Cloud Security Podcast

Cloud Security News this week - 29 September 2021 Amazon Web Services, Google Cloud, IBM, and Microsoft have joined forces this week  with the Enterprise Data Management (EDM) Council to publish a framework for managing data in the cloud. The new cloud data management capabilities (CDMC) framework was developed over the last 18 months with participation from more than 100 leading companies. The framework can be found here Microsoft has published information this week on a new malware it calls FoggyWeb which has been deployed by Russia-linked threat actors Nobelium who are said to be behind the devastating SolarWinds supply chain attack. Microsoft’s published document can be found here For those of you familiar with OWASP (Open Web Application Security Project), OWASP celebrated its 20th anniversary last week with a 24-hour webinar +  launched their top 10 web security vulnerabilities for 2021 updated from 2017. It worth noting that there are a few updates relevant to cloud security - broken access control has moved from #5 to #1, insecure design and server side request forgery have now been added while security misconfiguration has made it to top 5.  You can read more about it here Trufflehog, a git repository scanner from Truffle Security was originally released in 2017. Recently an open source extension for chrome was released for Trufflehog that will help identify API Keys for SaaS and cloud providers that are often making their way into Javascript. Cloud Security Alliance released their The State of Cloud Security Risk, Compliance, and Misconfigurations report this month. Based on over 1000 responses from IT and security professionals. Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy:

In this episode of the Virtual Coffee with Ashish edition, we spoke with Tanya Janca (@shehackspurple) is an Author,  Security Trainer and Founder of We Hack Purple (@WeHackPurple). Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Tanya Janca (@shehackspurple) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security Podcast: https://www.youtube.com/c/cloudsecuritypodcast?sub_confirmation=1 - Cloud Security Academy: www.cloudsecuritypodcast.tv/cloud-security-academy

Explore the journey of a Threat Analyst in cybersecurity, from uncertified to certified. Learn about the roles of SOC analysts and threat analysts, and the importance of EDR in cloud security. Discover the significance of soft skills and certifications in standing out in cybersecurity careers. Enjoy a lighthearted interview with a cybersecurity professional.

Cloud Security News this week - 22 September 2021 AWS, Google Cloud and Azure have all been busy last few weeks fixing and patching Vulnerabilities. In addition to Azure's OMIGOD flaws which we covered in last week’s episode, Google Cloud reported that some of their load balancers were routing to an Identity-Aware Proxy (IAP) enabled Backend Service which could have been vulnerable to an untrusted party. Google Cloud have confirmed that this issue has been resolved. Rhino Security Labs have discovered a vulnerability in AWS WorkSpaces, amazon’s virtual desktop. Exploiting this vulnerability allows commands to be executed if a victim opens a malicious WorkSpaces URI from their browser.  Rhino reported the vulnerability to Amazon and it was promptly patched. Attackers have begun to exploit critical Microsoft Azure vulnerabilities that were reported in last week’s episode. The OMIGOD flaws, discovered by the Wiz Research Team have since been patched by microsoft. New data indicates that attackers are scanning the Web for Azure Linux virtual machines that are vulnerable. If successful, an attacker could become root on a remote machine. For organisations and enterprises cloud is about improved flexibility, scalability, and cost-effectiveness. For cybercriminals, Cloud is an environment filled with poorly secured enterprise data, applications, and online assets. IBM in their recently released Security X-Force Cloud Threat Landscape Report highlight increased attacker interest in the thriving black market for stolen credentials used to access enterprise accounts and resources on public cloud platforms. IBM X-Force discovered about  30,000 cloud credentials potentially available for sale on Dark Web and Prices for these credentials ranged from a few dollars to more than $15,000 per credential, based on the level of access and the amount of credit associated with an account. Report available here Episode Show Notes on Cloud Security Podcast Website. Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes, check out: - Cloud Security Podcast: - Cloud Security Academy:

In this episode of the Virtual Coffee with Ashish edition, we spoke with Kaif Ahsan (@KaifAhsan1) is a Security Engineer at Atlassian (@Atlassian). Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Kaif Ahsan (@KaifAhsan1) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security Podcast: https://www.youtube.com/c/cloudsecuritypodcast?sub_confirmation=1 - Cloud Security Academy: www.cloudsecuritypodcast.tv/cloud-security-academy

In this episode of the Virtual Coffee with Ashish edition, we spoke with Gerald Auger (@Linkedin- Gerald Auger) is a CyberSecurity PhD holder, Content Creator at Simply Cyber(@SimplyCyber) and a CyberSecurity Practitioner for over 15yrs . Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Gerald Auger (@Linkedin- Gerald Auger) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security Podcast: https://www.youtube.com/c/cloudsecuritypodcast?sub_confirmation=1 - Cloud Security Academy: www.cloudsecuritypodcast.tv/cloud-security-academy

Cloud Security News this week - 15 September 2021 Oracle Chief Technology Officer and co-founder Larry Ellison told  their investors this week that Oracle Cloud is superior to AWS when it comes to security and cost. He shared that they don't think  an application should talk to five or six separate databases referencing AWS’ database offerings and calling it a  very, very risky security architecture. If you are keen to learn more about how the cloud providers rank, Gartner released a report in July 2021 noting that over 90% of the worldwide cloud market was concentrated in just four cloud providers. Amazon Web Services and Microsoft lead the market with Alibaba and Google as the next closest competitors. The research team at Wiz has recently discovered four vulnerabilities in the  little-known software agent called Open Management Infrastructure (OMI) that is embedded in many popular Azure services.When customers sets up a Linux virtual machine in their cloud, the OMI agent is deployed automatically when they enable certain Azure services. Without a patch, attackers can easily exploit these four vulnerabilities to escalate root or highest privileges and remotely execute malicious code. Microsoft has issued a patch to address this during their Patch Tuesday release on 14 September 2021 Last year at the Reinvent Conference Amazon unveiled Amazon Elastic Kubernetes Service (Amazon EKS) Anywhere. Last week  they announced the general availability of Amazon EKS Anywhere. It's a deployment option for Amazon EKS that enables you to easily create and operate Kubernetes clusters on premises using VMware sphere. Fully supported by AWS, Amazon EKS will enable users to  automate cluster management,  reduce support costs and provide the ability to view all their Kubernetes clusters, running anywhere. Tenable, best known for their IT vulnerability management, has agreed to acquire cloud-native security startup Accurics Inc. for $160 million. Accurics, founded in 2019, states that their platform self-heals cloud native infrastructure by codifying security throughout the development lifecycle. Traditionally, Tenable vulnerability management covers physical and virtual infrastructure , they made a few acquisitions in the last 2 years to extend their coverage to cloud and container in an attempt to  to provide full coverage across risk identification and mitigation. fwd:cloudsec hosted their cloud security conference this week in-person and streamed live. fwd:cloudsec is a non-profit, conference on cloud security. You can view the entire conference on you tube or on their website ww.fwdcloudsec.org for discussions about all the major cloud platforms, both attack and defense research, limitations of security features, the pros and cons of different security strategies. This one is definitely a must attend  for all things cloud security

In this episode of the Virtual Coffee with Ashish edition, we spoke with Lisa Hall (@Lisa_H_), the Head of Security, PagerDuty(@PagerDuty). Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Lisa Hall (@Lisa_H_) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security Podcast: https://www.youtube.com/c/cloudsecuritypodcast?sub_confirmation=1 - Cloud Security Academy: www.cloudsecuritypodcast.tv/cloud-security-academy

Cloud Security News this week - 8 September 2021 Verizon, a multinational telecommunications giant and Microsoft have teamed up to bring on-prem, private 5G edge cloud computing to business. Their offer is a cloud platform that puts compute and storage services at the edge of the network at the customer premises. This has the potential to offer lower lag time and high bandwidth for demanding applications such as virtual and augmented reality and machine learning. In Australia, as part of Macquarie bank path to be  100% cloud for IT infrastructure by 2022, they are embedding a 'secure by design' ethos. Secure by design is an approach to software engineering that is about creating code that is foundationally secure. Read more about Macquarie Bank Cloud Strategy here + here The FBI sent out a notice warning companies in the food and agriculture sector to watch out for ransomware attacks aiming to disrupt supply chains..  Cyber criminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems. Acces the full document on our website www.cloudsecuritypodcast.tv - FBI Document here Lenovo has launched Global Everything-as-a-Service Strategy, bringing all of its as-a-Service offerings under one umbrella that makes everything from the pocket to the cloud available via a single contract framework. Read more about it here IBM has launched new generation of IBM Power servers for frictionless, scalable hybrid cloud. The new IBM Power10 processors are designed specifically for hybrid cloud environments. In a statement IBM has stated that the servers come with security enhancements and Red Hat hybrid cloud capabilities. The servers are meant to respond faster to business demands, protect data from core to cloud, streamline insights and automation and maximize availability and reliability.

In this episode of the Virtual Coffee with Ashish edition, we spoke with Zinet Kemal (Linkedin - Zinet-Kemal) is an Associate Cloud Security Engineer at Best Buy (@BestBuy) Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Linkedin:  Zinet Kemal (Linkedin - Zinet-Kemal) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security Podcast: https://www.youtube.com/c/cloudsecuritypodcast?sub_confirmation=1 - Cloud Security Academy: www.cloudsecuritypodcast.tv/cloud-security-academy