In this episode of Cybersecurity Today, host Jim Love delves into the topic of SaaS (Software as a Service) security. Sharing his early experiences promoting SaaS, Jim elaborates on its inevitable rise due to cost-effectiveness and shared development resources. The episode highlights security concerns with SaaS, such as shadow IT and weak access control, especially in the face of an influx of AI software. Jim introduces Yoni Shohet, CEO and Co-founder of Valence Security, who discusses the SaaS security landscape, focusing on the independent 'State of SaaS Security' report by the Cloud Security Alliance. Yoni outlines the importance of monitoring API tokens, ensuring proper configurations, and the challenges posed by non-human identities. The discussion underscores the evolving nature of SaaS security, encouraging stronger collaboration between security teams and business units to manage risks effectively.
00:00 Introduction to SaaS Security
00:01 The Evolution and Benefits of SaaS
01:33 Challenges and Security Concerns with SaaS
02:08 Introduction to the State of SaaS Security Report
02:34 Interview with Yoni Shohet: Background and Experience
03:06 Yoni Shohet's Journey in Cybersecurity
08:33 The Rise of SaaS Security Issues
14:03 Key Findings from the SaaS Security Report
17:32 The Importance of SaaS Security Measures
21:36 Managing SaaS Security in Organizations
33:43 Valence Security's Approach to SaaS Security
36:59 Conclusion and Final Thoughts
Looking to network in the cybersecurity world? Fortunately, there's no shortage of industry associations to choose from. Today, we're putting the spotlight on the Cloud Security Alliance, or CSA. The Cloud Security Alliance is the world's leading organization committed to awareness, practical implementation, and certification for the future of cloud and cybersecurity. Whether your goal is to develop a secure cloud strategy, gain customer trust, empower your workforce, enhance brand awareness, or engage in diverse networking opportunities, CSA membership is the solution. To learn more, visit https://cloudsecurityalliance.org. See the full list of associations at https://cybersecurityventures.com/cybersecurity-associations.
The Cloud Security Maturity Model (CSMM) is a practical blueprint for improving the security of your public cloud deployments. Developed in partnership with the Cloud Security Alliance, IANS, and Securosis, the model covers 12 categories, such as network security and application security, across 3 domains. It describes 5 levels of security maturity, and includes process...
Tammy Klotz is a cybersecurity leader with over 20 years in IT and a decade as a CISO for global manufacturing firms. She has transformed cybersecurity programs, driven cultural change, and championed women in technology through mentorship and active involvement in groups like WiCyS and the Cloud Security Alliance. At Versum Materials, she developed a cloud-centric cybersecurity strategy, and at Covanta, she built a program from scratch, later serving as CTO and IT co-leader. Currently, as CISO at Trinseo, Tammy oversees cybersecurity for 24 manufacturing sites and 11 R&D facilities. She shares leadership insights in her 2024 book, Leading with Empathy and Grace: Secrets to Developing High-Performing Teams.
00:00 Introduction
02:40 Tammy's origin story
05:06 The harsh truth
08:57 Compliant does not mean secure
14:57 AI has always been around
32:00 Empowerment
41:36 How to communicate properly to your team
48:00 Book signings, follow, and connect with Tammy
To learn more about Tammy visit https://www.linkedin.com/in/tammyklotz/
To learn more about Dark Rhiino Security visit https://www.darkrhiinosecurity.com
In this episode, we sit down with StackAware Founder and AI Governance Expert Walter Haydock. Walter specializes in helping companies navigate AI governance and security certifications, frameworks, and risks. We will dive into key frameworks, risks, lessons learned from working directly with organizations on AI Governance, and more. We discussed Walter's pivot with his company StackAware from AppSec and Supply Chain to a focus on AI Governance, and from a product-based approach to a services-oriented offering, and what that entails. Walter has been actively helping organizations with AI Governance, including helping them meet emerging and newly formed standards such as ISO 42001. Walter provides field notes, lessons learned, and some of the most commonly encountered pain points organizations have around AI Governance. Organizations have a ton of AI Governance and Security resources to rally around, from OWASP, Cloud Security Alliance, NIST, and more. Walter discusses how he recommends organizations get started and where. The U.S. and EU have taken drastically different approaches to AI and Cybersecurity, from the EU AI Act, U.S. Cyber EO, Product Liability, and more. We discuss some of the pros and cons of each and why the U.S.'s more relaxed approach may contribute to economic growth, while the EU's approach to being a regulatory superpower may impede its economic growth. Walter lays out key credentials practitioners can explore to demonstrate expertise in AI security, including the IAPP AI Governance credential, which he recently took himself. You can find out more about Walter Haydock by following him on LinkedIn, where he shares a lot of great AI Governance and Security insights, as well as his company website www.stackaware.com
Nate Lee discusses his transition from a CISO role to fractional CISO work, emphasizing the importance of variety and exposure in his career. He delves into the rise of AI, particularly large language models (LLMs), and the associated security concerns, including prompt injection risks. Nate highlights the critical role of orchestrators in managing AI interactions and the need for security practitioners to adapt to the evolving landscape. He shares insights from his 20 years in cybersecurity and offers recommendations for practitioners to engage with AI responsibly and effectively.
Takeaways
Nate transitioned to fractional CISO work for variety and exposure.
Prompt injection is a major vulnerability in LLM systems.
Orchestrators are essential for managing AI interactions securely.
Security practitioners must understand how LLMs work to mitigate risks.
Nate emphasizes the importance of human oversight in AI systems.
Link to Nate's research with the Cloud Security Alliance.
A new assessment standard to guide how Pentagon components evaluate and approve zero-trust cybersecurity solutions for responsible use will soon be finalized and ready for release, according to a senior official overseeing its making. During FedTalks 2024, hosted by Scoop News Group on Tuesday, Les Call — director of the DOD's Zero Trust Portfolio Management Office — provided the latest update on his team's unfolding pursuits to drive this implementation, and to continue “progressing at a fast rate.” Call said Pentagon officials are working closely with a range of industry partners and representatives, including the Cloud Security Alliance, to pinpoint compliant capabilities that can accelerate DOD components' paths to fully achieving zero trust. A key component of the landmark executive order on artificial intelligence issued by President Joe Biden last year was to meet a handful of requirements aimed at bolstering the AI talent pool throughout the federal government. And according to a new Government Accountability Office report, those benchmarks have been cleared. The congressional watchdog said Monday that 13 AI management and talent requirements in Biden's order were fully implemented by the March 2024 deadline, checking off boxes that the GAO said would effectively lay the groundwork for governmentwide AI efforts. The Daily Scoop Podcast is available every Monday-Friday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.
Guests: Jim Reavis, CEO at Cloud Security Alliance [@cloudsa]
On LinkedIn | https://www.linkedin.com/in/jimreavis/
Illena Armstrong, President at Cloud Security Alliance [@cloudsa]
On LinkedIn | https://www.linkedin.com/in/illenaarmstrong/
Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
Episode Notes
Join Sean Martin as he hosts an in-depth discussion with Illena Armstrong, President of Cloud Security Alliance, and Jim Reavis, CEO and Founder. Illena shares her excitement for celebrating the 15th anniversary of the organization while highlighting the industry's shift towards cloud adoption and AI technology. She emphasizes the importance of maintaining security controls, especially in the context of regulatory compliance and cloud provider obligations. The conversation also touches on the rising trend of zero trust security frameworks and the global perspective on AI integration in cybersecurity practices. Jim Reavis adds valuable insights into the intersection of AI and cloud security, highlighting the need for a holistic approach that combines human intelligence with AI capabilities. He emphasizes the role of security as a catalyst for innovation and business transformation, citing examples of innovative approaches taken by European banks.
The discussion also covers the significance of shared responsibility in cybersecurity and the collaborative efforts required to address evolving threats. The CSA AI Summit promises an engaging lineup of speakers, including industry leaders from Google, Microsoft, and Zscaler, who will shed light on key topics such as incident response, secure development, and business transformation. The full-day event, which kicks off the week at RSA Conference, aims to bring together a diverse audience, ranging from C-suite executives to developers and compliance professionals, fostering meaningful discussions and knowledge sharing. Attendees can expect thought-provoking sessions that explore the intersection of AI and cybersecurity, providing valuable insights for enhancing security practices in the digital age.
Be sure to follow our Coverage Journey and subscribe to our podcasts!
Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
On YouTube:
Hello and welcome to Get It Started Get It Done, the Banyan Security podcast covering the security industry and beyond. In this episode, our host and Banyan's Chief Security Officer Den Jones speaks with John Yeoh. John is the Cloud Security Alliance's Global Vice President of Research, a position that allows him to share important industry analysis from a nonprofit perspective. We hope you enjoy Den's discussion with John Yeoh. About John: With over 20 years of experience in research and technology, John provides executive-level leadership, relationship management, and board strategy development. He is a published author, technologist, and researcher with areas of expertise in cybersecurity, cloud computing, information security, and next-generation technology (IoT, DevOps, Blockchain, Quantum). John specializes in risk management, third-party assessment, threat intelligence, data protection, incident response, and business development within multiple industry sectors, including the government. His works and collaborations have been presented in the Wall Street Journal, Forbes, SC Magazine, USA Today, CBS, Information Week, and others. John's contributions continue with involvement in professional organizations such as CSA, IAPP, ISSA, ISC2, and ISACA. John sits on numerous technology committees in government and industry with the FCC, NIST, ISO, CSA, IEEE, and CIS. He represents the US as a delegate for cybersecurity relations to other nation-states.
Federal Tech Podcast: Listen and learn how successful companies get federal contracts
The first part of this interview is a fascinating description of how John Kindervag produced the concept of Zero Trust. In the early days of networking, many users were described as “trusted users.” John questioned why they did not take the next step and verify them. The response was classic – because it would be rude. Fast forward a few decades and we see countless breaches and billions of dollars of intellectual property lost because of fear of offending the sensitivities of users. Back to 2011. Interfaces on firewalls could have varying levels of trust associated with them; the question from John Kindervag was, “why any levels at all?” His idea of zero trust resonated in the commercial and federal marketplace. For example, an Executive Order was issued in May of 2021 mandating the adoption of zero trust for the federal government. During the interview John Kindervag presents a fascinating contrast between the attack surface and the protect surface. This is a framework to allow federal leaders to prioritize what data to protect. To gain a better understanding of how to deploy Zero Trust, The National Security Telecommunications Advisory Committee was established. It presents a five-step model and shows how to build Zero Trust one protect surface at a time. Listen and learn about the Cloud Security Alliance and myriad ways to develop expertise in the nuances around incorporating Zero Trust into your federal network. Mentioned in the interview: What is Zero Trust Architecture? https://www.illumio.com/blog/what-is-a-zero-trust-architecture
Chris and I cover all kinds of items in this one. Why should we care that there is a ZT certification now from the Cloud Security Alliance? Is that a good thing? What about other certifications? Why is the industry still doing the same stuff and nothing changes? Do the big players muscle out the little guys to the detriment of us all? Those and more on this one!
Episode Summary
In today's episode, AI Safety Initiative Chair at Cloud Security Alliance, Caleb Sima, joins Matt to talk about some of the myths surrounding the quickly evolving world of AI. With two decades of experience in the cybersecurity industry, Caleb has held many high-level roles, including VP of Information Security at Databricks, CSO at Robinhood, Managing VP at CapitalOne, and Founder of both SPI Dynamics and Bluebox Security. Today, Caleb talks about his inspiring career after dropping out of high school, dealing with imposter syndrome, and becoming the Chair of the CSA's AI Safety Initiative. Are AI and Machine Learning the threat that we think they are? Hear about the different kinds of LLMs, the poisoning of LLMs, and how AI can be used to improve security.
Timestamp Segments
· [01:31] Why Caleb dropped out of high school.
· [06:16] Dealing with imposter syndrome.
· [11:43] The hype around AI and Machine Learning.
· [14:55] AI 101 terminology.
· [17:42] Open source LLMs.
· [20:31] Where to start as a security practitioner.
· [24:46] What risks should people be thinking about?
· [28:24] Taking advantage of AI in cybersecurity.
· [32:32] How AI will affect different SOC functions.
· [35:00] Is it too late to get involved?
· [36:29] CSA's AI Safety Initiative.
· [38:52] What's next?
Notable Quotes
· “There is no way this thing is not going to change the world.”
· “The benefit that you're going to get out of LLMs internally is going to be phenomenal.”
· “It doesn't matter whether you get in now or in six months.”
Relevant Links
LinkedIn: Caleb Sima
Resources:
Skipping College Pays Off For Few Teen Techies
llm-attacks.org
Cloud security is essential to safeguarding sensitive data and ensuring the reliability of digital services in an increasingly interconnected and data-driven world. In this episode, Sean Heide shares some of the top threats to cloud computing that he's seeing as technical research director at the Cloud Security Alliance.
Resources:
CSA's 2022 Top Threats to Cloud Computing report
CIS Critical Security Controls
Shared Responsibility Model in the Age of Cloud
Join Lois Houston and Nikita Abraham, along with special guests Nancy Kramer and Betina Tagle from Oracle's corporate security organization, as they discuss the steps you can take to evaluate your organization's security, privacy, and compliance requirements using Oracle Cloud Infrastructure. They also talk about the resources that are available to help you do so.
Oracle MyLearn: https://mylearn.oracle.com/
Oracle University Learning Community: https://education.oracle.com/ou-community
Subscribe to Security Updates: https://www.oracle.com/security-alerts/
Oracle Trust Center: https://www.oracle.com/trust/
OCI CAIQ: https://www.oracle.com/corporate/security-practices/cloud
LinkedIn: https://www.linkedin.com/showcase/oracle-university/
Twitter: https://twitter.com/Oracle_Edu
Special thanks to Arijit Ghosh, David Wright, and the OU Studio Team for helping us create this episode.
--------------------------------------------------------
Episode Transcript:
00;00;00;00 - 00;00;38;16 Welcome to the Oracle University Podcast, the first stop on your cloud journey. During this series of informative podcasts, we'll bring you foundational training on the most popular Oracle technologies. Let's get started. Hello and welcome to the Oracle University Podcast. I'm Nikita Abraham, Principal Technical Editor with Oracle University, and with me is Lois Houston, Director of Product Innovation and Go to Market Programs.
00;00;38;20 - 00;01;01;13 Hi there. In today's special episode, we're going to talk about all the steps you can take to evaluate your organization's security, privacy, and compliance requirements using Oracle Cloud Infrastructure. We'll also explore some of the resources that are available to help you do so. And to tell us all about it, we're joined by two guests from Oracle's corporate security organization.
00;01;01;16 - 00;01;32;25 Nancy Kramer is a Senior Director in Global Information Security. She has 20 years of experience in risk management, security, privacy, and compliance audits involving complex business processes and IT systems. She also provides thought leadership, including engagement with industry organizations. Dr. Betina Tagle is also with Global Information Security. She has over 20 years of experience with cybersecurity and compliance in both the private and public sector.
00;01;32;27 - 00;01;52;26 Thank you so much, Nancy and Betina, for being with us today. Yes, this is such an important topic to learn more about. I'm really interested in what you have to share with us. Thank you so much for having us. We are delighted to help our customers learn more about how to securely reap the benefits of cloud. Thanks for this opportunity, Niki and Lois.
00;01;52;28 - 00;02;25;26 As organizations adopt cloud services, they're seeking guidance on evaluating cloud service providers. Our goal is to offer helpful insights on the approach. Let's start with setting some context. What kind of challenges do organizations face in their cloud adoption journey? Organizations continue to migrate business-critical applications and workloads to the cloud. The benefits are compelling. Leveraging the cloud lets organizations focus on their core mission and minimize capital expenditure.
00;02;25;29 - 00;03;08;09 With cloud services, organizations still own their data while leveraging the expertise, economy of scale, technical flexibility, and scalability offered by their cloud providers. When organizations are considering their cloud strategy, they need to consider their security, privacy, and compliance objectives from internal and external sources, compiling their requirements for the cloud service providers. For example, external requirements may include applicable laws and regulations based on the organization's location, their customer location, industry, or the type of data they process.
00;03;08;12 - 00;03;50;02 Organizations would benefit from a thorough analysis of the regulatory environment by their legal team. Internal requirements may be defined by the organization's Board of Directors, CEO, CISO, and other executives, as well as internal policies and contractual commitments to their customers. Oracle Cloud Infrastructure, or OCI, provides services, features, and documentation resources to support these customer obligations. Oracle University and OCI also offer helpful courses to guide customers through securing their cloud tenancies using various OCI features and services.
00;03;50;03 - 00;04;22;19 I want to come back to those courses later, but first, who does what in the cloud? Which operational technology management tasks are handled by the cloud provider and which are the customer's responsibility? I think it will help if I start by defining the categories of Oracle offerings and summarizing who does what per category. This will clarify the notion of the shared management model that is predominant in the cloud as well as the relative scope of available security assurance validations.
00;04;22;22 - 00;04;57;08 OCI services can be used to build and operate computing environments, which include data analysis, storage, system integrations, enterprise workloads, and cloud native or containerized applications. Oracle manages the hosted tools, but the customer is responsible for how they build, configure, and use these tools, and for the data processed in their tenancies. Some examples of OCI services are compute and autonomous database.
00;04;57;10 - 00;05;30;11 Exactly right, Betina. In contrast, cloud applications are hosted using a Software as a Service or SaaS model in which the cloud provider, such as Oracle, manages the cloud applications and the underlying infrastructure. Customers are responsible for how they configure and use these SaaS applications and for the data processed in their cloud tenancies. Examples of these services include Enterprise Resource Planning, ERP, and Human Capital Management, or HCM.
00;05;30;13 - 00;05;59;11 Customers are also responsible for securing any third-party integration associated with these SaaS offerings, as well as any custom code extension scripts that they add to the applications. Let me highlight the differences a bit more in relation to the traditional on-premises model where companies such as Oracle provide hardware and software that customers install, deploy, and manage in their own computing environments.
00;05;59;13 - 00;06;25;23 The customer is wholly responsible for the management of the entire technology environment in which those products are deployed and operated, as well as the data they process. That makes sense. Right, Lois. And Oracle strongly recommends that customers protect the computing environment they manage by installing security updates delivered through the Critical Patch Update, CPU, and Security Alert programs without delay.
00;06;25;26 - 00;06;59;08 Customers can view and even subscribe to notifications about these security updates at oracle.com/security-alerts. Just to summarize, cloud providers are responsible for the security of the cloud, and customers are responsible for security in the cloud. They still decide on what data to process, where, and how. No matter what type of cloud service, OCI or SaaS, customers should still do the following.
00;06;59;08 - 00;07;34;01 Implement settings for authentication and authorization per their security and privacy requirements for accounts and passwords. Manage access for user accounts, including auditing which user accounts have access to what data. Monitor the available logs and reports, and respond to security events, as well as determine what data to process and manage that data per their organization's security and privacy objectives. And you're going to be joining us in the Oracle University Learning Community soon for a special live event to talk about all of this in more detail, right?
00;07;34;02 - 00;07;57;13 Yes, we are. We are so excited to talk to everyone in the community. We're going to look at this topic in-depth in the special live event that is scheduled for June 29th. We will walk you through a tour of relevant resources on oracle.com so you can make sure to plan ahead and attend. And you'll need to be a member of the community if you want to attend.
00;07;57;14 - 00;08;17;13 So be sure you join and register for the event today. If you're not already a member of the community, you can sign up by visiting mylearn.oracle.com. You'll find all the live events, including the one Nancy and Betina will be hosting, on the community home page. So Betina, how can people see a preview of those oracle.com resources?
00;08;17;14 - 00;08;52;08 Oracle offers a wealth of security and cloud compliance information on the Oracle Trust Center found at oracle.com/trust. The site includes Oracle Corporate security practices, the cloud compliance site of third-party independent attestations to various global and regional compliance frameworks, and the Oracle Security blog. You can view the independent third-party certifications for OCI in the Trust Center by clicking the Attestations link under the Cloud Compliance heading.
00;08;52;10 - 00;09;22;06 Please note that each attestation is scoped to a particular set of cloud services and data center regions. Clicking on a compliance framework name retrieves a general description and the link to the entity providing the compliance framework. Some examples of global compliance frameworks include ISO 27001, SOC 2, Cloud Security Alliance STAR, and Payment Card Industry Data Security Standard, or PCI DSS.
00;09;22;08 - 00;09;45;23 This site also includes geography-specific standards, such as US FedRAMP, UK Cyber Essentials, European Union Cloud Code of Conduct for Privacy, and IRAP for Australia. Obviously, this information is subject to change and is updated frequently.
00;09;45;25 - 00;10;11;16 Want to learn more about modern best practices for cloud applications? Oracle University offers business processes training for Human Capital Management, Financials, Customer Experience, Supply Chain, and Procurement. From now through August 31st, you can take the training for any of these areas and get certified for free as well. Oracle Cloud training and certifications empower you to explore limitless possibilities in the cloud landscape.
00;10;11;17 - 00;10;29;10 Gain the knowledge and skills needed to design, deploy, secure, and operate modern cloud infrastructure and applications with confidence. Go to education.oracle.com for more details. What are you waiting for? Get certified today.
00;10;29;12 - 00;11;04;29 Welcome back. Let's say there's a customer who wants to view OCI compliance attestations. I know they can always contact Sales to get these audit reports, but are there any self-service options? Yes. OCI customers can download OCI attestations of compliance to various compliance frameworks, including global information security standards, via the OCI Console and the Compliance Documents screen. There are multiple types of compliance documents available depending on the compliance framework or standard.
00;11;05;02 - 00;11;50;21 These include audit reports, attestations of compliance, and certificates of compliance. While logged in to the OCI Console for your tenancy, open the navigation menu. Click Identity and Security from the left menu that appears and then click Compliance on the screen that appears. The Compliance Documents page displays all available documents. You can filter, sort, and download the compliance documents of interest from this page, via the command line interface, and using the OCI API. Instructions for accessing compliance documents are also in the OCI product documentation at docs.oracle.com.
00;11;50;21 - 00;12;20;04 Thanks, Betina. That's great to know. Nancy, what else does Oracle offer to help our customers secure their cloud workloads running on OCI? I can offer two additional recommendations. The first is to take advantage of the in-depth OCI courses available through Oracle University. The OCI learning subscription includes introductory as well as expert-level courses.
00;12;20;06 - 00;12;59;02 To get started, there's an OCI Foundations learning path that describes the types of services OCI offers and has some basic recommendations for configuring your tenancy so that you meet your organization's security, privacy, and compliance objectives. There is some key terminology you'll be introduced to in that learning path, as well as recommendations for architecture that provide resilience and business continuity. For example, OCI regions typically have multiple availability domains which each, in turn, have multiple fault domains.
00;12;59;05 - 00;13;31;01 OCI designed these availability and fault domains to have redundant systems so that a disruption of service in one availability domain does not result in a disruption to all availability domains in that region. These kinds of architectural and system design choices will help organizations avoid disruption of their operations when using systems running in OCI. A more advanced Oracle University offering is the Cybersecurity and Oracle Cloud learning path.
00;13;31;03 - 00;13;58;21 This group of courses explains the various OCI services that can be used to implement information security controls for identity management, networks, managing encryption keys, network firewalls, vulnerability scanning, compartment management practices, and so much more. And all of our OCI training in MyLearn is available free to anyone. So, there are really no barriers to learning if you're interested in diving in.
00;13;58;23 - 00;14;36;09 Those are some great course recommendations, Nancy and Betina. So, Nancy, you said you had two recommendations. What's the other one? My second suggestion is for customers to evaluate the suitability of OCI cloud services by downloading and reading the detailed information about security practices from oracle.com. Oracle published Consensus Assessment Initiative Questionnaires, also called CAIQ or “CAKE”, for various cloud services, including for OCI. CAIQs are industry-standard questionnaires from the Cloud Security Alliance.
00;14;36;12 - 00;15;11;14 That is a global organization which defined a set of controls companies can use to evaluate all types of cloud services against essential security controls in a fair and consistent manner. Each CAIQ answers several hundred questions, encompassing important information security control domains such as audit and assurance, application security, business continuity, change management, data center physical controls, human resources, identity and access management, incident management, and finally, threat and vulnerability management.
00;15;11;14 - 00;15;38;22 These publicly-available CAIQs encompass a broad set of information security policies and practices that are most relevant for cloud services. You can download the OCI CAIQ from oracle.com/trust by drilling down on the Security Practices for Cloud section. We will also add it in the show notes so that it's easily accessible.
00;15;38;25 - 00;16;07;16 Thank you, Betina and Nancy. This has been a very informative conversation. I had no idea about all the details that went into corporate security. I can't wait for the live tour of these oracle.com public resources in the Oracle University Learning Community on June 29th. We're very much looking forward to that event as well. Thank you so much for giving us a chance to share guidance about how organizations can evaluate the security, compliance, and privacy of cloud service providers.
00;16;07;18 - 00;16;31;02 We look forward to being back here again. We'd love that. Thanks again! In our next episode, we'll look at Oracle Machine Learning with Cloud Engineer Nick Commisso. Until then, this is Nikita Abraham and Lois Houston signing off. That's all for this episode of the Oracle University Podcast. If you enjoyed listening, please click Subscribe to get all the latest episodes.
00;16;31;04 - 00;19;04;01 We'd also love it if you would take a moment to rate and review us on your podcast app. See you again on the next episode of the Oracle University Podcast.
Cloud continues to evolve, but so too do the human organizations that depend on it. Companies expand into new territories, they buy other companies, or get bought, and the vendors with whom they drew up contracts also change, evolve, and farm out work. It's a landscape of shifting sands where you can never be quite sure of who you're really dealing with. Host Steve Prentice invites Sean Heide from Cloud Security Alliance and Chris Holland, VP Cloud Services Thales, to weigh in.
Earlier this year Cloud Security Alliance covered the big debate around whether you should buy or build your Cyber Asset Attack Surface Management (CAASM) solution. As luck would have it, Ken Liao recently reached out to me regarding the new company that he works for, which handles this very topic. In this episode I had a chance to talk with Sevco Security's Chief Strategy Officer, Brian Contos, on this very topic. The timeliness is very apt, as Gartner recently named CAASM as an emerging technology that enables security teams to solve persistent asset visibility and vulnerability challenges.

Talking Points:
- What is Asset Intelligence?
- How has it evolved
- Various Use Cases
- Where it's heading (Security, IT Ops, Risk Management)
- Is 4D Intelligence more than just marketing fluff

Episode Sponsor: This episode is sponsored by Sevco Security. Sevco Security is a CAASM security vendor based out of Austin, Texas.

Episode Charity: This episode's charity is Latinas in Cyber. LAIC is focused on continuing to break barriers and open paths for those who chose to pursue careers in cybersecurity. Our mission is to empower through mentorship, networking, support, and representation.
Rich Mogull, SVP of Cloud Security at FireMon, joins Corey on Screaming in the Cloud to discuss his career in cybersecurity going back to the early days of cloud. Rich describes how he identified that cloud security would become a huge opportunity in the early days of cloud, as well as how cybersecurity parallels his other jobs in aviation and emergency medicine. Rich and Corey also delve into the history of Rich's involvement in the TidBITS newsletter, and Rich unveils some of his insights into the world of cloud security as a Gartner analyst.

About Rich

Rich is the SVP of Cloud Security at FireMon where he focuses on leading-edge cloud security research and implementation. Rich joined FireMon through the acquisition of DisruptOps, a cloud security automation platform based on his research while CEO of Securosis. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having started working hands-on in cloud over 12 years ago. He is also the principal course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator.

Rich is the Security Editor of TidBITS and a frequent contributor to industry publications. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).

Links Referenced:
- FireMon: https://www.firemon.com/
- Twitter: https://twitter.com/rmogull
- Mastodon: https://defcon.social/@rmogull
- FireMon Blogs: https://www.firemon.com/blogs/
- Securosis Blogs: https://securosis.com/blog

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is Rich Mogull, SVP of Cloud Security over at FireMon now that I'm a bit too old to be super into Pokémon, so I forget which one that is. Rich, thanks for joining me. I appreciate it.

Rich: Thank you. Although I think we need to be talking more Digimon than Pokémon. Not that I want to start a flame war on the internet in the first two minutes of the conversation.

Corey: I don't even have the level of insight into that. But I will say one of the first areas where you came to my notice, which I'm sure you'll blame yourself for later, is that you are the security editor behind TidBITS, which is, more or less, an ongoing newsletter longer than I've been in the space, to my understanding. What is that, exactly?

Rich: So, TidBITS is possibly the longest-running—one of the longest-running newsletters on the internet these days and it's focused on all things Apple. So, TidBITS started back in the very early days as kind of more of an email, I think like, 30 years ago or something close to that.
And we just write a lot about Apple and I've been reading about Apple security there.

Corey: That's got to be a bit of an interesting experience compared to my writing about AWS because people have opinions about AWS, particularly, you know, folks who work there, but let's be clear, there is nothing approaching the zealotry, I think I want to call it, of certain elements of the Apple ecosystem whenever there is the perception of criticism about the company that they favor. And I want to be clear here to make sure I don't get letters myself for saying this: if there's an Apple logo on a product, I will probably buy it. I have more or less surrounded myself with these things throughout the course of the last ten years. So, I say this from a place of love, but I also don't wind up with people threatening me whenever I say unkind things about AWS unless they're on the executive team.

Rich: So, it's been a fascinating experience. So, I would say that I'm on the tail end of being involved with kind of the Mac journalist community. But I've been doing this for over 15 years is kind of what I first started to get involved over there. And for a time, I wrote most of the security articles for Macworld, or a big chunk of those, I obviously was writing over a TidBITS. I've been very lucky that I've never been on the end of the death threats and the vitriol in my coverage, even though it was balanced, but I've also had to work a lot—or have a lot of conversations with Apple over the years.

And what will fascinate you is at what point in time, there were two companies in the world where I had an assigned handler on the PR team, and one was Apple and then the other was AWS. I will say Apple is much better at PR than [laugh] AWS, especially their keynotes, but we can talk about re:Invent later.

Corey: Absolutely. I have similar handlers at a number of companies, myself, including of course, AWS. Someone has an impossible job over there. But it's been a fun and exciting world.
You're dealing with the security side of things a lot more than I am, so there's that additional sensitivity that's tied to it.

And I want to deviate for a second here, just because I'm curious to get your take on this given that you are not directly representing one of the companies that I tend to, more or less, spend my time needling. It seems like there's a lot of expectation on companies when people report security issues to them, that you're somehow going to dance to their tune and play their games the entire time. It's like, for a company that doesn't even have a public bug bounties process, that feels like it's a fairly impressively high bar. On some level, I could just report this via Twitter, so what's going on over there? That feels like it's very much an enterprise world expectation that probably means I'm out of step with it. But I'm curious to get your take.

Rich: Out of step with which part of it? Having the bug bounty programs or the nature of—

Corey: Oh, no. That's beside the point. But having to deal with the idea of oh, an independent security researcher shows up. Well, now they have to follow our policies and procedures. It's in my world if you want me to follow your policies and procedures, we need a contract in place or I need to work for you.

Rich: Yeah, there is a long history about this and it is so far beyond what we likely have time to get into that goes into my history before I even got involved with dealing with any of the cloud pieces of it. But a lot about responsible disclosure, coordinated disclosure, no more free bugs, there's, like, this huge history around, kind of, how to handle these pieces. I would say that the core of it comes from, particularly in some of the earlier days, there were researchers who wanted to make their products better, often as you criticize various things, to speak on behalf of the customer. And with security, that is going to trigger emotional responses, even among vendors who are a little bit more mature.
Give you an example, let's talk about Apple.

When I first started covering them, they were horrific. I actually, some of the first writing I did that was public about Apple was all around security and their failures on security disclosures and their inability to work with security researchers. And they may struggle still, but they've improved dramatically with researcher programs, and—but it was iterative; it really did take a cultural change. But if you really want to know the bad stories, we have to go back to when I was writing about Oracle when I was a Gartner analyst.

Corey: Oh, dear. I can only imagine how that played out. They have been very aggressive when it comes to smacking down what they perceive to be negative coverage of anything that they decide they like.

Rich: Yeah, you know, if I would look at how culturally some of these companies deal with these things when I was first writing about some of the Oracle stuff—and remember, I was a Gartner analyst, not a vulnerability researcher—but I'm a hacker; I go to Blackhat and DEF CON. I'm friends with the people who are smarter than me at that or have become friends with them over the years. And I wrote a Gartner research note saying, “You probably shouldn't buy any more Oracle until they fix their vulnerability management process.” That got published under the Gartner name, which that may have gotten some attention and created some headaches and borderline legal threats and shade and all those kinds of things. That's an organization that looks at security as a PR problem. Even though they say they're more secure, they look at security as a PR problem. There are people in there who are good at security, but that's different. Apple used to be like that but has switched. And then Amazon is… learning.

Corey: There is a lot of challenge around basically every aspect of communication because again, to me, a big company is one that has 200 people.
I think that as soon as you wind up getting into the trillion-dollar company scale, everything you say gets you in trouble with someone, somehow, somewhere, so the easiest thing to do is to say nothing. The counterpoint is that on some point of scale, you hit a level where you need a fair bit of scrutiny; it's deserved at this point because you are systemically important, and them's the breaks.

Rich: Yeah, and they have improved. A lot of the some of the larger companies have definitely improved. Microsoft learned a bunch of those lessons early on. [unintelligible 00:07:33] the product in Azure, maybe we'll get there at some point. But you have to—I look at it both sides a little bit.

On the vendor side, there are researchers who are unreasonable because now that I'm on the vendor side for the first time in my career, if something gets reported, like, it can really screw up plans and timing and you got to move developer resources. So, you have outside influences controlling you, so I get that piece of it. But the reality is if some researcher discovered it, some China, Russia, random criminals are going to discover it. So, you need to deal with those issues. So, it's a bit of control. You lose control of your messaging and everything; if marketing gets their hands in this, then it becomes ugly.

On the other hand, you have to, as a vendor, always realize that these are people frequently trying to make your products better. Some may be out just to extort you a little bit, whatever. That's life. Get used to it. And in the end, it's about putting the customers first, not necessarily putting your ego first and your marketing first.

Corey: Changing gears slightly because believe it or not, neither you nor I have our primary day jobs focused on, you know, journalism or analyst work or anything like that these days, we focus on these—basically cloud, for lack of a better term—through slightly different lenses.
I look at it through cost—which is of course architecture—and you look at it through the lens of security. And I will point out that only one of us gets called at three in the morning when things get horrible because of the bill is a strictly business-hours problem. Don't think that's an accident as far as what I decided to focus on. What do you do these days?

Rich: You mean, what do I do in my day-to-day job?

Corey: Well, it feels like a fair question to ask. Like, what do you do as far as day job, personal life et cetera. Who is Rich Mogull? You've been a name on the internet for a long time; I figured we'd add some color and context to it.

Rich: Well, let's see. I just got back from a flying lesson. I'm honing in on my getting ready for my first solo. My side gig is as a disaster response paramedic. I dressed up as a stormtrooper for the 501st Legion. I've got a few kids and then I have a job. I technically have two jobs. So—

Corey: I'm envious of some of those things. I was looking into getting into flying but that path's not open to me, given that I have ADHD. And there are ways around it in different ways. It's like no, no, you don't understand. With my given expression of it, I am exactly the kind of person that should not be flying a plane, let's be very clear here. This is not a regulatory thing so much as it is a, “I'm choosing life.”

Rich: Yeah. It's a really fascinating thing because it's this combination of a physical and a mental challenge. And I'm still very early in the process. But you know, I cracked 50, it had always been a life goal to do this, and I said, “You know what? I'm going to go do it.”

So, first thing, I get my medical to make sure I can actually pass that because I'm over 50, and then from there, I can kind of jump into lessons.
Protip though: don't start taking lessons right as summer is kicking in in Phoenix, Arizona, with winds and heat that messes up your density altitude, and all sorts of fun things like that because it's making it a little more challenging. But I'm glad I'm doing it.

Corey: I have to imagine. That's got to be an interesting skill set that probably doesn't have a huge amount of overlap with the ins and outs of the cloud business. But maybe I'm wrong.

Rich: Oh God, Corey. The correlations between information security—my specialty, and cloud security as a subset of that—aviation, and emergency medicine are incredible. These are three areas with very similar skill sets required in terms of thought processes. And in the case of both the paramedic and aviation, there's physical skills and mental skills at the same time. But how you look at incidents, how you process things algorithmically, how you—your response times, checklists, the correlations.

And I've been talking about two of those three things for years. I did a talk a couple years ago, during Covid, my Blackhat talk on the “Paramedics Guide to Surviving Cybersecurity,” where I talked a lot about these kinds of pieces. And now aviation is becoming another part of that. Amazing parallels between all three. Very similar mindsets are required.

Corey: When you take a look at the overall sweep of the industry, you've been involved in cloud for a fairly long time. I have, too, but I start off as a cynic. I started originally when I got into the space, 2006, 2007, thinking virtualization was a flash in the pan because of the security potential impact of this. Then cloud was really starting to be a thing and pfff, that's not likely to take off. I mean, who's going to trust someone else to run all of their computing stuff?

And at this point, I've learned to stop trying to predict the future because I generally get it 180 degrees wrong, which you know, I can own that.
But I'm curious what you saw back when you got into this that made you decide, yeah, cloud has legs. What was that?

Rich: I was giving a presentation with this guy, Chris Hoff, a good friend of mine. And Chris and I joined together our individual kind of research threads and were talking about, kind of, “Disruptive Innovation and the Future of Security.” I think that was the title. And we gave that at RSA, we gave that at SOURCE Boston, start kind of doing a few sessions on this, and we talked about grid computing.

And we were looking at, kind of, the economics of where things were going. And very early, we also realized that on the SaaS side, everybody was already using cloud; they just didn't necessarily know it and they called them Application Service Providers. And then the concepts of cloud in the very early days were becoming compelling. It really hit me the first time I used it.

And to give you perspective, I'd spent years, you know, seven years as a Gartner analyst getting hammered with vendors all the time. You can't really test those technologies out because you can never test them in a way that an enterprise would use them. Even if I had a lab, the lab would be garbage; and we know this. I don't trust things coming out of labs because that does not reflect operational realities at enterprise scale. Coming out of Gartner, they train me to be an enterprise guy. You talk about a large company being 200? Large companies start at 3000 to 5000 employees.

Corey: Does that map to cloud services the way that AWS expresses? Because EKS, you're going to manage that differently in an enterprise environment—or any other random AWS service; I'm just picking EKS as an example on this. But I can spin up a cluster and see what it's like in 15 minutes, you know, assuming the cluster gets with the program.
And it's the same type of thing I would use in an enterprise, but I'm also not experiencing it in the enterprise-like way with the processes and the gating and the large team et cetera, et cetera, et cetera. Do you think it's still a fair comparison at that point?

Rich: Yeah, I think it absolutely is. And this is what really blew my mind. 11 or 12 years ago, when I got my first cloud account setup. I realized, oh, my God. And that was, there was no VPC, there was no IAM. It was ephemeral—and—no, we just had EBS was relatively new, and IAM was API only, it wasn't in the console yet.

Corey: And the network latency was, we'll charitably call it non-deterministic.

Rich: That was the advantage of not running anything at scale, wasn't an issue at the time. But getting the hands-on and being able to build what I could build so quickly and easily and with so little friction, that was mind-blowing. And then for me, the first time I've used security groups I'm like, “Oh, my God, I have the granularity of a host firewall with the manageability of a network firewall?” And then years later, getting much deeper into how AWS networking and all the other pieces were—

Corey: And doesn't let it hit the host, which I always thought a firewall that lets—

Rich: Yes.

Corey: —traffic touch the host is like a seatbelt that lets your face touch the dashboard.

Rich: Yeah. The first thing they do, they go in, they're going to change the rules. But you can't do that. It's those layers of defense. And then I'm finding companies in the early days who wanted to put virtual appliances in front of everything. And still do. I had calls last week about that.

But those are the things that really changed my mind because all of a sudden, this was what the key was, that I didn't fully realize—and it's kind of something that's evolved into something I call the ‘Grand Unified Theory of Cloud Governance,' these days—but what I realized was those barriers are gone.
And there is no way to stop this as people want to build and test and deploy applications because the benefits are going to be too strong. So, grab onto the reins, hold on to the back of the horse, you're going to get dragged away, and it's your choice if your arm gets ripped off in the process or if you're going to be able to ride that thing and at least steer it in the general direction that you need it to go in.

Corey: One of the things that really struck me when I started playing around with cloud for more than ten minutes was everything you say is true, but I can also get started today to test out an idea. And most of them don't work, but if something hits, suddenly I don't have the data center constraints, whereas today, I guess you'd call it, I built my experiment MVP on top of a Raspberry Pi and now I have to wait six weeks for Dell to send me something that isn't a piece of crap that I can actually take production traffic on. There's no okay, and I'll throw out the junky hardware and get the good stuff in once you start hitting a point of scale because you're already building on that stuff without the corresponding massive investment of capital to get there.

Rich: Yeah well, I mean, look, I lived this, I did a startup that was based on demos at a Blackhat—sorry, at a Blackhat. Blackhat. Did some demos on stage, people were like, “We want your code.” It was about cloud security automation. That led to doing our startup, the thing called DisruptOps, which got acquired, and that's how I ended up at FireMon. So, that's the day job route where I ended up.

And what was amazing for that is, to add on to what you said, first of all, the friction was low; once we get the architecture right, scalability is not something we are hugely concerned with, especially because we're CI/CD. Oh, no, we hit limits. Boom, let's just stand up a new version and redirect people over there. Problem solved.
And then the ability to, say, run multiple versions of our platform simultaneously? We're doing that right now. We just had to release an entirely free version of it.

To do that. It required back-end architectural changes for cost, not for scalability so much, but for a lot around cost and scheduling because our thing was event-driven, we're able to run that and run our other platform fully in parallel, all shared data structures, shared messaging structures. I can't even imagine how hard that would have not been to do in a traditional data center. So, we have a lot of freedom, still have those cost constraints because that's [laugh] your thing, but the experimentation, the ability to integrate things, it's just oh, my God, it's just exciting.

Corey: And let's be clear, I, having spent a lot of time as a rat myself in these data centers, I don't regret handing a lot of that responsibility off, just because, let's not kid ourselves, they are better at replacing failed or failing hardware than I will ever be. That's part of the benefit you get from the law of large numbers.

Rich: Yeah. I don't want to do all of that stuff, but we're hovering around something that is kind of—all right, so former Gartner analyst means I have a massive ego, and because of that, I like to come up with my own terms for things, so roll with me here. And it's something I'm calling the ‘Grand Unified Theory of Cloud Governance' because you cannot possibly get more egotistical than referring to something as your solution to the biggest problem in all of physics. The idea is, is that cloud, as we have just been discussing, it drops friction and it decentralizes because you don't have to go ask somebody for the network, you don't have to ask somebody for the server. So, all of a sudden, you can build a full application stack without having to call somebody for help.
We've just never had that in IT before.

And all of our governance structures—and this includes your own costs, as well as security—are built around scarcity. Scarcity of resources, natural choke points that evolved from the data center. Not because it was bad. It wasn't bad. We built these things because that's what we needed for that environment at the data center.

Now, we've got cloud and it's this whole new alien technology and it decentralizes. That said, particularly for us on security, you can build your whole application stack, of course, we have completely unified the management interfaces in one place and then we stuck them on the internet, protected with nothing more than a username and password. And if you can put those three things together in your head, you can realize why these are such dramatic changes and so challenging for enterprises, why my kids get to go to Disney a fair bit because we're in demand as security professionals.

Corey: What does FireMon do exactly? That's something that I'm not entirely up to speed on, just because please don't take this the wrong way, but I was at RSA this year, and it feels like all the companies sort of blend together as you walk between the different booths. Like, “This is what you should be terrified of today.” And it always turns into a weird sales pitch. Not that that's what you do, but it at some point just blinds me and overloads me as far as dealing with any of the cloud security space.

Rich: Oh, I've been going to RSA for 20 years. One of our SEs, I was briefly at our booth—I'm usually in outside meetings—and he goes, “Do you see any fun and interesting?” I go—I just looked at him like I was depressed and I'm like, “I've been to RSA for 20 years. I will never see anything interesting here again. Those days are over.” There's just too much noise and cacophony on that show floor.

What do we do? So—

Corey: It makes re:Invent's Expo Hall look small.

Rich: Yeah. I mean, it's, it's the show over at RSA.
And it wasn't always. I mean, it was—it's always been big as long as I've been there, but yeah, it's huge, everyone is there, and they're all saying exactly the same thing. This year, I think the only reason it wasn't all about AI is because they couldn't get the printers to reprint the banners fast enough. Not that anybody has any products that would do anything there. So—you look like you want to say something there.

Corey: No, no. I like the approach quite a bit. It's the, everything was about AI this year. It was a hard pivot from trying to sell me a firewall, which it seems like everyone was doing in the previous year. It's kind of wild. I keep saying that there's about a dozen companies that exhibit at RSA. A guess, there are hundreds and hundreds of booths, but it all distills down to the same 12 things. They have different logos and different marketing stories, but it does seem like a lot of stuff is very much just like the booth next to it on both sides.

Rich: Yeah. I mean, that's—it's just the nature. And part of—there's a lot of reasons for this. We used to, when I was—so prior to doing the startup thing and then ending up at FireMon, I did Securosis, which was an analyst firm, and we used to do the Securosis guide to RSA every year where we would try and pick the big themes. And the reality is, there's a reason for that.

I wrote something once the vendors lied to you because you want them to. It's the most dysfunctional relationship because as customers, you're always asking, “Well, what are you doing for [unintelligible 00:22:16]? What are you doing for zero trust? What are you doing for AI?” When those same customers are still just working on fundamental patch management and firewall management.
But it doesn't stop them from asking the questions and the vendors have to have answers because that's just the nature of that part of the world.

Corey: I will ask you, over our past 12 years—I have my own thoughts on this, but I want to hear your take on it—what's changed in the world of cloud security?

Rich: Everything. I mean, I was one of the first to be doing this.

Corey: Oh, is that all?

Rich: Yeah. So, there's more people. When I first started, very few people doing it, nobody knew much about it outside AWS, we all knew each other. Now, we've got a community that's developed and there's people that know what they're doing. There's still a shortage of skills, absolutely still a shortage of skills, but we're getting a handle on that, you know? We're getting a bit of a pipeline.

And I'd say that's still probably the biggest challenge faced. But what's improved? Well, it's a give-and-take. On one hand, we now have strategies, we have tools that are more helpful, unfortunately—I'll tell you the biggest mistake I made and it ties to the FireMon stuff in my career, in a minute; relates directly to this question, but we're kind of getting there on some of the tool pieces.

On the other hand, that complexity is increasing faster. And that's what's made it hard. So, as much as we're getting more skilled people, better at tooling, for example, we kind of know—and we didn't have CloudTrail when I started. We didn't have the fundamental things you need to actually implement security at the start of cloud. Most of those are there; they may not be working the way we wish they always worked, but we've got the pieces to assemble it, depending on which platform you're on. That's probably the biggest change.
Now, we need to get into the maturity phase of cloud, and that's going to be much more difficult and time-consuming to kind of get over that hump.

Corey: It's easy to wind up saying, “Oh, I saw the future so clearly back then,” but I have to ask, going back 12 years, the path the world would take was far from certain. Did you have doubts?

Rich: Like, I had presented with Chris Hoff. We—we're still friends—presented stuff together, and he got a job that was kind of clouding ancillary. And I remember calling him up once and going, “Chris, I don't know what to do.” I was running my little analyst firm—little. We were doing very, very well—I could not get paid to do any work around cloud.

People wanted me to write shitty papers on DLP and take customer inquiries on DLP because I had covered that at the Gartner days, and data encryption and those pieces. That was hard. And fortunately, a few things started trickling in. And then it was a flood. It completely changed our business and led to me, you know, eventually going down into the vendor path. But that was a tough day when I hit that point. So, absolutely I knew it was the future. I didn't know if I was going to be able to make a living at it.

Corey: It would seem that you did.

Rich: Yeah. Worked out pretty well [laugh].

Corey: You seem sprightly to me. Good work. You're not on death's door.

Rich: No. You know, in fact, the analyst side of it exploded over the years because it turns out, there weren't people who had this experience. So, I could write code to the APIs, but they'll still talk with CEOs and boards of directors around these cloud security issues and frame them in ways that made sense to them. So, that was wonderful. We partnered up with the Cloud Security Alliance, I actually built a bunch of the CSA training, I wrote the current version of the CSA guidance, we're writing the next version of that, did a lot of research with them. They've been a wonderful partner.

So, all that went well.
Then I got diverted down onto the vendor path. I had this research idea and then it came out, we ended up founding that as a startup and then it got, as I mentioned, acquired by FireMon, which is interesting because FireMon, you asked what we did, it's firewall policy management is the core of the company. Yet the investors realized the company was not going in the right direction necessarily, to deal with the future of cloud. They went to their former CEO and said, “Hey, can you come back”—the founder of the company—“And take this over and start moving us in the right direction?”

Well, he happened to be my co-founder at the startup. And so, we kind of came in and took over there. And so, now it's a very interesting position because we have this one cloud-native thing we built for all these years. We made one mistake with that, which I'll talk about which ties back to your predicting the future piece if you want to go into it, but then we have the network firewall piece now extending into hybrid, and we have an asset management moving into the attack surface management space as well. And both of those products have been around for, like, 15-plus years.

Corey: No, I'm curious to your thoughts on it because it's been one of those weird areas where there's been so much change and so much evolution, but you also look at today's “OWASP Top 10” list of vulnerabilities, and yeah, they updated a year or so ago, but it still looks basically like things that—from 2008—would have made sense to me when I'm looking at this. Well, insomuch as they do now. I didn't know then, nor do I now what a cross-site scripting attack might be, but other than that, I find that there's, “Oh, you misconfigured something and it winds up causing a problem.” Well, no kidding. Imagine that.

Rich: Yeah. Look, the fundamentals don't change, but it's still really easy to screw up.

Corey: Oh, having done so a lot, I believe you.

Rich: There's a couple of principles, and I'll break it into two sides.
One is, a lot of security sounds simple. There's nothing simple at scale. Nothing simple scales. The moment you get up to even 200 employees, everything just becomes ridiculously harder. That's the nature of reality. Simplicity doesn't scale.

The other part is even though it's always the same, it's still easy to think you're going to be different this time and you're not going to screw it up, and then you do. For example, so cloud, we were talking about the maturity. I assumed CSPM just wasn't going to be a thing. For real. The Cloud Security Posture Management. Because why would the cloud providers not just make that problem go away and then all the vulnerability assessment vendors and everybody else? It seemed like it was an uninteresting problem.

And yet, we were building a cloud security automation thing and we missed the boat because we had everything we needed to be one of the very first CSPM vendors on the market and we're like, “No, no. That problem is going to go away. We'll go there.” And it ties back to what you said, which is it's the same stuff and we just outsmarted ourselves. We thought that people would go further faster. And they don't and they aren't.

And that's kind of where we are today. We are dramatically maturing. At the same time, the complexity is increasing dramatically. It's just a huge challenge for skills and staffing to adjust governance programs. Like I think we've got another 10 to 20 years to go on this cloud security thing before we even get close. And then maybe we'll get down to the being bored by the problems. But probably not because AI will ruin us.

Corey: I'd like to imagine, on some level, that AI could be that good. I mean, don't get me wrong. It has value and it is transformative for a bunch of things, but I also think a lot of the fear-mongering is more than a little overblown.

Rich: No, I agree with you.
I'm trying to keep a very close eye on it because—I can't remember if you and I talked about this when we met face-to-face, or… it was somebody at that event—AI is just not just AI. There's different. There's the LLMs, there's the different kinds of technologies that are involved. I mean, we use AI all over the place already.

I mean my phone's got it built in to take better pictures. It's a matter of figuring out what the use cases and the, honestly, some of the regulatory structure around it in terms of copyright and everything else. I'm not worried about Clippy turning into Skynet, even though I might make jokes about that on Mastodon, maybe someday there will be some challenges, but no, it's just going to be another tech that we're going to figure out over time. It is disruptive, so we can't ignore that part of it.

Corey: I really want to thank you for taking the time to speak with me. If people want to learn more, where's the best place to find you that isn't one of the Disney parks?

Rich: That really is kind of the best place to find—no. So, these days, I do technically still have a Twitter presence at @rmogull. I'm not on there much, but I will get DMs if people send those over. I'm more on Mastodon. It's at @rmogull@defcon.social. I write over at FireMon these days, as well as occasionally still over at Securosis, on those blogs. And I'm in the [Cloud Security Slack community 00:30:49] that is now under the banner for CloudSec. That's probably the best place if you want to hit me up and get quick answers on anything.

Corey: And I will, of course, include links to all of that in the show notes. Thank you so much for taking the time to speak with me today. I really appreciate it.

Rich: Thanks, Corey. I was so happy to be here.

Corey: Rich Mogull, SVP of Cloud Security at FireMon. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud.
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment talking about how at Dell these days, it does not take six weeks to ship a server. And then I will get back to you in six to eight weeks.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
“When we test cars no one would ever say that a brake test replaces a safety belt test. That would be silly. But when you get into software, sometimes people go, oh well I ran one tool. Why do I need these other ones? It's because you're testing different things. Maybe we do a disservice to our people that we work with of not clearly explaining that in understandable ways. You can say ‘Software component analysis’ which makes sense to people in our industry. But if you're an executive, it may not make any sense.”

In this episode we hear from Dennis Hurst, the Founder and President of Saltworks Security. He's been an application security leader since the earliest days of the industry. With over 30 years of experience across the entire software development lifecycle, he has helped launch startups and traveled the globe to aid multinational enterprises in successfully implementing their application security programs. Dennis is a recognized and trusted advisor for Fortune 500 companies that span multiple industries and concerns.

Dennis is a founding member of the Cloud Security Alliance, where he co-authored the first two versions of its Application Security guidelines. He is also a contributor to and advocate for the Open Web Application Security Project.

Rate and review the show on Apple Podcasts. Share the show with others in the cybersecurity world. Get in touch via reimaginingcyber@gmail.com
This week on the Ask A CISO Podcast, Dr. Lee Hing Yan, Executive Vice President, Government Affairs at the Cloud Security Alliance, joins host Jonar Marzan, Cyber Strategy Consultant at Horangi, to talk about the Cloud Controls Matrix (CCM), the Cloud Security Alliance and what it does, and how it seeks to educate users to use the cloud securely.

More information about the Ask A CISO podcast: https://www.horangi.com/resources/ask-a-ciso-podcast
About Horangi Cyber Security: https://www.horangi.com
Dr. Lee's LinkedIn: https://sg.linkedin.com/in/hing-yan-lee-b8a42b
Website: https://cloudsecurityalliance.org/
This case study highlights Dell Technologies' journey towards adopting the Cloud Security Alliance's (CSA) Security, Trust, and Assurance Registry (STAR) program to enhance its cloud security. Dell Technologies addressed the ongoing challenges of the cloud by adopting the CSA STAR program, which provided a framework for assessing and documenting cloud providers' security and compliance posture. Join us as we talk to Andrea Doherty, Technical Lead for the Dell Technologies Security and Resiliency Organization's Trusted Cloud and Services program, as she discusses Dell's challenges, objectives, and implementation outcomes. Find out how they were able to enhance their comprehensive security and compliance program, gain a competitive advantage, and enhance customer trust.
In this episode of the We Hack Purple podcast, host Tanya Janca met with Frank from Phoenix Security in the UK! We talked about his latest white paper ‘SLAs are Dead, Long Live SLAs!’, how AppSec folks aren't necessarily ‘great’ at maintaining their own SLAs, and how to empower a team to do their own governance and be responsible for their own risk. We talked about how to figure out the security maturity model you are looking for, and what kind of language we can use to help a client decide it for themselves. We also talked about how to get several industry experts to work on the same document together: spoiler alert, it's hard! Listen to hear more!

The White Paper: SLAs are Dead, Long Live SLAs! Data Driven Vulnerability Management
Frank's Podcast: Cyber Security and Cloud Podcast

Several MORE White Papers from Phoenix Security:
Priority: https://phoenix.security/whitepapers-resources/vulnerability-management-in-application-cloud-security/
Vulnerability management and regulation: https://phoenix.security/whitepapers-resources/whitepaper-vulnerability-management-in-application-cloud-security/

Upcoming Webinars with Frank!
16/02 - 4 PM GMT - Brooks Schoenfield - SLA, application security and data driven programs: https://youtube.com/live/dfANH8WKavY?feature=share
22/2 - 5 PM GMT - Chris Romeo - Data Driven Application security programs, how to measure maturity and scale: https://youtube.com/live/wqlC-cClqYE?feature=share

Frank's Bio:
Francesco is a seasoned entrepreneur, CEO of the application security risk-based posture management company Appsec Phoenix, author of several books, host of the multi-award-winning Cyber Security & Cloud Podcast, and a speaker known in the cybersecurity industry and recognized for his visionary views. He currently serves as Chapter Chair UK&I of the Cloud Security Alliance. Previously, Francesco headed application and cloud security at HSBC and was Senior Security Consultant at AWS. Francesco has keynoted at global conferences and has authored and co-authored a number of books. Outside of work, you can find him running marathons, snowboarding on the Italian slopes, and enjoying single malt whiskeys in one of his favourite London clubs.

Very special thanks to our sponsor: Phoenix Security!
Phoenix Security ingests data from any security tool, cloud, or code, correlates vulnerabilities, contextualizes, prioritizes and translates them into risk. The Phoenix algorithm selects the subset of vulnerabilities most likely to get exploited in the next 30 days, delivering them to the engineers' backlog. Contextualizing and prioritizing from code to cloud enables security engineers to act on the risk that matters most without burning out.

Join We Hack Purple!
Join us in the We Hack Purple Community: a fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find the We Hack Purple Podcast, in audio format, on Podcast Addict, Apple Podcasts, Overcast, Pod, Amazon Music, Spotify, and more!
Cloud Service Providers have no problem sharing with you the number of data centers they own, the flexibility of options, and the ease of starting in the cloud. However, what is never overtly stated is that the federal technology manager is responsible for the security of their data whether it is on the server down the hall or in the cloud. The conversational phrase is, “they are not on the hook for the security of your data.”

Today, we have several perspectives on understanding how to protect federal data in the cloud. Experts from three areas provide their views on data protection, standards, and working in a cloud environment.

When it comes to protecting data in the cloud, Skip Bailey from the U.S. Census Bureau thinks that one needs to approach it strategically first. Each of the three main Cloud Service Providers has proprietary ways of handling aspects of data control. If you think you are going into a multiple cloud environment and plan on relying on one set of rules, you are mistaken. You will need staffing to support these multiple clouds.

As in other endeavors, standards bodies can provide guidance that can assist in coming to terms with handling heterogeneous environments, in this case, varying cloud providers. Craig Hurter from the State of Colorado suggests that one should get comfortable with ISO specifications like ISO 17789 as well as some of the general guidelines from the Cloud Security Alliance. That way, you can compare the terms of service for each Cloud Service Provider with whatever standards you choose.

It seems likely that a multi-cloud world is where federal data lives. If that is the case, then it would behoove managers to be able to evaluate each Cloud Service Provider's capabilities. Each cloud may have options to allow control; the key is to understand how those cloud providers' proprietary offerings compare to commercial ones. Sterling Wilson suggests that you start with three questions. What happens if you delete data? How easy is it to deploy Multi-Factor Authentication? What about the security of data in transit?

One concept that Craig Hurter brings up is the idea of architecting data storage in depth. The idea is that the initial system is solid, but, over time, something called “drift” takes place. Updates may not all be installed promptly; other maintenance can be delayed. What may happen is that you lose security over time while still holding to the initial design specifications. You may have “drifted” without knowing it.
Maarten Van Horenbeeck, who is the chief information security officer at Zendesk, has more than 15 years of experience managing security organizations, which includes building the cybersecurity threat intelligence team at Amazon, and working on the security teams at Google and Microsoft. He is also a former board member and Chairman of the Forum of Incident Response and Security Teams (FIRST).

LinkedIn: https://www.linkedin.com/in/maartenv/
Chaos Computer Club: https://en.wikipedia.org/wiki/Chaos_Computer_Club
NIST: https://www.nist.gov
MITRE: https://www.mitre.org
Rand Institute: https://www.rand.org
FIRST: https://www.first.org
Cloud Security Alliance: https://cloudsecurityalliance.org
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
IBM's and Ponemon's annual Cost of a Data Breach Report: summary, analysis, and implications for healthcare
Updated NIST guidance on HIPAA compliance approaches and expected practices
Facebook (Meta) and healthcare providers targeted with multiple lawsuits over health data privacy practices
GAO report warns of catastrophic financial loss due to cyber insurers backing out of covering damages from cyberattacks
$100m cost reported for Tenet Healthcare's 2022 cyberattack
Major breaches with healthcare vendors OneTouchPoint and Avamere impacting more than 1.5m people
Cloud Security Alliance weighs in on third-party risk management in healthcare
Large-scale cyberattack campaign targeting over 10,000 organizations in phishing and financial fraud scheme
HHS Health Sector Cybersecurity Coordination Center alert about an increase in web application attacks on the healthcare sector
New ransomware task force report targeting government interventions to disrupt ransomware attacks
OCR issues 11 new financial penalties over HIPAA Right of Access failures
Bill Brown is an accomplished information technology and information security leader with experience leading M&A security due diligence response and remediation, and leading global teams in start-up, mid-size, and Fortune 1000 companies. Currently he is CISO and CIO at Abacus Insights and an advisory board member to ThreatWarrior. He has also held security leadership positions at ClickSoftware, Houghton Mifflin Harcourt, Veracode, and Iron Mountain.

LinkedIn: https://www.linkedin.com/in/billbrownusa/
HIPAA: https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
HITRUST: https://en.wikipedia.org/wiki/HITRUST
PII: https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII
Cyber Warrior: https://www.cyberwarrior.com/
Cloud Security Alliance: https://success.impartner.com/English/Customer/home.aspx
This episode talks about some exciting news for Security In Five and your host's new roles.

Cloud Security Alliance of MN - https://www.csamn.com/

Be aware, be safe.

*** Support the podcast with a cup of coffee *** - Ko-Fi Security In Five, or become a patron: https://www.patreon.com/SecurityInFive

Don't forget to subscribe to the Security In Five Newsletter.

—————— Where you can find Security In Five ——————
Security In Five Reddit Channel: r/SecurityInFive
Podcast RSS
Twitter: @binaryblogger
YouTube, Stitcher
Email: bblogger@protonmail.com
James Carder is an experienced Chief Security Officer, research and development leader, cyber security services expert, and go-to-market executive with over 26 years in both corporate security and consulting for public and private companies across various industries, the Fortune 500, and the U.S. Government. Currently, he is the Chief Security Officer at iOffice + SpaceIQ. James also served in the Air Force.

LinkedIn: https://www.linkedin.com/in/carderj/
Twitter: https://twitter.com/carderjames
ISSA: https://www.issa.org/
OWASP: https://owasp.org/
Cloud Security Alliance: https://cloudsecurityalliance.org/
BSides: https://bsideslv.org/
U Minnesota Certificate Program: https://bootcamp.umn.edu/cybersecurity/
In this special Pre-Cloud Con episode we mix things up a little. Rather than joining me as a co-host, the Cloud Security Alliance of West Michigan's own Anthony Coggins sits on the other side of the mic. He, along with the ever-knowledgeable Tim O'Connor, discusses the current state of cybersecurity insurance in 2022. Anthony is the Senior Manager of the Security Operations Team at Grand Rapids' own rocket-ship insurance company, Acrisure. Tim is the Manager of Knowledge Services at Cadre Information Security.

Talking Points:
What does the industry look like today and why does it look that way?
What do you need to know when you are filling out the forms?
Do customers truly understand the questions being asked?
Is the form an indicator of the maturity of the insurance carrier? (Tim talks about the differences in the 20+ insurance forms he has on his desk)
Did you know you can carry supplemental insurance, like home and auto insurance? (Anthony talks about the Ransomware Supplemental Form)
Is it true insurance carriers lower rates if you have 'X' cybersecurity solution in your ecosystem?

Episode Sponsor:
This episode is sponsored by Cadre Information Security. Cadre is a trusted security partner based out of Cincinnati, Ohio and has been a long-time supporter of the podcast. As always, part of the sponsorship fee goes to Michigan charities.
Daniele Catteddu, Chief Technology Officer with the Cloud Security Alliance, speaks to Don Witt of the Channel Daily News, a TR publication, about the history of the CSA and what it has accomplished over the years, and recently with the launch of the Zero Trust Advancement Center. The goal of the ZTAC is to provide best practices, recommendations, training and education, and awareness on Zero Trust. There is a lot of attention on IoT and IIoT device supply chains, their vulnerabilities, as well as potential breaches during production, which Daniele addresses. Listen in as he also describes how Zero Trust can help protect IoT and IIoT systems. In addition, he covers certifications for IoT devices, which were not well implemented in the past but are now becoming available with a recommended IoT security framework.

Mentioned: CSA IoT Security Controls Framework V3

About: The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA's activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs, and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

For more information, go to:
https://cloudsecurityalliance.org/zt/
https://cloudsecurityalliance.org/press-releases/2022/04/26/cloud-security-alliance-updates-internet-of-things-iot-controls-matrix-with-new-incident-management-domain-and-enhanced-technical-clarity-and-referencing/
https://cloudsecurityalliance.org/artifacts/iot-security-controls-framework-v3/
https://cloudsecurityalliance.org/artifacts/guide-to-the-iot-security-controls-framework-v3/
After the RSA showroom floor proved zero trust's popularity as a buzzword, how will its tenets be solidified and standardized to separate true adherents from charlatans? To find out, host Sean Cordero welcomes John Yeoh, global vice president of research at the Cloud Security Alliance, and Lauren Wise, senior director, global executive advisory at Zscaler, to discuss the recently announced Zero Trust Advancement Center and its mission to become the vendor-agnostic industry "North Star" for the strategies and solutions that make up zero trust cybersecurity.
Migration of business applications, data, and systems to the cloud is not a new idea. There's been a pretty obvious global trend in migrating business software and systems to the cloud over the past decade or longer. But how do you ensure you're doing cloud migration or modernization the right way? In this episode of the e-Core Connections podcast, our host Bruce Guptill, an IT industry analyst from Addressable Markets LLC and the Global Analyst Syndicate, talks with Tom Scott from the Open Alliance for Cloud Adoption and the Cloud Security Alliance. Their conversation covers key cloud architecture, maturity, migration, and security issues that enterprise clients need to understand and know how to work on with services partners. They dive in deeper and discuss topics including:
The need to balance the speed of cloud vs. the speed of business
The danger that comes with assuming adequate security is included, and whether “good enough” is really secure
Cloud maturity and adoption strategies
The importance of having a trusted service provider to help anticipate, adapt, avoid, and fix problems
If your business is planning a cloud migration or modernization, this episode will help you make sure you do it right the first time.
Top threats of 2022, Corel acquires Awingu, Cerebras Systems on AI compute in the cloud, and more.
Cloud Security Alliance's top threats of 2022
Microsoft 365 function leaves SharePoint, OneDrive files open to ransomware attacks
Cisco Live announcement about AppDynamics
Ransomware gang creates a site for employees to search for their stolen data
Corel acquires Awingu
Cerebras Systems Founder and CEO Andrew Feldman on high-performance AI compute in the cloud
Hosts: Louis Maresca, Brian Chee, and Curt Franklin
Guest: Andrew Feldman
Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
Sponsors: CDW.com/IntelClient nureva.com linode.com/twiet
Upstream: The Software Supply Chain Security Podcast presented by Anchore
In this episode, John Yeoh, Global Vice President of Research at Cloud Security Alliance, joins hosts Kim Weins and Josh Bressers to discuss the state of security in the cloud and how to solve supply chain pain points like misconfigurations, zero trust, and transparency. They explore the need to align best practices and how the Global Security Database initiative is working to unify vulnerability data disclosure across the industry.
Aaron is a DevOps engineer, solution architect, and all-around cybersecurity expert. He works for a global cybersecurity services company, is a member of the Cloud Security Alliance, and is a co-author of the upcoming Software Defined Perimeter Specification Version 2. Since last time (episode 18), Aaron spent 1.5 years overseas supporting the Army and moved back to the U.S. last year to join Appgate as a Senior Solutions Architect.

Topics of Discussion:
[4:11] What types of things has Aaron observed that programmers don't typically gravitate towards, but they need to give some attention to in the overall IT and security space?
[9:42] Should developers be thinking about zero trust just for their production environments, or should they be thinking about it for their own working environments, as well?
[13:30] Is there a standard set of tags that someone could use from day one?
[15:15] A core tenet of Zero Trust is Enterprise Identity Governance.
[17:35] Do the cloud providers already have this mechanism of automatically discovering via tags, and/or is there something that needs to be added to what they provide?
[22:36] What are the pros and cons of working with smaller vs. bigger companies?
[24:41] What does Aaron see for the future?

Mentioned in this Episode:
Architect Tips — New video podcast!
Azure DevOps
Clear Measure (Sponsor)
.NET DevOps for Azure: A Developer's Guide to DevOps Architecture the Right Way, by Jeffrey Palermo — Available on Amazon!
Jeffrey Palermo's YouTube
Jeffrey Palermo's Twitter — Follow to stay informed about future events!
Appgate — The leader in Zero Trust Network Access solutions
Zero Trust Thirty
EO 14028 — Executive Order on Improving the Nation's Cybersecurity
Presidential memo on Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
CISA's focus on Zero Trust — 508 search results
CISA's Zero Trust Maturity Model document
NIST — Implementing Zero Trust Architecture
Cloud Security Alliance — Software Defined Perimeter and Zero Trust
Platform One — “An official DoD DevSecOps Enterprise Services team for the DoD” leveraging CNAP for secure remote access to cloud resources.
Department of Defense (DoD) Cloud Native Access Point (CNAP) Reference Design (RD)

Want to Learn More? Visit AzureDevOps.Show for show notes and additional episodes.
Adaptive Shield, along with the Cloud Security Alliance, released their 2022 SaaS Security Survey Report. This is a report from over 300 CSA members, asking them about their concerns regarding cloud security posture in the industry. This episode goes over some key takeaways.

Source - https://www.adaptive-shield.com/2022-saas-security-survey-report

Be aware, be safe.

Get ExpressVPN, Secure Your Privacy And Support The Show
Become A Patron! Patreon Page
*** Support the podcast with a cup of coffee *** - Ko-Fi Security In Five

—————— Where you can find Security In Five ——————
Security In Five Reddit Channel: r/SecurityInFive
Binary Blogger Website
Security In Five Website
Security In Five Podcast Page - Podcast RSS
Twitter: @securityinfive
iTunes, YouTube, TuneIn, iHeartRadio
In this special episode I speak with Peter HJ van Eijk about the CCSK and CCAK cloud security certifications from the Cloud Security Alliance. Peter is the owner of Club Cloud Computing and an authorized CCSK and CCAK trainer. I have personally taken his training course and thought it was one of the best ones out there. He also offers free refresher courses and online focus sessions. If you want to learn more about CSA certifications, then definitely listen in!
Satyavathi has over 24 years' experience in IT and cyber security and is the go-to person for critical security projects at CyberRes, a Micro Focus line of business, where she spearheads enterprise security architecture and cloud technology. She is an inventor, a thought leader, and a noted speaker in international and national forums, and has been recognized as one of the Top 10 Women in Tech Leaders in India, Top 20 Indian Women Security Influencers, Women in Tech - Chief Mentor, and more. She also serves on the boards of nonprofit organizations, including as Chairman of Cloud Security Alliance, Bangalore, and as a Global Advisory Board Member - CTIA at EC-Council. In case you want to reach out to her, you can find her on LinkedIn - https://www.linkedin.com/in/satyad/ Twitter - @Satya_Divadari Follow "Stories of Infosec Journeys" podcast on LinkedIn - Stories of Infosec Journeys Twitter - @InfosecJourneys Instagram & Facebook - @storiesofinfosecjourneys Kindly rate the podcast on Spotify and leave a review on Apple Podcasts.
Discover how AI-powered automation can guide an enterprise to modernize its applications and data. Jerry is joined by Dr. Maja Vukovic, an IBM Fellow who leads AI for Application Modernization at IBM. Maja and her team at IBM Research are world-renowned for their work in the area of “modernization to cloud”, including building advanced AI-powered automation tools like Mono2Micro. According to a report published by the Cloud Security Alliance, the average enterprise has 464 custom applications deployed today. Even the smallest organizations, those with 1 to 1000 employees, had an average of 22 custom applications. The largest orgs have thousands of applications. Thousands! Think about all the technology advancements that have taken place since then, and the new security risks we weren't aware of when our apps were originally designed. But perhaps more profound, think about how much business has changed during that time. Are your applications reflecting the changing times? Listen in to this episode to learn more! Referenced links: IBM Mono2Micro; Scientific Advantage with IBM Research & Consulting; Konveyor Project; ART OF AUTOMATION BOOK - DONATE HERE!
Even before the pandemic, the majority of businesses were already moving to the cloud. Now, it seems you can't do business without it, which means cloud security and compliance are more important than ever. That's why I'm speaking to one of the authorities on cloud security, John DiMaria, Assurance Investigatory Fellow at Cloud Security Alliance, in today's episode, to demystify cloud security. Join us as we discuss: How CSA's STAR program can help you strengthen your cloud security; The biggest vulnerabilities organizations face when operating in the cloud; How landing on CSA's CCM registry can give your organization more visibility. To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.
Why are startups different from a security perspective? Join Moshe Ferber, Chairman of the Israel Chapter of the Cloud Security Alliance, to learn how startups can ensure their security is up to par based on their startup phase. Moshe also focuses on application security, discussing how startups generally make the highest percentage of their mistakes at the application layer. We also get into the SDLC and CI/CD pipelines and how to make sure security is top of mind throughout.
Amazon AWS adoption with cybersecurity first principle strategies. In this second session reviewing cloud platforms through the lens of first principle thinking, Rick Howard reviews Amazon Web Services (AWS). He discusses how AWS supports, or doesn't support, the strategies of resilience, zero trust, intrusion kill chains, and risk assessments. Cybersecurity professional development and continued education. You will learn about: AWS networking and API techniques, DevSecOps in a cloud environment, AWS services and security tools, and AWS strategies that support cybersecurity first principles. CyberWire is the world's most trusted news source for cybersecurity information and situational awareness. Join the conversation with Rick Howard on LinkedIn and Twitter, and follow CyberWire on social media and join our community of security professionals: LinkedIn, Twitter, Youtube, Facebook, Instagram Additional first principles resources for your cybersecurity program. For more Amazon AWS and cybersecurity first principles resources, check the topic essay. Selected Reading: S1E6: 11 MAY: Cybersecurity First Principles. S1E7: 18 MAY: Cybersecurity first principles: zero trust. S1E8: 26 MAY: Cybersecurity first principles: intrusion kill chains. S1E9: 01 JUN: Cybersecurity first principles: resilience. S1E11: 15 JUN: Cybersecurity first principles: risk. S2E7: 31 AUG: Identity Management: a first principle idea. S2E8: 07 SEP: Identity Management: around the Hash Table. S4E3: 25 JAN: Microsoft Azure through a first principle lens. S4E4: 01 FEB: Microsoft Azure security (Hashtable Interviews). “5 Best Practices for Resiliency Planning Using AWS,” Amazon Web Services, 7 October 2020. “6 Best Practices for Increasing Security in AWS in a Zero Trust World,” by Louis Columbus, Forbes, 4 January 2019. “About: History,” Cloud Security Alliance. “A Brief History of AWS,” by Alec Rojasm, Media Temple, 31 August 2017. “Amrandazz/Attack-Guardduty-Navigator,” by amrandazz, GitHub, 2021. “AWS Networking and Security 101,” by Net Joints, YouTube video, 2020. “AWS Networking Fundamentals,” by Amazon Web Services, YouTube video, 2019. “AWS Training and Certification,” Aws.training, 2021. “Exposed Azure Bucket Leaked Passports, IDs of Volleyball Reporters,” by Ax Sharma, BleepingComputer, February 2021. “How to Connect Your On-Premises Active Directory to AWS Using AD Connector,” by Amazon Web Services, 6 July 2015. “How to Think about Zero Trust Architectures on AWS,” by Amazon Web Services, 20 January 2020. “Leaky AWS S3 Buckets Are so Common, They're Being Found by the Thousands Now – with Lots of Buried Secrets,” by Shaun Nichols, The Register, 3 August 2020. “Network Address Translation (NAT),” GeeksforGeeks, 7 May 2018. “Zero Trust Architectures: An AWS Perspective,” by Amazon Web Services, 3 November 2020.
Microsoft Azure adoption with cybersecurity first principle strategies. The cloud revolution is here. How well can we implement our first principle strategies within each environment? Do we need to embrace other security platforms to get it done? In this session, Rick discusses Microsoft Azure through the lens of first principle thinking. He reviews how Azure supports, or doesn't support, the strategies of resilience, zero trust, intrusion kill chains, and risk assessments. Cybersecurity professional development and continued education. You will learn about: Microsoft Azure services and security tools, infrastructure as code, and Azure strategies that support cybersecurity first principles. CyberWire is the world's most trusted news source for cybersecurity information and situational awareness. Join the conversation with Rick Howard on LinkedIn and Twitter, and follow CyberWire on social media and join our community of security professionals: LinkedIn, Twitter, Youtube, Facebook, Instagram Additional first principles resources for your cybersecurity program. For more Microsoft Azure and cybersecurity first principles resources, check the topic essay. Selected Reading: S1E1: 6 APR: Your Security Stack is Moving: SASE is Coming. S1E9: 01 JUN: Cybersecurity first principles: resilience. S2E7: 31 AUG: Identity Management: a first principle idea. S2E8: 07 SEP: Identity Management: around the Hash Table. S3E3: 02 NOV: Securing containers and serverless functions. S3E4: 09 NOV: Securing containers and serverless functions: around the Hash Table. S3E5: 16 NOV: SOAR: a first principle idea. S3E6: 23 NOV: SOAR: around the Hash Table. “About: History,” Cloud Security Alliance. “A Brief History of AWS,” by Alec Rojasm, Media Temple, 31 August 2017. “A Look Back At Ten Years Of Microsoft Azure,” by Janakiram, Forbes, 3 February 2020. “An Annotated History of Google's Cloud Platform,” by Reto Meier, Medium, 10 February 2017. “Azure AD Overview,” by John Savill, YouTube, 2020. “Azure Virtual Network FAQ,” KumudD, Microsoft.com, 26 June 2020. “Azure Virtual Network Overview,” by John Savill, YouTube, 4 February 2020. “Matrices: Cloud Matrix,” MITRE ATT&CK. “Microsoft Azure: Security,” Microsoft. “Thinking about Resiliency in Azure,” by John Savill, YouTube video, June 2019. “Zero Trust Deployment Center,” Gary Centric, Microsoft.com, 30 September 2020.
The Alpha to Zeta Podcast is back with two new hosts - Alyssa Zabawa and Gina Vitacco! In their debut episode, they invite Alpha Kappa Psi-Zeta alum, Olivia Rempe. Olivia recalls her experiences at the University of Nebraska-Lincoln and Alpha Kappa Psi, and how they prepared her for her full-time role as a Community Engagement Specialist at Cloud Security Alliance. Follow AKPsi on Instagram: https://www.instagram.com/unlakpsi/
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: OCR's announcement of its new director, Lisa J. Pino; the FTC expands the Health Breach Notification Rule, with implications for healthcare entities and enforcement; healthcare breach highlights including Apple HealthKit, Fitbit, Google Fit, Walgreens, Fortinet, and more; details on an “irrecoverable” EHR ransomware event for an Arizona-based healthcare provider; a summary of new Cloud Security Alliance guidance on ransomware protections; and the U.S. Treasury taking action against cryptocurrency in a counter-ransomware initiative.
Lynn Terwoerds, the Executive Director of the Executive Women's Forum, shares what she's learned about how to make it to the next level in your career. Lynn shares what she hopes will help women see the value in knowing what you want, building a plan toward that goal, knowing yourself personally and as others see you, and then being able to tell a consistent story so that everyone you meet, everyone in your current network, even people who bump into your family, will see and hear a coherent message about your career direction. So often, we confuse the people around us by being vague, inconsistent, or uncertain. Getting to the next level is about making sure you stack the odds in your favor by taking control of the things you have control over and not obsessing over the things you can't control. In this episode, Lynn points us to some great resources including the Critical Thinking Worksheet, the Leading Ladies “Why” Tool, and the Networking Worksheet. This episode is full of incredibly helpful, practical, tactical, and strategic things you can do to identify: What do I really want? How do I devise a resilient plan? Where am I in my journey? How do I include my family and friends in this journey? How do I build the right network? About Lynn Terwoerds: Lynn Terwoerds, Executive Director, joined the Executive Women's Forum in 2016 after 20+ years as a global cybersecurity expert and leader at Microsoft, Barclays PLC in London, and Oracle. She is a founding member of the Cloud Security Alliance, serves on the nonprofit board of the Northwest Maritime Center, and chairs its Audit and Risk Committee. As the Executive Director, Terwoerds has overall strategic and operational responsibility for staff, programs, expansion, and execution of the EWF mission. The Executive Director, in conjunction with the CEO and staff, develops core programs and strategic business plans.