Cloud Security Podcast

Cloud Security News this week 27 October 2021 In case you missed the quarterly earnings updates from last episode, I do encourage you to check it out to see how Google Cloud and Azure faired last Quarter. AWS came out still leading the pack $16.11 billion in the quarter, up almost 39% from a year ago. You can view the report here  Industry Tech giants including Google, Salesforce, Okta and Slack have announced the creation of a “vendor-neutral” security baseline for businesses called ‘Minimum Viable Secure Product’ (MVSP). Its a minimalistic security checklist for B2B software and business process outsourcing supplier designed  to eliminate overhead, complexity and confusion during the procurement and vendor security assessment process by establishing minimum acceptable security baselines. The intention is to increase clarity reduce the onboarding and sales cycle by weeks or even months. You can view the checklist here Remote code execution vulnerability was patched by Gitlab in April 2021 however researchers from Rapid 7 recently found that the exploitations were continuing to this day, with  only 21% of the instances fully patched against the issue. Gitlab strongly recommends updating to the latest version to remedy this. Read more about Rapid 7’s research here and Gitlab’s release here IBM has released their report - Cloud’s Next Leap. They surveyed over 7000 executives in enterprise cloud adoption over 44 countries. 59% of organizations reported that digital transformation has accelerated for them through the pandemic. Not dissimilar to other reports this year, most of their respondents are also yet to fully realize cloud’s full transformational power. Hybrid cloud/multicloud once again is reported to be  the dominant architecture for cloud service delivery. Something rather interesting they reported on is that while many organisations are moving to the cloud, they are often moving to different versions of it.Report here For our sonic hedgehog gaming fans, Tokyo-based Sega is looking to produce large-scale, global games in a next-generation development environment built on Microsoft’s Azure cloud platform. The intent is to create big-budget titles using Microsoft’s know how  - who also own  Xbox cloud gaming tech. Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod) Instagram - Cloud Security News  If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy:

In this episode of the Virtual Coffee with Ashish edition, we spoke with Maximilian Burkhardt (@maxb) is a Staff Security Engineer at Figma (@Figma) Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Maximilian Burkhardt (@maxb) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security Podcast - www.cloudsecuritypodcast.tv - Cloud Security News  - Cloud Security Academy

In this episode of the Virtual Coffee with Ashish edition, we spoke with Chris Hughes (@Linkedin-Profile) is a host of the Resilient Cyber Podcast. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Chris Hughes (@Linkedin-Profile) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security Podcast - Cloud Security News  - Cloud Security Academy

Cloud Security News this week 27 October 2021 UK’s spy agencies have given a contract to AWS to host classified material. Their intention is to boost use of data analytics and artificial intelligence for espionage. The agreement, estimated by industry experts to be worth £500m to £1bn over the next decade. The Guardian has reported that “the contract with Amazon is likely to ignite concerns over sovereignty because the UK’s most secret data will be hosted by a single US tech company” - Quite the interesting comment and Cloud Security News would love to hear your thoughts on this It's also the season for Revenue announcements for Quarter 3 for our big cloud providers. Google announced this week that Google Cloud revenue jumped 45 percent to $4.99 billion in the third quarter compared to the same period last year. You can view the results here Microsoft also announced their Quarter 3 revenue for Intelligent Cloud  to be $17.0 billion, an increase of   31% -  You can view the results here Microsoft shared earlier this month that things remain “Business as usual for Azure customers despite 2.4 Tbps DDoS attack” in Europe. They reported that the attack traffic originated from approximately 70,000 sources and from multiple countries in the Asia-Pacific region. Read the full statement from Microsoft here The Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity associated with NOBELIUM. It's quite the interesting read and the full blog can be found here. If you use discourse, a popular open source forum software, you should make sure that you update to Discourse versions 2.7.9 or later, as a security bug has been found that affects Discourse versions 2.7.8 and earlier. Read the Discord blog here Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod) Instagram - Cloud Security News  If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy:

In this episode of the Virtual Coffee with Ashish edition, we spoke with Nathan Case ( Linkedin Profile ) is a Senior Director, Security Operations at Resilience. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Nathan Case ( Linkedin Profile ) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security Podcast - Cloud Security News  - Cloud Security Academy

Cloud Security News this week 22 October 2021 Hope you have been enjoying your Cloud Security News this week and in our special third instalment for this week we bring you our best bits from Hashiconf Global 2021, conference held by Hashicorp. Hashicorp is a software company who provide open source tools and products - some of their popular products Vagrant, Terraform, Vault and boundary - You can view the conference and the talks here The opening keynote was delivered by their Co-Founders Mitchell Hashimoto, Armon Dadgar, and CEO Dave McJannet - with key themes around Zero Trust, Hybrid and MultiCloud - looking to make Zero Trust more accessible for users. Mitchell Hashimoto spoke about the challenges Developers face when deploying applications with Kubernetes  and how Waypoint assists with this. They also spoke about the Hashicorp Cloud Platform (HCP) and the packer service which is now in public Beta, available free to use. Some of the features highlighted included remediation, enforcing security checks and maintaining images Shane Petrich from Target in his talk “Managing Target's Secrets Platform” spoke about how Target manages and maintains its enterprise deployment of HashiCorp Vault (Hashicorp’s secret management and data protection product) -- everything from unattended builds, automated maintenance activities, and client onboardings. Identity and account access is one of the first things you set up in the cloud and Austin Burdine, Mike Saraf and Yates Spearman share how Red Ventures implemented a custom Terraform solution to automate access management, meeting the requirements of various compliance frameworks Last year Hashicorp announced Boundary, their secure remote access solution. This year at Hashiconf 2021, Susmitha Girumala and Mike Gaffney from  HashiCorp showcased what is new in Boundary with a demo of key capabilities of identity-based access, integrated secrets management with Vault and dynamic host catalogs. Mark Guan and Ruoran Wang from Stripe’s Service Networking Team spoke about their multi-region service networking tech stack built on Consul (Hashicorp’s service networking solution), how it works across AWS accounts and regions, federated multi-region clusters and on Kubernetes. They also generously shared the challenges they faced. Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod) Instagram - Cloud Security News  If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy:

Cloud Security News this week 21 October 2021 It's a month full of conferences and as promised we are back with our 2nd episode this week to bring you the cloud security highlights from KubeCon. In this episode we will share some of our team’s favourite from Kubecon 2021 North America If you aren't quite familiar with the wonderful world of Kubernetes, there are a few weird and wonderful open source acronyms in today’s episode. TUF refers to The Update Framework, SPIFFE refers to Secure Production Identity Framework for Everyone SPIFFE,  SPIRE  is the SPIFFE’s Runtime Environment). Now that we are all across cool Kube words - lets into the talks Starting off with the talk from Andrew Martin, Co-Founder of Control Plane and Author of Hacking Kubernetes and Kubernetes Threat Modelling. He spoke about Kubernetes Supply Chain Security - he showcased work to build a Kubernetes Software Factory with Tekton and Deep dived on signing and verification approaches to securely build software with  (TUF) SPIFFE, SPIRE and sigstore Ian Coldwater from Twilio; Brad Geesaman & Rory McCune from Aqua Security Duffie Cooley from Isovalent combined  forces to share with the community how they do security research or hacking Kubenetes clusters using a recently discovered Kubernetes CVE (Common Vulnerability and exposure) - Their talk was called Exploiting a Slightly Peculiar Volume Configuration with SIG-Honk Matt Jarvis from Synk shared what to do if your container has a huge number of Vulnerabilities - how to prioritise them and remediate them in his talk My Container Image has 500 Vulnerabilities, Now What?  Talking about containers and Vulnerability scanning If you want to know about how vulnerability scanners work, their blind spots and how to implement a practical risk based approach to remedy vulnerabilities that really matter to your organisation - check out Pushkar Joglekar’s Keeping Up with the CVEs: How to Find a Needle in a Haystack?  If you find yourself asking “How do I access my S3 bucket in AWS from my GCP cluster?” Brandon Lum & Mariusz Sabath, IBM may have the answer for you in their talk Untangling the Multi-Cloud Identity and Access Problem With SPIFFE Tornjak where they talk about a proposed shift in the perspective of workload identity from being “platform specific” to “organization wide” using SPIFFE/SPIRE and the new SPIFFE Tornjak project. Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod) Instagram - Cloud Security News  If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy:

Cloud Security News this week 20 October 2021 Google Cloud is adding new features to their zero trust access solution, BeyondCorp Enterprise which will enable identity and context-aware access to non-web applications running in Google Cloud and non-Google Cloud environments. They also claim to be making it easier for admins to diagnose access failure, triage events, and unblock users with the new Policy Troubleshooter feature.  If you are familiar with XDR - which allows for Extended Detection and Response (XDR) across endpoints, networks, cloud and workspaces. Google also announced a new collaboration with Cybereason to deliver a cloud-native XDR solution . The intent is to automate prevention for common attacks, guide analysts through security operations and incident response, and enables arguably faster threat hunting.  They are also enhancing the integration between Chronicle (a SaaS SIEM built on core Google infrastructure that provides security analytics at the speed) and Security Command Center (SCC) on GCP to allow for centralized alerts and investigative workflows across the two platforms, and enables threat-specific pivots by enriching SCC alerts with intelligence on associated threat actors and entities.  Google is also strengthening their protection of sensitive data through Automatic DLP (data loss prevention) which is in preview and ensuring encryption of data in transit using Ubiquitous Data Encryption, External Key Management, and Cloud Storage products. Google launched a new Build Integrity feature for Cloud Build which allows to  automatically generates a verifiable build manifest that includes a signed certificate describing the sources that went into the build, the hashes of artifacts used, and other parameters.  For Google Workspaces they have also introduced new security features.  Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod) Instagram - Cloud Security News  If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy:

In this episode of the Virtual Coffee with Ashish edition, we spoke with Om Moolchandani (@omaitrika) is a CISO and CTO at Accurics (@AccuricsSec).. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Om Moolchandani (@omaitrika) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security Podcast - Cloud Security News  - Cloud Security Academy

Cloud Security News this week 14 October 2021 It's an eventful month for all things cloud as Google Cloud Next 21 and Kubecon are happening this week. Ashish from Cloud Security Podcast was co-hosting the Capture the Flag today with Magno Logan from Trend Micro, you can check it out here. In next week’s episode we will be bringing to you the best bits from Kubecon and Google Cloud Next 21. You can view these events virtually at the links below Google Cloud Next 21 Kubecon Google Cloud announced the launch of Google Cybersecurity Action Team, a group of experts from across Google that will form what they believe is the world’s premier security advisory team. The role of this team would be to shape security transformation — from roadmap and implementation, through to responding to a major incident, to engineering new solutions. VMware also hosted their annual conference VMworld last week with a big focus on multicloud. They announced their strategy to help customers navigate the multi-cloud era with the launch of VMware Cross-Cloud services. VMware shared that the Cross-Cloud services will deliver three key advantages: an accelerated journey to the cloud, cost efficiency, flexibility and control across any cloud. You can find out more about this here and view VMworld on demand here Amazon owned gaming service Twitch has suffered a huge data leak late last week, with more than 100 gigabytes of data, reportedly taken from 6000 internal Twitch GitHub repositories.The leak has exposed list of Twitch creator payments showing several top earners on the site earned close to $10 million. Some gamers caught up in the leak have verified that the payouts are accurate. Wiz has become the fourth-most-valuable venture-backed cybersecurity company in the world, raising $250 million on a $6 billion valuation Huawei Cloud has become 2nd largest in China and 5th largest in the world according to Gartner Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod) Instagram - Cloud Security News  If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy: