
Cloud Security Podcast by Google

Latest episodes

Sep 25, 2023 • 27min

EP140 System Hardening at Google Scale: New Challenges, New Solutions

Guest: Andrew Hoying, Senior Security Engineering Manager @ Google

Topics: What is different about system hardening today vs 20 years ago? Also, what is special about hardening systems at Google's massive scale? Can I just apply CIS templates and be done with it? Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity? A part of hardening has got to be responding to new regulation and compliance regimes, how do you incorporate new controls and stay responsive to the changing world around us? Are there cases where we have taken lessons from hardening at scale and converted those into product improvements? What metrics do you track to keep your teams moving, and what metrics do your leads look at to understand how you’re doing? [Spoiler: the answer here is VERY fun!]

Resources: “Why Shared Fate is a Better Way to Manage Cloud Risk” article (and this too); CIS for GCP; GCP IAM Deny; CloudSecList by Marco Lancini
Sep 18, 2023 • 24min

EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations

The podcast discusses Chronicle, the Mandiant acquisition, and the balance between products and practices in security operations. They explore leveraging expertise for Chronicle's market position and offer advice for security professionals transitioning into product management.
Sep 11, 2023 • 30min

EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud

Guest Rosemary Wang, Developer Advocate at HashiCorp, discusses using Terraform for security automation, applying security best practices, and the relationship between Terraform and policy as code. Tips for getting started and recommendations for enhancing your security journey with Terraform are also shared.
Sep 5, 2023 • 24min

EP137 Next 2023 Special: Conference Recap - AI, Cloud, Security, Magical Hallway Conversations

Guests: no guests, all banter, all very fun :-)

Topics: How is Google Next this year? What is new in cloud security? Is Google finally a security vendor? What are some of the fun security presentations we've seen, including our own? Any impactful launches in security? What was the most interesting overall?

Resources: “Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?” (ep136); “RSA 2023 - What We Saw, What We Learned, and What We're Excited About” (ep119); “Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?” (ep67); “Detecting, investigating, and responding to threats in your Google Cloud environment” at Cloud Next 2023 by Anton; “Prevent cloud compromises: Learn how Uber discovers cyber risks and remediates threats” at Cloud Next 2023 by Tim; “Generative AI for defenders with Sec-PaLM 2 and Duet AI” at Cloud Next 2023 by Eric Doerr (his episode); “A blueprint for modern security operations” at Cloud Next 2023 by our future guest, Chris…; Kevin Mandia at Next keynote (start at 1:15:00); “New AI capabilities that can help address your security challenges” blog
Aug 28, 2023 • 22min

EP136 Next 2023 Special: Building AI-powered Security Tools - How We Do It?

Eric Doerr, VP of Engineering at Google Cloud Security, discusses the exciting prospects of using AI for security and trusting AI in the business context. They also explore threat modeling AI systems and the worst security use cases for GenAI. Teaching AI security and the surprising challenges involved are also covered.
Aug 21, 2023 • 26min

EP135 AI and Security: The Good, the Bad, and the Magical

Phil Venables, Google Cloud's Chief Information Security Officer, discusses the game-changing potential of AI in cybersecurity. Topics include the impact of AI and machine learning on security, the use of generative AI to enhance productivity and secure software development, and the asymmetry between attackers and defenders in AI systems. The concept of shared fate in securing AI and the intersection of AI, security, and board governance are also explored.
Aug 14, 2023 • 26min

EP134 How to Prioritize UX and Security in the Cloud: UX as a Security Capability

Guest: Steph Hay, Director of UX, Google Cloud Security

Topics: The importance of User Experience (UX) in security is so obvious – though it isn’t to a lot of people! Could we talk about the importance of UX in security? UX and security in general have an uneasy relationship, and security is harmed by bad UX, it also feels like bad UX can be a security issue. What is your take on this? How do you think about prioritizing your team’s time between day zero vs day n experiences for users of security tools? Some say that cloud security should be invisible, but does this mean no UX at all? What are the intersections between UX for security and invisible security? Can you think of what single UX change in Cloud Security’s portfolio made the biggest impact to actual security outcomes? We have this new tool/approach for planning called Jobs To Be Done (JTBD) - give us the value, and the history? In the world of JTBD planning, what gets better?

Resources: JTBD Framework; GCP IAM Recommender; reCAPTCHA Enterprise
Aug 7, 2023 • 36min

EP133 The Shared Problem of Alerting: More SRE Lessons for Security

Guests: Steve McGhee, Reliability Advocate at Google Cloud; Aron Eidelman, Developer Relations Engineer at Google Cloud

Topics: What is the shared problem for SRE and security when it comes to alerting? Why is there reluctance to reduce noise? How do SREs, security practitioners, and other stakeholders define “incident” and “risk”? How does involving an “adversary” change the way people think about an incident, even if the impact is identical? Which SRE alerting lessons do NOT apply at all for security?

Resources: Video (LinkedIn, YouTube); “Deploy Security Capabilities at Scale: SRE Explains How” (ep85); Steve's talk about probability and SLO math at SLOconf; Why Focus on Symptoms, Not Causes?; Learning from incidents (LFI) science; How to measure anything in cyber security risk book; Security chaos engineering book; The SRS Book Ch 1; The SRE book Ch 4
Jul 31, 2023 • 36min

EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge

Kelly Shortridge, Senior Principal Engineer at Fastly, discusses the concept of Security Chaos Engineering and its intersection with cloud security. She talks about how chaos engineering can improve software resilience and security alerting. Kelly shares her favorite chaos engineering experiment and how it can break organizations out of their 1990s thinking. The podcast also explores the importance of understanding threat models, iterative approaches to software resilience, and learning from failures.
Jul 24, 2023 • 26min

EP131 A Deep Dive into Google's Assured OSS: How Google Secures the Software You Use

Guests: Himanshu Khurana, Engineering Manager, Google Cloud; Rahul Gupta, Product Manager for Assured OSS, Google Cloud

Topics: For the software you’re supporting in Assured Open Source your team discovered 50% of the CVEs reported in them this year. How did that happen? So what is Assured Open Source? Do we really guarantee its security? What does “guarantee” here mean? What’re users actually paying for here? What’s the Google magic here and why are we doing this? Do we really audit all code and fuzz for security issues? What’s a supply chain attack and then we’ll talk about how this is plugging into those gaps?

Resources: Assured Open Source Software page; “SBOMs: A Step Towards a More Secure Software Supply Chain” (ep116); “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24); SLSA.dev blog; Open Source Security Podcast; Mandiant M-Trends 2023
