Cloud Security Podcast

Cloud Security Podcast -  This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the third episode in this series, we spoke to Liz Rice ( Liz's Linkedin⁠). Liz Rice from Isovalent speaks about how Network Security can be done in Kubernetes. Kubernetes network security with eBPF, Cilium can be raised to be better than selinux seccomp tcpdump - yes the linux networking security tools. Yes you read that right. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: ⁠⁠⁠⁠www.cloudsecuritypodcast.tv⁠⁠⁠⁠ FREE CLOUD BOOTCAMPs on ⁠⁠⁠⁠www.cloudsecuritybootcamp.com⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠) Guest Socials: Andrew Martin (⁠⁠Andrew's Linkedin⁠⁠) Podcast Twitter - ⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠ ⁠⁠⁠⁠@CloudSecureNews⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠Cloud Security News ⁠⁠⁠⁠ - ⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠ Spotify TimeStamp for Interview Questions (00:00) Introduction (00:15) A word from our sponsor snyk.io/csp (03:36) A bit about Liz Rice (04:36) Liz's path into Cloud Native (06:22) What is EBPF? (08:12) Use case for EBPF in on premise (10:37) SC Linux and EBPF (11:28) Why we are solving this now with Kubernetes? (13:22) EBPF in managed vs unmanaged Kubernetes? (15:37) Implementation of EBPF (17:38) Access Management and Network Security (21:02) Challenges with multi cluster Kubernetes deployment (24:03) Key management in multi cluster (25:11) Current gaps in Kubernetes security (27:41) Developer first in the cloud native space (32:47) The future of EBPF (34:36) Where can you learn more about EBPF (36:25) The fun questions See you at the next episode!

Cloud Security Podcast -  This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the second episode in this series, we spoke to Andrew Martin (Andrew's Linkedin). Kubernetes Security Best practices built using the OWASP Top 10 for Kubernetes is not enough to deal with new and unknown attack vectors for your Kubernetes deployment. In this episode we have Andrew Martin on how you can deal with Kubernetes attack vectors including supply chain issues. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: ⁠⁠⁠www.cloudsecuritypodcast.tv⁠⁠⁠ FREE CLOUD BOOTCAMPs on ⁠⁠⁠www.cloudsecuritybootcamp.com⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠@hashishrajan⁠⁠⁠) Guest Socials: Andrew Martin (⁠Andrew's Linkedin⁠) Podcast Twitter - ⁠⁠⁠@CloudSecPod⁠⁠⁠ ⁠⁠⁠@CloudSecureNews⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠Cloud Security News ⁠⁠⁠ - ⁠⁠⁠Cloud Security BootCamp⁠⁠⁠ Spotify TimeStamp for Interview Questions (00:00) Introduction (00:15) A word from our sponsors - head over to snyk.io/csp to find out more (02:50) A bit about Andrew Martin (03:33) What is cloud native security? (06:31) What is Kubernetes Security? (10:23) Kubernetes Security vs Cloud Native Security (11:52) Why is Kubernetes so popular? (16:20) What are the components of Kubernetes security? (21:43) Container security in Kubernetes landscape (26:34) Common attack vectors for Kubernetes (32:16) Impact of cloud in attack vectors (35:38) Managed Kubernetes (38:13) Rationale for using multi cluster (41:11) Should everyone use Kubernetes? (44:18) Is Serverless still relevant ? (47:38) Where can people learn about Kubernetes security? (53:01) The fun questions See you at the next episode!

Cloud Security Podcast -  This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the first episode in this series, we spoke to Kirsten Newcomer (Kirsten's Linkedin). Kirsten Newcomer from Red Hat has been championing Kubernetes security and the role DevSecOps will play in helping improve security for Kubernetes implementations. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: ⁠⁠www.cloudsecuritypodcast.tv⁠⁠ FREE CLOUD BOOTCAMPs on ⁠⁠www.cloudsecuritybootcamp.com⁠⁠ Host Twitter: Ashish Rajan (⁠⁠@hashishrajan⁠⁠) Guest Socials: Kirsten Newcomer (⁠Kirsten's Linkedin⁠) Podcast Twitter - ⁠⁠@CloudSecPod⁠⁠ ⁠⁠@CloudSecureNews⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠Cloud Security News ⁠⁠ - ⁠⁠Cloud Security BootCamp⁠⁠ Spotify TimeStamp for Interview Questions (00:00) Introduction (02:42) Word from our sponsors about Snyk Launch - find out more at snyk.io/events/snyklaunch (03:08) A bit about Kristen Newcomer (04:13) How has Kubernetes security evolved ? (06:57) Is Kubernetes still popular? (07:45) Why is Kubernetes still popular? (0:58) Challenges with security Kubernetes (15:35) How to work effectively with Kubernetes (18:50) Adoption of IaC for security (24:30) Maturity of Kubernetes Security (29:24) Challenges with auditing Kubernetes (31:55) How to approach Kubernetes security? (35:08) Zero Trust and Kubernetes (39:01) Is SBOM bringing more attention to Kubernetes? (42:51) Where do people start with Kubernetes? (45:41) Managed vs unmanaged Kubernetes? (47:05) How you can reach out to Kristen! See you at the next episode!

Cloud Security Podcast -  This month we are talking about "Cloud Security - the Leadership View" and for the final episode in this series, we spoke to Guy Podjarny ( GuyPo's Linkedin). If you are working on building or securing Cloud resources, can you truly imagine solving the next log4j or AWS/Azure/GCP vulnerability without including the help of Platform Engineers or IT engineers? This is the bigger picture of what we CyberSecurity people have to do day in day out. We work with wider team members Episode ShowNotes, Links and Transcript on Cloud Security Podcast: ⁠www.cloudsecuritypodcast.tv⁠ FREE CLOUD BOOTCAMPs on ⁠www.cloudsecuritybootcamp.com⁠ Host Twitter: Ashish Rajan (⁠@hashishrajan⁠) Guest Socials: Guy Podjarny ( ⁠GuyPo's Linkedin⁠) Podcast Twitter - ⁠@CloudSecPod⁠ ⁠@CloudSecureNews⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠Cloud Security News ⁠ - ⁠Cloud Security BootCamp⁠ Spotify TimeStamp for Interview Questions A word from our sponsors - you can visit them on ⁠snyk.io/csp⁠ (00:00) Introduction (03:49) A bit about Guy Podjarny (04:51) What is DevSecOps today? (07:15) 3 Phases of DevSecOps (07:44) DevSecOps vs ShiftLeft (09:15) The maturity of DevSecOps (11:52) The notion of start left (13:36) Threat modelling and developers (14:38) What is Cloud Security? (16:03) The notion of App Cloud (17:43) Gartner acronyms and cloud security (22:21) Security champion program in cloud (28:33) Future of IaaS, PaaS and SaaS (32:22) Challenges with Security Championship Program (42:19) Generative AI and DevSecOps in Cloud (47:45) Fun Questions See you at the next episode!

Cloud Security Podcast -  This month we are talking about "Cloud Security - the Leadership View" and this week in this series, we spoke to Larry Whiteside Jr ( Larry's Linkedin ) If you are working on building a CyberSecurity Program in 2023 with Cloud in mind then this episode with Larry who shared his approach to building a CyberSecurity program along with war stories of implementing CyberSecurity in an on-premise world is the episode you need to hear. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Larry Whiteside Jr ( Larry's Linkedin ) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (02:50) A word from our sponsors - you can visit them on snyk.io/csp (04:05) Larry talks about his 1st CISO role (06:01) Cybersecurity Programs in a Pre Cloud World (09:07) What were the challenges for CISOs in the past? (11:05) Cybersecurity Program in 2023 (14:01) There was no NIST CFA (14:59) Why frameworks are important (16:59) What is a cybersecurity program? (21:32) Components of cybersecurity program (23:02) Has cloud changed things? (30:01) The value of certifications (33:14) GRC Automation and Shift Left (42:53) The auditor's perspective (44:50) Does GRC need to know coding? (49:07) Cloud Security Program Playbook (52:52) The Fun Section See you at the next episode!

Cloud Security Podcast -  This month we are talking about "Cloud Security - the Leadership View" and first up on this series, we spoke to Bianca Lankford (Bianca's Linkedin) about what does it take to build a Cloud Security program that runs behind your favourite TV Show on an OTT Media Platform like Warner Brother Discovery Cloud . In this episode Bianca Lankford, from Warner Brother Discovery, share her experience on building Cloud Security Program and the importance of developers in the solving the Cloud Security challenge. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials:  Bianca Lankford (Bianca's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (03:06) snyk.io/csp (03:45) A bit about Bianca (04:27) Challenge of Scale in Media Industry (06:38) Cloud based security program vs on prem (08:04) How cloud security can enable businesses (11:11) Cloud Security Program in Media Industry (13:45) Getting leadership buy in for cloud security program (17:05) Explaining cloud security as a business risk (18:33) Pillars of cloud security program at scale (20:12) Multi Cloud Security Program (20:52) Skills required for multi cloud security team (22:25) The future of application security and cloud security (24:01) Metrics of operationalising cloud security program at scale (25:32) Time to detection in Cloud (26:32) Navigating cloud security program through changing compute (28:09) Security guardrails vs security gate (30:53) Stages for a cloud security program (32:35) The Fun Section See you at the next episode!

Cloud Security Podcast -  This month we are talking about "Building on the AWS Cloud" and next up on this series, we spoke to Chad Lorenc (Chad's Linkedin) about AWS Security Reference Architecture, Cloud Adoption Framework & Security Maturity Model are 3 ways to level up the maturity you have in Cloud . In this episode Chad Lorenc, from AWS shared lessons and talk about How AWS Customers can prepare to use 3 models to Crawl, Walk & Run their security practice. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:   Chad Lorenc (Chad's Linkedin)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (03:35) A word from our sponsors - check them out at snyk.io/csp (03:51) A bit about Chad (05:38) How things are different in the Cloud (07:59) The Maturity framework of AWS (11:20) How maturity scales in AWS (13:17) Anti-Patterns when building maturity in Cloud (15:35) Framework examples on how to build maturity models (19:27) Mapping maturity models to business objectives (20:19) The role of cloud native tools (26:23) Patterns in AWS to watch out for (28:38) Challenges for security leaders trying to get into cloud (35:07) Foundational pieces for building maturity in AWS (37:50) How to implement AWS Control tower? (43:09) Give developers more freedom in cloud (47:34) Benchmark scales for security maturity (51:27) Resources to help you build your own maturity roadmap See you at the next episode!

Cloud Security Podcast -  This month we are talking about "Building on the AWS Cloud" and next up on this series, we spoke to Patrick Sanders (Patrick's Linkedin) & Jospeh Kjar (Joseph's Linkedin), Snr Cloud Security Engineer at Netflix on what does it take to reimagine multi-account deployments gave them both security and speed. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Patrick Sanders (Patrick's Linkedin) & Jospeh Kjar (Joseph's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (03:06) snyk.io/csp (03:41) A bit about how Patrick and Joseph got into the Cloud Space (06:00) Building blocks of scalable AWS infrastructure (09:14) Should there be a seperate account for forensics (12:44) Diff AWS Org for dev and prod? (13:45) How to ensure dedicated IR account is secure? (15:10) 1st step to building a new startup in AWS (17:39) Should non prod and prod accounts be seperate? (21:29) How do you ensure visibility into your AWS organisation? (25:04) Integrate FIM into AWS (26:29) Layers for a multi account strategy (28:23) Challenges from going from one account to multi account (34:03) Bringing identity to the application (38:25) The importance of IMDS (42:07) The security benefit of using IMDS (45:34) Managed identity in AWS (46:40) Why developer experience is important? (49:49) What do cloud security engineers do ? (53:05) Where you can find Joseph and Patrick? See you at the next episode!

Cloud Security Podcast -  This month we are talking about "Building on the AWS Cloud" and next up on this series, we spoke to Alexis Robinson (Alexis's Linkeidn), Senior Manager, Regulatory Compliance at AWS. FEDRAMP AWS environment can be made easy with the right security assessment framework for your organization. Alexis  shared lessons and talk about How AWS Customers can prepare to increase their chances of getting FedRamp certified. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Alexis Robinson (Alexis's Linkeidn) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security BootCamp Spotify TimeStamp for Interview Questions (00:00) Introduction (05:35) A bit about Alexis (08:20) What is FedRAMP and why people care about it? (11:05) Scope of companies included in FedRAMP? (13:12) Zero Trust Architecture and FedRAMP (14:07) The concept of Controlled Inheritance (15:43) Working with Authorising Officials (16:44) Working with Security Control Officers (17:46) AO Checklist to full compliance (20:42) Conflicts in FedRAMP (25:59) Common pitfalls to avoid on FedRAMP Journey (31:38) The anti-patterns in getting FedRAMP Compliant (35:34) FedRAMP is not just GovCloud (38:12) Requirements with FedRAMP (39:48) Where do people fall short with FedRAMP? (41:26) How to make FedRAMP more developer friendly? (44:17) How is FedRAMP different for Govcloud? (47:21) What skillsets do you require in a team for FedRAMP? (49:07) How to learn about FedRAMP (53:09) Fun Questions See you at the next episode!

Cloud Security Podcast -  This month we are talking about "Building on the AWS Cloud" and next up on this series, we spoke to Mrunal Shah (Mrunal's Linkedin), Head of Container Security at Warner Bros. Discovery. We talk about how to build a Container or K8s security program while best practices are maintained and team have the right capability and tools. 4 Cs - Cloud, Container & Cluster, Code can be foundational to this Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Mrunal Shah (Mrunal's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Intro  (02:01) https://snyk.io/csp  (02:30) Mrunal's Professional Background  (03:04) Why containers are popular (technical reasons)  (04:05) Why containers are popular (leadership reasons)  (05:39) Challenges with running a Container Security Program (Leadership)  (06:34) Team skill challenge in a Container Security Program  (08:57) When to pick AWS ECS vs AWS EKS?  (10:53) ECS or EKS for building Banking Applications?  (13:12) Would Kubernetes/ Containers be preferred for security reasons?  (15:04) What would Amazon's responsibility be for security with ECS/EKS?  (16:13) What is bad about working with Containers in AWS?  (19:40) Is there a need for anti-virus in a container world?  (20:36) Balance of security when working with containers?  (22:08) Threat Detection and Prevention in a Container Security Program  (22:57) Using AWS Services for Threat Detection with Containers?  (25:14) Runtime Threat Discovery vs Agentless Threat Discovery for containers in Cloud?  (29:11) Prevention on the left vs Detection on the right of SDLC  (29:22) Cluster Misconfig vs Service Misconfigurations?  (30:19) Vulnerability Management vs Misconfiguration Management?  (31:50) Inspector in a Container Security Program?  (32:36) Detective in a Container Security Program?  (35:36) Can AWS Services help when Non-AWS services are in use? See you at the next episode!