POPULARITY
121 episodes with cloud security podcast
4 episodes with cloud security podcast
5 episodes with cloud security podcast
2 episodes with cloud security podcast
2 episodes with cloud security podcast
In this episode of the Cloud Security Podcast, host Ashish Rajan speaks to James Berthoty, founder of Latio.Tech and an engineer-driven analyst, for a discussion on cloud security tools. In this episode James breaks down CNAPP and what it really means for engineers, if kubernetes secuity is the new baseline for cloud security and runtime security vs vulnerability management. Guest Socials: James's Linkedin Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp If you are interested in AI Cybersecurity, you can check out our sister podcast - AI Cybersecurity Podcast Questions asked: (00:00) Introduction (02:26) A bit about James (03:20) What in Cloud Security in 2025? (04:51) What is CNAPP? (07:01) Differentiating a vulnerability from misconfiguration (11:51) Vulnerability Management in Cloud (15:38) Is Kubernetes becoming the default? (21:50) Is there a good way to do platformization? (24:16) Should CNAPP include Kubernetes? (28:07) What is AI Security in 2025? (35:06) Tool Acronyms for 2025 (37:27) Fun Questions
In this episode, Meg Ashby, a senior cloud security engineer shares how her team tackled AWS's centralized VPC interface endpoints, a design often seen as an anti-pattern. She explains how they turned this unconventional approach into a cost-efficient and scalable solution, all while maintaining granular controls and network visibility. She shares why centralized VPC endpoints are considered an AWS anti-pattern, how to implement granular IAM controls in a centralized model and the challenges of monitoring and detecting VPC endpoint traffic. Guest Socials: Meg's Linkedin Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (02:48) A bit about Meg Ashby (03:44) What is VPC interface endpoints? (05:26) Egress and Ingress for Private Networks (08:21) Reason for using VPC endpoints (14:22) Limitations when using centralised endpoint VPCs (19:01) Marrying VPC endpoint and IAM policy (21:34) VPC endpoint specific conditions (27:52) Is this solution for everyone? (38:16) Does VPC endpoint have logging? (41:24) Improvements for the next phase Thank you to our episode sponsor Wiz. Cloud Security Podcast listeners can also get a free cloud security health scan by going to wiz.io/csp
Guest: Rich Mogull, SVP of Cloud Security at Firemon and CEO at Securosis Topics: Let's talk about cloud security shared responsibility. How to separate the blame? Is there a good framework for apportioning blame? You've introduced the Cloud Shared Irresponsibilities Model, stating cloud providers will be considered partially responsible for breaches even if due to customer misconfigurations. How do you see this impacting the relationship between cloud providers and their customers? Will it lead to more collaboration or more friction? We both know the Jay Heiser 2015 classic “cloud is secure, but you not using it securely.” In your view, what does “use cloud securely” mean for various organizations today? Here is a very painful question: how to decide what cloud security should be free with cloud and what security can be paid? You dealt with cloud security for a long time, what is your #1 lesson so far on how to make the cloud more secure or use the cloud more securely? What is the best way to learn how to cloud? What is this CloudSLAW thing? Resources: EP201 Every CTO Should Be a CSTO (Or Else!) - Transformation Lessons from The Hoff The Cloud Shared Irresponsibilities Model 2002 Trustworthy computing memo Use Cloud Securely? What Does This Even Mean?! EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith? No Snow, No Flakes: Pondering Cloud Security Shared Responsibility, Again! Cloud Security Lab a Week (S.L.A.W) Megatrends drive cloud adoption—and improve security for all Shared fate main page Defining the Journey—the Four Cloud Adoption Patterns Celebrating 200 Episodes of Cloud Security Podcast by Google and Thanks for all the Listens!
This episode is special. We collaborated with the folks behind the Cloud Security Podcast from Google, Anton Chuvakin(LinkedIn)and Tim Peacock, to bring you a joint episode. We had the pleasure to jointly interview Michelle Chubirka, a Cloud Security Developer Advocate. We talked about VM and Container security, debunked some myths about isolation, attack surfaces, immutability of containers, and more. Do you have something cool to share? Some questions? Let us know: - web: kubernetespodcast.com - mail: kubernetespodcast@google.com - twitter: @kubernetespod News of the week Nvidia NIM on GKE Kubernetes Steering Committee Election Results for 2024 The schedule for KubeCon and CloudNativeCon India Diagrid Catalyst Beta Dapr on the Kubernetes Podcast with Salaboy Links from the interview Cloud Security Podcast Anton Chuvakin Tim Peacock Michelle Chubirka Dora report Container Security: It's All About the Supply Chain - Michele Chubirka Software composition analysis (SCA) DevSecOps Decisioning Principles Kubernetes CIS Benchmark Cloud-Native Consumption Principles State of WebAssembly outside the Browser - Abdel Sghiouar Why Perfect Compliance Is the Enemy of Good Kubernetes Security - Michele Chubirka - KubeCon NA 2024 Links from the post-interview chat Cloud Code Skaffold Introduction to Distributed ML Workloads with Ray on Kubernetes - Mofi Rahman & Abdel Sghiouar - KubeCon NA 2024
In this episode of the Cloud Security Podcast, Ashish sat down with Art Poghosyan, CEO and co-founder of Britive, to explore the changing world of identity and access management (IAM) in the cloud era. With over two decades of experience in the identity space, Art breaks down the challenges of traditional Privileged Access Management (PAM) and how cloud-native environments require a rethinking of security strategies. From understanding the complexities of cloud infrastructure entitlements to unpacking the differences between on-premise and cloud-based PAM, Art explains why "Identity is the new perimeter" and how modern organizations must adapt. They dive deep into the importance of Just-in-Time (JIT) access, non-human identities, and the critical role identity plays as the first and last line of defense in cloud security. Guest Socials: Art's Linkedin Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (01:53) A bit about Art (02:51) What is IAM? (04:02) What is Cloud Privilege Access Management? (06:08) Why do we need CloudPAM in 2024? (07:52) Non Human Identities (08:39) Privilege in Cloud vs On Premise (09:49) SAML vs PAM (12:21) Just in Time provisioning in Cloud (17:17) Making Access Management Developer Friendly (19:12) What should security team be looking at ? (21:22) Communicating IAM vulnerabilities (23:45) Tactical steps to level up IAM (27:20) Zero Trust and IAM (30:56) Fun Questions
Why does Cloud Security Research matter in 2024? At fwd:cloudsec EU in Brussels, we sat down with Scott Piper, a renowned cloud security researcher at Wiz, to discuss the growing importance of cloud security research and its real-world impact. Scott spoke to us about the critical differences between traditional security testing and cloud security research, explaining how his team investigates cloud providers to find out vulnerabilities, improve detection tools, and safeguard data. Guest Socials: Scott's Linkedin + Scott's Twitter Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (02:07) A bit about Scott Piper (02:48) What is a Cloud Security Research Team? (04:30) Difference between traditional and Cloud Security Research (07:21) Cloud Pentesting vs Cloud Security Research (08:10) What is request collapsing? (10:26) GitHub Actions and OIDC Research (13:47) How has cloud security evolved? (17:02) Tactical things for Cloud Security Program (18:41) Impact of Kubernetes and AI on Cloud (20:37) How to become a Cloud Security Researcher (22:46) AWS Cloud Security Best Practices (26:35) Trends in AWS Cloud Security Research (28:11) Fun Questions (30:22) A bit about fwd:cloudsec Resources mentioned during the interview: Wiz.io - Cloud Security Podcast listeners can also get a free cloud security health scan PEACH framework Wiz Research Blog Avoiding security incidents due to request collapsing A security community success story of mitigating a misconfiguration Cloudmapper flaws.cloud fwd:cloudsec CTFs The Big IAM Challenge Prompt Airlines , AI Security Challenge Kubernetes LAN Party
In this episode of the Cloud Security Podcast, we bring together an incredible panel of experts to explore the evolving landscape of cloud security in 2024. Hosted by Ashish Rajan, the discussion dives deep into the challenges and realities of today's multi-cloud environments. With perspectives ranging from seasoned veterans to emerging voices this episode offers a broad spectrum of insights from cloud security practitioners who are living and breathing cloud security everyday. We are very grateful to our panelist who took part in 1st of its kind edition for the State of Cloud Security - Meg Ashby, Damien Burks, Chris Farris, Rich Mogull, Patrick Sanders, Ammar Alim and Abdie Mohamed. The conversation covers essential topics such as the pitfalls of multi-cloud adoption, the persistent security issues that remain even as cloud technologies advance, and the importance of specializing in one cloud platform while maintaining surface-level knowledge of others. The panelists also share their thoughts on the future of cloud security, including the increasing relevance of Kubernetes and edge security. Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (02:22) How much has Cloud Security Changed? (07:05) Is the expectation to be MultiCloud? (19:07) What's top of mind in Cloud Security in 2024? (27:17) The current Cloud Service Provider Landscape (39:26) Where to start in Cloud Security ? (52:10) The Fun Section Resources discussed during the episode: fwd:cloudsec conference Cloud Security Bootcamp DevSecBlueprint YouTube Channel - Damien Burks Rich Mogull's Cloud Security Lab of the Week
Guests Ashish and Shilpi from the Cloud Security Podcast converse with Ned and Kyler on how humor and relatability can foster an engaging and collaborative environment in DevOps. The conversation also covers the importance of foundational knowledge in technology, the impact of AI on careers, and the value of just being human and learning from... Read more »
Guests Ashish and Shilpi from the Cloud Security Podcast converse with Ned and Kyler on how humor and relatability can foster an engaging and collaborative environment in DevOps. The conversation also covers the importance of foundational knowledge in technology, the impact of AI on careers, and the value of just being human and learning from... Read more »
Guests Ashish and Shilpi from the Cloud Security Podcast converse with Ned and Kyler on how humor and relatability can foster an engaging and collaborative environment in DevOps. The conversation also covers the importance of foundational knowledge in technology, the impact of AI on careers, and the value of just being human and learning from... Read more »
Dive into the world of AI and Kubernetes with Shopify's Shane Lawrence in this episode of the Cloud Security Podcast. Shane, shares his experience in the security team at Shopify and working on the intersection of AI, Large Language Models (LLMs), and Kubernetes security. Shopify is looking to pioneer the use of AI to streamline developer operations, enhance productivity, and bolster security measures in multi-tenant Kubernetes environments. This episode will be valuable for you if you work in Kubernetes, Security and looking for how AI can build efficiency in your team. Guest Socials: Shane's Linkedin (Shane's Linkedin) Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction to AI and Kubernetes (01:32) Shane Lawrence and Shopify's AI Journey (02:21) AI and Developer Efficiency in Kubernetes (04:39) AI-Driven Automation for Security (06:34) Challenges of AI in Kubernetes Environment (11:22) Case Studies for AI in Kubernetes (13:43) The Future of Kubernetes and AI (15:59) Learning and Experimenting with AI in Kubernetes (17:49) Closing Thoughts and Fun Q&A
Cloud Security Podcast just got back from AWS re:invent 2023, there was a lot of chat around, you guessed it - GenAI but along with that there were plenty of security updates and announcement. Shilpi and Ashish broke them all down for you and what it all actually means for all security practitioners. Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (04:49) GenAI at AWS re:Invent (06:01) No new security service announced (06:48) Updates from CEO and CTO Keynotes (11:29) What is Amazon Inspector? (12:10) Amazon Inspector Security Updates (15:09) What is AWS Security Hub? (15:52) AWS Security Hub Security Updates (18:52) What is Amazon GuardDuty? (20:10) Amazon GuardDuty Security Updates (22:49) What is Amazon Detective? (23:45) Amazon Detective Security Updates (26:22) What is IAM Access Analyser? (28:06) IAM Access Analyser Security Updates (30:33) What is AWS Config? (31:25) AWS Config Security Updates (32:35) Other Security Updates (33:46) 3 Layers of AI (35:21) What is Amazon CodeWhisperer? (36:36) Amazon Application Composer (37:34) Guardrails for Bedrock (38:13) Amazon Q (41:17) Zero Trust (41:45) Ransomware (44:29) Security Talks (45:54) Input filtering and validation for WAF (50:31) Enterprise IAM and data perimeter (53:00) Conclusion and find out more! You can check out the Top announcements of AWS re:Invent 2023 + AWS re:Invent 2023 - Security Compliance & Identity
Host: Stephanie Wong, Product Manager, Google Cloud Guests (yes, really, we are the guests!): Anton Chuvakin Tim Peacock Topics: Could you tell us how you ended up in security? What was the moment you realized that Cloud security was different from well, regular, security? Anton is always asking this “3AM test”, where did that come from? How do you source topics for the podcast? What advice would you give to folks who are interested in getting into security? … and other fun questions! Resources: Video (LinkedIn, YouTube) Cloud Security Podcast by Google / Twitter / LinkedIn
Cloud Security Pentest is not just a Cloud configuration review ! Blackhat 2023 & Defcon 31 conversations included Cloud Security Podcast asking traditional and experienced pentesters about their opinion on cloud security pentesting and the divide was between it being a config review or a product pentest. For this episode we have Seth Art from Bishop Fox to clarify the myth. Episode YouTube: Video Link Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Seth Art's Linkedin (Seth Art Linkedin) Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Newsletter - Cloud Security BootCamp Spotify TimeStamp for Interview Question (00:00) Introduction (05:17) A bit about Seth Art (06:44) Network vs Infrastructure Security Pentest (08:00) Internal vs External Network Security Pentest (10:26) Assumed vs Objective Based Pentest (12:51) Is network pentest dead? (14:04) How to approach network and cloud pentests? (20:12) Cloud pentest is more than config review (24:04) Examples of cloud pentest findings (30:07) Scaling pentests in cloud (32:25) Traditional skillsets to cloud pentest (36:58) A bit about cloudfoxable (39:31) Cloud pentest and Zero Trust (40:54) Staying ahead of CSP releases (44:31) Third party shared responsibility (47:35) 1 fun question (48:36) Boundary for cloud pentest (52:21) Last 2 fun questions These are some of the resources that Seth shared during the episode along with the tools he has created CloudFox CloudFoxable flAWS flAWS 2 iamvulnerable Cloud Goat See you at the next episode!
Cloud Security Podcast - What is DevSecOps in 2023 especially in a world of Cloud and AI which is top of mind for both application security, developers, cybersecurity professionals. In this episode we will share how the updated definition of DevSecOps in 2023 has been redefined with Cloud and AI, also how does one measure success for DevSecOps. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Episode (00:00) Intro (02:01) Did Cloud enable DevSecOps (03:43) Speed of Security in DevSecOps built on Cloud (05:05) What is DevSecOps explained for 2023 (05:51) DevSecOps RoadMap (08:25) DevSecOps Program Components in 2023 (10:55) Chatgpt Joke on Developers and DevSecOps (11:43) How do you measure DevSecOps success? (12:21) Generative AI impact on DevSecOps (14:02) Thank you for watching & Subscribing See you at the next episode!
Send us a Text Message.Cloud security is a big topic, and there's a lot of advice out there. In this episode of The Cyberman Show Ashish Rajan from the Cloud Security Podcast joins me to discuss getting started with cloud security. We spoke about #cloud, #cloudsecurity and #appsec basics, cloud sec learning path for kids getting out of school/college, trends in cloud sec, Impact of AI, books we reading, a new restaurant he tried and more.If you're interested in learning more about Cloud Security, then be sure to listen to this episode! It's a great way to start your journey into the world of cloud security.Here is the link to Cloud Security Podcast https://www.youtube.com/@CloudSecurityPodcasthttps://open.spotify.com/show/6LZgeh4GecRYPc0WrwMB4ISupport the Show.Google Drive link for Podcast content:https://drive.google.com/drive/folders/10vmcQ-oqqFDPojywrfYousPcqhvisnkoMy Profile on LinkedIn: https://www.linkedin.com/in/prashantmishra11/Youtube Channnel : https://www.youtube.com/@TheCybermanShow Twitter handle https://twitter.com/prashant_cyber PS: The views are my own and dont reflect any views from my employer.
Cloud Security Podcast - we are continuing with our "Kubernetes Security & KubeCon EU 2023" and for the final episode in this series Kubernetes Security Panel from KubeCon EU 2023. Kubernetes Security has evolved since it's inception with many defaults being more secure and some still insecure or has it not evolved at all. Andrew Martin (Control Plane), Matt Jarvis (Snyk), Kerim Satirli (Hashicorp) were on the Kubernetes Security Panel organized by Cloud Security Podcast. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Andrew Martin (Control Plane), Matt Jarvis (Snyk), Kerim Satirli (Hashicorp) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (04:28) A bit about Kerim, Andy and Matt (05:13) What is Kubernetes? (06:49) How do you describe Cloud Native Security? (10:21) How Kubecon and Kubernetes has changed over the years? (15:56) The growing presence of security in Kubecon (22:10) Cloud Security and Cloud Native Security (23:00) Maintenance of Kubernetes (24:17) Shared Responsibility Model (27:37) Single Cluster vs Multi Cluster (34:34) Failure of Workload Identity (36:11) Recommendations for learning (42:06) Disaster Recovery for Kubernetes (47:51) ChatGPT - Problem, Solution or Fad? See you at the next episode!
Cloud Security Podcast - we are continuing with our "Kubernetes Security & KubeCon EU 2023" and for the fiveth episode in this series Eve Ben Ezra from The New York Times. GitOps, OPA Conftest, ArgoCD are some of the components to add security to a Cloud Native Security Pipeline! - Eve Ben Ezra from The New York Times shared how we can use these tools to create a Dev Friendly Security Pipeline. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Eve Ben Ezra (Eve Ben Ezra's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (03:10) A bit about Eve (04:05) Eve's 2nd Kubecon (04:43) About Eve's talk at Kubecon (05:29) What is GitOps? (06:28) What is Argo CD? (07:19) What is OPA? (07:34) Why NYTimes has a development platform? (09:14) Challenges with implementing a shared infrastructure (11:17) Feedback is one of the challenges (12:19) Using OPA gatekeeper (13:30) When should developers get feedback in GitOps operational framework? (14:52) What does local feedback to developers look like? (15:54) What is Conftest? (16:24) How do people get started with OPA? (18:32) Making security more accessible for developers (23:02) Managed or self hosted Kubernetes deployment (24:09) How to get started with this? (25:08) Starting with OPA vs Starting with CICD (25:35) Where can you start learning about Kubernetes? (28:10) The difference between CI and CD See you at the next episode!
Cloud Security Podcast - we are continuing with our "Kubernetes Security & KubeCon EU 2023" and for the fourth episode in this series Mackenzie Jackson from GitGuardian. Mackenzie Jackson from GitGuardian was part of a report that found 10 Million secrets stored across the entire Github space on the internet. In this interview we go into how secrets have evolved from just being username/password to API Tokens, AWS Access Keys and whole lot more. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Shane Lawrence (Shane's Linkedin) and Daniele Santos (Dani's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (03:42) A bit about Mackenzie Jackson (04:16) What are secrets? (05:28) How are we dealing with secrets? (07:35) Mackezie talks about GitGuardian's Secret Sprawl Report (11:43) Managing history in Github (12:37) Mackenzie talks about ggcanary (14:09) Common types of secrets found in scans (15:42) Responsibility of Github and CSP providers (17:12) Are people ready to respond to honey token alarms? (20:33) Breaches causes by leaked secrets (23:34) Fun facts found in Secrets Sprawl Report (24:25) Secret sprawl is going to happen (25:09) Where do people start? (26:06) Implementing Git Hook as a security measure (28:08) How to get people to care about secrets (30:06) Where can people learn about secrets protection? (31:25) Where you can reach Mackenzie for more questions on secrets? See you at the next episode!
Cloud Security Podcast - we are continuing with our "Kubernetes Security & KubeCon EU 2023" and for the fourth episode in this series Shane Lawrence and Daniele Santos from Shopify explained how kube-audit an open source tool from Shopify. They spoke about how they have used the audit tool to improve security with a developer security lens. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Shane Lawrence (Shane's Linkedin) and Daniele Santos (Dani's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (02:52) A bit about Shane (03:45) A bit about Dani (04:23) Which kubecons have Shane and Dani attended? (05:03) A bit about Dani and Shane's talk at Kubecon EU (06:42) Misconfigurations in Kubernetes (09:48) Dani talks about the Kubernetes Security Report (10:13) Use case for Kubernetes Misconfiguration (11:45) What is Azure Escape? (12:51) What is container escape? (15:26) What is kubeaudit? (15:49) Contributing to kubeaudit (16:40) The maturity of kubeaudit (19:04) How would kubeaudit help with an azure escape? (19:41) The developer experience (21:34) How shopify uses kubeaudit (24:59) Getting started with kubeaudit (25:53) Challenges with implementing kubeaudit (27:19) Maturity of kubernetes security and kubecon (30:02) Learning about kubernetes (34:07) Areas of security not being spoken about enough (36:16) Open Source and Software supply chain risks See you at the next episode!
On this episode of the Cybersecurity Defenders podcast we have a conversation around the history of security tooling with Dr. Anton Chuvakin, Security Advisor at Office of the CISO, Google Cloud.Dr. Anton Chuvakin is currently involved with security solution strategy at Google Cloud, where he arrived via Chronicle Security (an Alphabet company) acquisition in July 2019. He is also a co-host of Cloud Security Podcast http://www.twitter.com/CloudSecPodcastUntil June 2019, Dr. Anton Chuvakin was a Research VP and Distinguished Analyst at Gartner for Technical Professionals (GTP) Security and Risk Management Strategies (SRMS) team. At Gartner he covered a broad range of security operations and detection and response topics, and is credited with inventing the term "EDR." He is a recognized security expert in the field of SIEM, log management and PCI DSS compliance. He is an author of books "Security Warrior", "PCI Compliance", "Logging and Log Management" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS, honeypots, etc. His blog securitywarrior.org was one of the most popular in the industry. In addition, Anton taught classes (including his own SANS SEC434 class on log management) and presented at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He worked on emerging security standards and served on the advisory boards of several security start-ups.Before joining Gartner in 2011, Anton was running his own security consulting practice www.securitywarriorconsulting.com, focusing on SIEM, logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Anton earned his Ph.D. degree from Stony Brook University.The Cybersecurity Defenders Podcast: a show about cybersecurity and the people that defend the internet.
Guest: Connie Fan, Senior Product and Business Strategy Lead, Google Cloud Topics: We were at RSA 2023, what did we see that was notable and surprising? Cloud security showed up with three startups with big booths, and one big player with a small demo station. What have we learned here? What visitors might have seen at the Google Cloud booth that we're really excited about? Could you share why we chose these two AI cases - generation of code and summarization of complex content - out of all the possibilities and the sometimes zany things we saw elsewhere on the floor? Could you share a story or two that highlights how we came to this AI launch and what it looked like under the surface? Resources: “RSA 2023 - How to Protect Your Organization from Cyberattacks in Time of Political Turmoil” (ep118) “RSA 2022 Reflections - Securing the Past vs Securing the Future” (ep70) “How We Attack AI? Learn More at Our RSA Panel!” (ep68) “Security Operations, Reliability, and Securing Google with Heather Adkins” (ep20)
Cloud Security Podcast - This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the third episode in this series, we spoke to Liz Rice ( Liz's Linkedin). Liz Rice from Isovalent speaks about how Network Security can be done in Kubernetes. Kubernetes network security with eBPF, Cilium can be raised to be better than selinux seccomp tcpdump - yes the linux networking security tools. Yes you read that right. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Andrew Martin (Andrew's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (00:15) A word from our sponsor snyk.io/csp (03:36) A bit about Liz Rice (04:36) Liz's path into Cloud Native (06:22) What is EBPF? (08:12) Use case for EBPF in on premise (10:37) SC Linux and EBPF (11:28) Why we are solving this now with Kubernetes? (13:22) EBPF in managed vs unmanaged Kubernetes? (15:37) Implementation of EBPF (17:38) Access Management and Network Security (21:02) Challenges with multi cluster Kubernetes deployment (24:03) Key management in multi cluster (25:11) Current gaps in Kubernetes security (27:41) Developer first in the cloud native space (32:47) The future of EBPF (34:36) Where can you learn more about EBPF (36:25) The fun questions See you at the next episode!
Cloud Security Podcast - This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the second episode in this series, we spoke to Andrew Martin (Andrew's Linkedin). Kubernetes Security Best practices built using the OWASP Top 10 for Kubernetes is not enough to deal with new and unknown attack vectors for your Kubernetes deployment. In this episode we have Andrew Martin on how you can deal with Kubernetes attack vectors including supply chain issues. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Andrew Martin (Andrew's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (00:15) A word from our sponsors - head over to snyk.io/csp to find out more (02:50) A bit about Andrew Martin (03:33) What is cloud native security? (06:31) What is Kubernetes Security? (10:23) Kubernetes Security vs Cloud Native Security (11:52) Why is Kubernetes so popular? (16:20) What are the components of Kubernetes security? (21:43) Container security in Kubernetes landscape (26:34) Common attack vectors for Kubernetes (32:16) Impact of cloud in attack vectors (35:38) Managed Kubernetes (38:13) Rationale for using multi cluster (41:11) Should everyone use Kubernetes? (44:18) Is Serverless still relevant ? (47:38) Where can people learn about Kubernetes security? (53:01) The fun questions See you at the next episode!
Cloud Security Podcast - This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the first episode in this series, we spoke to Kirsten Newcomer (Kirsten's Linkedin). Kirsten Newcomer from Red Hat has been championing Kubernetes security and the role DevSecOps will play in helping improve security for Kubernetes implementations. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Kirsten Newcomer (Kirsten's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (02:42) Word from our sponsors about Snyk Launch - find out more at snyk.io/events/snyklaunch (03:08) A bit about Kristen Newcomer (04:13) How has Kubernetes security evolved ? (06:57) Is Kubernetes still popular? (07:45) Why is Kubernetes still popular? (0:58) Challenges with security Kubernetes (15:35) How to work effectively with Kubernetes (18:50) Adoption of IaC for security (24:30) Maturity of Kubernetes Security (29:24) Challenges with auditing Kubernetes (31:55) How to approach Kubernetes security? (35:08) Zero Trust and Kubernetes (39:01) Is SBOM bringing more attention to Kubernetes? (42:51) Where do people start with Kubernetes? (45:41) Managed vs unmanaged Kubernetes? (47:05) How you can reach out to Kristen! See you at the next episode!
Cloud Security Podcast - This month we are talking about "Cloud Security - the Leadership View" and for the final episode in this series, we spoke to Guy Podjarny ( GuyPo's Linkedin). If you are working on building or securing Cloud resources, can you truly imagine solving the next log4j or AWS/Azure/GCP vulnerability without including the help of Platform Engineers or IT engineers? This is the bigger picture of what we CyberSecurity people have to do day in day out. We work with wider team members Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Guy Podjarny ( GuyPo's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions A word from our sponsors - you can visit them on snyk.io/csp (00:00) Introduction (03:49) A bit about Guy Podjarny (04:51) What is DevSecOps today? (07:15) 3 Phases of DevSecOps (07:44) DevSecOps vs ShiftLeft (09:15) The maturity of DevSecOps (11:52) The notion of start left (13:36) Threat modelling and developers (14:38) What is Cloud Security? (16:03) The notion of App Cloud (17:43) Gartner acronyms and cloud security (22:21) Security champion program in cloud (28:33) Future of IaaS, PaaS and SaaS (32:22) Challenges with Security Championship Program (42:19) Generative AI and DevSecOps in Cloud (47:45) Fun Questions See you at the next episode!
Cloud Security Podcast - This month we are talking about "Cloud Security - the Leadership View" and this week in this series, we spoke to Larry Whiteside Jr ( Larry's Linkedin ) If you are working on building a CyberSecurity Program in 2023 with Cloud in mind then this episode with Larry who shared his approach to building a CyberSecurity program along with war stories of implementing CyberSecurity in an on-premise world is the episode you need to hear. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Larry Whiteside Jr ( Larry's Linkedin ) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (02:50) A word from our sponsors - you can visit them on snyk.io/csp (04:05) Larry talks about his 1st CISO role (06:01) Cybersecurity Programs in a Pre Cloud World (09:07) What were the challenges for CISOs in the past? (11:05) Cybersecurity Program in 2023 (14:01) There was no NIST CFA (14:59) Why frameworks are important (16:59) What is a cybersecurity program? (21:32) Components of cybersecurity program (23:02) Has cloud changed things? (30:01) The value of certifications (33:14) GRC Automation and Shift Left (42:53) The auditor's perspective (44:50) Does GRC need to know coding? (49:07) Cloud Security Program Playbook (52:52) The Fun Section See you at the next episode!
Cloud Security Podcast - This month we are talking about "Cloud Security - the Leadership View" and first up on this series, we spoke to Bianca Lankford (Bianca's Linkedin) about what does it take to build a Cloud Security program that runs behind your favourite TV Show on an OTT Media Platform like Warner Brother Discovery Cloud . In this episode Bianca Lankford, from Warner Brother Discovery, share her experience on building Cloud Security Program and the importance of developers in the solving the Cloud Security challenge. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Bianca Lankford (Bianca's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (03:06) snyk.io/csp (03:45) A bit about Bianca (04:27) Challenge of Scale in Media Industry (06:38) Cloud based security program vs on prem (08:04) How cloud security can enable businesses (11:11) Cloud Security Program in Media Industry (13:45) Getting leadership buy in for cloud security program (17:05) Explaining cloud security as a business risk (18:33) Pillars of cloud security program at scale (20:12) Multi Cloud Security Program (20:52) Skills required for multi cloud security team (22:25) The future of application security and cloud security (24:01) Metrics of operationalising cloud security program at scale (25:32) Time to detection in Cloud (26:32) Navigating cloud security program through changing compute (28:09) Security guardrails vs security gate (30:53) Stages for a cloud security program (32:35) The Fun Section See you at the next episode!
Cloud Security Podcast - This month we are talking about "Building on the AWS Cloud" and next up on this series, we spoke to Chad Lorenc (Chad's Linkedin) about AWS Security Reference Architecture, Cloud Adoption Framework & Security Maturity Model are 3 ways to level up the maturity you have in Cloud . In this episode Chad Lorenc, from AWS shared lessons and talk about How AWS Customers can prepare to use 3 models to Crawl, Walk & Run their security practice. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Chad Lorenc (Chad's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (03:35) A word from our sponsors - check them out at snyk.io/csp (03:51) A bit about Chad (05:38) How things are different in the Cloud (07:59) The Maturity framework of AWS (11:20) How maturity scales in AWS (13:17) Anti-Patterns when building maturity in Cloud (15:35) Framework examples on how to build maturity models (19:27) Mapping maturity models to business objectives (20:19) The role of cloud native tools (26:23) Patterns in AWS to watch out for (28:38) Challenges for security leaders trying to get into cloud (35:07) Foundational pieces for building maturity in AWS (37:50) How to implement AWS Control tower? (43:09) Give developers more freedom in cloud (47:34) Benchmark scales for security maturity (51:27) Resources to help you build your own maturity roadmap See you at the next episode!
Cloud Security Podcast - This month we are talking about "Building on the AWS Cloud" and next up on this series, we spoke to Patrick Sanders (Patrick's Linkedin) & Jospeh Kjar (Joseph's Linkedin), Snr Cloud Security Engineer at Netflix on what does it take to reimagine multi-account deployments gave them both security and speed. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Patrick Sanders (Patrick's Linkedin) & Jospeh Kjar (Joseph's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (03:06) snyk.io/csp (03:41) A bit about how Patrick and Joseph got into the Cloud Space (06:00) Building blocks of scalable AWS infrastructure (09:14) Should there be a seperate account for forensics (12:44) Diff AWS Org for dev and prod? (13:45) How to ensure dedicated IR account is secure? (15:10) 1st step to building a new startup in AWS (17:39) Should non prod and prod accounts be seperate? (21:29) How do you ensure visibility into your AWS organisation? (25:04) Integrate FIM into AWS (26:29) Layers for a multi account strategy (28:23) Challenges from going from one account to multi account (34:03) Bringing identity to the application (38:25) The importance of IMDS (42:07) The security benefit of using IMDS (45:34) Managed identity in AWS (46:40) Why developer experience is important? (49:49) What do cloud security engineers do ? (53:05) Where you can find Joseph and Patrick? See you at the next episode!
Cloud Security Podcast - This month we are talking about "Building on the AWS Cloud" and next up on this series, we spoke to Alexis Robinson (Alexis's Linkeidn), Senior Manager, Regulatory Compliance at AWS. FEDRAMP AWS environment can be made easy with the right security assessment framework for your organization. Alexis shared lessons and talk about How AWS Customers can prepare to increase their chances of getting FedRamp certified. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Alexis Robinson (Alexis's Linkeidn) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (05:35) A bit about Alexis (08:20) What is FedRAMP and why people care about it? (11:05) Scope of companies included in FedRAMP? (13:12) Zero Trust Architecture and FedRAMP (14:07) The concept of Controlled Inheritance (15:43) Working with Authorising Officials (16:44) Working with Security Control Officers (17:46) AO Checklist to full compliance (20:42) Conflicts in FedRAMP (25:59) Common pitfalls to avoid on FedRAMP Journey (31:38) The anti-patterns in getting FedRAMP Compliant (35:34) FedRAMP is not just GovCloud (38:12) Requirements with FedRAMP (39:48) Where do people fall short with FedRAMP? (41:26) How to make FedRAMP more developer friendly? (44:17) How is FedRAMP different for Govcloud? (47:21) What skillsets do you require in a team for FedRAMP? (49:07) How to learn about FedRAMP (53:09) Fun Questions See you at the next episode!
Cloud Security Podcast - This month we are talking about "Building on the AWS Cloud" and next up on this series, we spoke to Mrunal Shah (Mrunal's Linkedin), Head of Container Security at Warner Bros. Discovery. We talk about how to build a Container or K8s security program while best practices are maintained and team have the right capability and tools. 4 Cs - Cloud, Container & Cluster, Code can be foundational to this Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Mrunal Shah (Mrunal's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Intro (02:01) https://snyk.io/csp (02:30) Mrunal's Professional Background (03:04) Why containers are popular (technical reasons) (04:05) Why containers are popular (leadership reasons) (05:39) Challenges with running a Container Security Program (Leadership) (06:34) Team skill challenge in a Container Security Program (08:57) When to pick AWS ECS vs AWS EKS? (10:53) ECS or EKS for building Banking Applications? (13:12) Would Kubernetes/ Containers be preferred for security reasons? (15:04) What would Amazon's responsibility be for security with ECS/EKS? (16:13) What is bad about working with Containers in AWS? (19:40) Is there a need for anti-virus in a container world? (20:36) Balance of security when working with containers? (22:08) Threat Detection and Prevention in a Container Security Program (22:57) Using AWS Services for Threat Detection with Containers? (25:14) Runtime Threat Discovery vs Agentless Threat Discovery for containers in Cloud? (29:11) Prevention on the left vs Detection on the right of SDLC (29:22) Cluster Misconfig vs Service Misconfigurations? (30:19) Vulnerability Management vs Misconfiguration Management? (31:50) Inspector in a Container Security Program? (32:36) Detective in a Container Security Program? (35:36) Can AWS Services help when Non-AWS services are in use? See you at the next episode!
Cloud Security Podcast - This month we are talking about "Breaking the AWS Cloud" and next up on this series, we spoke to Seth Art (Seth's Linkedin) Cloud Penetration Testing Lead (Principal) at Bishop Fox. AWS cloud project to pentest AWS cloud architecture are not spoken about much - this stops today. We have Seth who works in the Cloud Penetration testing space to talk about open source tools and what Cloud pentesting is all about. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Seth Art (Seth's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Introduction (04:24) A bit about Seth (06:10) Web App Pentesting vs Cloud Pentesting (08:11) Working with scale of multiple AWS accounts (10:20) What can you expect to find with Cloud Pentesting? (12:14) Foundational pieces about approaching pentesting in Cloud (15:19) How to start a Cloud Pentest? (18:25) The importance of IAM (23:43) Common services in AWS to look at (25:58) Mistakes people make for scoping (29:18) The role of shared responsibility in Cloud Pentesting (32:38) Boundaries for AWS pentesting (35:13) Nmap between 2 EC2 instances (36:37) How do you explain the findings? (40:26) Skillsets required to transition to Cloud Pentesting (45:41) Transitioning from Kubernetes to Cloud Pentesting (48:55) Resources for learning about Cloud Pentesting. (49:47) The Fun Section See you at the next episode!
Cloud Security Podcast - This month we are talking about "Breaking the AWS Cloud" and next up on this series, we spoke to Nishant Sharma (Nishant's Linkedin), Director, Lab Platform, INE. If you have tried pentesting in AWS Cloud or want to start today with AWS Goat, then this episode with Nishant, behind AWS Goat will help you understand how you can upskill and maybe even show others how to be better at pentesting AWS Cloud. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Nishant Sharma (Nishant's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Introduction (03:51) snyk.io/csp (04:51) What is Cloud Pentesting? (06:19) Cloud pentesting vs Web App & Network (08:37) What is AWS Goat? (13:12) Do you need permission from AWS to do pentesting? (14:03) Pentesting an application vs pentesting AWS S3 (15:40) What is AWS Goat testing? (18:14) Cloud penetration testing tools (19:59) How useful is a metadata of a cloud instance? (22:24) AWS Pentesting and OWASP Top 10 (25:31) How to build internal training for Cloud Security? (29:43) Keep building knowledge on AWS Goat (30:33) Using CloudShell for AWS pentesting (34:09) ChatGPT for cloud pentesting (36:28) Vulnerable serverless application (39:40) Pentesting Amazon ECS (43:01) How do you protect against ECS misconfigurations? (47:38) What is the future plan for AWS Goat? (50:28) Fun Questions See you at the next episode!
Cloud Security Podcast - This month we are talking about "Breaking the AWS Cloud" and next up on this series, we spoke to Gafnit Amiga (Gafnit's Linkedin), VP of Security Research at Lightspin who recently discovered the AWS Elastic Container Registry Public (ECR Public) vulnerability. She spoke to us about how she goes about doing cloud security research and what AWS ECS and ECR is. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Gafnit Amiga (Gafnit's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Introduction (02:28) snyk.io/csp (02:57) A bit about Gafnit (05:15) What is AWS ECS and ECR? (08:18) Why do people use ECS and ECR? (09:58) The ECR vulnerability Gafnit discovered (15:16) Vulnerability scanning for containers in AWS ECR (16:42) How do you find undocumented APIs in AWS? (17:58) Attack techniques in AWS (22:43) How to protect your AWS accounts? (25:14) Focus areas for Cloud Security Research in 2023 (25:48) Finding vulnerability through research (29:00) Resources for Cloud Security Research (31:04) The Fun Section See you at the next episode!
Cloud Security Podcast - If Hacking the Cloud is on your mind for 2023 then in this "Breaking the AWS Cloud" month we are kicking things with Nick Frichette (Nick's Linkedin), a Senior Security Researcher from DataDog who is also maintains the site Hacking the Cloud linking offensive security research for AWS, Azure, GCP. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Nick Frichette (Nick's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Introduction (02:38) snyk.io/csp (03:26) A bit about Nick (04:15) How is Security research different? (05:55) How to approach cloud security research? (07:24) How to pick the service you want to research? (08:51) What is AWS AppSync? (09:30) What is Confused Deputy Vulnerability? (10:16) The AppSync Vulnerability (12:09) Cross Account in AWS (13:41) Blue Teaming Controls when doing research (14:22) Framework for detective controls (16:01) What to do if you find an AWS vulnerability? (17:20) Legal constraints of security research (20:13) Where to get started in Cloud Security Research? (22:45) Are some misconfigurations becoming less common? (24:59) What is IMDSv2 and how is it different to IMDSv1? (27:00) Why is SSRF bad? (28:52) Cloud Pentesting Platforms (29:57) The story being hacking the cloud (31:25) Who should think about breaking the cloud? (34:02) Cloud Security Research Tools (36:38) How to access AWS environment for research? (39:12) Security Lab Resources (40:04) The Fun Questions See you at the next episode!
In this episode of the Virtual Coffee with Ashish edition, we spoke with Shilpi Bhattacharjee (Cloud Security Podcast, Producer). We spoke about Announcements from AWS Reinvent for - new security products announced, updates to existing security products, security addition to existing products and products to lookout for. --Announcing Cloud Security Villains Project-- We are always looking to find creative ways to educate folks in Cloud Security and the Cloud Security Villains is part of this education pieces. Cloud Security Villains are coming, you can learn how to defeat them in this YouTube Playlist link Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Justin Garrison (Personal Website) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions
In this episode of the Virtual Coffee with Ashish edition, we spoke with Justin Garrison (Personal Website) from AWS to talk about what scenarios make sense to choose AWS EKS vs AWS ECS vs AWS Fargate vs bare metal Kubernetes & everything you need to understand for implementing AWS EKS in your environment. --Announcing Cloud Security Villains Project-- We are always looking to find creative ways to educate folks in Cloud Security and the Cloud Security Villains is part of this education pieces. Cloud Security Villains are coming, you can learn how to defeat them in this YouTube Playlist link Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Justin Garrison (Personal Website) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00 introduction (02:31 snyk.io/csp (03:10 Justin's path into Tech (08:14) What is AWS EKS? (10:32) EKS vs ECS vs Fargate (14:52) Why pick EKS vs ECS vs Fargate? (23:05) Security Kubernetes API vs on-prem deployment? (34:26) What's involved in deploying EKS? (38:50) EKS clusters when scaling Kubernetes (42:52) How clusters are structured? (47:02) Cluster availability when upgrading (49:00) Why people struggle with EKS? (51:31) How can people learn more about EKS? (52:57) The Fun Section
Brandon Evans and fellow cloud security podcaster Ashish Rajan, host of the Cloud Security Podcast and Principal Cloud Security Advocate for Snyk, chat about developer-first security, multicloud abstraction layers, cybersecurity conferences, and the 5 Cs of cloud security products (CASB, CIEM, CNAPP, CSPM, and CWPP).Our Guest - Ashish RajanAshish Rajan is the host of the wildly popular Cloud Security Podcast, a CISO, CyberSecurity Influencer, a SANS Trainer for Cloud Security and an outspoken opinion leader on all things Cloud Security & DevSecOps. He is a frequent contributor on topics related to public cloud transformation, DevSecOps, Future Tech and the associated security challenges for practitioners and CISOs.Follow AshishTwitterLinkedInWebSponsor's Note:Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs.Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security.Review and Download Cloud Security Resources: sans.org/cloud-security/Join our growing and diverse community of cloud security professionals on your platform of choice:Discord | Twitter | LinkedIn | YouTubeSPONSER NOTE: Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs. Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security. Review and Download Cloud Security Resources: sans.org/cloud-security/ Join our growing and diverse community of cloud security professionals on your platform of choice: Discord | Twitter | LinkedIn | YouTube
In this episode of the Virtual Coffee with Ashish edition, we spoke with Ashish Desai (Ashish Desai's Linkedin) about how much of the on-premise can work in Cloud, what the online world is saying versus the reality of what businesses are experiencing. --Announcing Cloud Security Villains Project-- We are always looking to find creative ways to educate folks in Cloud Security and the Cloud Security Villains is part of this education pieces. Cloud Security Villains are coming, you can learn how to defeat them in this YouTube Playlist link Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Ashish Desai (@ashishlogmaster) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Intro (05:50) Ashish Desai's Professional Background (06:21) Academic Freedom and no firewall (07:12) What are the roles and responsibilities of an AWS cloud security architect? (09:27) Difference between managing permissions between onpremise vs Cloud service provider (13:02) Running Windows 2003 on AWS EC2 Bare Metal (13:28) Running Old Virtual Servers on AWS (14:13) Cloud is secure by default (14:54) CI/CD with Github and Terraform is not common (15:28) Do people use CI/CD? (15:37) Traditional on-premise staff is your new cloud engineer (16:50) Business are not fully advanced (17:47) Failed Kubernetes Deployment in production example (18:45) Managed and Bare Metal Kubernetes can only maintain 1 replica (19:10) What is 1 replica in Kubernetes? (20:36) Problem with stateful app running on Kubernetes (21:35) Change Management in Cloud (21:57) Deployment phases in Cloud (22:34) Why was ServiceNow required? (24:39) Why ServiceNow couldn't keep up? (26:33) Native Solutions bypass Change Management (28:43) Role of Security Architect in a New Cloud World (29:53) DevExperience is holding Cloud Adoption success (32:08) CyberProfessionals to know atleast 1 language to be succesful (32:27) Do Architect need to know how to code in Enterprise context? (33:24) Knowing Code to understand the lay of the land (35:22) Has the Architecture Frameworks changed in the Cloud world? (37:15) What other skillsets outside of coding is required to be successful in Cloud (39:54) Should we care about being Cloud agnostic? (40:41) Architecture for Operational side of Cloud Security? (43:51) Practical things for advancing Cloud skills? (48:36) Can anyone come out of uni and become a Cloud Security Architect (50:32) Resources for education on Cloud security architects (51:36) Fun Section
About AshishAshish has over 13+yrs experience in the Cybersecurity industry with the last 7 focusing primarily helping Enterprise with managing security risk at scale in cloud first world and was the CISO of a global Cloud First Tech company in his last role. Ashish is also a keynote speaker and host of the widely poplar Cloud Security Podcast, a SANS trainer for Cloud Security & DevSecOps. Ashish currently works at Snyk as a Principal Cloud Security Advocate. He is a frequent contributor on topics related to public cloud transformation, Cloud Security, DevSecOps, Security Leadership, future Tech and the associated security challenges for practitioners and CISOs.Links Referenced: Cloud Security Podcast: https://cloudsecuritypodcast.tv/ Personal website: https://www.ashishrajan.com/ LinkedIn: https://www.linkedin.com/in/ashishrajan/ Twitter: https://twitter.com/hashishrajan Cloud Security Podcast YouTube: https://www.youtube.com/c/CloudSecurityPodcast Cloud Security Podcast LinkedIn: https://www.linkedin.com/company/cloud-security-podcast/ TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at Thinkst Canary. Most folks find out way too late that they've been breached. Thinkst Canary changes this. Deploy canaries and canary tokens in minutes, and then forget about them. Attackers tip their hand by touching them, giving you one alert, when it matters. With zero administrative overhead to this and almost no false positives, Canaries are deployed and loved on all seven continents. Check out what people are saying at canary.love today. Corey: This episode is bought to you in part by our friends at Veeam. Do you care about backups? Of course you don't. Nobody cares about backups. Stop lying to yourselves! You care about restores, usually right after you didn't care enough about backups. If you're tired of the vulnerabilities, costs and slow recoveries when using snapshots to restore your data, assuming you even have them at all living in AWS-land, there is an alternative for you. Check out Veeam, thats V-E-E-A-M for secure, zero-fuss AWS backup that won't leave you high and dry when it's time to restore. Stop taking chances with your data. Talk to Veeam. My thanks to them for sponsoring this ridiculous podcast.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted episode is brought to us once again by our friends at Snyk. Snyk does amazing things in the world of cloud security and terrible things with the English language because, despite raising a whole boatload of money, they still stubbornly refuse to buy a vowel in their name. I'm joined today by Principal Cloud Security Advocate from Snyk, Ashish Rajan. Ashish, thank you for joining me.Corey: Your history is fascinating to me because you've been around for a while on a podcast of your own, the Cloud Security Podcast. But until relatively recently, you were a CISO. As has become relatively accepted in the industry, the primary job of the CISO is to get themselves fired, and then, “Well, great. What's next?” Well, failing upward is really the way to go wherever possible, so now you are at Snyk, helping the rest of us fix our security. That's my headcanon on all of that anyway, which I'm sure bears scant, if any, resemblance to reality, what's your version?Ashish: [laugh]. Oh, well, fortunately, I wasn't fired. And I think I definitely find that it's a great way to look at the CISO job to walk towards the path where you're no longer required because then I think you've definitely done your job. I moved into the media space because we got an opportunity to go full-time. I spoke about this offline, but an incident inspired us to go full-time into the space, so that's what made me leave my CISO job and go full-time into democratizing cloud security as much as possible for anyone and everyone. So far, every day, almost now, so it's almost like I dream about cloud security as well now.Corey: Yeah, I dream of cloud security too, but my dreams are of a better world in which people didn't tell me how much they really care about security in emails that demonstrate how much they failed to care about security until it was too little too late. I was in security myself for a while and got out of it because I was tired of being miserable all the time. But I feel that there's a deep spiritual alignment between people who care about cost and people who care about security when it comes to cloud—or business in general—because you can spend infinite money on those things, but it doesn't really get your business further. It's like paying for fire insurance. It isn't going to get you to your next milestone, whereas shipping faster, being more effective at launching a feature into markets, that can multiply revenue. That's what companies are optimized around. It's, “Oh, right. We have to do the security stuff,” or, “We have to fix the AWS billing piece.” It feels, on some level, like it's a backburner project most of the time and it's certainly invested in that way. What's your take on that?Ashish: I tend to disagree with that, for a couple reasons.Corey: Excellent. I love arguments.Ashish: I feel this in a healthy way as well. A, I love the analogy of spiritual animals where they are cost optimization as well as the risk aversion as well. I think where I normally stand—and this is what I had to unlearn after doing years of cybersecurity—was that initially, we always used to be—when I say ‘we,' I mean cybersecurity folks—we always used to be like police officers. Is that every time there's an incident, it turns into a crime scene, and suddenly we're all like, “Pew, pew, pew,” with trying to get all the evidence together, let's make this isolated as much—as isolated as possible from the rest of the environment, and let's try and resolve this.I feel like in Cloud has asked people to become more collaborative, which is a good problem to have. It also encourages that, I don't know how many people know this, but the reason we have brakes in our cars is not because we can slow down the car; it's so that we can go faster. And I feel security is the same thing. The guardrails we talk about, the risks that you're trying to avert, the reason you're trying to have security is not to slow down but to go faster. Say for example in an ideal world, to quote what you were saying earlier if we were to do the right kind of encryption—I'm just going to use the most basic example—if we just do encryption, right, and just ensure that as a guardrail, the entire company needs to have encryption at rest, encryption in transit, period, nothing else, no one cares about anything else.But if you just lay that out as a framework and this is our guardrail, no one brakes this, and whoever does, hey we—you know, slap on the wrist and come back on to the actual track, but keep going forward. That just means any project that comes in that meets [unintelligible 00:04:58] criteria. Keeps going forward, as many times we want to go into production. Doesn't matter. So, that is the new world of security that we are being asked to move towards where Amazon re:Invent is coming in, there will be another, I don't know, three, four hundred services that will be released. How many people, irrespective of security, would actually know all of those services? They would not. So, [crosstalk 00:05:20]—Corey: Oh, we've long since passed the point where I can convincingly talk about AWS services that don't really exist and not get called out on it by Amazon employees. No one keeps them on their head. Except me because I'm sad.Ashish: Oh, no, but I think you're right, though. I can't remember who was it—maybe Andrew Vogel or someone—they didn't release a service which didn't exist, and became, like, a thing on Twitter. Everyone—Corey: Ah, AWS's Infinidash. I want to say that was Joe Nash out of Twilio at the time. I don't recall offhand if I'm right on that, but that's how it feels. Yeah, it was certainly not me. People said that was my idea. Nope, nope, I just basically amplified it to a huge audience.But yeah, it was a brilliant idea, just because it's a fake service so everyone could tell stories about it. And amazing product feedback, if you look at it through the right lens of how people view your company and your releases when they get this perfect, platonic ideal of what it is you might put out there, what do people say about it?Ashish: Yeah. I think that's to your point, I will use that as an example as well to talk about things that there will always be a service which we will be told about for the first time, which we will not know. So, going back to the unlearning part, as a security team, we just have to understand that we can't use the old ways of, hey, I want to have all the controls possible, cover all there is possible. I need to have a better understanding of all the cloud services because I've done, I don't know, 15 years of cloud, there is no one that has 10, 15 years of cloud unless you're I don't know someone from Amazon employee yourself. Most people these days still have five to six years experience and they're still learning.Even the cloud engineering folks or the DevOps folks, they're all still learning and the tooling is continuing to evolve. So yeah, I think I definitely find that the security in this cloud world a lot more collaborative and it's being looked at as the same function as a brake would have in car: to help you go faster, not to just slam the brake every time it's like, oh, my God, is the situation isolated and to police people.Corey: One of the points I find that is so aligned between security and cost—and you alluded to it a minute ago—is the idea of helping companies go faster safely. To that end, guardrails have to be at least as easy as just going off and doing it cow-person style. Because if it's not, it's more work in any way, shape, or form, people won't do it. People will not tag their resources by hand, people will not go through and use the dedicated account structure you've got that gets in their way and screams at them every time they try to use one of the native features built into the platform. It has to get out of their way and make things easier, not worse, or people fight it, they go around it, and you're never going to get buy-in.Ashish: Do you feel like cost is something that a lot more people pay a lot more attention to because, you know, that creeps into your budget? Like, as people who've been leaders before, and this was the conversation, they would just go, “Well, I only have, I don't know, 100,000 to spend this quarter,” or, “This year,” and they are the ones who—are some of them, I remember—I used to have this manager, once, a CTO would always be conscious about the spend. It's almost like if you overspend, where do you get the money from? There's no money to bring in extra. Like, no. There's a set money that people plan for any year for a budget. And to your point about if you're not keeping an eye on how are we spending this in the AWS context because very easy to spend the entire money in one day, or in the cloud context. So, I wonder if that is also a big driver for people to feel costs above security? Where do you stand on that?Corey: When it comes to cost, one of the nice things about it—and this is going to sound sarcastic, but I swear to you it's not—it's only money.Ashish: Mmm.Corey: Think about that for a second because it's true. Okay, we wound up screwing up and misconfiguring something and overspending. Well, there are ways around that. You can call AWS, you can get credits, you can get concessions made for mistakes, you can sign larger contracts and get a big pile of proof of concept credit et cetera, et cetera. There are ways to make that up, whereas with security, it's there are no do-overs on security breaches.Ashish: No, that's a good point. I mean, you can always get more money, use a credit card, worst case scenario, but you can't do the same for—there's a security breach and suddenly now—hopefully, you don't have to call New York Times and say, “Can you undo that article that you just have posted that told you it was a mistake. We rewinded what we did.”Corey: I'm curious to know what your take is these days on the state of the cloud security community. And the reason I bring that up is, well, I started about a year-and-a-half ago now doing a podcast every Thursday. Which is Last Week in AWS: Security Edition because everything else I found in the industry that when I went looking was aimed explicitly at either—driven by the InfoSec community, which is toxic and a whole bunch of assumed knowledge already built in that looks an awful lot like gatekeeping, which is the reason I got out of InfoSec in the first place, or alternately was completely vendor-captured, where, okay, great, we're going to go ahead and do a whole bunch of interesting content and it's all brought to you by this company and strangely, all of the content is directly align with doing some pretty weird things that you wouldn't do unless you're trying to build a business case for that company's product. And it just feels hopelessly compromised. I wanted to find something that was aimed at people who had to care about security but didn't have security as part of their job title. Think DevOps types and you're getting warmer.That's what I wound up setting out to build. And when all was said and done, I wasn't super thrilled with, honestly, how alone it still felt. You've been doing this for a while, and you're doing a great job at it, don't get me wrong, but there is the question that—and I understand they're sponsoring this episode, but the nice thing about promoted guest episodes is that they can buy my attention, not my opinion. How do you retain creative control of your podcast while working for a security vendor?Ashish: So, that's a good question. So, Snyk by themselves have not ever asked us to change any piece of content; we have been working with them for the past few months now. The reason we kind of came along with Snyk was the alignment. And we were talking about this earlier for I totally believe that DevSecOps and cloud security are ultimately going to come together one day. That may not be today, that may not be tomorrow, that may not be in 2022, or maybe 2023, but there will be a future where these two will sit together.And the developer-first security mentality that they had, in this context from cloud prospective—developers being the cloud engineers, the DevOps people as you called out, the reason you went in that direction, I definitely want to work with them. And ultimately, there would never be enough people in security to solve the problem. That is the harsh reality. There would never be enough people. So, whether it's cloud security or not, like, for people who were at AWS re:Inforce, the first 15 minutes by Steve Schmidt, CSO of Amazon, was get a security guardian program.So, I've been talking about it, everyone else is talking about right now, Amazon has become the first CSP to even talk about this publicly as well that we should have security guardians. Which by the way, I don't know why, but you can still call it—it is technically DevSecOps what you're trying to do—they spoke about a security champion program as part of the keynote that they were running. Nothing to do with cloud security, but the idea being how much of this workload can we share? We can raise, as a security team—for people who may be from a security background listening to this—how much elevation can we provide the risk in front of the right people who are a decision-maker? That is our role.We help them with the governance, we help with managing it, but we don't know how to solve the risk or close off a risk, or close off a vulnerability because you might be the best person because you work in that application every day, every—you know the bandages that are put in, you know all the holes that are there, so the best threat model can be performed by the person who works on a day-to-day, not a security person who spent, like, an hour with you once a week because that's the only time they could manage. So, going back to the Snyk part, that's the mission that we've had with the podcast; we want to democratize cloud security and build a community around neutral information. There is no biased information. And I agree with what you said as well, where a lot of the podcasts outside of what we were finding was more focused on, “Hey, this is how you use AWS. This is how you use Azure. This is how you use GCP.”But none of them were unbiased in the opinion. Because real life, let's just say even if I use the AWS example—because we are coming close to the AWS re:Invent—they don't have all the answers from a security perspective. They don't have all the answers from an infrastructure perspective or cloud-native perspective. So, there are some times—or even most times—people are making a call where they're going outside of it. So, unbiased information is definitely required and it is not there enough.So, I'm glad that at least people like yourself are joining, and you know, creating the world where more people are trying to be relatable to DevOps people as well as the security folks. Because it's hard for a security person to be a developer, but it's easy for a developer or an engineer to understand security. And the simplest example I use is when people walk out of their house, they lock the door. They're already doing security. This is the same thing we're asking when we talk about security in the cloud or in the [unintelligible 00:14:49] as well. Everyone is, it just it hasn't been pointed out in the right way.Corey: I'm curious as to what it is that gets you up in the morning. Now, I know you work in security, but you're also not a CISO anymore, so I'm not asking what gets you up at 2 a.m. because we know what happens in the security space, then. There's a reason that my area of business focus is strictly a business hours problem. But I'd love to know what it is about cloud security as a whole that gets you excited.Ashish: I think it's an opportunity for people to get into the space without the—you know, you said gatekeeper earlier, those gatekeepers who used to have that 25 years experience in cybersecurity, 15 years experience in cybersecurity, Cloud has challenged that norm. Now, none of that experience helps you do AWS services better. It definitely helps you with the foundational pieces, definitely helps you do identity, networking, all of that, but you still have to learn something completely new, a new way of working, which allows for a lot of people who earlier was struggling to get into cybersecurity, now they have an opening. That's what excites me about cloud security, that it has opened up a door which is beyond your CCNA, CISSP, and whatever else certification that people want to get. By the way, I don't have a CISSP, so I can totally throw CISSP under the bus.But I definitely find that cloud security excites me every morning because it has shown me light where, to what you said, it was always a gated community. Although that's a very huge generalization. There's a lot of nice people in cybersecurity who want to mentor and help people get in. But Cloud security has pushed through that door, made it even wider than it was before.Corey: I think there's a lot to be said for the concept of sending the elevator back down. I really have remarkably little patience for people who take the perspective of, “Well, I got mine so screw everyone else.” The next generation should have it easier than we did, figuring out where we land in the ecosystem, where we live in the space. And there are folks who do a tremendous job of this, but there are also areas where I think there is significant need for improvement. I'm curious to know what you see as lacking in the community ecosystem for folks who are just dipping their toes into the water of cloud security.Ashish: I think that one, there's misinformation as well. The first one being, if you have never done IT before you can get into cloud security, and you know, you will do a great job. I think that is definitely a mistake to just accept the fact if Amazon re:Invent tells you do all these certifications, or Azure does the same, or GCP does the same. If I'll be really honest—and I feel like I can be honest, this is a safe space—that for people who are listening in, if you're coming to the space for the first time, whether it's cloud or cloud security, if you haven't had much exposure to the foundational pieces of it, it would be a really hard call. You would know all the AWS services, you will know all the Azure services because you have your certification, but if I was to ask you, “Hey, help me build an application. What would be the architecture look like so it can scale?”“So, right now we are a small pizza-size ten-people team”—I'm going to use the Amazon term there—“But we want to grow into a Facebook tomorrow, so please build me an architecture that can scale.” And if you regurgitate what Amazon has told you, or Azure has told you, or GCP has told you, I can definitely see that you would struggle in the industry because that's not how, say every application is built. Because the cloud service provider would ask you to drink the Kool-Aid and say they can solve all your problems, even though they don't have all the servers in the world. So, that's the first misinformation.The other one too, for people who are transitioning, who used to be in IT or in cybersecurity and trying to get into the cloud security space, the challenge over there is that outside of Amazon, Google, and Microsoft, there is not a lot of formal education which is unbiased. It is a great way to learn AWS security on how amazing AWS is from AWS people, the same way Microsoft will be [unintelligible 00:19:10], however, when it comes down to actual formal education, like the kind that you and I are trying to provide through a podcast, me with the Cloud Security Podcast, you with Last Week in AWS in the Security Edition, that kind of unbiased formal education, like free education, like what you and I are doing does definitely exist and I guess I'm glad we have company, that you and I both exist in this space, but formal education is very limited. It's always behind, say an expensive paid wall sometimes, and rightly so because it's information that would be helpful. So yeah, those two things. Corey: This episode is sponsored in part by our friends at Uptycs. Attackers don't think in silos, so why would you have siloed solutions protecting cloud, containers, and laptops distinctly? Meet Uptycs - the first unified solution prioritizes risk across your modern attack surface—all from a single platform, UI, and data model. Stop by booth 3352 at AWS re:Invent in Las Vegas to see for yourself and visit uptycs.com. That's U-P-T-Y-C-S.com. Corey: One of the problems that I have with the way a lot of cloud security stuff is situated is that you need to have something running to care about the security of. Yeah, I can spin up a VM in the free tier of most of these environments, and okay, “How do I secure a single Linux box?” Okay, yes, there are a lot of things you can learn there, but it's very far from a holistic point of view. You need to have the infrastructure running at reasonable scale first, in order to really get an effective lab that isn't contrived.Now, Snyk is a security company. I absolutely understand and have no problem with the fact that you charge your customers money in order to get security outcomes that are better than they would have otherwise. I do not get why AWS and GCP charge extra for security. And I really don't get why Azure charges extra for security and then doesn't deliver security by dropping the ball on it, which is neither here nor there.Ashish: [laugh].Corey: It feels like there's an economic form of gatekeeping, where you must spend at least this much money—or work for someone who does—in order to get exposure to security the way that grownups think about it. Because otherwise, all right, I hit my own web server, I have ten lines in the logs. Now, how do I wind up doing an analysis run to figure out what happened? I pull it up on my screen and I look at it. You need a point of scale before anything that the modern world revolves around doesn't seem ludicrous.Ashish: That's a good point. Also because we don't talk about the responsibility that the cloud service provider has themselves for security, like the encryption example that I used earlier, as a guardrail, it doesn't take much for them to enable by default. But how many do that by default? I feel foolish sometimes to tell people that, “Hey, you should have encryption enabled on your storage which is addressed, or in transit.”It should be—like, we have services like Let's Encrypt and other services, which are trying to make this easily available to everyone so everyone can do SSL or HTTPS. And also, same goes for encryption. It's free and given the choice that you can go customer-based keys or your own key or whatever, but it should be something that should be default. We don't have to remind people, especially if you're the providers of the service. I agree with you on the, you know, very basic principle of why do I pay extra for security, when you should have already covered this for me as part of the service.Because hey, technically, aren't you also responsible in this conversation? But the way I see shared responsibility is that—someone on the podcast mentioned it and I think it's true—shared responsibility means no one's responsible. And this is the kind of world we're living in because of that.Corey: Shared responsibility has always been an odd concept to me because AWS is where I first encountered it and they, from my perspective, turn what fits into a tweet into a 45-minute dog-and-pony show around, “Ah, this is how it works. This is the part we're responsible for. This is the part where the customer responsibility is. Now, let's have a mind-numbingly boring conversation around it.” Whereas, yeah, there's a compression algorithm here. Basically, if the cloud gets breached, it is overwhelmingly likely that you misconfigured something on your end, not the provider doing it, unless it's Azure, which is neither here nor there, once again.The problem with that modeling, once you get a little bit more business sophistication than I had the first time I made the observation, is that you can't sit down with a CISO at a company that just suffered a data breach and have your conversation be, “Doesn't it suck to be you—[singing] duh, duh—because you messed up. That's it.” You need that dog-and-pony show of being able to go in-depth and nuance because otherwise, you're basically calling out your customer, which you can't really do. Which I feel occludes a lot of clarity for folks who are not in that position who want to understand these things a bit better.Ashish: You're right, Corey. I think definitely I don't want to be in a place where we're definitely just educating people on this, but I also want to call out that we are in a world where it is true that Amazon, Azure, Google Cloud, they all have vulnerabilities as well. Thanks to research by all these amazing people on the internet from different companies out there, they've identified that, hey, these are not pristine environments that you can go into. Azure, AWS, Google Cloud, they themselves have vulnerabilities, and sometimes some of those vulnerabilities cannot be fixed until the customer intervenes and upgrades their services. We do live in a world where there is not enough education about this as well, so I'm glad you brought this up because for people who are listening in, I mean, I was one of those people who would always say, “When was the last time you heard Amazon had a breach?” Or, “Microsoft had a breach?” Or, “Google Cloud had a breach?”That was the idea when people were just buying into the concept of cloud and did not trust cloud. Every cybersecurity person that I would talk to they're like, “Why would you trust cloud? Doesn't make sense.” But this is, like, seven, eight years ago. Fast-forward to today, it's almost default, “Why would you not go into cloud?”So, for people who tend to forget that part, I guess, there is definitely a journey that people came through. With the same example of multi-factor authentication, it was never a, “Hey, let's enable password and multi-factor authentication.” It took a few stages to get there. Same with this as well. We're at that stage where now cloud service providers are showing the kinks in the armor, and now people are questioning, “I should update my risk matrix for what if there's actually a breach in AWS?”Now, Capital One is a great example where the Amazon employee who was sentenced, she did something which has—never even [unintelligible 00:25:32] on before, opened up the door for that [unintelligible 00:25:36] CISO being potentially sentenced. There was another one. Because it became more primetime news, now people are starting to understand, oh, wait. This is not the same as it used to be. Cloud security breaches have evolved as well.And just sticking to the Uber point, when Uber has that recent breach where they were talking about, “Hey, so many data records were gone,” what a lot of people did not talk about in that same message, it also mentioned the fact that, hey, they also got access to the AWS console of Uber. Now, that to me, is my risk metrics has already gone higher than where it was before because it just not your data, but potentially your production, your pre-prod, any development work that you were doing for, I don't know, self-driving cars or whatever that Uber [unintelligible 00:26:18] is doing, all that is out on the internet. But who was talking about all of that? That's a much worse a breach than what was portrayed on the internet. I don't know, what do you think?Corey: When it comes to trusting providers, where I sit is that I think, given their scale, they need to be a lot more transparent than they have been historically. However, I also believe that if you do not trust that these companies are telling you the truth about what they're doing, how they're doing it, what their controls are, then you should not be using them as a customer, full stop. This idea of confidential computing drives me nuts because so much of it is, “Well, what if we assume our cloud provider is lying to us about all of these things?” Like, hypothetically there's nothing stopping them from building an exact clone of their entire control plane that they redirect your request to that do something completely different under the hood. “Oh, yeah, of course, we're encrypting it with that special KMS key.” No, they're not. For, “Yeah, sure we're going to put that into this region.” Nope, it goes right back to Virginia. If you believe that's what's going on and that they're willing to do that, you can't be in cloud.Ashish: Yeah, a hundred percent. I think foundational trust need to exist and I don't think the cloud service providers themselves do a great job of building that trust. And maybe that's where the drift comes in because the business has decided they're going to cloud. The cyber security people are trying to be more aware and asking the question, “Hey, why do we trust it so blindly? I don't have a pen test report from Amazon saying they have tested service.”Yes, I do have a certificate saying it's PCI compliant, but how do I know—to what you said—they haven't cloned our services? Fortunately, businesses are getting smarter. Like, Walmart would never have their resources in AWS because they don't trust them. It's a business risk if suddenly they decide to go into that space. But the other way around, Microsoft may decides tomorrow that they want to start their own Walmart. Then what do you do?So, I don't know how many people actually consider that as a real business risk, especially because there's a word that was floating around the internet called supercloud. And the idea behind this was—oh, I can already see your reaction [laugh].Corey: Yeah, don't get me started on that whole mess.Ashish: [laugh]. Oh no, I'm the same. I'm like, “What? What now?” Like, “What are you—” So, one thing I took away which I thought was still valuable was the fact that if you look at the cloud service providers, they're all like octopus, they all have tentacles everywhere.Like, if you look at the Amazon of the world, they not only a bookstore, they have a grocery store, they have delivery service. So, they are into a lot of industries, the same way Google Cloud, Microsoft, they're all in multiple industries. And they can still have enough money to choose to go into an industry that they had never been into before because of the access that they would get with all this information that they have, potentially—assuming that they [unintelligible 00:29:14] information. Now, “Shared responsibility,” quote-unquote, they should not do it, but there is nothing stopping them from actually starting a Walmart tomorrow if they wanted to.Corey: So, because a podcast and a day job aren't enough, what are you going to be doing in the near future given that, as we record this, re:Invent is nigh?Ashish: Yeah. So, podcasting and being in the YouTube space has definitely opened up the creative mindset for me. And I think for my producer as well. We're doing all these exciting projects. We have something called Cloud Security Villains that is coming up for AWS re:Invent, and it's going to be released on our YouTube channel as well as my social media.And we'll have merchandise for it across the re:Invent as well. And I'm just super excited about the possibility that media as a space provides for everyone. So, for people who are listening in and thinking that, I don't know, I don't want to write for a blog or email newsletter or whatever the thing may be, I just want to put it out there that I used to be excited about AWS re:Invent just to understand, hey, hopefully, they will release a new security service. Now, I get excited about these events because I get to meet community, help them, share what they have learned on the internet, and sound smarter [laugh] as a result of that as well, and get interviewed where people like yourself. But I definitely find that at the moment with AWS re:Invent coming in, a couple of things that are exciting for me is the release of the Cloud Security Villains, which I think would be an exciting project, especially—hint, hint—for people who are into comic books, you will definitely enjoy it, and I think your kids will as well. So, just in time for Christmas.Corey: We will definitely keep an eye out for that and put a link to that in the show notes. I really want to thank you for being so generous with your time. If people want to learn more about what you're up to, where's the best place for them to find you?Ashish: I think I'm fortunate enough to be at that stage where normally if people Google me—and it's simply Ashish Rajan—they will definitely find me [laugh]. I'll be really hard for them not find me on the internet. But if you are looking for a source of unbiased cloud security knowledge, you can definitely hit up cloudsecuritypodcast.tv or our YouTube and LinkedIn channel.We go live stream every week with a new guest talking about cloud security, which could be companies like LinkedIn, Twilio, to name a few that have come on the show already, and a lot more than have come in and been generous with their time and shared how they do what they do. And we're fortunate that we get ranked top 100 in America, US, UK, as well as Australia. I'm really fortunate for that. So, we're doing something right, so hopefully, you get some value out of it as well when you come and find me.Corey: And we will, of course, put links to all of that in the show notes. Thank you so much for being so generous with your time. I really appreciate it.Ashish: Thank you, Corey, for having me. I really appreciate this a lot. I enjoyed the conversation.Corey: As did I. Ashish Rajan, Principal Cloud Security Advocate at Snyk who is sponsoring this promoted guest episode. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an insulting comment pointing out that not every CISO gets fired; some of them successfully manage to blame the intern.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.
In this episode of the Virtual Coffee with Ashish edition, we spoke with Kat Traxler (Kat's Linkedin) about the skillset, certification and knowledge base required to become a cloud security architect in 2023. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Kat Traxler (Kat's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:28) https://snyk.io/csp (02:46) A bit about Kat (05:35) What does a security architect do? (06:46 )The difference in the Cloud Security Architect role (11:08) The building blocks of building an application in AWS (13:41) Are there DMZs in Cloud Architecture? (15:54) Cybercriminal and Cloud exploitation (19:04) How to keep with rapid changes in cloud? (20:08) AWS pre:invent update (21:39) Why is IAM important in Cloud? (25:03) Do cloud security architects need to know coding and automation? (27:38) How important are certifications? (31:49) Getting in cloud security with no experience (33:41) What are important skills for architect? (35:33) SANS certifications for Cloud Security Architects (37:04) How important is ist to have multi cloud knowledge (40:44) Frameworks to build cloud architecture (42:59) Do you need to know software development? (44:19) Roadmap to become a cloud security architect (45:32) What is the most difficult thing related to architecture? (49:32) The Fun Section
In this episode of the Virtual Coffee with Ashish edition, we spoke with Rodrigo Montoro (Rodrigo's linkedin) about threat modelling and incident response involving the uncommon AWS services which still may be widely used in your organisation and increase your attack surface. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Rodrigo Montoro (Rodrigo's linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:10) https://snyk.io/csp (03:19) A bit about Rodrigo (04:37) Detection in On-Premise (06:51) The role of API in Cloud (08:06) Common Services in AWS (15:22) Managing unused services (17:38) Incident response for AWS Appstream ? (20:57) integration of services with Cloudtrail (27:14) AWS Pass role (31:38) Incident Response for services (34:00) Pre-signed URL (36:23) How to get started in AWS threat detection? (39:10) Where can people learn more about this? (41:37) How to do AWS threat detection at Scale? (43:30) The Fun Section
In this episode of the Virtual Coffee with Ashish edition, we spoke with Nandesh Guru (Nandesh's Linkedin) about ransomware and supply chain attack mechanisms in AWS and how the world of CSPM have evolved to address the increasing complexities of cloud security Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Nandesh Guru (Nandesh's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:09) https://snyk.io/csp (03:11 )A bit about Nandesh (05:01) 4 Components of Supply Chain Risks (06:47)Example of AWS Supply Chain Attack (10:08) Evaluating code scanning tools (12:30) What is ransomware? (13:06) Ransomware in AWS (14:55) Attacks on encryption in AWS (19:27) What is a CSPM? (20:46) The role of CSPM and CNAPP in supply chain attacks (22:56) Is CIS Benchmark still a good starting point? (26:38) The evolution of CSPMs (29:47) Complexity of Cloud Security (32:59)Where can you learn more about supply chain risks? (33:50) Fun Questions
In this episode of the Virtual Coffee with Ashish edition, we spoke with Christophe Parisel (Christophe's Linkedin) about what how to transition from being a technical architect on premise to a cloud security architect and then a cloud native security architect. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Christophe Parisel (Christophe's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:21) https://snyk.io/csp (03:18) A little bit about Christophe (05:08) What is Cloud Native? (07:27) Why Cloud Native is important? (09:34) Responsibilities of Cloud Native Architect (13:15) Solution Architect vs Cloud Native Architect (15:32) Culture to move into Cloud Native Environment (18:09) Designing an application in Cloud (21:41) Designing an application using Kubernetes Cluster (24:39) Learning Kubernetes as an Architect (28:09) Common services people should standardise (31:50) Frameworks for Kubernetes Architecture (34:06) Logging with Kubernetes at Scale (38:24) Challenge with transitioning to Cloud Native Security Architect (39:43)Should we trust the cloud? (43:37) Bottlerocket in Kubernetes (46:00) Certifications for Cloud Native Security Architect
In this episode of the Virtual Coffee with Ashish edition, we spoke with Jim Bugwadia (Jim's Twitter) about policy management and compliance as code for Kubernetes and how you can use open source tools like Kyverno and OPA for policy management Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Jim Bugwadia (Jim's Twitter) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (03:20) https://snyk.io/csp (05:23) What is Kubernetes Control Plane? (06:51) What is an admission controller? (08:01) What do you need policy management in Kubernetes? (10:13) Pod Security and Policy management (11:57) Policy Management in Managed Kubernetes (13:54) Scaling Policy Management for Kubernetes (19:34) Common use cases for policy management (25:30) Compliance in Kubernetes (32:04) Levels of Maturity in Kubernetes Policy Management (36:47) Future of policy as code (38:46) Kyverno vs OPA (43:39) Kyverno vs gatekeeper (45:15) Where to start with policy management? (46:11) Where you can find Jim
In this episode of the Virtual Coffee with Ashish edition, we spoke with Luke Hinds (Luke's Twitter) the open source Sigstore project and how it is helping with software signing and protecting the software supply chain Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Luke Hinds (Luke's Twitter) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (01:39) https://snyk.io/csp (05:21) What is the software supply chain and why is it important? (08:20) Common supply chain attacks in Kubernetes (09:53) Codecov attack (11:14 )Kubernetes and API (14:10) Vulnerability scanning tools (16:38) Explaining the importance of supply chain security (19:19) What is a signing service (19:56 )The SLSA framework (20:42) Importance of signing service (23:35) What is Sigstore? (27:57) What is Lets Encrypt (31:48) The aim of sigstore (34:39) What is Co-Sign (36:40) Co-Signing and non-repudiation (46:29) Where to start
In this episode of the Virtual Coffee with Ashish edition, we spoke with Jimmy Mesta (Jimmy's Twitter) about OWASP Kubernetes Top 10 and best practices for securing Kubernetes Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Jimmy Mesta (Jimmy's Twitter) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (01:39) https://snyk.io/csp (03:55) What is Kubernetes? (05:15 )Kubernetes vs Containers (06:38) Kubernetes and Docker (09:08) Unmanaged Kubernetes (11:14) Managed Kubernetes (13:39) Security for Kubernetes Clusters (15:42) OWASP top 10 Web Application (17:59) Starting to build Kubernetes Cluster or Pod (23:09) Security Misconfigurations in Kubernetes (28:42) Supply Chain Vulnerabilities in Kubernetes (32:06) RBAC and Policy Enforcement (33:32) Logging and Monitoring in Kubernetes (34:30) Broken Authentication (35:17) Missing network segment approach (36:07) Secrets Management Failure (37:09) Misconfigured Cluster Components (38:15) Outdated and vulnerable kubernetes component (42:37) Asset Inventory for Kubernetes Cluster (44:53) Threat Modelling in Kubernetes (46:20)Cert management in Kubernetes (48:02) Learn more about securing Kubernetes
© 2020-2025 Ivy Podcast Discovery LLC
