Cloud Security Podcast by Google

Guest:  Steph Hay , Director of UX, Google Cloud Security Topics: The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security? UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this? How do you think about prioritizing your team’s time between day zero vs day n experiences for users of security tools? Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security? Can you think of what single UX change in Cloud Security’s portfolio made the biggest impact to actual security outcomes?  We have this new tool/approach for planning called Jobs To Be Done (JTBD)  - give us the value, and the history? In the world of JTBD planning, what gets better? Resources: JTBD Framework GCP IAM Recommender Recaptha Enterprise  

Guest:  Steve McGhee, Reliability Advocate at Google Cloud  Aron Eidelman, Developer Relations Engineer at Google Cloud Topics: What is the shared problem for SRE and security when it comes to alerting? Why is there reluctance to reduce noise? How do SREs, security practitioners, and other stakeholders define “incident” and “risk”? How does involving an “adversary” change the way people think about an incident, even if the impact is identical? Which SRE alerting lessons do NOT apply at all for security? Resources: Video (LinkedIn, YouTube) “Deploy Security Capabilities at Scale: SRE Explains How” (ep85) Steve talk about probability and SLO math at SLOconf   Why Focus on Symptoms, Not Causes? Learning from incidents (LFI) science How to measure anything in cyber security risk book Security chaos engineering book The SRS Book Ch 1 The SRE book Ch 4   

Kelly Shortridge, Senior Principal Engineer at Fastly, discusses the concept of Security Chaos Engineering and its intersection with cloud security. She talks about how chaos engineering can improve software resilience and security alerting. Kelly shares her favorite chaos engineering experiment and how it can break organizations out of their 1990s thinking. The podcast also explores the importance of understanding threat models, iterative approaches to software resilience, and learning from failures.

Guests: Himanshu Khurana, Engineering Manager, Google Cloud Rahul Gupta, Product Manager for Assured OSS, Google Cloud Topics: For the software you’re supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen?  So what is Assured Open Source? Do we really guarantee its security? What does “guarantee” here mean? What’re users actually paying for here? What’s the Google magic here and why are we doing this?  Do we really audit all code and fuzz for security issues? What’s a supply chain attack and then we’ll talk about how this is plugging into those gaps?  Resources: Assured Open Source Software page “SBOMs: A Step Towards a More Secure Software Supply Chain” (ep116) “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24) SLSA.dev blog Open Source Security Podcast Mandiant M-Trends 2023  

Guest:  Steve Riley, Field CTO, Netskope, ex-Gartner Research VP Topics: Analysts (well, like Steve and Anton in the past?) say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this today? When clients hear “use cloud securely”, what do you think comes to their minds? How would you approach planning for secure use of the cloud or using cloud securely? What is your view of cloud defense in depth (DiD) or layered defenses? How do you suggest clients think about it? What about DiD for SaaS? What are your thoughts on the evolution of zero trust? How has it changed since its introduction back in 2010? Awareness of and interest in SSE and SASE is growing. But at the same time, plenty of folks seem deeply perplexed by these. How would you explain them to someone not deeply immersed in the details?  Resources: Video (LinkedIn, YouTube) Bruce Schneier books Netskope blog “Deploy Security Capabilities at Scale: SRE Explains How” (ep85) “Zero Trust: Fast Forward from 2010 to 2021” (ep8) “Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?” (ep76) “How to Approach Cloud in a Cloudy Way, not As Somebody Else’s Computer?” (ep115) "Use Cloud Securely? What Does This Even Mean?!" "How to Solve the Mystery of Cloud Defense in Depth?"

Guest: Rick Doten, VP, Information Security at Centene Corporation, CISO Carolina Complete Health  Topics:  What are the realistic cloud risks today for an organization using public cloud?  Is the vendor lock-in on that list?  What other risks everybody thinks are real, but they are not? What do you tell people who in 2023 still think “they can host Exchange better themselves” and have silly cloud fears? What do you tell people who insist on “copy/pasting” all their security technology stack from data centers to the cloud? Cloud providers have greater opportunity not only to see issues, but to learn how to react well. Do you think this argument holds water?  What are the most challenging security issues for multi-cloud and hybrid cloud security? How does security chasm (between security haves and have-notes) affect cloud security? Your best cloud security advice for an organization with a security team of 0 FTEs and no CISO?  Resources: Video (LinkedIn, YouTube) Rick Doten on YouTube Defining Cloud Security by Rick Doten Cloud Security Alliance materials Mandiant M-Trends 2023  

Guest:  John Doyle, Principle Intelligence Enablement Consultant at Mandiant / Google Cloud  Topics: You have created a new intelligence class focused on building enterprise threat intelligence capability, so what is the profile of an organization and profile for a person that benefits the most from the class? There are many places to learn threat intel (TI), what is special about your new class?  You talk about country cyber operations in the class, so what is the defender - relevant difference between, say, DPRK and Iran cyber doctrines? More generally, how do defenders benefit from such per country intel? Can you really predict what the state-affiliated attackers would do to your organization based on the country doctrine? In many minds, TI is connected to attribution. What is your best advice on attribution to CISOs of well-resourced organizations? What about mainstream organizations? Overall we see a lot of organizations still failing to operationalize TI, especially strategic TI, how does this help them? Resources: The new class “Inside the Mind of APT” “Navigating Tradeoffs of Attribution” paper Sands Casino hack 2014 "Threat Horizons - How Google Does Threat Intelligence" (ep112)  

Ian Glazer, founder at Weave Identity, discusses the excitement of IAM and its importance in the cloud. He shares advice for newcomers and emphasizes the need for continuous learning. The podcast explores IAM differences in AWS and GCP, challenges of entitlement discovery, and common mistakes in cloud IAM.

Guests:  Dominik Richter, the founder and head of product at Mondoo Cooked questions: What is a policy, is that the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail?  We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud? Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now? Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams? How do organizations grow into safely rolling out new policy as code code?  You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance"  and this problem has been unsolved for as long as the cloud existed. Will your toolset change this?  There are other frameworks that exist for security testing like HashiCorp’s sentinel, Open Policy Agent, etc and you are proposing a new one with MQL. Why do we need another security framework? What are some of the success metrics when adopting  Policy as Code?  Resources: Live video (LinkedIn, YouTube) “Why Infrastructure as Code Is Setting You up to Make Bad Things Faster” blog

Guest: David Swift, Security Strategist at Netenrich Topics: Which old Security Information and Event Management (SIEM) lessons apply today? Which old SIEM lessons absolutely do not apply today and will harm you? What are the benefits and costs of SIEM in 2023? What are the top cloud security use cases for SIEM in 2023? What are your favorite challenges with SIEM in 2023 special in the cloud? Are they different from, say, 2013 or perhaps 2003? Do you think SIEM can ever die?   Resources: Live video (LinkedIn, YouTube) “Debating SIEM in 2023, Part 1” and  “Debating SIEM in 2023, Part 2” blogs “Detection as Code? No, Detection as COOKING!” blog “A Process for Continuous Security Improvement Using Log Analysis” (old but good) “UEBA, It's Just a Use Case” blog “Situational Awareness Is Key to Faster, Better Threat Detection” blog and other SIEM reading MITRE 15 detection techniques paper