

Cloud Security Podcast by Google
Anton Chuvakin
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure.
We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit.
We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.

Nov 5, 2023 • 24min
EP146 AI Security: Solving the Problems of the AI Era: A VC's Insights
Guest: Wei Lien Dang, GP at Unusual Ventures
Topics: We have a view at Google that AI for security and security for AI are largely separable disciplines. Do you feel the same way? Is this distinction a useful one for you? What are some of the security problems you're hearing from AI companies that are worth solving? AI is obviously hot, and as always security is chasing the hotness. Where are we seeing the focus of market attention for AI security? Does this feel like an area that's going to have real full products or just a series of features developed by early stage companies that get acquired and rolled up into other orgs? What lessons can we draw on from previous platform shifts, e.g. cloud security, to inform how this market will evolve?
Resources: “What to think about when you’re thinking about securing AI” blog / paper; EP135 AI and Security: The Good, the Bad, and the Magical; EP136 Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?; EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models; Introducing Google’s Secure AI Framework; OWASP Top 10 for Large Language Model Applications; Unusual VC Startup Field Guide; Demystifying LLMs and Threats by Caleb Sima

Oct 29, 2023 • 21min
EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith?
Guest: Jay Thoden van Velzen, Strategic Advisor to the CSO, SAP
Topics: What are the challenges with shared responsibility for cloud security? Can you explain "shared" vs "separated" responsibility? In your article, you mention “shared faith”, we have “shared fate”, but we never heard of shared faith. What is this? Can you explain? What about the cloud models (SaaS, PaaS, IaaS), how does this sharing model differ? While at it, what is cloud, really? [yes, we really did ask this!]
Resources: LinkedIn post and Blog; EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge; “Security Chaos Engineering” book; Shared responsibility failures blog; Shared fate at Google Cloud (also see blogs one and two); National Cyber Security strategy

Oct 23, 2023 • 29min
EP144 LLMs: A Double-Edged Sword for Cloud Security? Weighing the Benefits and Risks of Large Language Models
Kathryn Shih, Group Product Manager in Google Cloud Security, discusses the capabilities and risks of Large Language Models (LLMs). Topics covered include understanding LLMs, their association with intelligence, risks of model tuning, data access control, and security considerations. The podcast provides insights into the nuances and challenges of working with LLMs and offers tips for improving outcomes with them.

Oct 16, 2023 • 26min
EP143 Cloud Security Remediation: The Biggest Headache?
In this episode, Tomer Schwartz, CTO at Dazz, discusses the challenges of cloud security remediation, including detecting vulnerabilities, overcoming process breakdowns, and addressing automation. The chapter topics cover difficulties in vulnerability management, patching containers, and the need for alignment between security and development teams.

Oct 9, 2023 • 33min
EP142 Cloud Security Podcast Ask Me Anything #AMA 2023
Guests Anton Chuvakin and Tim Peacock discuss their journeys into security, the '3am test' for effective alerts, sourcing topics for the podcast, and hopes for the future of security.

Oct 2, 2023 • 25min
EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?
Jeremiah Kung, Global Head of Information Security at AppLovin, discusses East vs West CISO mentality and the cloud's impact on security. He shares lessons from cloud migrations in 2015 and offers advice for securing clouds in 2023. Kung also provides tips for building a collaborative mindset and transforming an outdated security technology stack.

Sep 25, 2023 • 27min
EP140 System Hardening at Google Scale: New Challenges, New Solutions
Guest: Andrew Hoying, Senior Security Engineering Manager @ Google
Topics: What is different about system hardening today vs 20 years ago? Also, what is special about hardening systems at Google's massive scale? Can I just apply CIS templates and be done with it? Part of hardening has to be following up with developers after they have un-hardened things – how do we operationalize that at scale without getting too much in the way of productivity? A part of hardening has got to be responding to new regulation and compliance regimes, how do you incorporate new controls and stay responsive to the changing world around us? Are there cases where we have taken lessons from hardening at scale and converted those into product improvements? What metrics do you track to keep your teams moving, and what metrics do your leads look at to understand how you’re doing? [Spoiler: the answer here is VERY fun!]
Resources: “Why Shared Fate is a Better Way to Manage Cloud Risk” article (and this too); CIS for GCP; GCP IAM Deny; CloudSecList by Marco Lancini

Sep 18, 2023 • 24min
EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations
The podcast discusses Chronicle, the Mandiant acquisition, and the balance between products and practices in security operations. They explore leveraging expertise for Chronicle's market position and offer advice for security professionals transitioning into product management.

Sep 11, 2023 • 30min
EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud
Guest Rosemary Wang, Developer Advocate at HashiCorp, discusses using Terraform for security automation, applying security best practices, and the relationship between Terraform and policy as code. She also shares tips for getting started and recommendations for enhancing the security journey with Terraform.

Sep 5, 2023 • 24min
EP137 Next 2023 Special: Conference Recap - AI, Cloud, Security, Magical Hallway Conversations
Guests: no guests, all banter, all very fun :-)
Topics: How is Google Next this year? What is new in cloud security? Is Google finally a security vendor? What are some of the fun security presentations we've seen, including our own? Any impactful launches in security? What was the most interesting overall?
Resources: “Next 2023 Special: Building AI-powered Security Tools - How Do We Do It?” (ep136); “RSA 2023 - What We Saw, What We Learned, and What We're Excited About” (ep119); “Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?” (ep67); “Detecting, investigating, and responding to threats in your Google Cloud environment” at Cloud Next 2023 by Anton; “Prevent cloud compromises: Learn how Uber discovers cyber risks and remediates threats” at Cloud Next 2023 by Tim; “Generative AI for defenders with Sec-PaLM 2 and Duet AI” at Cloud Next 2023 by Eric Doerr (his episode); “A blueprint for modern security operations” at Cloud Next 2023 by our future guest, Chris…; Kevin Mandia at Next keynote (start at 1:15:00); “New AI capabilities that can help address your security challenges” blog