case, and how do they do it in general? How sure are we, really?
  • Could you share how this came about and maybe some of the highlights in our relationship helping defend that country?
#155
January 15, 2024

EP155 Cyber, Geopolitics, AI, Cloud - All in One Book?

Guests:

  • Derek Reveron, Professor and Chair of National Security at the US Naval War College
  • John Savage, An Wang Professor Emeritus of Computer Science of Brown University
29:59

Topics covered:

  • You wrote a book on cyber and war, how did this come about and what did you most enjoy learning from the other during the writing process?
  • Is generative AI going to be a game changer in international relations and war, or is it just another tool?
  • You also touch briefly on lethal autonomous weapons systems and ethics–that feels like the genie is right in the very neck of the bottle right now, is it too late?
  • Aside from this book, and the awesome course you offered at Brown that sparked Tim’s interest in this field, how can we democratize this space better? 
  • How does the emergence and shift to Cloud impact security in the cyber age?
  • What are your thoughts on the intersection of Cloud as a set of technologies and operating model and state security (like sovereignty)? Does Cloud make espionage harder or easier? 
#154
January 8, 2024

EP154 Mike Schiffman: from Blueboxing to LLMs via Network Security at Google

Guest:

29:29

Topics covered:

  • Given your impressive and interesting history, tell us a few things about yourself?
  • What are the biggest challenges facing network security today based on your experience?
  • You came to Google to work on Network Security challenges. What are some of the surprising ones you’ve uncovered here?
  • What lessons from Google's approach to network security absolutely don’t apply to others? Which ones perhaps do?
  • If you have to explain the difference between network security in the cloud and on-premise, what comes to mind first?
  • How do we balance better encryption with better network security monitoring and detection?
  • Speaking of challenges in cryptography, we’re all getting fired up about post-quantum and network security. Could you give us the maybe 5 minute teaser version of this because we have an upcoming episode dedicated to this?
  • We hear you have some interesting insight on LLMs, something to do with blueboxing or something. What is that about?