Cloud Security Podcast

In this episode of the Virtual Coffee with Ashish edition, we spoke with Christophe Parisel (Christophe's Linkedin) about what how to transition from being a technical architect on premise to a cloud security architect and then a cloud native security architect. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Christophe Parisel (Christophe's Linkedin)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:21) https://snyk.io/csp (03:18) A little bit about Christophe (05:08) What is Cloud Native? (07:27) Why Cloud Native is important? (09:34) Responsibilities of Cloud Native Architect (13:15) Solution Architect vs Cloud Native Architect (15:32) Culture to move into Cloud Native Environment (18:09) Designing an application in Cloud (21:41) Designing an application using Kubernetes Cluster (24:39) Learning Kubernetes as an Architect (28:09) Common services people should standardise (31:50) Frameworks for Kubernetes Architecture (34:06) Logging with Kubernetes at Scale (38:24) Challenge with transitioning to Cloud Native Security Architect (39:43)Should we trust the cloud? (43:37) Bottlerocket in Kubernetes (46:00) Certifications for Cloud Native Security Architect

In this episode of the Virtual Coffee with Ashish edition, we spoke with Jim Bugwadia (Jim's Twitter) about policy management and compliance as code for Kubernetes and how you can use open source tools like Kyverno and OPA for policy management Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Jim Bugwadia (Jim's Twitter)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (03:20) https://snyk.io/csp (05:23) What is Kubernetes Control Plane? (06:51) What is an admission controller? (08:01) What do you need policy management in Kubernetes? (10:13) Pod Security and Policy management (11:57) Policy Management in Managed Kubernetes (13:54) Scaling Policy Management for Kubernetes (19:34) Common use cases for policy management (25:30) Compliance in Kubernetes (32:04) Levels of Maturity in Kubernetes Policy Management (36:47) Future of policy as code (38:46) Kyverno vs OPA (43:39) Kyverno vs gatekeeper (45:15) Where to start with policy management? (46:11) Where you can find Jim

In this episode of the Virtual Coffee with Ashish edition, we spoke with Luke Hinds (Luke's Twitter) the open source Sigstore project and how it is helping with software signing and protecting the software supply chain Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Luke Hinds (Luke's Twitter)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (01:39) https://snyk.io/csp (05:21) What is the software supply chain and why is it important? (08:20) Common supply chain attacks in Kubernetes (09:53) Codecov attack (11:14 )Kubernetes and API (14:10) Vulnerability scanning tools (16:38) Explaining the importance of supply chain security (19:19) What is a signing service (19:56 )The SLSA framework (20:42) Importance of signing service (23:35) What is Sigstore? (27:57) What is Lets Encrypt (31:48) The aim of sigstore (34:39) What is Co-Sign (36:40) Co-Signing and non-repudiation (46:29) Where to start

In this episode of the Virtual Coffee with Ashish edition, we spoke with Jimmy Mesta (Jimmy's Twitter) about OWASP Kubernetes Top 10 and best practices for securing Kubernetes  Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Jimmy Mesta (Jimmy's Twitter) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (01:39) https://snyk.io/csp (03:55) What is Kubernetes? (05:15 )Kubernetes vs Containers (06:38) Kubernetes and Docker (09:08) Unmanaged Kubernetes (11:14) Managed Kubernetes (13:39) Security for Kubernetes Clusters (15:42) OWASP top 10 Web Application (17:59) Starting to build Kubernetes Cluster or Pod (23:09) Security Misconfigurations in Kubernetes (28:42) Supply Chain Vulnerabilities in Kubernetes (32:06) RBAC and Policy Enforcement (33:32) Logging and Monitoring in Kubernetes (34:30) Broken Authentication (35:17) Missing network segment approach (36:07) Secrets Management Failure (37:09) Misconfigured Cluster Components (38:15) Outdated and vulnerable kubernetes component (42:37) Asset Inventory for Kubernetes Cluster (44:53) Threat Modelling in Kubernetes (46:20)Cert management in Kubernetes (48:02) Learn more about securing Kubernetes

Modern Cloud Security Programs hire for builders who can develop tools that help developers walk down a Paved road where security is not a blocker but at the same time prevents developers from making security mistakes. In this episode we spoke with Travis McPeak who shared his experience from his time at Netflix to talk about Modern Cloud Security Teams look like and work on day to day at scale for a large development team and how others can take some insights from this for their own Cloud Security Programs. This episode is better on video - YouTube Link Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Travis McPeak Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy

Azure Cloud Security Architecture (Day 0) ,Custom Azure Role definitions, Azure Privilege Access Management etc can be complex to build. Continuing from part 1 In the part 2 of our This is My Cloud Security Architecture Series Episode we have Sai, a Cloud Security Architect walking us through how to start with an Azure Security Architecture on Day 0 of your Cloud Security Architect role. Part -2 of the episode will go into Day 1+ of managing and scaling what we have created in Day 0. This episode is better on video - YouTube Link - Part 2 Part 1 of the This is My Cloud Security Architecture Series is here - YouTube Link - Part 1  Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Sai Gunaranjan (Sai's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy

Data Lakes as an asset to collect and build threat actors or hiring for Data Scientists/Analyst are not typical things in Cloud Security well unless the organisation is dealing with PetaBytes of data. At a large scale company these are data problem not a security problem at that point even if the problem is in security team. In this episode with Jonathan Rau, CISO of Lightspin we spoke about his previous experience of creating and growing a SecDataOps team with Cloud Security and Ops in IHSMarkit. We spoke about what is this SecDataOps, What is Security Data Lake and if Cloud Native tools are enough for these problems. This episode is better on video - YouTube Link Cloud Security Meetup Amsterdam - Tech Fashion Theme - Sep,2022  Cloud Security Meetup NewYork - Tech Fashion Theme - Sep,2022 Host Twitter: Ashish Rajan (@hashishrajan) Guest Linkedin: Jonathan Rau Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy

Azure Cloud Security Architecture, Azure Policies can be complex to build. In the part 1 of our This is My Cloud Security Architecture Series Episode we have Sai, a Cloud Security Architect walking us through how to start with an Azure Security Architecture on Day 0 of your Cloud Security Architect role. Part -2 of the episode will go into Day 1+ of managing and scaling what we have created in Day 0. This episode is better on video - YouTube Link Cloud Security Meetup NYC - Cloud Security Meetup NewYork - Tech Fashion Theme Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Sai Gunaranjan (Sai's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy

In this episode of the Virtual Coffee with Ashish edition, we spoke with Jack Naglieri (Jack's Twitter) about what Security Monitoring can look like for a Cloud Native Company  Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Jack Naglieri (Jack's Twitter)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:40) https://snyk.io/csp (02:51) Corey's professional background (03:34) Jack's introduction (06:15 )What is Cloud Native? (07:41) What is a modern security stack? (09:50) Why Cloud Native Security Monitoring? (12:36) The current market for security monitoring (15:45) Cloud Native monitoring for on-prem (18:10) How to start with Cloud Native Security Monitoring? (21:01) Security monitoring in cloud vs traditional (22:51) Challenges with Cloud Native Security Monitoring (25:25) How can SMBs tackle Cloud Native Security Monitoring? (26:52) Are cloud native tools more cost effective than traditional ones? (28:30) Heterogeneous log correlation (30:09) What is a security data lake? (35:25) Does the modern security team need data skills?

In this episode of the Virtual Coffee with Ashish edition, we spoke with Corey Ball (Corey's Twitter) about what does API in a modern software stack looks like and how these can be attacked and protected Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Corey Ball (Corey's Twitter) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:40) https://snyk.io/csp (02:51) Corey's professional background (03:11) Corey's journey to be cybersecurity author (04:36) What is API and why its important in 2022? (06:44) Is API is the backend or frontend pf applications? (08:36) What are people doing wrong with APIs? (12:16) Best Practice for API Security? (13:20) Most surprising things being seen in API Security? (14:35) How do you find API keys? (16:07) API gateway as a security control point (18:25) OWASP Top 10 API Security (20:00) Monitoring and detecting for API Security (20:57) How to approach pentesting APIs? (22:35) Learn about API hacking (25:22) API Security in the Cloud (29:05) Rest API vs GraphQL (34:27) Pentest  by consuming application documentation (36:10) Which APIs should be public?