Cloud Security Today

Send us a textThis episode of the Cloud Security Today podcast is a little different from the others because this time host Matthew Chiodi gives the interviewer’s seat over to Yousuf Khan and they talk about an exciting new development in Matt’s career.Matt announces a big career move and talks about how he’s hoping to fix some of the biggest problems in SaaS security today. He tells Yousuf about his new role and the fresh approach that his new company is bringing to the field. At the end of the episode, they discuss working in a start-up environment and give advice to anyone considering working in a start-up.If you enjoyed this episode, subscribe, or follow Cloud Security Today wherever you get your podcasts.Timestamps[0:28] Matt introduces the topic for today’s episode[1:50] Exciting news from Matt about his latest career move[5:10] Matt explains one of the biggest challenges in app security today[7:25] How have we managed app security up to now?[9:20] So how does Cerby work?[11:32] Matt’s new role at Cerby and an outline of his first few months[12:50] Why Matt likes working in a start-up environment[14:05] How Matt became interested in Cerby[16:20] What’s next for Cerby?[18:10] The advice that Matt would give to anyone looking to join a start-up[20:40] Yousuf adds his thoughts about working for a start-upEpisode LinksRidge VenturesYousuf Khan's Linkedin ProfileCerby's websiteMatt's Linkedin Profile

Send us a textAs the world of cloud security continues to progress at high speed, new challenges and threats arise and morph on a constant basis. The MITRE Corporation is a body tasked by the US government with solving some of the largest threats in cybersecurity and beyond, and we are very lucky to welcome Tracy Bannon to the podcast today, who is the Senior Principal and Software Architect & DevOps Advisor at MITRE. Tracy opens up about her career journey leading up to her current position, what drew her into the work at MITRE, and how the simplicity of the solutions-focused mission has embedded her loyalty and passion within the organization. The conversation also goes some way into exploring the potential and limitations of zero trust, and what it actually means to make progress towards safer environments. Along the way, our guest makes some interesting and quite unique arguments for why words matter, and why change is healthier through a philosophy centered on building. So to catch it all in this fascinating conversation, make sure to join us on Cloud Security Today!Key Points From This Episode:Tracy unpacks a brief history of FFRDCs and their role as objective technology advisors.The two main areas of Tracy's work at MITRE; digital transformation of software factories, and data centricity in data environments.Understanding MITRE's practical application and validation of the principles of zero trust theory. Weighing the validity of the negative reputation that developers have when it comes to security.Issues with the terms DevOps, DevSecOps, and SecDevOps, and the overloading and rushing that often happens on security teams. Why Tracy prioritizes 'culture building' over 'culture change' when thinking about progress. Leading teams, modeling behaviors, and realistic expectations for human error. Tools and safety nets in the cloud-native approach; Tracy's perspective on how much value to assign to these.Why the mission at MITRE initially piqued, and subsequently retained, Tracy's interest! Tweetables:“It’s not a recipe. It's not five things you have to do. It's understanding the principles and then applying them, being able to audit them, and validate consistently that they're happening. MITRE does both sides of that.” — @TracyBannon [0:07:44]“Our job is not to land and expand. It’s impact. At all costs, it's to make impact. If it's one person, or a half of that person, it's really defined by the ability to keep the US safe.” — @TracyBannon [0:09:39]Links Mentioned in Today’s Episode:Tracy Bannon on LinkedInTracy Bannon on TwitterMITRE CorporationRevelationThe Kill ChainZero Trust SecurityThe Software Architect ElevatorThe future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send us a textOriginally recorded in September of 2021...today’s guest is Justin Berman, the Vice President of Infrastructure and IT and the CISO at Thirty Madison. Thirty Madison is aiming to be a platform that everyone can use to deal with their chronic healthcare needs. Justin’s main focus is on building out the teams that enable scaling. With his development background, Justin has some unique ideas when it comes to cloud security, which makes for a fascinating interview. You’ll walk away from this episode with a new perspective on how to build security into products from the start and a better understanding of how to transition smoothly from on-prem to the cloud.Tweetables“I see security as an engineering problem. What I mean by that is not that there aren't things that you solve with process, or with policy, or training, but rather that in as many places as possible if you want to have a scaled effect within security, you need to write code to solve a problem.” — @justinmberman [0:06:03]Justin Berman on LinkedInPhoenix ProjectSimon SinekThe future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send us a textIn this episode (originally recorded in November of 2021) we speak with Palo Alto Networks, VP of Threat Intel, Ryan Olson. Ryan helps define what threat intelligence actually is and how to get started building a program. He aptly reminds us that producing threat intel for the sake of threat intel is a waste of time. More importantly you first have to ask yourself, “Who’s going to be using this information?”.Tweetables“Producing threat intel for the sake of threat intel is a waste of time. What you should be doing is thinking ‘Who’s going to take the information that I have produced and use that to make a better decision?’ Because that's the goal of threat intelligence, to help a system, or a person, or a team, or a company make better decisions that will help secure them better.” — Ryan Olson [0:04:24]“If I could give people one recommendation, if you can get access to your SSL traffic so that you can decrypt it and you can inspect it, you will have a much better chance at detecting bad stuff in your network than you would without it.” — Ryan Olson [0:29:58]Links Mentioned in Today’s Episode:Ryan Olson on LinkedInUnit 42Unit 42 on TwitterUnit 42 Palo Alto Networks CareersThe future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send us a textNearly all companies that have started in the last few years have been cloud-native from the very start. Someone who has experienced this is today’s guest Nate Lee. Nate is the Chief Information Security Officer for Tradeshift, a cloud-based business networking platform for supply chain payments, marketplaces, and applications. In this episode, Nate joins us to talk about the company’s journey, its success, and what he has learned here over the past seven years. Nate explains how Tradeshift’s vision is to digitize and connect everything that happens between a buyer and a seller anywhere in the world, and how being cloud-native from the start has supported this mission. We discuss how you can leverage automation and DevSecOps to scale on some very difficult items like ISO 27000 among other certifications. You will also hear how security has been the key differentiator that led to Tradeshift’s success, how the strategic focus of Tradeshift’s security program has shifted over time and the key metrics that Tradeshift tracks to maintain its certifications and compliance efforts.Tweetables“[The vision] is connecting every company in the world. You can't do that with a bunch of islands running in individual data centers. It was an easy choice to be cloud-native back then, as well as a smart choice in general for any company starting these days.” — @JustAnotherNate [0:08:56]"In security and software development these days, if you're not constantly learning, you're falling behind just as quickly.” — @JustAnotherNate [0:32:48]Links Mentioned in Today’s EpisodeNate's LinkedIn profileTradeshift's websiteNate's blog on Transforming Technical Debt from Burden to ToolThe Unicorn ProjectThe future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send us a textIn a world where cyber-attacks are ever-changing, cybersecurity has to adapt accordingly. Joining us today to delve into the world of cloud security for federal agencies is Sandeep Shilawat, Vice President of Cloud and Edge Computing at ManTech. Sandeep has extensive experience in both Commercial and Federal technology markets. We’ll get to hear his predictions on where the cloud world is heading, as well as what the Federal Authority to Operate (ATO) process will look like in the future. We learn the benefits of cloud compliance standards, as well as how FedRAMP is leveling the playing field in federal cloud computing. We also touch on the role of 5G in cloud computing, and why its presence will disrupt going forward. Join us as we pick Sandeep’s brain for some insights into the present and future of federal cybersecurity.Tweetables“Visibility has become [the] single biggest challenge and nobody's dealing with cloud management in a multi-cloud perspective from cradle to grave.” — @Shilawat [0:09:03]“I think that having a managed cloud service is probably the first approach that should be considered by an agency head. I do think that that's where the market is heading. Sooner or later, it will probably become a de facto way of doing cloud security.” — @Shilawat [0:19:43]The future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send us a textThe pharmaceutical industry has a reputation for being cautious when it comes to adopting new technologies. However, in this episode, you’ll hear from the CISO at Takeda Pharmaceuticals, Mike Towers, that for Takeda cloud has been a game-changer (albeit not without some challenges). As we like to do, we’ll start by diving into Mike’s background and then pivot to understand where Takeda is today in their cloud journey and where they are going over the next 24 months. Get your pen ready because Mike is going to drop a massive amount of knowledge in a short period of time.Tweetables:“One of the things that's the toughest in the biopharmaceutical industry is focus because it's really easy to get tempted to try to solve a lot of different problems.” — @MichaelATowers [0:02:47]“We’ll be exclusively cloud, within probably, I would say, 15 months from now.” — @MichaelATowers [0:17:51]Links Mentioned in Today’s Episode:Prisma CloudMike Towers on TwitterMike Towers on LinkedInTakedaNavigating the Digital AgeThe future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send us a textDespite the media coverage afforded to the SolarWinds and Kaseya breaches, Palo Alto Networks, Unit 42 threat research indicates supply chain security in the cloud continues its growth as an emerging threat. Much remains misunderstood about both the nature of these attacks and the most effective means of defending against them. To better understand how supply chain attacks occur in the cloud, Unit 42 researchers analyzed data from a variety of public data sources around the world and, at the request of a large SaaS provider, executed a red team exercise against their software development environment. As you'll hear in the podcast, overall, the findings indicate that many organizations may still be lulled into a false sense of supply chain security in the cloud. Case in point: Even with limited access to the customer’s development environment, it took a single Unit 42 researcher only three days to discover several critical software development flaws that could have exposed the customer to an attack similar to that of SolarWinds and Kaseya. In the podcast, Unit 42 researchers Nathaniel "Q" Quist and Dr. Jay Chen, draw on Unit 42’s analysis of past supply chain attacks. The Cloud Threat Report explains the full scope of supply chain attacks, discusses poorly understood details about how they occur, and recommends actionable best practices that organizations can adopt today to help protect their supply chains in the cloud. The future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send us a textThe journey toward the cloud is filled with challenges, but the benefits it brings make the struggle worthwhile. Today we talk about all things cloud adoption with Rob Brown, CTO at the US Citizenship and Immigration Services Group. We jump in with some introductory comments about who the USCIS are and what they do, with Rob giving listeners an idea of his role within the organization. We hear about the massive move toward digitization at USCIS and some of the biggest challenges the organization is facing as far as cloud adoption. From there, our conversation touches on the benefits of a multi-cloud approach, how USCIS is implementing Zero Trust with regards to cloud security, and how microsegmentation fits into all of this. Tuning in, listeners will also learn about the metrics Rob uses to assess the process of cloud adoption at USCIS, how the shift to the cloud has helped address the issue of siloing, and the benefits of implementing a unified pipeline grounded by standardization. We wrap up with some current initiatives Rob is most occupied with before hearing about how he likes to stay sharp using an approach grounded in experimentation and testing. Rob is filled with insights to help keep teams robust and agile during sticky situations, so be sure to tune in and hear them all.Tweetables“We have got a very good security team and a pretty savvy group of application developers and infrastructure folks that take security and shift it as far to the left as possible.” — Rob Brown [0:17:19]“Standardization, to me, has been critical in creating some of these unified pipelines.” — Rob Brown [0:29:14]Links Mentioned in Today’s Episode:Rob Brown on LinkedInUS Citizenship and Immigration ServicesJobs at USCISThe future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send us a textWhen thinking of innovation, the first things that usually come to mind are tech startups. It’s not often you think of examples from the US Government or, more specifically, the Department of Defense. Our guest today has unprecedented insight, not only into what it takes to build a startup but how to create a startup-like culture in massive organizations like the US Department of Defense. Nic Chaillan, has had tremendous success as an entrepreneur and, in 2016, decided to pursue public service when he took a job with the US government. Over the past 20 years, Nic has built hundreds of products that were sold to dozens of Fortune 500 companies. After taking a break from entrepreneurship, Nicolas served as the Chief Software Officer for the US Air Force and Space Force and introduced game-changing innovations to the government’s software operations. In our conversation with Nic, we discuss agile practices and how he used DevSecOps to elevate the Department of Defense’s software security. We unpack how his experience as an entrepreneur motivated him and why it was a commonsense decision to apply those lessons when he started in government.Tweetables:“When you look at the desired outcomes, you realize pretty quickly that DevSecOps is the main enabler to get all of these things done fast while not creating more risk. In fact, I would argue, it reduces both cyber and operational testing risk as well.” — @NicolasChaillan [0:06:30]“That’s also something to think about: what kind of access control do you want to have in place when it comes to these kinds of tools and how do you mitigate the blast radius?” — @NicolasChaillan [0:16:39]“I am also a big believer that education and continuous learning has to drastically change and improve.” — @NicolasChaillan [0:33:59]Nicolas M. Chaillan on LinkedIn