Cloud Security Podcast by Google

Anton Chuvakin
undefined
Aug 28, 2023 • 22min

EP136 Next 2023 Special: Building AI-powered Security Tools - How We Do It?

Eric Doerr, VP of Engineering at Google Cloud Security, discusses the exciting prospects of using AI for security and trusting AI in the business context. They also explore threat modeling AI systems and the worst security use cases for GenAI. Teaching AI security and the surprising challenges involved are also covered.
undefined
Aug 21, 2023 • 26min

EP135 AI and Security: The Good, the Bad, and the Magical

Phil Venables, Google Cloud's Chief Information Security Officer, discusses the game-changing potential of AI in cybersecurity. Topics include the impact of AI and machine learning on security, the use of generative AI to enhance productivity and secure software development, and the asymmetry between attackers and defenders in AI systems. The concept of shared faith in securing AI and the intersection of AI, security, and board governance are also explored.
undefined
Aug 14, 2023 • 26min

EP134 How to Prioritize UX and Security in the Cloud: UX as a Security Capability

Guest:  Steph Hay , Director of UX, Google Cloud Security Topics: The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security? UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this? How do you think about prioritizing your team’s time between day zero vs day n experiences for users of security tools? Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security? Can you think of what single UX change in Cloud Security’s portfolio made the biggest impact to actual security outcomes?  We have this new tool/approach for planning called Jobs To Be Done (JTBD)  - give us the value, and the history? In the world of JTBD planning, what gets better? Resources: JTBD Framework GCP IAM Recommender Recaptha Enterprise  
undefined
9 snips
Aug 7, 2023 • 36min

EP133 The Shared Problem of Alerting: More SRE Lessons for Security

Guest:  Steve McGhee, Reliability Advocate at Google Cloud  Aron Eidelman, Developer Relations Engineer at Google Cloud Topics: What is the shared problem for SRE and security when it comes to alerting? Why is there reluctance to reduce noise? How do SREs, security practitioners, and other stakeholders define “incident” and “risk”? How does involving an “adversary” change the way people think about an incident, even if the impact is identical? Which SRE alerting lessons do NOT apply at all for security? Resources: Video (LinkedIn, YouTube) “Deploy Security Capabilities at Scale: SRE Explains How” (ep85) Steve talk about probability and SLO math at SLOconf   Why Focus on Symptoms, Not Causes? Learning from incidents (LFI) science How to measure anything in cyber security risk book Security chaos engineering book The SRS Book Ch 1 The SRE book Ch 4   
undefined
13 snips
Jul 31, 2023 • 36min

EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge

Kelly Shortridge, Senior Principal Engineer at Fastly, discusses the concept of Security Chaos Engineering and its intersection with cloud security. She talks about how chaos engineering can improve software resilience and security alerting. Kelly shares her favorite chaos engineering experiment and how it can break organizations out of their 1990s thinking. The podcast also explores the importance of understanding threat models, iterative approaches to software resilience, and learning from failures.
undefined
Jul 24, 2023 • 26min

EP131 A Deep Dive into Google's Assured OSS: How Google Secures the Software You Use

Guests: Himanshu Khurana, Engineering Manager, Google Cloud Rahul Gupta, Product Manager for Assured OSS, Google Cloud Topics: For the software you’re supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen?  So what is Assured Open Source? Do we really guarantee its security? What does “guarantee” here mean? What’re users actually paying for here? What’s the Google magic here and why are we doing this?  Do we really audit all code and fuzz for security issues? What’s a supply chain attack and then we’ll talk about how this is plugging into those gaps?  Resources: Assured Open Source Software page “SBOMs: A Step Towards a More Secure Software Supply Chain” (ep116) “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24) SLSA.dev blog Open Source Security Podcast Mandiant M-Trends 2023  
undefined
15 snips
Jul 17, 2023 • 34min

EP130 Cloud is Secure: Are you Using It Securely - True or False?

Guest:  Steve Riley, Field CTO, Netskope, ex-Gartner Research VP Topics: Analysts (well, like Steve and Anton in the past?) say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this today? When clients hear “use cloud securely”, what do you think comes to their minds? How would you approach planning for secure use of the cloud or using cloud securely? What is your view of cloud defense in depth (DiD) or layered defenses? How do you suggest clients think about it? What about DiD for SaaS? What are your thoughts on the evolution of zero trust? How has it changed since its introduction back in 2010? Awareness of and interest in SSE and SASE is growing. But at the same time, plenty of folks seem deeply perplexed by these. How would you explain them to someone not deeply immersed in the details?  Resources: Video (LinkedIn, YouTube) Bruce Schneier books Netskope blog “Deploy Security Capabilities at Scale: SRE Explains How” (ep85) “Zero Trust: Fast Forward from 2010 to 2021” (ep8) “Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?” (ep76) “How to Approach Cloud in a Cloudy Way, not As Somebody Else’s Computer?” (ep115) "Use Cloud Securely? What Does This Even Mean?!" "How to Solve the Mystery of Cloud Defense in Depth?"
undefined
Jul 10, 2023 • 31min

EP129 How CISO Cloud Dreams and Realities Collide

Guest: Rick Doten, VP, Information Security at Centene Corporation, CISO Carolina Complete Health  Topics:  What are the realistic cloud risks today for an organization using public cloud?  Is the vendor lock-in on that list?  What other risks everybody thinks are real, but they are not? What do you tell people who in 2023 still think “they can host Exchange better themselves” and have silly cloud fears? What do you tell people who insist on “copy/pasting” all their security technology stack from data centers to the cloud? Cloud providers have greater opportunity not only to see issues, but to learn how to react well. Do you think this argument holds water?  What are the most challenging security issues for multi-cloud and hybrid cloud security? How does security chasm (between security haves and have-notes) affect cloud security? Your best cloud security advice for an organization with a security team of 0 FTEs and no CISO?  Resources: Video (LinkedIn, YouTube) Rick Doten on YouTube Defining Cloud Security by Rick Doten Cloud Security Alliance materials Mandiant M-Trends 2023  
undefined
Jul 3, 2023 • 27min

EP128 Building Enterprise Threat Intelligence: The Who, What, Where, and Why

Guest:  John Doyle, Principle Intelligence Enablement Consultant at Mandiant / Google Cloud  Topics: You have created a new intelligence class focused on building enterprise threat intelligence capability, so what is the profile of an organization and profile for a person that benefits the most from the class? There are many places to learn threat intel (TI), what is special about your new class?  You talk about country cyber operations in the class, so what is the defender - relevant difference between, say, DPRK and Iran cyber doctrines? More generally, how do defenders benefit from such per country intel? Can you really predict what the state-affiliated attackers would do to your organization based on the country doctrine? In many minds, TI is connected to attribution. What is your best advice on attribution to CISOs of well-resourced organizations? What about mainstream organizations? Overall we see a lot of organizations still failing to operationalize TI, especially strategic TI, how does this help them? Resources: The new class “Inside the Mind of APT” “Navigating Tradeoffs of Attribution” paper Sands Casino hack 2014 "Threat Horizons - How Google Does Threat Intelligence" (ep112)  
undefined
13 snips
Jun 26, 2023 • 30min

EP127 Is IAM Really Fun and How to Stay Ahead of the Curve in Cloud IAM?

Ian Glazer, founder at Weave Identity, discusses the excitement of IAM and its importance in the cloud. He shares advice for newcomers and emphasizes the need for continuous learning. The podcast explores IAM differences in AWS and GCP, challenges of entitlement discovery, and common mistakes in cloud IAM.

The AI-powered Podcast Player

Save insights by tapping your headphones, chat with episodes, discover the best highlights - and more!
App store bannerPlay store banner
Get the app