Cloud Security Podcast by Google

Anton Chuvakin
Jun 14, 2021 • 32min

More Cloud Migration Security Lessons

Guests: Jane Chung, VP of Cloud @ Palo Alto; Joe Crawford, Director of Strategic Technology Partnerships for Google Cloud @ Palo Alto
Topics: What are the top security mistakes you’ve seen during cloud migrations? What is your best advice to security leaders who want to go to the cloud using the on-premise playbook? What security technologies may no longer be needed in the cloud? Which are transformed by the cloud? Cloud often implies agility, but sometimes security slows things down, how to fix that? How do security needs change based on adoption architecture (cloud, hybrid with on-premise, multi-cloud, multi-cloud with on-premise)? From a security perspective, is there really any such thing as “lift and shift”? How do we teach cloud to security leaders who “grew up” on-premise?
Resources: Use “Move and Improve” Instead of “Lift and Shift”; “Data Security in the Cloud” (Episode 2); “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age” book; CSA CCM v4
Jun 7, 2021 • 24min

Modern Threat Detection at Google

Guest: Julien Vehent, Security Engineering Manager in the Detection and Response team @ Google
Topics: What is special about detecting modern threats in modern environments? How does the Google team turn the knowledge of threats into detection logic? Run through an example of creating a detection for a new threat? How do we test our detection rules? We use the same people to write detections and to respond to resulting alerts, how is it working? What are the key skills of good security analysts to build cloud threat detection?
Resources: “Site Reliability Engineering” book (free); “Building Secure & Reliable Systems” book (free); “Securing DevOps” by our very guest Julien Vehent
Jun 1, 2021 • 28min

Modern Data Security Approaches: Is Cloud More Secure?

Guest: Tim Dierks, Engineering Director, Data Protection @ Google Cloud
Topics: What are the key components of data security in the public cloud today? Why do companies need specific data security plans and products? Do you think Google Cloud today has enough controls for processing the most sensitive data? Many organizations seem to be unaware of where sensitive data exists in their cloud environments, how do you think this problem will be fixed? What is your view on encryption's role in future cloud security? Do organizations mostly encrypt for security or for compliance? How do we help companies navigate the tradeoffs between complying with nation-state regulations and best practices for availability? I hear you are involved with some interesting key management innovations like HYOK via Cloud EKM, why do these matter for clients today?
Resources: Forrester report “The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021”; “New whitepaper: Designing and deploying a data security strategy with Google Cloud”; “Hold your own key with Google Cloud External Key Manager”; “Building Secure and Resilient Systems” book (free)
May 24, 2021 • 21min

Scaling Google Kubernetes Engine Security

Guest: Greg Castle, Senior Staff Security Engineer at Google
Topics: How is Kubernetes security different from traditional host security? What’s different about securing GKE vs securing Kubernetes on-prem? Where does one start with security hardening for GKE? In your view, what are top realistic threats to container deployments? What do users get wrong most often? Did we manage to make containers both more secure and more usable?
May 19, 2021 • 20min

Making Compliance Cloud-native

Guest: Zeal Somani, Security Solutions Manager @ Google Cloud, former PCI QSA
Topics: What are the usable recipes for thinking about compliance in the cloud? What regulations are more challenging for public cloud users? How do you see the client/provider responsibility split for compliance? What is this “shift left” for compliance? How do we educate auditors and regulators who insist on 1980s solutions to 2020s problems? What are the most popular mistakes and blind spots with trying to be compliant in the cloud?
Resources: Whitepaper “Risk governance of digital transformation: guide for risk, compliance & audit teams”
May 10, 2021 • 25min

Application Security in the Cloud

Guest: Alyssa Miller, BISO @ S&P Global Ratings
Topics: How do application security practices change as organizations launch their cloud transformations? What bad things happen to you if you lift/shift your big applications to somebody's IaaS? What unique challenges do containers and serverless deployments create for application security? Is there good news here? How can cloud native technologies make application security easier than a traditional on-prem environment? What can organizations do to ensure the security of cloud-based SaaS solutions? How do DevOps and CI/CD impact the ability to secure cloud-based applications? What is your advice to security leaders who still want to practice appsec for cloud apps in the same manner as they did it for on-premise, the old way? What follow-up reading do you recommend on preparing for an application migration to Cloud?
Resources: Cloud security trainings DevOps.com
May 3, 2021 • 20min

Threat Models and Cloud Security

Guest: Seth Vargo, Security Engineer @ Google Cloud
Topics: How should security teams change their thinking about threats in the cloud? Where and when should an organization start in building their threat model for their cloud environment? What are the key changes of threat models after cloud migration? More specifically, when it comes to identity, credentials, lateral movement, what are the key ways in which cloud security differs from traditional or on-premises security? How should users who are leading the cloud migration help their colleagues think about security in the cloud? When am I "done" with cloud security planning?
Apr 26, 2021 • 21min

Preparing for Cloud Migrations from a CISO Perspective, Part 2

Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud; Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud
Topics: To continue on the theme from Part 1, is “cloud-native” about thinking? Security tools? Systems? Architecture? How do we practically help CISOs “speak cloud”? What are the first steps to cloud thinking for an “on-premise CISO”? What are the areas of security where it is easier to become a cloud-native? How do you see a CISO transition journey from the on-premise thinking and technologies to cloud thinking and technology? How are CISOs thinking about third party security controls vs native, cloud provider security controls?
Resources: “Preparing for Cloud Migrations from a CISO Perspective, Part 1”; “CISO’s guide to Cloud Security Transformation”
Apr 19, 2021 • 25min

SIEM Modernization? Is That a Thing?

Guest: Eric Foster, President at CYDERES, a Fishtech Group company
Topics: How do you define “modern” SIEM? Does modern SIEM always imply SaaS SIEM? Is there a future for on-premises SIEM? What are your top 3 root causes for SIEM deployment failure today? Modern or not, does SIEM have a future? Can XDR or some other technology drive it off the rails? What features or inputs should SIEM have to detect modern threats such as those to cloud environments but also others? What’s different about threat detection in Cloud? What is your view of the current frenzy about “AI”/ML for security?
Resources: “Cyderes CNAP Makes SIEM Modernization a Snap”
Apr 12, 2021 • 28min

Building a Third Party Platform for Cloud Security

Guest: Avi Shua, CEO and Co-founder @ Orca Security
Topics: Where do you spend more efforts, on detection of pre-fail issues (like configuration errors) or post-fail issues (like incidents)? How do you prioritize the preventative and detective controls in your platform? When talking to CISOs, how do you explain that cloud threat detection is different from the on-premise type? In your opinion, are agents dead in the cloud? Do you think your customers care more about cloud-specific threats or traditional threats against cloud assets? How do you think about the tradeoff for security teams between using cloud native controls vs a 3rd party vendor like, say, you?
Resources: “The Orca Security 2020 State of Public Cloud Security Report”
