Showing 17 episodes for Cloud Security Practices

#221
April 23, 2025

EP221 Special - Semi-Live from Google Cloud Next 2025: AI, Agents, Security ... Cloud?

Guest:

  • No guests [Tim in Vegas and Anton remote]
29:29

Topics covered:

  • So, another Next is done. Beyond the usual Vegas chaos, what was the overarching security theme or vibe you [Tim] felt dominated the conference this year?
  • Thinking back to Next '24, what felt genuinely different this year versus just the next iteration of last year's trends?
  • Last year, we pondered the 'Cloud Island' vs. 'Cloud Peninsula'. Based on Next 2025, is cloud security becoming more integrated with general cyber security, or is it still its own distinct domain?
  • What wider trends did you observe, perhaps from the expo floor buzz or partner announcements, that security folks should be aware of?
  • What was the biggest surprise for you at Next 2025? Something you absolutely didn't see coming?
  • Putting on your prediction hats (however reluctantly): based on Next 2025, what do you foresee as the major cloud security focus or challenge for the industry in the next 12 months?
  • If a busy podcast listener could only take one key message or action item away from everything announced and discussed at Next 2025, what should it be?
#220
April 21, 2025

EP220 Big Rewards for Cloud Security: Exploring the Google VRP

Guest:

29:29

Topics covered:

  • Vulnerability response at cloud-scale sounds very hard! How do you triage vulnerability reports and make sure we’re addressing the right ones in the underlying cloud infrastructure?
  • How do you determine how much to pay for each vulnerability? What is the largest reward we paid? What was it for?
  • What products get the most submissions? Is this driven by the actual product security or by trends and fashions like AI?
  • What are the most likely rejection reasons? 
  • What makes for a very good - and exceptional? - vulnerability report? We hear we pay more for “exceptional” reports, what does it mean?
  • In college Tim had a roommate who would take us out drinking on his Google web app vulnerability rewards. Do we have something similar for people reporting vulnerabilities in our cloud infrastructure? Are people making real money off this? 
  • How do we actually uniquely identify vulnerabilities in the cloud? CVE does not work well, right?
  • What are the expected risk reduction benefits from Cloud VRP?
#214
March 10, 2025

EP214 Reconciling the Impossible: Engineering Cloud Systems for Diverging Regulations

Guest:

29:29

Topics covered:

  • You are responsible for building systems that need to comply with laws that are often mutually contradictory. It seems technically impossible to do, how do you do this?
  • Google is not alone in being a global company with local customers and local requirements. How are we building systems that provide local compliance with global consistency in their use for customers who are similar in scale to us? 
  • Originally, Google had global systems synchronized around the entire planet (planet-scale supercompute) with atomic clocks. How did we get to a regionalized approach from there?
  • Engineering takes a long time. How do we bring enough agility to product definition and engineering design to give our users robust foundations in our systems that also let us keep up with changing and diverging regulatory goals?
  • What are some of the biggest challenges you face working in the trusted cloud space?
  • Is there something you would like to share about being a woman leader in technology?  How did you overcome the related challenges?

Resources:

#212
February 24, 2025

EP212 Securing the Cloud at Scale: Modern Bank CISO on Metrics, Challenges, and SecOps

Guest:

29:29

Topics covered:

  • Tell us about the challenges you're facing as CISO at NuBank and how are they different from your past life at Spotify?
  • You're a big cloud-based operation. What are the key challenges you're tracking in your cloud environments?
  • What lessons do you wish you knew back in your previous CISO run [at Spotify]?
  • What metrics does your team report so you can understand the security posture of your cloud environments?
  • How do you know “your” cloud use is as secure as you want it to be?
  • You're a former Googler, and I'm sure that's not why, so why did you choose to go with Google SecOps for your organization?
#210
February 10, 2025

EP210 Cloud Security Surprises: Real Stories, Real Lessons, Real "Oh No!" Moments

Guest:

  • Or Brokman, Strategic Google Cloud Engineer, Security and Compliance, Google Cloud
27:27

Topics covered:

  • Can you tell us about one particular cloud consulting engagement that really sticks out in your memory? Maybe a time when you lifted the hood, so to speak, and were absolutely floored by what you found – good or bad!
  • In your experience, what's that one thing – that common mistake – that just keeps popping up? That thing that makes you say 'Oh no, not this again!'
  • The 'tools over process' mistake is one of the 'oldies.' What do you think still drives people to it, and how do you fix it?
  • If you could give just one piece of cloud security advice to every company out there, regardless of their size or industry, what would it be? 
#206
January 13, 2025

EP206 Paying the Price: Ransomware's Rising Stakes in the Cloud

Guest:

  • Allan Liska, CSIRT at Recorded Future, now part of Mastercard
29:29

Topics covered:

  • Ransomware has become a pervasive threat. Could you provide us with a brief overview of the current ransomware landscape?
  • It's often said that ransomware is driven by pure profit. Can you remind us of the business model of ransomware gangs, including how they operate, their organizational structures, and their financial motivations?
  • Ransomware gangs are becoming increasingly aggressive in their extortion tactics. Can you shed some light on these new tactics, such as data leaks, DDoS attacks, and threats to contact victims' customers or partners?
  • What specific challenges and considerations arise when dealing with ransomware in cloud environments, and how can organizations adapt their security strategies to mitigate these risks?
  • What are the key factors to consider when deciding whether or not to pay the ransom?
  • What is the single most important piece of advice you would give to organizations looking to bolster their defenses against ransomware?
#203
December 16, 2024

EP203 Cloud Shared Responsibility: Beyond the Blame Game with Rich Mogull

Guest:

29:29

Topics covered:

  • Let’s talk about cloud security shared responsibility. How do you separate the blame? Is there a good framework for apportioning it?
  • You've introduced the Cloud Shared Irresponsibilities Model, stating cloud providers will be considered partially responsible for breaches even if due to customer misconfigurations. How do you see this impacting the relationship between cloud providers and their customers? Will it lead to more collaboration or more friction?
  • We both know the Jay Heiser 2015 classic “cloud is secure, but you're not using it securely.” In your view, what does “use cloud securely” mean for various organizations today?
  • Here is a very painful question: how to decide what cloud security should be free with cloud and what security can be paid? 
  • You dealt with cloud security for a long time, what is your #1 lesson so far on how to make the cloud more secure or use the cloud more securely?
  • What is the best way to learn how to cloud? What is this CloudSLAW thing?
#201
December 2, 2024

EP201 Every CTO Should Be a CSTO (Or Else!) - Transformation Lessons from The Hoff

Guest:

  • Chris Hoff, Chief Secure Technology Officer at LastPass
29:29

Topics covered:

  • I learned that you have a really cool title that feels very “now” - Chief Secure Technology Officer? What’s the story here? Weirdly, I now feel that every CTO better be a CSTO or quit their job :-)
  • After, ahem, not-so-recent events you had a chance to rebuild a lot of your stack, and in the process improve security. Can you share how it went, and what security capabilities are now built in?
  • How much of a culture change did that require? Was it purely a technological transformation or you had to change what people do and how they do it?
  • Would you recommend this to others (not the “recent events experience”, but the rebuild approach)? What benefits come from doing this before an incident occurs? Are there any?
  • How are you handling telemetry collection and observability for security in the new stack? I am curious how this was modernized.
  • Cloud is simple, yet also complex, I think you called it “simplex.” How does this concept work?
#200
November 25, 2024

EP200 Zero Touch Prod, Security Rings, and Foundational Services: How Google Does Workload Security

Guest:

29:29

Topics covered:

  • “How Google protects its production services” paper covers how Google's infrastructure balances several crucial aspects, including security, reliability, development speed, and maintainability. How do you prioritize these competing demands in a real-world setting?
  • What attack vectors do you consider most critical in the production environment, and how has Google’s defenses against these vectors improved over time?
  • Can you elaborate on the concept of Foundational services and their significance in Google's security posture?
  • How does your security approach actually adapt to this vast spectrum of sensitivity and purpose across our servers and services?
  • How do you implement this principle of zero touch prod for both human and service accounts within our complex infrastructure? 
  • Can you talk us through the broader approach you take through Workload Security Rings and how this helps?
#195
October 21, 2024

EP195 Containers vs. VMs: The Security Showdown!

Guest:

Cross-over hosts:

Guest:

41:00

Topics covered:

  • How would you approach answering the question “what is more secure, a container or a virtual machine (VM)?”
  • Could you elaborate on the real-world implications of this for security, and perhaps provide some examples of when one might be a more suitable choice than the other?
  • While containers boast a smaller attack surface (what about the orchestrator though?), VMs present a full operating system. How should organizations weigh these factors against each other?
  • The speed of patching and updates is a clear advantage of containers. How significant is this in the context of today's rapidly evolving threat landscape? Are there any strategies organizations can employ to mitigate the slower update cycles associated with VMs?
  • Both containers and VMs can be susceptible to misconfigurations, but container orchestration systems introduce another layer of complexity. How can organizations address this complexity and minimize the risk of misconfigurations leading to security vulnerabilities?
  • What about combining containers and VMs. Can you provide some concrete examples of how this might be implemented? What benefits can organizations expect from such an approach, and what challenges might they face?
  • How do you envision the security landscape for containers and VMs evolving in the coming years? Are there any emerging trends or technologies that could significantly impact the way we approach security for these two technologies?
#194
October 14, 2024

EP194 Deep Dive into ADR - Application Detection and Response

Guest:

29:29

Topics covered:

  • Why do we need Application Detection and Response (ADR)? BTW, how do you define it?
  • Isn’t ADR a subset of CDR (for cloud)?  What is the key difference that sets ADR apart from traditional EDR and CDR tools?
  • Why can’t I just send my application data - or eBPF traces - to my SIEM and achieve the goals of ADR that way?
  • We had RASP and it failed due to instrumentation complexities. How does an ADR solution address these challenges and make it easier for security teams to adopt and implement?
  • What are the key inputs into an ADR tool?
  • Can you explain how your ADR correlates cloud, container, and application contexts to provide a better view of threats? Could you share real-world examples of types of badness solved for users?
  • How would ADR work with other application security technologies like DAST/SAST, WAF and ASPM?
  • What are your thoughts on the evolution of ADR?
#193
October 7, 2024

EP193 Inherited a Cloud? Now What? How Do I Secure It?

Guest:

29:29

Topics covered:

  • There is a common scenario where security teams are brought in after a cloud environment is already established. From your experience, how does this late involvement typically impact the organization's security posture and what are the immediate risks they face?
  • Upon hearing this, many experts suggest that “burn the environment with fire” or “nuke it from orbit” are the only feasible approaches. What is your take on that suggestion?
  • On the opposite side, what if the business demands you don't touch anything but “make it secure” regardless?
  • Could you walk us through some of the first critical steps you do after “inheriting a cloud” and why they are prioritized in this way?
  • Why not just say “add MFA everywhere”? What may or will blow up?
  • We also say “address overly permissive users and roles” and this sounds valuable, but also tricky. How do we go about it?
  • What are the chances that the environment is in fact compromised already? When is a Compromise Assessment the right call? It does cost money, right?
  • How do you balance your team’s current priorities when you’ve just adopted an insecure cloud environment? How do you make tradeoffs between your existing stack and this new one?
#186
August 19, 2024

EP186 Cloud Security Tools: Trust the Cloud Provider or Go Third-Party? An Epic Debate, Anton vs Tim

Guest:

  • A debate between Tim and Anton, no guests
29:29

Topics covered:

  • You must buy the majority of cloud security tools from a cloud provider, here is why.
  • You must buy the majority of cloud security tools from a 3rd party security vendor, here is why.
#176
June 10, 2024

EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use

Guest:

  • Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google
23:29

Topics covered:

  • Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right?
  • Where are we like other clients of GCP? Where are we not like other cloud users?
  • Do we have any unique cloud security technology that we use that others may benefit from?
  • How does our cloud usage inform our cloud security products?
  • So is our cloud use profile similar to cloud natives or traditional companies?
  • What are some of the most interesting cloud security practices and controls that we use that are usable by others?
  • How do we make them work at scale? 
#172
May 13, 2024

EP172 RSA 2024: Separating AI Signal from Noise, SecOps Evolves, XDR Declines?

Guest:

  • No guests
27:23

Topics covered:

  • What have we seen at RSA 2024?
  • Which buzzwords are rising (AI! AI! AI!) and which ones are falling (hi XDR)?
  • Is this really all about AI? Is this all marketing?
  • Security platforms or focused tools, who is winning at RSA?
  • Anything fun going on with SecOps?
  • Is cloud security still largely about CSPM?
  • Any interesting presentations spotted?
#169
April 22, 2024

EP169 Google Cloud Next 2024 Recap: Is Cloud an Island, So Much AI, Bots in SecOps

Guest:

29:29

Topics covered:

  • What are some of the fun security-related launches from Next 2024 (sorry for our brief “marketing hat” moment!)?
  • Any fun security vendors we spotted “in the clouds”?
  • OK, what are our favorite sessions? Our own, right? Anything else we had time to go to?
  • What are the new security ideas inspired by the event (you really want to listen to this part! Because “freatures”...)
  • Any tricky questions at the end?
#151
December 4, 2023

EP151 Cyber Insurance in the Cloud Era: Balancing Protection, Data and Risks

Guest:

  • Monica Shokrai, Head of Business Risk and Insurance for Google Cloud 
29:29

Topics covered:

  • Could you give us the 30 second run down of what cyber insurance is and isn't?
  • Can you tie that to clouds? How does the cloud change it? Is it the case that now I don't need insurance for some of the "old school" cyber risks?
  • What challenges are insurers facing with assessing cloud risks? On this show I struggle to find CISOs who "get" cloud, are there insurers and underwriters who get it?
  • We recently heard about an insurer reducing coverage for incidents caused by old CVEs! What's your take on this? Effective incentive structure to push orgs towards patching operational excellence or someone finding yet another way not to pay out? Is insurance the magic tool for improving security?
  • Doesn't cyber insurance have a difficult reputation with clients? “Will they even pay?” “Will it be enough?” “Is this a cyberwar exception?” type stuff?
  • How do we balance our motives between selling more cloud and providing effective risk underwriting data to insurers?
  • How soon do you think we will have actuarial data from many clients re: real risks in the cloud? What about the fact that risks change all the time unlike say many “non cyber” risks?