Cloud Security Podcast

Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!

Episode list

#21
July 6, 2021

Security Marketing? Every Product Needs a Story!

Guest:

Kelly Anderson, Head of Product Marketing, User Protection Services @ Google Cloud

23:23

Topics covered:

  • What is marketing, really? Why is it sometimes reviled by the technologists?
  • What makes a great marketer in cloud security?
  • What’s different about cloud security marketing, as opposed to regular old on-premise security marketing? Is there still FUD in the cloud?
  • Which things are the easiest or hardest to do in Google Cloud Security marketing?
  • How do you talk about products so they stand out from the noise?
  • How’s Google Cloud marketing helping our users stay ahead of the adversaries?

#20
June 28, 2021

Security Operations, Reliability, and Securing Google with Heather Adkins

Guest:

Heather Adkins, Sr Director, Information Security @ Google

23:23

Topics covered:

  • Your RSA presentation has 3 pillars: zero trust, microservices, automation/zero prod, is this all you need to be secure & reliable in the modern world?
  • Let’s drill down again into the “secure and reliable” concept, are you sure that they are interrelated?
  • Is there a risk that microservices could actually increase attack surface?
  • What are the practical security upsides of “no touch production”? 
  • SRE and DevOps revolutionized IT, can we expect a similar revolution for security? Where would it come from?
#19
June 21, 2021

Double-clicking, but not on fire hydrants, with bot fighters

Guests:

  • Sparky Toews, Product Manager for Adobe Identity @ Adobe
  • Randy Gingeleski, Senior Staff Security Engineer @ HBO Max
  • Brian Lozada, CISO @ HBO Max
27:15

Topics covered:

  • Why are bots a problem to you? Give us a bit of your bot threat assessment?
  • Can you tell us how you think about and practice securing the user experience?
  • What kind of security products or best practices are involved?
  • How do you see what security professionals do to secure the user experience evolving over time?
#18
June 14, 2021

More Cloud Migration Security Lessons

Guests:

  • Jane Chung, VP of Cloud @ Palo Alto
  • Joe Crawford, Director of Strategic Technology Partnerships for Google Cloud @ Palo Alto
27:15

Topics covered:

  • What are the top security mistakes you’ve seen during cloud migrations?
  • What is your best advice to security leaders who want to go to the cloud using the on-premise playbook?
  • What security technologies may no longer be needed in the cloud? Which are transformed by the cloud?
  • Cloud often implies agility, but sometimes security slows things down, how to fix that?
  • How do security needs change based on adoption architecture (cloud, hybrid with on-premise, multi-cloud, multi-cloud with on-premise)?
  • From a security perspective, is there really any such thing as “lift and shift”?
  • How do we teach cloud to security leaders who “grew up” on-premise?
#17
June 7, 2021

Modern Threat Detection at Google

Guest:

Julien Vehent, Security Engineering Manager in the Detection and Response team @ Google

28:15

Topics covered:

  • What is special about detecting modern threats in modern environments?
  • How does the Google team turn the knowledge of threats into detection logic?
  • Run through an example of creating a detection for a new threat?
  • How do we test our detection rules?
  • We use the same people to write detections and to respond to resulting alerts, how is it working?
  • What are the key skills of good security analysts to build cloud threat detection?

#16
June 1, 2021

Modern Data Security Approaches: Is Cloud More Secure?

Guest:

Tim Dierks, Engineering Director, Data Protection @ Google Cloud

28:15

Topics covered:

  • What are the key components of data security in the public cloud today?
  • Why do companies need specific data security plans and products?
  • Do you think Google Cloud today has enough controls for processing the most sensitive data?
  • Many organizations seem to be unaware of where sensitive data exists in their cloud environments, how do you think this problem will be fixed?
  • What is your view on encryption's role in future cloud security?
  • Do organizations mostly encrypt for security or for compliance?
  • How do we help companies navigate the tradeoffs between complying with nation-state regulations and best practices for availability?
  • I hear you are involved with some interesting key management innovations like HYOK via Cloud EKM, why do these matter for clients today?
#15
May 24, 2021

Scaling Google Kubernetes Engine Security

Guest:

Greg Castle, Senior Staff Security Engineer at Google

20:48

Topics covered:

  • How is Kubernetes security different from traditional host security?
  • What’s different about securing GKE vs securing Kubernetes on-prem?
  • Where does one start with security hardening for GKE?
  • In your view, what are top realistic threats to container deployments?
  • What do users get wrong most often?
  • Did we manage to make containers both more secure and more usable?
#14
May 19, 2021

Making Compliance Cloud-native

Guest:

Zeal Somani, Security Solutions Manager @ Google Cloud, former PCI QSA

20:11

Topics covered:

  • What are the usable recipes for thinking about compliance in the cloud?
  • What regulations are more challenging for public cloud users?
  • How do you see the client/provider responsibility split for compliance?
  • What is this “shift left” for compliance?
  • How do we educate auditors and regulators who insist on 1980s solutions to 2020s problems?
  • What are the most popular mistakes and blind spots with trying to be compliant in the cloud?
#13
May 10, 2021

Application Security in the Cloud

Guest:

Alyssa Miller, BISO @ S&P Global Ratings

24:55

Topics covered:

  • How do application security practices change as organizations launch their cloud transformations?
  • What bad things happen to you if you lift/shift your big applications to somebody's IaaS?
  • What unique challenges do containers and serverless deployments create for application security?
  • Is there good news here? How can cloud native technologies make application security easier than a traditional on-prem environment?
  • What can organizations do to ensure the security of cloud-based SaaS solutions?
  • How do DevOps and CI/CD impact the ability to secure cloud-based applications?
  • What is your advice to security leaders who still want to practice appsec for cloud apps in the same manner as they did it for on-premise, the old way?
  • What follow-up reading do you recommend on preparing for an application migration to Cloud?
#12
May 3, 2021

Threat Models and Cloud Security

Guest:

Seth Vargo, Security Engineer @ Google Cloud

19:40

Topics covered:

  • How should security teams change their thinking about threats in the cloud?
  • Where and when should an organization start in building their threat model for their cloud environment?
  • What are the key changes of threat models after cloud migration?
  • More specifically, when it comes to identity, credentials, lateral movement, what are the key ways in which cloud security differs from traditional or on-premises security?
  • How should users who are leading the cloud migration help their colleagues think about security in the cloud?
  • When am I "done" with cloud security planning?