Showing 11 episodes for Cloud Posture And Hygiene

#220
April 21, 2025

EP220 Big Rewards for Cloud Security: Exploring the Google VRP

Guest:

29:29

Topics covered:

  • Vulnerability response at cloud-scale sounds very hard! How do you triage vulnerability reports and make sure we’re addressing the right ones in the underlying cloud infrastructure?
  • How do you determine how much to pay for each vulnerability? What is the largest reward we paid? What was it for?
  • What products get the most submissions? Is this driven by the actual product security or by trends and fashions like AI?
  • What are the most likely rejection reasons? 
  • What makes for a very good - and exceptional? - vulnerability report? We hear we pay more for “exceptional” reports, what does it mean?
  • In college Tim had a roommate who would take us out drinking on his Google web app vulnerability rewards. Do we have something similar for people reporting vulnerabilities in our cloud infrastructure? Are people making real money off this? 
  • How do we actually uniquely identify vulnerabilities in the cloud? CVE does not work well, right?
  • What are the expected risk reduction benefits from Cloud VRP?
#210
February 10, 2025

EP210 Cloud Security Surprises: Real Stories, Real Lessons, Real "Oh No!" Moments

Guest:

  • Or Brokman, Strategic Google Cloud Engineer, Security and Compliance, Google Cloud
27:27

Topics covered:

  • Can you tell us about one particular cloud consulting engagement that really sticks out in your memory? Maybe a time when you lifted the hood, so to speak, and were absolutely floored by what you found – good or bad!
  • In your experience, what's that one thing – that common mistake – that just keeps popping up? That thing that makes you say 'Oh no, not this again!'
  • 'Tools over process' mistake is one of the 'oldies.' What do you still think drives people to it, and how to fix it?
  • If you could give just one piece of cloud security advice to every company out there, regardless of their size or industry, what would it be? 
#203
December 16, 2024

EP203 Cloud Shared Responsibility: Beyond the Blame Game with Rich Mogull

Guest:

29:29

Topics covered:

  • Let’s talk about cloud security shared responsibility. How to separate the blame? Is there a good framework for apportioning blame?
  • You've introduced the Cloud Shared Irresponsibilities Model, stating cloud providers will be considered partially responsible for breaches even if due to customer misconfigurations. How do you see this impacting the relationship between cloud providers and their customers? Will it lead to more collaboration or more friction?
  • We both know the Jay Heiser 2015 classic “cloud is secure, but you not using it securely.” In your view, what does “use cloud securely” mean for various organizations today?
  • Here is a very painful question: how to decide what cloud security should be free with cloud and what security can be paid? 
  • You dealt with cloud security for a long time, what is your #1 lesson so far on how to make the cloud more secure or use the cloud more securely?
  • What is the best way to learn how to cloud? What is this CloudSLAW thing?
#201
December 2, 2024

EP201 Every CTO Should Be a CSTO (Or Else!) - Transformation Lessons from The Hoff

Guest:

  • Chris Hoff, Chief Secure Technology Officer at Last Pass
29:29

Topics covered:

  • I learned that you have a really cool title that feels very “now” - Chief Secure Technology Officer? What’s the story here? Weirdly, I now feel that every CTO better be a CSTO or quit their job :-)
  • After, ahem, not-so-recent events you had a chance to rebuild a lot of your stack, and in the process improve security. Can you share how it went, and what security capabilities are now built in?
  • How much of a culture change did that require? Was it purely a technological transformation or you had to change what people do and how they do it?
  • Would you recommend this to others (not the “recent events experience”, but the rebuild approach)? What benefits come from doing this before an incident occurs? Are there any?
  • How are you handling telemetry collection and observability for security in the new stack? I am curious how this was modernized
  • Cloud is simple, yet also complex, I think you called it “simplex.” How does this concept work?
#199
November 18, 2024

EP199 Your Cloud IAM Top Pet Peeves (and How to Fix Them)

Guest:

29:29

Topics covered:

  • What is your reaction to “in the cloud you are one IAM mistake away from a breach”? Do you like it or do you hate it? Or do you "it depends" it? :-)
  • Everyone's talking about how "identity is the new perimeter" in the cloud. Can you break that down in simple terms?
  • A lot of people say “in the cloud, you must do IAM ‘right’”. What do you think that means? What is the first or the main idea that comes to your mind when you hear it? 
  • What’s this stuff about least-privilege and separation-of-duties being less relevant? Why do they matter in a cloud that changes rapidly?
  • What are your IAM Top Pet Peeves?
#195
October 21, 2024

EP195 Containers vs. VMs: The Security Showdown!

Guest:

Cross-over hosts:

Guest:

41:00

Topics covered:

  • How would you approach answering the question “what is more secure, a container or a virtual machine (VM)?”
  • Could you elaborate on the real-world implications of this for security, and perhaps provide some examples of when one might be a more suitable choice than the other?
  • While containers boast a smaller attack surface (what about the orchestrator though?), VMs present a full operating system. How should organizations weigh these factors against each other?
  • The speed of patching and updates is a clear advantage of containers. How significant is this in the context of today's rapidly evolving threat landscape? Are there any strategies organizations can employ to mitigate the slower update cycles associated with VMs?
  • Both containers and VMs can be susceptible to misconfigurations, but container orchestration systems introduce another layer of complexity. How can organizations address this complexity and minimize the risk of misconfigurations leading to security vulnerabilities?
  • What about combining containers and VMs. Can you provide some concrete examples of how this might be implemented? What benefits can organizations expect from such an approach, and what challenges might they face?
  • How do you envision the security landscape for containers and VMs evolving in the coming years? Are there any emerging trends or technologies that could significantly impact the way we approach security for these two technologies?
#194
October 14, 2024

EP194 Deep Dive into ADR - Application Detection and Response

Guest:

29:29

Topics covered:

  • Why do we need Application Detection and Response (ADR)? BTW, how do you define it?
  • Isn’t ADR a subset of CDR (for cloud)? What is the key difference that sets ADR apart from traditional EDR and CDR tools?
  • Why can’t I just send my application data - or eBPF traces - to my SIEM and achieve the goals of ADR that way?
  • We had RASP and it failed due to instrumentation complexities. How does an ADR solution address these challenges and make it easier for security teams to adopt and implement?
  • What are the key inputs into an ADR tool?
  • Can you explain how your ADR correlates cloud, container, and application contexts to provide a better view of threats? Could you share real-world examples of types of badness solved for users?
  • How would ADR work with other application security technologies like DAST/SAST, WAF and ASPM?
  • What are your thoughts on the evolution of ADR?
#193
October 7, 2024

EP193 Inherited a Cloud? Now What? How Do I Secure It?

Guest:

29:29

Topics covered:

  • There is a common scenario where security teams are brought in after a cloud environment is already established. From your experience, how does this late involvement typically impact the organization's security posture and what are the immediate risks they face?
  • Upon hearing this, many experts suggest that “burn the environment with fire” or “nuke it from orbit” are the only feasible approaches. What is your take on that suggestion?
  • On the opposite side, what if the business demands you don't touch anything but “make it secure” regardless?
  • Could you walk us through some of the first critical steps you do after “inheriting a cloud” and why they are prioritized in this way?
  • Why not just say “add MFA everywhere”? What may or will blow up?
  • We also say “address overly permissive users and roles” and this sounds valuable, but also tricky. How do we go about it?
  • What are the chances that the environment is in fact compromised already? When is Compromise Assessment the right call, it does cost money, right?
  • How do you balance your team’s current priorities when you’ve just adopted an insecure cloud environment? How do you make tradeoffs between your existing stack and this new one?
#186
August 19, 2024

EP186 Cloud Security Tools: Trust the Cloud Provider or Go Third-Party? An Epic Debate, Anton vs Tim

Guest:

  • A debate between Tim and Anton, no guests
29:29

Topics covered:

  • You must buy the majority of cloud security tools from a cloud provider, here is why.
  • You must buy the majority of cloud security tools from a 3rd party security vendor, here is why.
#176
June 10, 2024

EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use

Guest:

  • Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google
23:29

Topics covered:

  • Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right?
  • Where are we like other clients of GCP? Where are we not like other cloud users?
  • Do we have any unique cloud security technology that we use that others may benefit from?
  • How does our cloud usage inform our cloud security products?
  • So is our cloud use profile similar to cloud natives or traditional companies?
  • What are some of the most interesting cloud security practices and controls that we use that are usable by others?
  • How do we make them work at scale? 
#165
March 25, 2024

EP165 Your Cloud Is Not a Pet - Decoding 'Shifting Left' for Cloud Security

Guest:

  • Ahmad Robinson, Cloud Security Architect, Google Cloud
25:25

Topics covered:

  • You’ve done a BlackHat webinar where you discuss a Pets vs Cattle mentality when it comes to cloud operations. Can you explain this mentality and how it applies to security?
  • What in your past led you to these insights? Tell us more about your background and your journey to Google. How did that background contribute to your team?
  • One term that often comes up on the show and with our customers is 'shifting left.' Could you explain what 'shifting left' means in the context of cloud security? What’s hard about shift left, and where do orgs get stuck too far right?
  • A lot of “cloud people” talk about IaC and PaC but the terms and the concepts are occasionally confusing to those new to cloud. Can you briefly explain Policy as Code and its security implications? Does PaC help or hurt security?