Sweden's 100 most popular podcasts

Cloud Security Podcast

Learn Cloud Security in Public Cloud the unbiased way from CyberSecurity Experts solving challenges at Cloud Scale. We can be honest because we are not owned by a Cloud Service Provider like AWS, Azure or Google Cloud. We aim to help the community learn Cloud Security through community stories, from small to large organisations solving multi-cloud challenges to deep dives into specific topics of Cloud Security. We LIVE STREAM interviews on Cloud Security topics every weekend on LinkedIn, YouTube, Facebook and Twitter with over 150 people watching, asking questions and interacting with the guest.

Subscribe

iTunes / Overcast / RSS

Website

cloudsecuritypodcast.tv

Episodes

Multicloud strategy for AWS and GCP

What is a good multicloud strategy in 2024? We spoke to Vivek Menon, CISO for Digital Turbine about the maturity and security capabilities of major cloud service providers, AWS and GCP.

Vivek spoke about the journey from on-premise to multi-cloud landscapes, the strategic approaches to cloud security in 2024, and the unique challenges that teams face across different cloud platforms. Vivek shared his insights into IAM, misconfigurations, and the value of dedicated cloud-specific teams, providing a roadmap for organizations aiming to enhance their cloud security posture.

Guest Socials: Vivek's Linkedin

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Podcast - YouTube

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(01:58) A bit about Vivek Menon

(02:53) Transitioning from On-Premise to Multi-Cloud

(05:35) What is mobile ad tech?

(06:44) Why AWS and GCP?

(08:09) Challenges in Multi-Cloud Environments - The people piece

(09:37) Challenges in Multi-Cloud Environments - The process piece

(10:42) Managing identities in a MultiCloud Environment

(12:52) Managing Misconfigurations in a MultiCloud Environment

(13:58) Multi-Cloud Security- Build In-House or Buy Tools

(17:44) Starting Point for MultiCloud Policy

(18:54) AWS vs. Google Cloud: Comparing Cloud Security Maturity

(20:28) What makes security in Google Cloud stand out

(21:18) CISO Guide: Initiating a Cloud Security Strategy in 2024

(25:01) The Fun Section

(27:03) Where can you connect with Vivek

2024-01-19
Link to episode

AI's Role in Security Efficiency - Kubernetes Edition

Dive into the world of AI and Kubernetes with Shopify's Shane Lawrence in this episode of the Cloud Security Podcast. Shane shares his experience in the security team at Shopify, working at the intersection of AI, Large Language Models (LLMs), and Kubernetes security. Shopify is looking to pioneer the use of AI to streamline developer operations, enhance productivity, and bolster security measures in multi-tenant Kubernetes environments.

This episode will be valuable for you if you work in Kubernetes or Security and are looking for how AI can build efficiency in your team.

Guest Socials: Shane's Linkedin

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Podcast - YouTube

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction to AI and Kubernetes

(01:32) Shane Lawrence and Shopify's AI Journey

(02:21) AI and Developer Efficiency in Kubernetes

(04:39) AI-Driven Automation for Security

(06:34) Challenges of AI in Kubernetes Environment

(11:22) Case Studies for AI in Kubernetes

(13:43) The Future of Kubernetes and AI

(15:59) Learning and Experimenting with AI in Kubernetes

(17:49) Closing Thoughts and Fun Q&A

2024-01-12
Link to episode

Build an Effective AWS Cloud Security Program in 2024

How can you build a robust cloud security program in AWS, particularly for startups and small to medium-sized businesses navigating AWS in 2024? We spoke to Chris Farris, who is the event chair for fwd:cloudsec, a known cloud security expert and one of the first AWS Heroes for security.

Chris shared his insights on how to build a security strategy that is both practical and effective in today's dynamic cloud environment. From discussing the importance of AWS Organizations and Identity Centre to breaking down the complexities of cloud security posture management, you will hear actionable advice and best practices.

Guest Socials: Chris's Linkedin (@chrisfarris)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Podcast - YouTube

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions Asked:

(00:00) Introduction

(02:59) A bit about Chris Farris

(03:30) fwd:cloudsec Conference

(04:19) AWS Hero program for Cloud Security

(05:23) Building Effective Cloud Security Programs

(11:39) Top Recommendations for AWS Cloud Security

(13:34) What is AWS IAM Identity Center?

(18:02) How to Set Up AWS IAM Identity Center?

(20:13) Cloud Security in different industries

(29:31) The role of a Cloud Security Engineer

(34:30) Cloud Security Breaches

(38:02) Educational Resources in Cloud Security

(42:41) The Fun Section

Resources spoken about in this episode:

fwd:cloudsec

AWS IAM Identity Center

Leveraging AWS SSO (aka Identity Center) with Google Workspaces

breaches.cloud

2024-01-05
Link to episode

Offensive Cloud Security Program for 2024

Is Offensive Security part of your 2024 Security Roadmap? We caught up with Sam Kirkman, Director at NetSPI EMEA at BlackHat Europe 2023 about what an Offensive Security Roadmap going into 2024 should look like. Offensive security is much more than pentesting. We spoke about how to build a capable team, different maturity stages of building such a program and resources you can lean on while you are on this journey across different industries.

Guest Socials: Sam's Linkedin (@sam-kirkman-cybersecurity)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Podcast - YouTube

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(02:53) A bit about Sam Kirkman

(03:53) What is offensive security?

(04:52) The attack landscape

(07:34) Offensive Security Roadmap

(09:43) Components of Offensive Security Roadmap

(11:04) What's a good starting point?

(12:55) Skillsets required in the team

(16:57) Different stages of maturity

(19:09) Where can people learn more about this?

(22:03) Where you can connect with Sam

You can learn more about NetSPI and offensive security here

2023-12-19
Link to episode

Understand Your Cloud Security Landscape to cut through the noise!

Cloud Security environments look very complex in 2023, and they will continue to evolve in 2024, now with AI. At AWS re:Invent 2023 this year, we sat down with Alex Jauch, Senior Director of Product Management at Outshift, to talk about the complexities in Cloud Security, the role of GenAI and what items to consider for your 2024 Cloud Security Program.

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Podcast - YouTube

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions Asked:

(00:00) Introduction

(01:34) A bit about Alex

(02:02) Current Cloud Security Landscape

(04:43) The cloud security acronyms

(08:44) Dealing with complex infrastructure

(12:31) Impact of GenAI on Security

(15:26) Do you have GenAI in Production?

(16:55) We are all one team!

(19:04) 2024 Security Program

(20:39) What's not being spoken about?

(22:11) The fun section

(26:00) Where you can connect with Alex!

2023-12-15
Link to episode

Kubernetes Security Trends 2024 | Software Supply Chain Security, Zero Trust and AI

Kubernetes is shaping the future of cloud native technology with interest from security folks, businesses and developers - what does the future of Kubernetes Security look like? At Kubecon NA 2023, we spoke to Emily Fox who is the chair of CNCF's Technical Oversight Committee and Software Engineering Lead at RedHat about how Zero Trust plays out in the Kubernetes environment, challenges and solutions in securing the software supply chain within Kubernetes, the impact of AI workloads on Kubernetes and future of Edge Computing and Kubernetes.

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Podcast - YouTube

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions Asked:

(00:00) Introduction

(02:23) A bit about Emily

(02:51) What is Supply Chain Security?

(03:51) What triggered this conversation?

(05:10) Supply Chain Security in Managed Kubernetes

(06:07) What is Zero Trust?

(07:24) Implementing Zero Trust

(09:29) The role of Security and Compliance

(11:13) Compliance as code in Kubernetes

(13:22) What is Edge?

(17:41) The impact of AI on Security

(20:39) Detection for AI and Kubernetes

(22:29) How are the skillsets changing?

(25:00) Security for Open Source Projects

(28:01) The fun section

2023-12-14
Link to episode

Kubernetes Network Security for Multi Tenancy

Kubernetes security explained: We spoke to Cailyn Edwards, CNCF Ambassador and Senior Security Engineer at Shopify. The interview was recorded at Kubecon NA 2023. We asked her about the complexities of Kubernetes Network Security in a multi-tenant environment. During the interview, she shared the nuances of Kubernetes network security in multi-tenant setups, tools and tactics for securing Kubernetes environments, insights from her journey at Shopify and tips for advancing the security maturity of Kubernetes networks.

Thank you to our episode sponsor Vanta - You can check them out at vanta.com/cloud

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(02:25) A bit about Cailyn

(03:08) How is Kubernetes Networking different?

(04:20) Foundational pieces of Kubernetes Networking

(06:21) What's missing in Kubernetes Networking?

(07:47) What is Multi Tenancy?

(10:20) What are some of the common threat models?

(13:16) How are people responding to threats?

(14:41) Where to start learning about this?

(16:26) Best practices for Kubernetes Networking

(18:16) What becomes more important with maturity?

(21:14) Resources to learn more about Kubernetes Security

(22:30) The Fun Section

Resources shared during the episode:

Kubernetes Security Checklist - https://kubernetes.io/docs/concepts/security/security-checklist/

Pentesting your own cluster with Liz Rice - https://www.youtube.com/watch?v=fVqCAUJiIn0

2023-12-12
Link to episode

AWS reInvent 2023 - Security highlights and announcements

Cloud Security Podcast just got back from AWS re:Invent 2023. There was a lot of chat around, you guessed it, GenAI, but along with that there were plenty of security updates and announcements. Shilpi and Ashish broke them all down for you and what it all actually means for all security practitioners.

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(04:49) GenAI at AWS re:Invent

(06:01) No new security service announced

(06:48) Updates from CEO and CTO Keynotes

(11:29) What is Amazon Inspector?

(12:10) Amazon Inspector Security Updates

(15:09) What is AWS Security Hub?

(15:52) AWS Security Hub Security Updates

(18:52) What is Amazon GuardDuty?

(20:10) Amazon GuardDuty Security Updates

(22:49) What is Amazon Detective?

(23:45) Amazon Detective Security Updates

(26:22) What is IAM Access Analyser?

(28:06) IAM Access Analyser Security Updates

(30:33) What is AWS Config?

(31:25) AWS Config Security Updates

(32:35) Other Security Updates

(33:46) 3 Layers of AI

(35:21) What is Amazon CodeWhisperer?

(36:36) Amazon Application Composer

(37:34) Guardrails for Bedrock

(38:13) Amazon Q

(41:17) Zero Trust

(41:45) Ransomware

(44:29) Security Talks

(45:54) Input filtering and validation for WAF

(50:31) Enterprise IAM and data perimeter

(53:00) Conclusion and find out more!

You can check out the Top announcements of AWS re:Invent 2023 + AWS re:Invent 2023 - Security Compliance & Identity

2023-12-06
Link to episode

eBPF - Kubernetes Network Security without the Blind Sides!

eBPF is a recent graduate in the CNCF family, and this means that in the world of Cloud and Kubernetes, networking looks very different with more security capabilities. Cilium, the project from Isovalent, has been gaining traction for network security for Kubernetes as blind sides have been called out in managed Kubernetes deployments. This episode was recorded at KubeCon NA with Thomas Graf from Isovalent, who shared what the blind sides are and why eBPF provides better network security capability for Kubernetes deployments of any scale.

Guest Socials: Thomas's Linkedin (@ThomasGraf)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(03:42) A bit about Thomas

(04:11) Traditional Networking in Kubernetes

(06:52) What is Cilium?

(07:52) What is eBPF?

(08:46) What do people use Cilium for?

(11:31) Starting with network security in Kubernetes

(13:02) Complexities with Scale

(16:02) How do projects graduate?

(17:02) The eBPF documentary

(17:27) Opensource to Company

(18:52) Practitioner to Founder

(19:57) Building an open source project

(21:13) The Fun Questions!

You can check out The eBPF Documentary here

2023-11-30
Link to episode

Attack Path Analysis for Better Kubernetes Security

Kubernetes security cannot be just about Kubernetes; it is like the security of a datacenter within another datacenter. In this episode with Tim Miller we spoke about CNAPP and how to approach Kubernetes security.

Thank you to our episode sponsor Outshift by Cisco

Guest Socials: Tim's Linkedin (@timothyemiller)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(02:42) A bit about Tim Miller

(03:35) What is CNAPP?

(04:30) Traditional Kubernetes Security

(05:18) Where to put a CNAPP?

(06:20) CSPM vs CNAPP

(09:00) Attack Path Analysis

(11:05) Kubernetes Attack Path

(12:43) The team you need

(14:06) Resources to learn more

(16:24) Fun Question

2023-11-22
Link to episode

Secure your SaaS applications like this!

SaaS applications support large companies and small startups alike. We inevitably accumulate SaaS applications to manage our employees, payroll and communication, with things like Workday, Slack, Salesforce and now even things like ChatGPT. But how do you find out what you have and if they are secure? We spoke about all things SSPM with Max Feldman, who has done Product Security for years at companies like Slack, Salesforce and now AppOmni.

Thank you to our episode sponsor AppOmni

You can get a copy of their SaaS Security Posture Management Report 2023 here

Guest Socials: Max's Linkedin (@maxfeldman14)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(04:20) A bit about Max

(04:48) What is a SaaS application?

(05:45) What is SSPM?

(09:33) When to consider a SSPM?

(15:45) SaaS and the Cloud

(16:39) SaaS Attack Surface

(19:34) CASB vs SSPM

(24:00) Is ChatGPT a SaaS application?

(25:07) SSPM vs CSPM + CNAPP

(27:33) SSO and Onboarding

(29:21) Starting a SaaS Security Program

(36:48) Challenges with SaaS Security Program

(41:50) Where you can find Max!

2023-11-21
Link to episode

Threat Detection for not so Common Cloud Services

Threat detection is often limited to popular cloud services, so what's happening to all the "not so popular or commonly known" cloud services in your environment? We are speaking to Suresh Vasudevan, CEO of Sysdig, about the challenges companies typically find in this space and what the approach for threat detection should be. If you feel you are looking at threats from all cloud services, you might want to hear this episode to know whether you actually are.

Thank you to our episode sponsors Vanta and Sysdig

You can find out more about Sysdig here!

Find out more about Vanta here!

Guest Socials: Suresh's Linkedin (@suvasudevan)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(03:41) A bit about Suresh

(05:14) How was threat detection done traditionally?

(07:33) How does threat detection translate to cloud?

(08:47) Uncommon services attack vector examples

(11:00) Uncommon services explained

(11:31) Problems with threat detection in cloud

(16:53) How to approach prioritisation?

(19:48) Bridging Cloud and Applications

Resources discussed during the episode!

LabRat
AmberSquid
Scarleteel
The 2023 Global Threat Research

2023-11-11
Link to episode

How to Escape Clusters in a Managed Kubernetes Cluster?

Not escaping containers but escaping clusters: attack vectors in managed Kubernetes distributions such as Amazon EKS, Google Kubernetes Engine (GKE) and Azure Kubernetes Service (AKS) can allow you to reach the underlying AWS account etc. In conversation with Christophe Tafani-Dereeper & Nick Frichette from Datadog on how this is possible in Amazon EKS and potentially achieving the same in GKE & AKS too.

Thank you to our episode sponsor Sagetap

Guest Socials: Nick's and Christophe's Linkedin (Nick Frichette + Christophe Tafani-Dereeper)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(04:11) A bit about Christophe

(04:37) A bit about Nick

(05:03) What is managed Kubernetes?

(06:26) Security of managed Kubernetes

(09:02) Comparison between different managed Kubernetes

(10:41) Service accounts and managed Kubernetes

(14:22) What is container escape?

(18:20) IMDSv2 for EKS

(19:51) IMDSv2 in EKS vs AKS and GKE

(22:01) Benchmark compliance for Kubernetes architecture

(24:49) Low hanging fruits for container escape

(27:17) Shared responsibility for managed Kubernetes

(29:34) Fargate for Managed Kubernetes

(32:00) Different ways to run containers

(33:37) Escaping Managed Kubernetes cluster

(38:39) Find more about this attack path

(42:38) Escalation privilege in EKS cluster

(44:19) Reducing the Kubernetes attack service

(44:58) MKAT for Kubernetes Security

(48:23) Preventing AWS AuthConfig

(50:11) Propagation Security

(54:55) The fun section

(57:47) Resources for latest Kubernetes updates

Resources spoken about during the episode

Nick Frichette's Blog - Hacking the Cloud

Christophe Tafani-Dereeper's Blog

Corey Quinn's - 17 ways to run containers on AWS

MKAT

cloudseclist newsletter

2023-11-07
Link to episode

Have I lost my Secrets?

You know that feeling when you are unsure if your AWS secret that leaked is still available for use? There is no easy way to check this apart from looking in AWS to see if anyone used it. Turns out there could be another way. We have Ziad Ghalleb from GitGuardian to share a free tool they released to help people look up if their secret was exposed on GitHub.

Thank you to our episode sponsors GitGuardian and Sysdig

Guest Socials: Ziad's Linkedin (@ghallebziad)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Questions asked:

(00:00) Introduction

(04:53) A bit about Ziad

(05:47) What are secrets?

(07:37) Has my secret leaked

(08:46) How would users know?

(10:31) What's the risk?

(15:43) What do orgs do for secrets?

(18:01) Keeping tab on your secrets

(20:33) Secrets management maturity

(22:43) Scaling Secrets management program

(25:20) Where to learn more?

Resources spoken about during the episode

hasmysecretleaked

Secrets Detection Learning Center

2023-11-06
Link to episode

How to become a Senior Cloud Security Engineer?

Nick McLaren is a Senior Cloud Security Engineer at an Enterprise and he transitioned to this role from a Cloud Security Engineer at a Startup. On this episode he shared with us how the roles differ between an enterprise and a startup, what skills you require to become a senior cloud security engineer and what a day looks like in the life of a cloud security engineer.

Thank you to our sponsors for this episode:

Vanta - You can check them out at vanta.com/cloud

Snyk - Check them out at Snyk.io/csp

Guest Socials: Nick's Linkedin (Nick McLaren)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(02:15) A message from our sponsor

(03:07) A bit about Nick

(04:30) Startup vs Enterprise

(09:12) Senior cloud security engineer

(11:34) Communicating with the business

(13:18) Agile Methodology

(17:03) A day in the life of cloud security engineer

(19:33) Knowing multi-cloud

(20:43) Learning Azure from AWS

(21:50) Dealing with Third parties

(24:36) You don't need to know everything

(25:51) Getting into Cloud Security

(27:55) Knowing coding and terraform

(29:37) The Fun Questions

2023-11-01
Link to episode

5 Skills to Level Up Your Cloud Hacking

BlackHat 2023 and Defcon 31 Roundup were the breeding ground for new and existing hackers to come together and share what to look out for in 2023 and 2024. The skills that stood out were:

- Identity

- Cloud Infrastructure Security

- CI/CD Security

- Preventative Security

- Data Security

Do you agree?

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Video

(00:00) Introduction

(00:57) Identity

(03:54) Data Security

(06:33) Cloud Infrastructure Pentesting

(08:38) Preventative Cloud Security

(10:57) CI/CD Security

2023-10-07
Link to episode

Become a Cloud Native CISO in 2023

Michael Piacente has been helping companies find Security Executives (CISO) for a long time, for household name companies like Lyft, Instacart, Airbnb and more. In this episode we speak about his current passion for Cloud Native CISOs: what they are and what kind of skills they should work on to become a CISO in the cloud native world most organizations are moving ahead with in full force.

Thank you to Sagetap for sponsoring this episode, you can find out more about them on - https://www.sagetap.io/

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Michael's Linkedin (Michael Piacente)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(03:57) A bit about Michael Piacente

(07:20) Why the focus on Cloud Native CISOs?

(09:52) What is a Cloud Native CISO?

(12:47) Different type of leadership roles in Security

(18:30) How are CISOs compensated?

(21:27) How CISOs can protect themselves?

(25:31) Have the roles & responsibilities changed?

(27:33) Importance of personal branding

(34:48) Trajectory after becoming a CISO

Link to participate in Hitch Partner's Annual Survey

2023-10-02
Link to episode

Software Supply Chain Controls for Terraform

Understanding Software Supply Chain security threats for Terraform, which has been the default for Infrastructure as Code, is important. In this episode Mike Ruth shares his experience of working on securing Terraform Cloud/Terraform Enterprise - no open source was harmed in the making of this episode.

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Mike's Linkedin (Mike Ruth)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(03:27) A bit about Mike Ruth

(04:01) What is Terraform?

(05:38) Terraform in the context of supply chain

(07:24) Flavors of Terraform

(09:07) Deploying Terraform

(12:25) Terraform Architecture

(14:48) Research findings that Mike and Oca made

(25:52) Securing Terraform Architecture

(28:13) Policy Enforcement

(29:13) What is a Module?

(30:15) Security best practices for Terraform Deployment

(31:53) Learning about Terraform security

(34:44) Maturity for Terraform

(37:45) The Fun Questions

Mike spoke about Terraform Cloud Security Model during the interview.

See you at the next episode!

2023-09-21
Link to episode

Data Security RoadMap in 2023

DSPM or Data Security Posture Management with Yotam Segev from Cyera: Most security teams have known about data challenges in their organization, and some of them are put in the "too hard to solve right now" bucket. Yotam came on the show to talk about who should own and manage data security programs and what a data security roadmap can look like for leaders who are working on the data problem today.

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Yotam's Linkedin (Yotam Segev)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(04:32) Why is data security getting attention?

(05:46) How was data security done before?

(06:43) Cloud native way of managing data

(07:31) What triggers a data security project?

(08:35) At what stage should you start data security?

(10:06) Challenges with starting data security projects

(13:02) What does success look like?

(15:02) Does the CISO own data security?

(16:03) The right skill set for data security

See you at the next episode!

2023-09-18
Link to episode

The Cloud to Code Dilemma - Let's Talk

Is it code to cloud or cloud to code? With Harshil Parikh from Tromzo: A lot of leaders today face the inevitable question of "should I start with the code or the cloud first?" Harshil Parikh from Tromzo was kind enough to share his CISO experience on what each of these is and what CISOs can prioritise in their programs.

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Harshil's Linkedin (Harshil Parikh)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(02:51) Harshil's path into cybersecurity

(04:30) What is code to cloud?

(05:19) What is cloud to code?

(06:29) How was cybersecurity done traditionally?

(08:28) What should CISOs prioritise?

(09:43) How different sectors are impacted?

(10:56) Where should CISOs start?

(12:30) Application vs Cloud vs Product Security

(14:44) Is application security becoming cloud security?

(16:43) What does maturity look like?

(20:18) The fun questions

See you at the next episode!

2023-09-09
Link to episode

CISO Perspective: Josh Lemos, CISO of GitLab

Josh Lemos, former CISO of Block and the current CISO of GitLab, comes from a pentester background and made his way to becoming a CISO. We were lucky enough to interview him during hacker summer camp about his journey, his experience in AI, takeaways from the BH CISO summit, types of CISOs & more.

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Josh's Linkedin (Josh Lemos)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(01:47) A bit about Josh Lemos

(03:48) What does cloud security mean to Josh?

(04:53) What to look out for with AI/ML?

(07:03) CISO perspective on AI/ML

(08:13) What should a CISO roadmap look like in 2023?

(10:39) Takeaways from BlackHat CISO Summit

(12:24) CISO for B2B vs B2C

(13:43) Hardware vs Software Security

(14:41) Skills needed to become a CISO

(15:48) What is cloud pentesting?

(17:20) Fun Questions

See you at the next episode!

2023-09-06
Link to episode

The Azure Cloud Security Pentesting Skills You NEED!

Karl Fosaaen, the author of "Penetration Testing Azure for Ethical Hackers" and the VP of Research at NetSPI, came as a guest to share why a penetration test of a web application hosted on Azure Cloud in 2023 is quite different from simple/traditional web app pentesting, and the skills you need to pentest Azure environments. Cloud penetration testing in Microsoft Azure, just like in AWS and Google Cloud, is often misunderstood to be just a config review. In this video, Karl Fosaaen was kind enough to walk through the following questions and methods.

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Karl's Linkedin (Karl Fosaaen)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(02:32) A bit about Karl Fosaaen

(03:26) How is pentesting in Azure different from AWS?

(04:35) Cloud pentesting is not just config review

(05:42) Cloud pentesting vs Network pentesting

(06:25) Cloud Pentest - Next evolution of Network Pentest?

(07:14) Boundaries of cloud pentesting

(09:07) Do you need prior approval for Azure Pentest?

(09:32) Working with Microsoft Security Research Centre

(10:35) Process of pentesting in Azure

(11:57) Low hanging fruits to start off with!

(13:37) How to persist and escalate?

(14:58) Managed Identities in Azure

(16:23) Impact of peripheral services to Azure

(18:33) Scale of deployments in Azure

(21:02) Getting access to permissions for Azure Entra

(22:36) Scaling your pentest tools

(23:34) TTPs or Matrix you can use

(25:30) Getting into Azure Pentesting

(26:56) Transitioning from network to azure pentesting

(28:37) Connect with Karl

Resources:

The NetSPI Blog to learn more about offensive cloud security

Mitre - Cloud Attack Matrix

ATRM

Karl's Book - Penetration Testing Azure for Ethical Hackers: Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments

See you at the next episode!

2023-08-28
Link to episode

How to detect software supply chain attacks with Honeytokens?

Can Honeytokens be used in your supply chain security? Turns out they can! We spoke to Mackenzie Jackson (@advocatemack) from @GitGuardian about the benefits of using Honeytokens, which organisations can benefit from them, what's involved in deploying them and the next steps once they are triggered.

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Mackenzie Jackson (@advocatemack)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(02:01) A bit about Mackenzie Jackson

(02:37) What are Honeytokens?

(03:35) Traditional threat detection

(05:29) Honeytoken in action

(07:02) Deployments for Honeytokens

(09:46) Role of Honeytoken in Supply Chain

(11:02) Deploying and managing Honeytokens

(13:12) Incident response with Honeytokens

(15:01) What companies should use Honeytokens?

(16:05) What if the key is deleted!

Resources:

You can find out more about Honeytokens & GitGuardian here!

See you at the next episode!

2023-08-25
Link to episode

Google Cloud Security Pentesting Methodology

A penetration test of a web application hosted on Google Cloud in 2023 is quite different from simple/traditional web app pentesting.
Cloud penetration testing is often misunderstood to be just a config review in Google Cloud. In this video, we have Kat Traxler, who is a cloud security researcher and SANS course author and has worked in the Google Cloud space, even building open source tools that can be used to perform cloud security testing.

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Kat Traxler (Kat Traxler's Linkedin)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(04:17) A bit about Kat Traxler

(05:56) Pentesting in GCP vs AWS

(08:07) Config review vs cloud pentesting

(09:24) Cloud pentest vs Traditional Pentest

(10:28) Starting to do GCP pentesting

(12:35) Common services used in GCP

(14:10) Low hanging fruits in GCP

(15:25) What are default service accounts?

(17:52) You may already have google cloud

(20:00) How to persist access in Google Cloud?

(21:56) Shared responsibility in GCP

(24:01) Common TTPs in GCP

(28:05) Is there SSRF in GCP?

(30:19) Open source tools for cloud pentest

(33:59) Fun questions

Resources that Kat shared during the episode

The Google Cloud Adoption Framework Google Cloud Org Policy Bot GCAT Threat Horizons Report Pacu Microburst DeRF Stratus

See you at the next episode!

2023-08-25
Link to episode

Network Pentest 2.0 : The Cloud Pentest Revolution

Cloud Security Pentest is not just a Cloud configuration review! At Blackhat 2023 & Defcon 31, Cloud Security Podcast asked traditional and experienced pentesters for their opinion on cloud security pentesting, and the divide was between it being a config review or a product pentest. For this episode we have Seth Art from Bishop Fox to clarify the myth.

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Seth Art's Linkedin (Seth Art Linkedin)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Question

(00:00) Introduction

(05:17) A bit about Seth Art

(06:44) Network vs Infrastructure Security Pentest

(08:00) Internal vs External Network Security Pentest

(10:26) Assumed vs Objective Based Pentest

(12:51) Is network pentest dead?

(14:04) How to approach network and cloud pentests?

(20:12) Cloud pentest is more than config review

(24:04) Examples of cloud pentest findings

(30:07) Scaling pentests in cloud

(32:25) Traditional skillsets to cloud pentest

(36:58) A bit about cloudfoxable

(39:31) Cloud pentest and Zero Trust

(40:54) Staying ahead of CSP releases

(44:31) Third party shared responsibility

(47:35) 1 fun question

(48:36) Boundary for cloud pentest

(52:21) Last 2 fun questions

These are some of the resources that Seth shared during the episode along with the tools he has created

CloudFox, CloudFoxable, flAWS, flAWS 2, iamvulnerable, Cloud Goat

See you at the next episode!

2023-08-22
Link to episode

Google Cloud Hacking Red Team Perspective!

Google Cloud hacking or pentesting is very different from other popular cloud service providers like AWS or Azure. In this episode we had Shannon McHale (Mandiant, now Google Cloud) talk about how she approaches pentesting a Google Cloud environment and how you can too.

Episode YouTube: Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Shannon McHale's Linkedin (Shannon's Linkedin)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(03:38) A bit about Shannon McHale

(05:31) What is Red Teaming?

(06:42) Red Teaming in the Cloud

(07:50) Methodology behind Red Teaming

(09:32) Pentesting in Google Cloud

(10:28) Low hanging fruits in Google Cloud

(14:36) GCP storage

(16:09) Red Team Assessment in Google Cloud

(17:08) The importance of Metadata

(18:17) Recommendations for Blue Teamers

(22:03) How to get started in Red Teaming?

(26:06) Tools or Research that stood out for Shannon

(27:42) GCP Resources that can be exposed

(29:15) Resources to learn about Cloud Red Teaming

(30:37) The Fun Questions

These are some of the resources Shannon found helpful to learn about Pentesting in Cloud along with her own GitHub link

HackTricks for GCP Littlehack3r

See you at the next episode!

2023-08-02
Link to episode

Cloud Security in the BoardRoom - CISO Perspective with Phil Venables

CISOs in organizations that are going through digital transformation have a responsibility of educating the board on how Cloud Security is measured and improved on to manage the risk posture of the organization. We had Phil Venables, CISO of Google Cloud share from his experience of serving as a CISO for so many years on how to best share cybersecurity and cloud security metrics with the c-suite and the board.

Episode YouTube Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Phil Venables' Linkedin (Phil's Linkedin)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(03:02) A bit about Phil Venables

(04:17) Are boards talking about Cloud Security?

(05:47) Security Metrics to show to the board

(07:48) Are Security Metrics seasonal?

(10:23) Aligning security metrics to business goals

(13:59) Educating the board about Cloud Security

(15:50) CISOs should be braver

(18:42) 3 Security Metrics to start with

(25:25) Setting the risk appetite as an organisation

(27:11) Essential attributes for a CISO

(29:14) What makes a successful security program?

(32:18) Skillsets required to become a CISO

(36:49) The fun questions

See you at the next episode!

2023-07-30
Link to episode

Google Cloud IAP - A Pentester Viewpoint

Google Cloud Security Assessment from a pentester's lens. Anjali from NotSoSecure will be sharing her research into Google Cloud IAP & finding ways to assess the use of Google Cloud IAP in your environment and what are some of the low hanging fruits that you can remove today to reduce any potential risk from the service to your Google Cloud environment.

Episode YouTube Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Anjali S's Linkedin (Anjali S)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(04:31) A bit about Anjali Shukla

(05:23) What is GCP IAP?

(07:18) Why is IAP so important?

(09:55) IAP and Identity Federation

(11:34) SSH vs Jump Box

(13:57) GCP IAP vs AWS Cognito

(16:22) Misconfigurations in GCP IAP

(23:17) Potential security scenarios

(25:45) Cloud Security Assessment in GCP

(28:13) Doing your own cloud security assessment

(30:49) The Fun Questions

See you at the next episode!

2023-07-26
Link to episode

Doing Google Cloud Security RIGHT!

AWS Landing zones are well known, but not as much in the Google Cloud space. In this episode Jimmy Barber shares how controls can be automated in GCP to create a landing zone to manage security across a large Google environment.

Episode YouTube Video Link

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Jimmy Barber's Linkedin (Jimmy Barber)

Podcast Twitter - @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(03:10) A bit about Jimmy Barber

(05:42) Transitioning from on-prem to cloud

(07:26) How are things different in GCP?

(09:01) Building blocks of working with GCP

(14:15) What is a landing zone in GCP?

(17:23) Building landing zone in existing GCP environments

(20:04) Using Cloud Native services vs others

(22:59) Security gaps in GCP

(25:15) Non technical challenges moving to cloud and GCP

(28:45) Doing security in GCP

(31:18) Where to start learning about GCP

(32:37) The Fun Section

These are some of the resources Jimmy found helpful when learning GCP Security

Google Cloud Training

See you at the next episode!

2023-07-25
Link to episode

An AWS Centric View of Google Cloud Identity

Cloud Security Podcast - Yes - AWS Cloud folks are starting to look after Google Cloud security now in a lot of organisations. Caleb Tennis from Sequoia Capital joins us to share his personal experience on how from being an AWS professional he started looking after Google Cloud Identity and how to secure their Google Cloud Environment.


Episode YouTube Video - https://youtu.be/k1FrVEe1tGc

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Caleb Tennis's Linkedin (Caleb Tennis)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(04:51) A bit about Caleb Tennis

(07:27) Caleb's first impressions of GCP

(08:53) Google Cloud Blind Spots

(12:35) Where to start security GCP?

(15:23) Managing identities in GCP

(20:17) Temporary Credential in Google Cloud

(24:54) Managing identity with scale

(29:59) Is there enough Google Cloud Usage

(31:14) Google Cloud logging and monitoring

(35:48) What does Scale look like in Google Cloud?

(37:53) Hardest things to learn in GCP

(41:08) Learning GCP Security

(42:58) The Fun Section

See you at the next episode!

2023-07-22
Link to episode

So You WANT TO DO Google Cloud Threat Detection - Start here!

Cloud Security Podcast - Cybersecurity threat hunting explained for Google Cloud. Day Johnson is a threat detection engineer, and in this episode of Cloud security for Google Cloud security we spoke about how to start doing threat detection in Google Cloud and the common threats and attack vectors in GCP.

Episode YouTube Video - https://youtu.be/FCVG7-lFu0Q

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Day Johnson's Linkedin (Day - Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security Newsletter

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(02:37) A word from our sponsor snyk.io/csp

(03:11) A bit about Day Johnson

(04:12) Common Threats in GCP

(06:04) Starting Threat Detection in GCP

(07:57) Transitioning to GCP from AWS

(10:53) Threat modelling by Service

(14:27) Where to start with threat detection in GCP

(18:17) Common Threat Vectors in GCP

(21:53) Automatic Threat Detection

(23:13) Services to be mindful of

(26:10) Compute Image Creation

(28:07) Get started in Detection Engineering

(32:45) Helpful resources for Threat Detection

(36:00) The fun questions

These are some of the resources Day found helpful for threat detection in GCP along with some resources he mentioned + his talk

GCP IAM Docs GCP Goat
Day's talk on fwd:cloudsec Google Cloud Threat Research Report

See you at the next episode!

2023-07-11
Länk till avsnitt

Using Data Perimeters in AWS To Scale Guardrails

Cloud Security Podcast - AWS network security, IAM security or even organization security for what can happen in your AWS environments can be achieved using a data perimeter. John Burgess (John - Linkedin) from Stripe spoke about this topic at @fwdcloudsec and shared additional insights on the thinking he had when building data perimeters as guardrails. There were a lot more gems dropped so def check out the episode.

Episode YouTube Video - https://youtu.be/Hs9ZEaVG7Ww

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: John Burgess (John - Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(03:13) A word from our sponsors

(03:38) A bit about John Burgess

(04:26) Data perimeter in the Cloud

(05:10) Defining data perimeter in AWS

(06:50) Where to start building AWS data perimeter

(08:21) The defense in depth approach

(09:09) Approach to enable developers

(10:40) Starting point for building data perimeter

(11:41) Limitations with Data Perimeter

(13:06) Implementing data perimeter for segregation

(15:52) Working with Terraform Modules

(16:34) Goals behind data perimeter controls

(18:31) Proactive detection for third party

(20:00) Data perimeter for other CSPs

(20:42) Challenges in establishing data perimeter

(23:06) Dealing with multiple organisations

(23:35) Learn more about data perimeter

(24:06) The fun section

These are some of the resources John found helpful for data perimeter:

Establishing a Data Perimeter on AWS: Overview

Data Perimeter Policy Examples

Netflix: Preventing Credential Compromise

See you at the next episode!

2023-07-06
Link to episode

AWS INCIDENT RESPONSE - Automate Containment

Cloud Security Podcast - The NIST incident response framework has 4 steps, including one for Containment. AWS incident response being API enabled allows for automating a lot of incident response activity, especially containment. In this episode Damien Burks (Damien - Linkedin) spoke about his @fwdcloudsec talk, where he shared how he automated incident response in the AWS environments of Citi. There were a lot more gems dropped so def check out the episode.

Episode YouTube Video - https://youtu.be/IrLuHMLQs_w

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Damien Burks (Damien - Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(00:13) A word from our sponsors - Snyk.io/csp

(01:16) A bit about Damien Burks

(02:24) Incident Response in the cloud context

(03:50) Is incident response different in the cloud?

(05:22) Average time for an incident response

(07:33) AWS services for incident response automation

(08:55) AWS Eventbridge

(11:56) The phases of incident response

(13:42) Containment Phase: Starting point and challenges

(17:54) Organisation with Multiple Accounts

(20:09) How to structure the process

(21:04) Containment for EC2 instance

(23:54) Enjoying this cloud security topic so far?

(25:17) Containment for S3 Bucket

(27:57) Where to start with incident response

(30:18) Preparing for Incidents

(32:08) Fun Questions

See you at the next episode!

2023-07-05
Link to episode

Cloud Security Baseline For Scale

Cloud Security Podcast - Automating a Security Baseline in Cloud with Olivia Siow (Olivia's Linkedin) and David Levitsky (David's Linkedin). In this episode Olivia and David shared their experience of how they were able to empower developers to always do the right thing through positive reinforcements, like making default libraries part of the AWS Account build, to scale security across their organisation. There were a lot more gems dropped so def check out the episode.

Episode YouTube Video - https://www.youtube.com/watch?v=8kpiDcowl2A

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Olivia Siow (Olivia's Linkedin) and David Levitsky (David's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(04:16) A bit about Olivia Siow

(04:31) A bit about David Levitsky

(04:54) Cloud Security Baseline

(06:38) Do all organisations need a cloud security baseline?

(07:16) Does cloud security baseline help with scaling?

(07:34) Success Metrics for establishing cloud security baseline

(10:41) The cultural side of building a baseline

(11:40) Anatomy of AWS Cloud Account at Scale

(12:58) Building Blocks of Cloud Security Baseline

(16:54) Non Technical Challenges

(19:24) Organisation Challenges

(21:41) Would larger organisations have multiple baselines?

(23:34) Baseline for Multicloud or hybridcloud

(26:10) Use case with terraform cloud and route 53

(30:26) What telemetry is important

(32:36) Segregating Logs in a cloud context

(33:58) Can be done with any cloud and tool of choice

(34:43) Baseline vs CNAPP + CSPM

(37:56) Team skill requirement

(39:16) The fun section

(45:13) Where can you connect with Olivia and David to continue the conversation

See you at the next episode!

2023-07-01
Link to episode

AWS ReInforce 2023 Recap & Highlights

Cloud Security Podcast - AWS ReInforce 2023 or AWS Re:inforce 2023 highlights in a recap from the 2 Day affair for all things AWS Cloud Security! We were lucky enough to be there. This is a recap of the major announcements and highlights from major themes around the event.

Episode YouTube Video - https://www.youtube.com/watch?v=UhVBvnmmfnQ

Cloud Security Podcast Website - www.cloudsecuritypodcast.tv

FREE CLOUD Security BOOTCAMP - www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Timeline

(00:00) Introduction

(02:20) What is AWS re:inforce?

(04:33) Neha Rungta explains Verified Access

(05:38) Neha Rungta explains Verified Permissions

(07:53) What verified permissions means for you!

(09:35) Amazon EC2 Connect Endpoint

(11:08) Amazon GuardDuty Updates

(12:42) Amazon Inspector Code Scan for Lambda function

(14:26) Amazon Inspector SBOM Export

(17:35) Amazon Code Whisperer

(18:00) Amazon Code Guru

(20:15) Finding groups in Amazon Detective

(22:25) Dual Layer Encryption for AWS S3

(23:18) AWS Global Partner Security Initiative

(26:12) Key Themes from AWS re:inforce

(26:45) Shared Responsibility Model

(27:56) Cloud Security Newsletter

(30:04) Generative AI

(31:29) Amazon Bedrock

(34:04) Shift from ransomware to wiperware

(35:29) Nancy Wang explains AWS Backup Vault Lock

(37:18) Nancy explains double encryption with S3 Bucket

(38:41) Nancy explains how vault helps with data loss.

(40:20) AWS Backup Vault Lock

(41:55) Zero Trust and Identity

(45:03) DevSecOps

(46:47) How GenAI will impact cloud security roles?

(49:32) Amazon Security Lake

(52:26) Quantum Computing

See you at the next episode!

2023-06-24
Link to episode

Will Application Security Eat Cloud Security for Lunch!

Cloud Security Podcast - Tanya Janca and Caroline Wong were on a panel with @AshishRajan at @RSAConference 2023. The panel discussed where application security sits relative to cloud security, or whether they need to be separate camps.

Episode YouTube Video - https://www.youtube.com/watch?v=WSIykXAy6Z4

Cloud Security Podcast Website - www.cloudsecuritypodcast.tv

FREE CLOUD Security BOOTCAMP - www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Twitter: Tanya Janca (@shehackspurple)

Guest Twitter: Caroline Wong (@CarolineWMWong)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

See you at the next episode!

2023-06-02
Link to episode

AI Security - Can LLM be Attacked?

AI Security Podcast - ChatGPT and other Generative AI use Large Language Models (LLMs), but can these AI systems be attacked? In this 3 part AI Security series, a Cloud Security Podcast Original, we're going to talk about the importance of AI security and how to protect your Language Model (aka LLM) program from attack. How can LLMs be attacked by malicious threat actors, beyond the phishing email that everyone has been talking about? Who is this episode for? If you work with LLMs used by AI systems or are working on securing an internal LLM being built, then you would find this video helpful in understanding the types of attacks that can be used against an LLM.

Useful Resources are listed here:

- NIST AI Risk Management Framework - https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf

- Attack Mitre for LLM - Atlas - https://atlas.mitre.org/

- OWASP Top 10 LLM - https://owasp.org/www-project-top-10-for-large-language-model-applications/descriptions/

- The AI Attack Surface Map v1.0 - Daniel Miessler, Unsupervised Learning - https://danielmiessler.com/blog/the-ai-attack-surface-map-v1-0/

YouTube Link to the Episode - https://youtu.be/Yl9qqt9C5lE

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Episode

(00:00) Intro

(00:49) LLM Explained

(01:40) LLM Application Input Prompts

(03:01) Data used by LLM Applications

(04:58) LLM Applications Themselves

(08:15) Infrastructure used to host LLM Application

(11:11) What about Responsive AI

(12:05) Ways to protect LLM Applications against these attacks

(13:00) Useful Resources for AI Security

(13:30) How do you defend against AI Attacks?

(13:38) Outro - Thank you for watching & Subscribing

See you at the next episode!

2023-05-30
Link to episode

What is DevSecOps? DevSecOps with Cloud & AI explained for 2023

Cloud Security Podcast -  What is DevSecOps in 2023 especially in a world of Cloud and AI which is top of mind for both application security, developers, cybersecurity professionals. In this episode we will share how the updated definition of DevSecOps in 2023 has been redefined with Cloud and AI, also how does one measure success for DevSecOps.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Episode

(00:00) Intro

(02:01) Did Cloud enable DevSecOps

(03:43) Speed of Security in DevSecOps built on Cloud

(05:05) What is DevSecOps explained for 2023

(05:51) DevSecOps RoadMap

(08:25) DevSecOps Program Components in 2023

(10:55) ChatGPT Joke on Developers and DevSecOps

(11:43) How do you measure DevSecOps success?

(12:21) Generative AI impact on DevSecOps

(14:02) Thank you for watching & Subscribing

See you at the next episode!

2023-05-23
Link to episode

Evolution of Kubernetes Security | KubeCon EU 2023

Cloud Security Podcast - We are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and the final episode in this series is the Kubernetes Security Panel from KubeCon EU 2023. Has Kubernetes Security evolved since its inception, with many defaults being more secure and some still insecure, or has it not evolved at all? Andrew Martin (Control Plane), Matt Jarvis (Snyk) and Kerim Satirli (Hashicorp) were on the Kubernetes Security Panel organized by Cloud Security Podcast.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Andrew Martin (Control Plane), Matt Jarvis (Snyk), Kerim Satirli (Hashicorp)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(04:28) A bit about Kerim, Andy and Matt

(05:13) What is Kubernetes?

(06:49) How do you describe Cloud Native Security?

(10:21) How have Kubecon and Kubernetes changed over the years?

(15:56) The growing presence of security in Kubecon

(22:10) Cloud Security and Cloud Native Security

(23:00) Maintenance of Kubernetes

(24:17) Shared Responsibility Model

(27:37) Single Cluster vs Multi Cluster

(34:34) Failure of Workload Identity

(36:11) Recommendations for learning

(42:06) Disaster Recovery for Kubernetes

(47:51) ChatGPT - Problem, Solution or Fad?

See you at the next episode!

2023-05-14

A DEV FRIENDLY CLOUD NATIVE SECURITY PIPELINE!

Cloud Security Podcast - We are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and for the fifth episode in this series we spoke to Eve Ben Ezra from The New York Times. GitOps, OPA Conftest, ArgoCD are some of the components that add security to a Cloud Native Security Pipeline. Eve Ben Ezra from The New York Times shared how we can use these tools to create a Dev Friendly Security Pipeline.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Eve Ben Ezra (Eve Ben Ezra's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(03:10) A bit about Eve

(04:05) Eve's 2nd Kubecon

(04:43) About Eve's talk at Kubecon

(05:29) What is GitOps?

(06:28) What is Argo CD?

(07:19) What is OPA?

(07:34) Why NYTimes has a development platform?

(09:14) Challenges with implementing a shared infrastructure

(11:17) Feedback is one of the challenges

(12:19) Using OPA gatekeeper

(13:30) When should developers get feedback in GitOps operational framework?

(14:52) What does local feedback to developers look like?

(15:54) What is Conftest?

(16:24) How do people get started with OPA?

(18:32) Making security more accessible for developers

(23:02) Managed or self hosted Kubernetes deployment

(24:09) How to get started with this?

(25:08) Starting with OPA vs Starting with CICD

(25:35) Where can you start learning about Kubernetes?

(28:10) The difference between CI and CD

See you at the next episode!

2023-05-11

THEY SCANNED ENTIRE GITHUB FOR SECRETS AND FOUND THIS!

Cloud Security Podcast - We are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and for the fourth episode in this series we spoke to Mackenzie Jackson from GitGuardian. Mackenzie Jackson from GitGuardian was part of a report that found 10 Million secrets stored across the entire Github space on the internet. In this interview we go into how secrets have evolved from just being username/password to API Tokens, AWS Access Keys and a whole lot more.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Shane Lawrence (Shane's Linkedin) and Daniele Santos (Dani's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(03:42) A bit about Mackenzie Jackson

(04:16) What are secrets?

(05:28) How are we dealing with secrets?

(07:35) Mackenzie talks about GitGuardian's Secret Sprawl Report

(11:43) Managing history in Github

(12:37) Mackenzie talks about ggcanary

(14:09) Common types of secrets found in scans

(15:42) Responsibility of Github and CSP providers

(17:12) Are people ready to respond to honey token alarms?

(20:33) Breaches caused by leaked secrets

(23:34) Fun facts found in Secrets Sprawl Report

(24:25) Secret sprawl is going to happen

(25:09) Where do people start?

(26:06) Implementing Git Hook as a security measure

(28:08) How to get people to care about secrets

(30:06) Where can people learn about secrets protection?

(31:25) Where you can reach Mackenzie for more questions on secrets?

See you at the next episode!

2023-05-09

Kubernetes Cluster Security Audit Explained

Cloud Security Podcast - We are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and for the fourth episode in this series Shane Lawrence and Daniele Santos from Shopify explained kube-audit, an open source tool from Shopify. They spoke about how they have used the audit tool to improve security with a developer security lens.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Shane Lawrence (Shane's Linkedin) and Daniele Santos (Dani's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(02:52) A bit about Shane

(03:45) A bit about Dani

(04:23) Which kubecons have Shane and Dani attended?

(05:03) A bit about Dani and Shane's talk at Kubecon EU

(06:42) Misconfigurations in Kubernetes

(09:48) Dani talks about the Kubernetes Security Report

(10:13) Use case for Kubernetes Misconfiguration

(11:45) What is Azure Escape?

(12:51) What is container escape?

(15:26) What is kubeaudit?

(15:49) Contributing to kubeaudit

(16:40) The maturity of kubeaudit

(19:04) How would kubeaudit help with an azure escape?

(19:41) The developer experience

(21:34) How shopify uses kubeaudit

(24:59) Getting started with kubeaudit

(25:53) Challenges with implementing kubeaudit

(27:19) Maturity of kubernetes security and kubecon

(30:02) Learning about kubernetes

(34:07) Areas of security not being spoken about enough

(36:16) Open Source and Software supply chain risks

See you at the next episode!

2023-05-03

Network Security for Kubernetes

Cloud Security Podcast - This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the third episode in this series, we spoke to Liz Rice (Liz's Linkedin). Liz Rice from Isovalent speaks about how Network Security can be done in Kubernetes. Kubernetes network security with eBPF, Cilium can be raised to be better than selinux, seccomp, tcpdump - yes, the Linux networking security tools. Yes, you read that right.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Andrew Martin (Andrew's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(00:15) A word from our sponsor snyk.io/csp

(03:36) A bit about Liz Rice

(04:36) Liz's path into Cloud Native

(06:22) What is EBPF?

(08:12) Use case for EBPF in on premise

(10:37) SC Linux and EBPF

(11:28) Why we are solving this now with Kubernetes?

(13:22) EBPF in managed vs unmanaged Kubernetes?

(15:37) Implementation of EBPF

(17:38) Access Management and Network Security

(21:02) Challenges with multi cluster Kubernetes deployment

(24:03) Key management in multi cluster

(25:11) Current gaps in Kubernetes security

(27:41) Developer first in the cloud native space

(32:47) The future of EBPF

(34:36) Where can you learn more about EBPF

(36:25) The fun questions

See you at the next episode!

2023-04-16

CONTINUOUS KUBERNETES SECURITY IN 2023

Cloud Security Podcast -  This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the second episode in this series, we spoke to Andrew Martin (Andrew's Linkedin). Kubernetes Security Best practices built using the OWASP Top 10 for Kubernetes is not enough to deal with new and unknown attack vectors for your Kubernetes deployment. In this episode we have Andrew Martin on how you can deal with Kubernetes attack vectors including supply chain issues.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Andrew Martin (Andrew's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(00:15) A word from our sponsors - head over to snyk.io/csp to find out more

(02:50) A bit about Andrew Martin

(03:33) What is cloud native security?

(06:31) What is Kubernetes Security?

(10:23) Kubernetes Security vs Cloud Native Security

(11:52) Why is Kubernetes so popular?

(16:20) What are the components of Kubernetes security?

(21:43) Container security in Kubernetes landscape

(26:34) Common attack vectors for Kubernetes

(32:16) Impact of cloud in attack vectors

(35:38) Managed Kubernetes

(38:13) Rationale for using multi cluster

(41:11) Should everyone use Kubernetes?

(44:18) Is Serverless still relevant?

(47:38) Where can people learn about Kubernetes security?

(53:01) The fun questions

See you at the next episode!

2023-04-14

2023 What Kubernetes Security Looks Like Today Series- DevSecOps

Cloud Security Podcast -  This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the first episode in this series, we spoke to Kirsten Newcomer (Kirsten's Linkedin). Kirsten Newcomer from Red Hat has been championing Kubernetes security and the role DevSecOps will play in helping improve security for Kubernetes implementations.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Kirsten Newcomer (Kirsten's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(02:42) Word from our sponsors about Snyk Launch - find out more at snyk.io/events/snyklaunch

(03:08) A bit about Kirsten Newcomer

(04:13) How has Kubernetes security evolved?

(06:57) Is Kubernetes still popular?

(07:45) Why is Kubernetes still popular?

(0:58) Challenges with security Kubernetes

(15:35) How to work effectively with Kubernetes

(18:50) Adoption of IaC for security

(24:30) Maturity of Kubernetes Security

(29:24) Challenges with auditing Kubernetes

(31:55) How to approach Kubernetes security?

(35:08) Zero Trust and Kubernetes

(39:01) Is SBOM bringing more attention to Kubernetes?

(42:51) Where do people start with Kubernetes?

(45:41) Managed vs unmanaged Kubernetes?

(47:05) How you can reach out to Kirsten!

See you at the next episode!

2023-04-13

IS THERE DEVSECOPS IN CLOUD?

Cloud Security Podcast -  This month we are talking about "Cloud Security - the Leadership View" and for the final episode in this series, we spoke to Guy Podjarny ( GuyPo's Linkedin). If you are working on building or securing Cloud resources, can you truly imagine solving the next log4j or AWS/Azure/GCP vulnerability without including the help of Platform Engineers or IT engineers? This is the bigger picture of what we CyberSecurity people have to do day in day out. We work with wider team members

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Guy Podjarny (GuyPo's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

A word from our sponsors - you can visit them on snyk.io/csp

(00:00) Introduction

(03:49) A bit about Guy Podjarny

(04:51) What is DevSecOps today?

(07:15) 3 Phases of DevSecOps

(07:44) DevSecOps vs ShiftLeft

(09:15) The maturity of DevSecOps

(11:52) The notion of start left

(13:36) Threat modelling and developers

(14:38) What is Cloud Security?

(16:03) The notion of App Cloud

(17:43) Gartner acronyms and cloud security

(22:21) Security champion program in cloud

(28:33) Future of IaaS, PaaS and SaaS

(32:22) Challenges with Security Championship Program

(42:19) Generative AI and DevSecOps in Cloud

(47:45) Fun Questions

See you at the next episode!

2023-03-28

How to Build a Modern Cyber Security Program in 2023

Cloud Security Podcast - This month we are talking about "Cloud Security - the Leadership View" and this week in this series, we spoke to Larry Whiteside Jr (Larry's Linkedin). If you are working on building a CyberSecurity Program in 2023 with Cloud in mind, then this episode with Larry, who shared his approach to building a CyberSecurity program along with war stories of implementing CyberSecurity in an on-premise world, is the episode you need to hear.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials: Larry Whiteside Jr ( Larry's Linkedin )

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News 

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(02:50) A word from our sponsors - you can visit them on snyk.io/csp

(04:05) Larry talks about his 1st CISO role

(06:01) Cybersecurity Programs in a Pre Cloud World

(09:07) What were the challenges for CISOs in the past?

(11:05) Cybersecurity Program in 2023

(14:01) There was no NIST CFA

(14:59) Why frameworks are important

(16:59) What is a cybersecurity program?

(21:32) Components of cybersecurity program

(23:02) Has cloud changed things?

(30:01) The value of certifications

(33:14) GRC Automation and Shift Left

(42:53) The auditor's perspective

(44:50) Does GRC need to know coding?

(49:07) Cloud Security Program Playbook

(52:52) The Fun Section

See you at the next episode!

2023-03-11

HOW TO BUILD A CLOUD SECURITY PROGRAM - MEDIA INDUSTRY

Cloud Security Podcast - This month we are talking about "Cloud Security - the Leadership View" and first up in this series, we spoke to Bianca Lankford (Bianca's Linkedin) about what it takes to build a Cloud Security program that runs behind your favourite TV Show on an OTT Media Platform like Warner Brother Discovery Cloud. In this episode Bianca Lankford, from Warner Brother Discovery, shares her experience of building a Cloud Security Program and the importance of developers in solving the Cloud Security challenge.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Socials:  Bianca Lankford (Bianca's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News 

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(03:06) snyk.io/csp

(03:45) A bit about Bianca

(04:27) Challenge of Scale in Media Industry

(06:38) Cloud based security program vs on prem

(08:04) How cloud security can enable businesses

(11:11) Cloud Security Program in Media Industry

(13:45) Getting leadership buy in for cloud security program

(17:05) Explaining cloud security as a business risk

(18:33) Pillars of cloud security program at scale

(20:12) Multi Cloud Security Program

(20:52) Skills required for multi cloud security team

(22:25) The future of application security and cloud security

(24:01) Metrics of operationalising cloud security program at scale

(25:32) Time to detection in Cloud

(26:32) Navigating cloud security program through changing compute

(28:09) Security guardrails vs security gate

(30:53) Stages for a cloud security program

(32:35) The Fun Section

See you at the next episode!

2023-03-04

How to Accelerate your AWS Security Maturity in 2023

Cloud Security Podcast - This month we are talking about "Building on the AWS Cloud" and next up in this series, we spoke to Chad Lorenc (Chad's Linkedin) about how the AWS Security Reference Architecture, Cloud Adoption Framework & Security Maturity Model are 3 ways to level up the maturity you have in Cloud. In this episode Chad Lorenc, from AWS, shared lessons and talked about how AWS Customers can prepare to use the 3 models to Crawl, Walk & Run their security practice.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Twitter: Chad Lorenc (Chad's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News 

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(03:35) A word from our sponsors - check them out at snyk.io/csp

(03:51) A bit about Chad

(05:38) How things are different in the Cloud

(07:59) The Maturity framework of AWS

(11:20) How maturity scales in AWS

(13:17) Anti-Patterns when building maturity in Cloud

(15:35) Framework examples on how to build maturity models

(19:27) Mapping maturity models to business objectives

(20:19) The role of cloud native tools

(26:23) Patterns in AWS to watch out for

(28:38) Challenges for security leaders trying to get into cloud

(35:07) Foundational pieces for building maturity in AWS

(37:50) How to implement AWS Control tower?

(43:09) Give developers more freedom in cloud

(47:34) Benchmark scales for security maturity

(51:27) Resources to help you build your own maturity roadmap

See you at the next episode!

2023-02-25

How to Build AWS Multi-Account Infrastructure with Security and Speed

Cloud Security Podcast - This month we are talking about "Building on the AWS Cloud" and next up in this series, we spoke to Patrick Sanders (Patrick's Linkedin) & Joseph Kjar (Joseph's Linkedin), Snr Cloud Security Engineer at Netflix, on what it takes to reimagine multi-account deployments and how doing so gave them both security and speed.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Twitter: Patrick Sanders (Patrick's Linkedin) & Joseph Kjar (Joseph's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News 

- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions

(00:00) Introduction

(03:06) snyk.io/csp

(03:41) A bit about how Patrick and Joseph got into the Cloud Space

(06:00) Building blocks of scalable AWS infrastructure

(09:14) Should there be a separate account for forensics

(12:44) Diff AWS Org for dev and prod?

(13:45) How to ensure dedicated IR account is secure?

(15:10) 1st step to building a new startup in AWS

(17:39) Should non prod and prod accounts be separate?

(21:29) How do you ensure visibility into your AWS organisation?

(25:04) Integrate FIM into AWS

(26:29) Layers for a multi account strategy

(28:23) Challenges from going from one account to multi account

(34:03) Bringing identity to the application

(38:25) The importance of IMDS

(42:07) The security benefit of using IMDS

(45:34) Managed identity in AWS

(46:40) Why developer experience is important?

(49:49) What do cloud security engineers do?

(53:05) Where you can find Joseph and Patrick?

See you at the next episode!

2023-02-21

A small service by I'm With Friends. Also available in English.
Updated with help from iTunes.