Cloud Security Podcast by Google

Anton Chuvakin
Apr 1, 2024 • 30min

EP166 Workload Identity, Zero Trust and SPIFFE (Also Turtles!)

Guests Evan Gilman and Eli Nesterov discuss workload identity, zero trust, and SPIFFE in a lively podcast. They delve into the challenges faced by large organizations, the benefits of adopting modern security paradigms like SPIFFE, and the importance of reimagining traditional technologies for cloud environments. The conversation also touches on the concept of 'solving the bottom turtle' in workload identity and security.
Mar 25, 2024 • 25min

EP165 Your Cloud Is Not a Pet - Decoding 'Shifting Left' for Cloud Security

Ahmad Robinson, Cloud Security Architect at Google, discusses 'Pets vs Cattle' mentality in cloud operations, shifting left in cloud security, and the confusion around Policy as Code. He emphasizes the importance of scalability, standardization, and collaboration among teams for efficient security practices.
Mar 18, 2024 • 31min

EP164 Quantum Computing: Understanding the (very serious) Threat and Post-Quantum Cryptography

Exploring the looming threats of quantum computing on cryptography, the podcast delves into the urgency of adopting post-quantum algorithms. NIST standards, skepticism vs. reality in quantum computing, and proactive data safeguarding measures are discussed. The importance of discerning truth from hype and practical tips on post-quantum cryptography are highlighted.
Mar 11, 2024 • 26min

EP163 Cloud Security Megatrends: Myths, Realities, Contentious Debates and Of Course AI

Exploring cloud security megatrends with a focus on AI integration, governance, and AI for security. Discussing the contentious nature of certain megatrends, the simplicity of cloud over on-premise IT, and the role of AI in enhancing security practices. Delving into questions CISOs should be asking about AI and the transformative potential of AI in improving data governance and scalability.
Mar 4, 2024 • 28min

EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

Explore the complexities of IAM in cloud security with expert Kat Traxler. Discuss why people still struggle with IAM mistakes, resource hierarchy, and management. Learn about the importance of assigning roles at the lowest resource-level possible and how the 'big 3' got it wrong.
Feb 26, 2024 • 28min

EP161 Cloud Compliance: A Lawyer - Turned Technologist! - Perspective on Navigating the Cloud

Guest: Victoria Geronimo, Cloud Security Architect, Google Cloud

Topics:
You work with technical folks at the intersection of compliance, security, and cloud. So what do you do, and where do you find the biggest challenges in communicating across those boundaries?
How does cloud make compliance easier? Does it ever make compliance harder?
What is your best advice to organizations that approach cloud compliance as they did for the 1990s data centers and classic IT?
What has been the most surprising compliance challenge you’ve helped teams debug in your time here?
You also work on standards development – can you tell us about how you got into that and what’s been surprising in that for you?
We often say on this show that an organization’s ability to threat model is only as good as their team’s perspectives are diverse: how has your background shaped your work here?

Resources:
Video (YouTube)
EP14 Making Compliance Cloud-native
EP25 Beyond Compliance: Cloud Security in Europe
Fordham University Law and Technology site
IAPP site
Feb 19, 2024 • 28min

EP160 Don't Cloud Your Judgement: Security and Cloud Migration, Again!

Guest: Merritt Baer, Field CTO, Lacework, ex-AWS, ex-USG

Topics:
How can organizations ensure that their security posture is maintained or improved during a cloud migration? Is cloud migration a risk reduction move?
What are some of the common security challenges that organizations face during a cloud migration?
Are there different gotchas between the three public clouds?
What advice would you give to those security leaders who insist on lift/shift or on lift/shift first?
How should security and compliance teams approach their engineering and DevOps colleagues to make sure things are starting on the right foot?
In your view, what is the essence of a cloud-native approach to security?
How can organizations ensure that their security posture scales as their cloud usage grows?

Resources:
Video (LinkedIn, YouTube)
EP69 Cloud Threats and How to Observe Them
EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud
EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?
9 Megatrends drive cloud adoption—and improve security for all
Darknet Diaries podcast
Feb 12, 2024 • 26min

EP159 Workspace Security: Built for the Modern Threat. But How?

Guests:
Emre Kanlikilicer, Senior Engineering Manager @ Google
Sophia Gu, Engineering Manager at Google

Topics:
Workspace makes the claim that unlike other productivity suites available today, it’s architectured for the modern threat landscape. That’s a big claim! What gives Google the ability to make this claim?
Workspace environments would have many different types of data, some very sensitive. What are some of the common challenges with controlling access to data and protecting data in hybrid work?
What are some of the common mistakes you see customers making with Workspace security?
What are some of the ways context aware access and DLP (now SDP) help with this?
What are the cool future plans for DLP and CAA?

Resources:
Google Workspace blog & Workspace Update blog
EP99 Google Workspace Security: from Threats to Zero Trust
CISA Zero Trust Maturity Model 2.0
Feb 5, 2024 • 22min

EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

Jason Solomon, Security Engineer at Google, discusses the challenges of cloud forensics, including establishing a chain of custody and knowing when to call for help. He shares advice for security leaders on how to prepare for incidents and highlights recommended reading for cloud forensics.
Jan 29, 2024 • 25min

EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud

Guest: Arie Zilberstein, CEO and Co-Founder at Gem Security

Topics:
How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?
What are the key challenges of cloud detection and response?
Often we lift and shift our teams to Cloud, and not always for bad reasons, so what’s your advice on how to teach the old dogs new tricks: “on-premise-trained” D&R teams and cloud D&R?
What is this new CIRA thing that Gartner just cooked up?
Should CIRA exist as a separate market or technology or is this just a slice of CDR or even SIEM perhaps?
What do you tell people who say that “SIEM is their CDR”?
What are the key roles and responsibilities of the CDR team?
How is the cloud D&R process related to DevOps and cloud-style IT processes?

Resources:
Video version of this episode
Cloud breaches databases
EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?
EP103 Security Incident Response and Public Cloud - Exploring with Mandiant
EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?
9 Megatrends drive cloud adoption—and improve security for all
“Emerging Tech: Security — Cloud Investigation and Response Automation (CIRA) Offers Transformation Opportunities” (Gartner access required)
“Does the World Need Cloud Detection and Response (CDR)?” blog