
Cloud Security Podcast
Learn Cloud Security in Public Cloud the unbiased way from CyberSecurity Experts solving challenges at Cloud Scale. We can be honest because we are not owned by a Cloud Service Provider like AWS, Azure or Google Cloud.
We aim to make the community learn Cloud Security through community stories, from small to large organisations solving multi-cloud challenges to diving into specific topics of Cloud Security.
We LIVE STREAM interviews on Cloud Security Topics every weekend on LinkedIn, YouTube, Facebook and Twitter with over 150 people watching, asking questions and interacting with the Guest.
Latest episodes

Oct 10, 2021 • 36min
Implementing Cloud Security Tools the Right way - Stay Alert Not Fatigue!
In this episode of the Virtual Coffee with Ashish edition, we spoke with Gaurav Kumar (@gauravphoenix), the Founder of Dassana (@DassanaSecurity).
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Gaurav Kumar (@gauravphoenix)
Podcast Twitter - Cloud Security Podcast (@CloudSecPod)
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel:
- Cloud Security Podcast
- Cloud Security News
- Cloud Security Academy

Oct 6, 2021 • 3min
AWS Launches Cloud Control API - Cloud Security News
Cloud Security News this week 06 October 2021
AWS has announced the availability of AWS Cloud Control API, a set of common application programming interfaces (APIs) designed to make it easy for developers to manage their AWS and third-party services. AWS Cloud Control API can be used to create, read, update, delete, and list (CRUD-L) your cloud resources that belong to a wide range of services, both AWS and third-party. You won't have to generate code or scripts specific to each individual service responsible for those resources. We have linked in the podcast notes an informative video from AWS that explains more about this.
The inaugural HashiCorp State of Cloud Strategy Survey, with about 3200 responses, has shared that multi-cloud is no longer an aspirational goal but an everyday reality, with ¾ of the respondents noting that they were using 2 clouds or more. The top drivers for multi-cloud adoption are digital transformation, avoiding vendor lock-in, cost reduction and scaling. Many enterprises are yet to realise substantial value from their cloud investment, and the cloud skills shortage still remains a major challenge.
Amazon, Google, Microsoft, Atlassian, Cisco, IBM, Salesforce, Slack and SAP have joined forces to establish the Trusted Cloud Principles as a commitment to protect the rights of their customers. AWS tweeted that this is to “help safeguard the interests of organizations and the basic rights of individuals using cloud services”. You can view the Trusted Cloud Principles here.
Orca Security has secured $550 million in Series C funding, raising their valuation to $1.8 billion. The investment was led by Temasek, an investment company headquartered in Singapore. Orca Security has a patent-pending SideScanning™ technology that collects data directly from cloud provider APIs and cloud configuration, and from the workload’s runtime block storage out-of-band, to detect vulnerabilities, malware, misconfigurations, lateral movement risk, weak and leaked passwords, and unsecured personally identifiable information.
Instagram - Cloud Security News

Oct 3, 2021 • 49min
Data Security in Cloud with David McCaw, Dasera
In this episode of the Virtual Coffee with Ashish edition, we spoke with David McCaw (LinkedIn - David McCaw), a Co-Founder of Dasera (@DaseraInc).
Guest Twitter: David McCaw (Linkedin - David McCaw)
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel:
- Cloud Security Podcast: https://www.youtube.com/c/cloudsecuritypodcast?sub_confirmation=1
- Cloud Security Academy: www.cloudsecuritypodcast.tv/cloud-security-academy

Sep 29, 2021 • 4min
Cloud Security ranks in 2021 OWASP Top 10 - Cloud Security News
Cloud Security News this week - 29 September 2021
Amazon Web Services, Google Cloud, IBM, and Microsoft have joined forces this week with the Enterprise Data Management (EDM) Council to publish a framework for managing data in the cloud. The new cloud data management capabilities (CDMC) framework was developed over the last 18 months with participation from more than 100 leading companies. The framework can be found here.
Microsoft has published information this week on a new malware it calls FoggyWeb, which has been deployed by the Russia-linked threat actor Nobelium, said to be behind the devastating SolarWinds supply chain attack. Microsoft’s published document can be found here.
For those of you familiar with OWASP (Open Web Application Security Project), OWASP celebrated its 20th anniversary last week with a 24-hour webinar and launched their top 10 web security vulnerabilities for 2021, updated from 2017. It is worth noting that there are a few updates relevant to cloud security: broken access control has moved from #5 to #1, insecure design and server-side request forgery have now been added, while security misconfiguration has made it to the top 5. You can read more about it here.
Trufflehog, a git repository scanner from Truffle Security, was originally released in 2017. Recently an open source extension for Chrome was released for Trufflehog that will help identify API keys for SaaS and cloud providers that are often making their way into JavaScript.
Cloud Security Alliance released their report, The State of Cloud Security Risk, Compliance, and Misconfigurations, this month, based on over 1000 responses from IT and security professionals.

Sep 26, 2021 • 44min
Cloud Security Careers: Application Security Engineer Skills with Tanya Janca
In this episode of the Virtual Coffee with Ashish edition, we spoke with Tanya Janca (@shehackspurple), an Author, Security Trainer and Founder of We Hack Purple (@WeHackPurple).
Guest Twitter: Tanya Janca (@shehackspurple)

Sep 24, 2021 • 42min
Cloud Security Careers: Threat Analyst Skills
Explore the journey of a Threat Analyst in cybersecurity, from uncertified to certified. Learn about the roles of SOC analysts and threat analysts, and the importance of EDR in cloud security. Discover the significance of soft skills and certifications in standing out in cybersecurity careers. Enjoy a lighthearted interview with a cybersecurity professional.

Sep 22, 2021 • 2min
Vulnerabilities in AWS, GCP and Azure - Cloud Security News
Cloud Security News this week - 22 September 2021
AWS, Google Cloud and Azure have all been busy over the last few weeks fixing and patching vulnerabilities. In addition to Azure's OMIGOD flaws, which we covered in last week’s episode, Google Cloud reported that some of their load balancers were routing to an Identity-Aware Proxy (IAP) enabled Backend Service which could have been vulnerable to an untrusted party. Google Cloud have confirmed that this issue has been resolved.
Rhino Security Labs have discovered a vulnerability in AWS WorkSpaces, Amazon’s virtual desktop. Exploiting this vulnerability allows commands to be executed if a victim opens a malicious WorkSpaces URI from their browser. Rhino reported the vulnerability to Amazon and it was promptly patched.
Attackers have begun to exploit critical Microsoft Azure vulnerabilities that were reported in last week’s episode. The OMIGOD flaws, discovered by the Wiz Research Team, have since been patched by Microsoft. New data indicates that attackers are scanning the Web for Azure Linux virtual machines that are vulnerable. If successful, an attacker could become root on a remote machine.
For organisations and enterprises, cloud is about improved flexibility, scalability, and cost-effectiveness. For cybercriminals, cloud is an environment filled with poorly secured enterprise data, applications, and online assets. IBM, in their recently released Security X-Force Cloud Threat Landscape Report, highlight increased attacker interest in the thriving black market for stolen credentials used to access enterprise accounts and resources on public cloud platforms. IBM X-Force discovered about 30,000 cloud credentials potentially available for sale on the Dark Web. Prices for these credentials ranged from a few dollars to more than $15,000 per credential, based on the level of access and the amount of credit associated with an account. Report available here.

Sep 19, 2021 • 46min
Cloud Security Careers: From University to Security Engineer at Atlassian
In this episode of the Virtual Coffee with Ashish edition, we spoke with Kaif Ahsan (@KaifAhsan1), a Security Engineer at Atlassian (@Atlassian).
Guest Twitter: Kaif Ahsan (@KaifAhsan1)

Sep 15, 2021 • 45min
Cloud Security Careers: Getting an Entry Level GRC Role
In this episode of the Virtual Coffee with Ashish edition, we spoke with Gerald Auger (LinkedIn - Gerald Auger), a CyberSecurity PhD holder, Content Creator at Simply Cyber (@SimplyCyber) and a CyberSecurity Practitioner for over 15 years.
Guest Twitter: Gerald Auger (LinkedIn - Gerald Auger)

Sep 15, 2021 • 3min
fwd:cloudsec conference this week, Vulnerabilities discovered in AWS - Cloud Security News
Cloud Security News this week - 15 September 2021
Oracle Chief Technology Officer and co-founder Larry Ellison told their investors this week that Oracle Cloud is superior to AWS when it comes to security and cost. He shared that they don't think an application should talk to five or six separate databases, referencing AWS’ database offerings and calling it a very, very risky security architecture. If you are keen to learn more about how the cloud providers rank, Gartner released a report in July 2021 noting that over 90% of the worldwide cloud market was concentrated in just four cloud providers. Amazon Web Services and Microsoft lead the market, with Alibaba and Google as the next closest competitors.
The research team at Wiz has recently discovered four vulnerabilities in the little-known software agent called Open Management Infrastructure (OMI) that is embedded in many popular Azure services. When customers set up a Linux virtual machine in their cloud, the OMI agent is deployed automatically when they enable certain Azure services. Without a patch, attackers can easily exploit these four vulnerabilities to escalate to root or highest privileges and remotely execute malicious code. Microsoft has issued a patch to address this during their Patch Tuesday release on 14 September 2021.
Last year at the re:Invent conference, Amazon unveiled Amazon Elastic Kubernetes Service (Amazon EKS) Anywhere. Last week they announced the general availability of Amazon EKS Anywhere. It's a deployment option for Amazon EKS that enables you to easily create and operate Kubernetes clusters on premises using VMware vSphere. Fully supported by AWS, Amazon EKS will enable users to automate cluster management, reduce support costs and provide the ability to view all their Kubernetes clusters, running anywhere.
Tenable, best known for their IT vulnerability management, has agreed to acquire cloud-native security startup Accurics Inc. for $160 million. Accurics, founded in 2019, states that their platform self-heals cloud native infrastructure by codifying security throughout the development lifecycle. Traditionally, Tenable vulnerability management covers physical and virtual infrastructure. They made a few acquisitions in the last 2 years to extend their coverage to cloud and container in an attempt to provide full coverage across risk identification and mitigation.
fwd:cloudsec hosted their cloud security conference this week in-person and streamed live. fwd:cloudsec is a non-profit conference on cloud security. You can view the entire conference on YouTube or on their website www.fwdcloudsec.org for discussions about all the major cloud platforms, both attack and defense research, limitations of security features, and the pros and cons of different security strategies. This one is definitely a must-attend for all things cloud security.