Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure.
We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit.
We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.
20 Subscribers
Podcast hosts
- anton_google
@anton_google
© Copyright Google Cloud
Cloud Security Podcast by Google
Read more
20 Subscribers
Reviews
MarBoSun
1 out of 5 stars
Not up to date
Missing podcast
Podcast information
- Amount of episodes
- 124
- Subscribers
- 20
- Verified
- Yes
- Website
- Explicit content
- No
- Episode type
- serial
- Podcast link
- https://podvine.com/link/..
- Last upload date
- May 29, 2023
- Last fetch date
- May 31, 2023 3:16 PM
- Upload range
- WEEKLY
- Author
- Anton Chuvakin
- Copyright
- Copyright Google Cloud
susbcribers
- EP123 The Good, the Bad, and the Epic of Threat Detection at Scale with PantherGuest: Jack Naglieri, Founder and CEO at Panther Topics: What is good detection, defined at micro-level for a rule or a piece of detection content? What is good detection, defined at macro-level for a program at a company? How to reliably produce good detection content at scale? What is a detection content lifecycle that reliably produces good detections at scale? What is the purpose of a SIEM today? Where do you stand on a classic debate on vendor-written vs customer-created detection content? Resources: “Essentialism” book “The 5 AM Club” book “Good to Great” book “Why Is Threat Detection Hard” blog “Think Like a Detection Engineer, Pt. 2: Rule Writing” blog “Detection as Code? No, Detection as COOKING!” blog Open Cybersecurity Schema Framework (OCSF)0 comments0
- EP122 Firewalls in the Cloud: How to Implement Trust Boundaries for Access ControlGuest: Michele Chubirka, Senior Cloud Security Advocate, Google Cloud Topics: So, if somebody wakes you up at 3AM (“Anton’s 3AM test”) and asks “Do we need firewalls in the cloud?” what would you say? Firewalls (=virtual appliances in the cloud or routing cloud traffic through physical firewalls) vs firewalling (=controlling network access) in the cloud, do they match the cloud-native realities? How do you implement trust boundaries for access control with cloud-native options? Can you imagine a modern cloud native security architecture that includes a firewall? Can you imagine a modern cloud native security architecture that excludes any firewalling? Firewall, NIDS, NIPS, NGFW …. How do these other concepts map to the cloud? How do you build a "traditional-like" network visibility layer in the cloud (and do we need to)? Resources: Video version of this episode: LinkedIn or YouTube “Security Architect View: Cloud Migration Successes, Failures and Lessons” (ep105) “Love it or Hate it, Network Security is Coming to the Cloud” with Martin Roesch (ep113) Gartner Bimodal IT definition Ross Anderson “Security Engineering” book The New Stack blog Trireme tool CNCF site security landscape Google Cloud Firewall0 comments0
- Cloud Security Podcast by Google May 15 · 31m EP121 What Happens Here Stays Here: Confidential City (and Space)Guests: Nelly Porter, Group Product Manager, Google Cloud Rene Kolga, Senior Product Manager, Google Cloud Topics: Could you remind our listeners what confidential computing is? What threats does this stop? Are these common at our clients? Are there other use cases for this technology like compliance or sovereignty? We have a new addition to our Confidential Computing family - Confidential Space. Could you tell us how it came about? What new use cases does this bring for clients? Resources: “Confidentially Speaking” (ep1) “Confidentially Speaking 2: Cloudful of Secrets” (ep48) “Introducing Confidential Space to help unlock the value of secure data collaboration” Confidential Space security overview “The Is How They Tell Me The World Ends” by Nicole Perlroth NIST 800-233 “High-Performance Computing (HPC) Security: Architecture, Threat Analysis, and Security Posture”0 comments0
- EP120 Building Secure Cloud and Building Security Products: Finding the BalanceGuest: Jeff Reed, VP of Product, Cloud Security @ Google Cloud Topics: You’ve had a long career in software and security, what brought you to Google Cloud Security for this role? How do you balance the needs of huge global financials that often ask for esoteric controls (say EKM with KAJ) vs the needs of SMBs that want easy yet effective, invisibility security? We’ve got an interesting split within our security business: some of our focus is on making Google Cloud more secure, while some of our focus is on selling security products. How are you thinking about the strategy and allocation between these functions for business growth? What aspects of Cloud security have you seen cloud customers struggle with the most? What’s been the most surprising or unexpected security challenge you’ve seen with our users? “Google named a Leader in Forrester Wave™ IaaS Platform Native Security” - can you share a little bit about how this came to be and what was involved in this? Is cloud migration a risk reduction move? Resources: “Google named a Leader in Forrester Wave™ IaaS Platform Native Security” “Sunil Potti on Building Cloud Security at Google” (ep102) Books by Haruki Murakami We are hiring product managers!0 comments0
- EP119 RSA 2023 - What We Saw, What We Learned, and What We're Excited AboutGuest: Connie Fan, Senior Product and Business Strategy Lead, Google Cloud Topics: We were at RSA 2023, what did we see that was notable and surprising? Cloud security showed up with three startups with big booths, and one big player with a small demo station. What have we learned here? What visitors might have seen at the Google Cloud booth that we're really excited about? Could you share why we chose these two AI cases - generation of code and summarization of complex content - out of all the possibilities and the sometimes zany things we saw elsewhere on the floor? Could you share a story or two that highlights how we came to this AI launch and what it looked like under the surface? Resources: “RSA 2023 - How to Protect Your Organization from Cyberattacks in Time of Political Turmoil” (ep118) “RSA 2022 Reflections - Securing the Past vs Securing the Future” (ep70) “How We Attack AI? Learn More at Our RSA Panel!” (ep68) “Security Operations, Reliability, and Securing Google with Heather Adkins” (ep20)0 comments0
- EP118 RSA 2023 - How to Protect Your Organization from Cyberattacks in a Time of Political TurmoilGuests: Shanyn Ronis, Head of the Mandiant Communication Center John Miller, Head of Mandiant Intelligence Analysis Topics: It seems like we’re seeing more cyber activity taking place in the context of geopolitical events. A lot of organizations struggle to figure out if/how to respond to these events and any related cyber activity. What advice do you have for these organizations and their leadership? A lot of threat intel (TI) suffers from “What does this event mean for threats to our organization?” - sort of how to connect CNN to your IDS? What is your best advice on this to a CISO? TI also suffers from “1. Get TI 2. ??? 3. Profit!” - how does your model help organizations avoid this trap? Surely there are different levels of granularity here to TI and its relevance. Is what a CISO needs different from what an IR member needs? Do you differentiate your feed along those axes? What does success look like? How will organizations know when they’re successful? What are good KPIs for these types of threat intelligence? In other words, how would customers know they benefit from it? Is there anything unique that cloud providers can do in this process? Resources: RSA 2023 Session “Intelligently Managing the Geopolitics and Security Interplay” on Wed Apr 26 9:40AM “Sandworm” by Andy Greenberg “Reading Mandiant M-Trends 2023”0 comments0
- EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?Guest: Maxime Lamothe-Brassard, Founder @ LimaCharlie Topics: What does an engineering-centric approach to cybersecurity mean? What to tell people who want to "consume" rather than "engineer" security? Is “engineering-centric” approach the same as evidence-based or provable? In practical terms, what does it mean to adopt an "engineering-centric approach" to cybersecurity for an organization? How will it differ from what we have today? What will it enable? Can you practice this with a very small team? How about a very small team of “non engineers”? You seem to say that tomorrow's cybersecurity will look a lot like software engineering. Where do we draw the line between these two? Resources: Atomic Red Team Sigma rules/content LimaCharlie blog 8 Megatrends drive cloud adoption—and improve security for all The Cybersecurity Defenders Podcast0 comments0
- EP116 SBOMs: A Step Towards a More Secure Software Supply ChainGuest: Isaac Hepworth, PM focused on Software Supply Chain Security @ Google Cooked questions: Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader? Some software vendors don’t want SBOM, and this reminds us of the food safety rules debates in the past, how does this analogy work here? One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs than small independent and open source projects. Is that a risk? Is the SBOM requirement setting the government up to be overly reliant on megacorps and are we going to unintentionally ban open source from the government? What is the relationship between SBOM and software liability? Is SBOM a step to this? Won’t software liability kill open source? How does Google prepare for EO internally; how do we use SBOM and other related tools? To come back to the food analogy, SBOMs are all well and good, but the goal is not that consumers know they’re eating lead, but rather that our food becomes healthier. Where are we heading in the next five years to improve software supply chain "health and safety"? Resources: Full video of this episode ( YouTube / LinkedIn) “Executive Order on Improving the Nation’s Cybersecurity” “M-22-18 Memorandum For The Heads of Executive Departments and Agencies“ SLSA.dev “How to SLSA Part 3 - Putting it all together” Assured Open Source Software NIST Secure Software Development Framework (SSDF) “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24) “2022 Accelerate State of DevOps Report and Software Supply Chain Security” (ep100)0 comments0
- Cloud Security Podcast by Google Apr 3 · 35m EP115 How to Approach Cloud in a Cloudy Way, not As Somebody Else’s Computer?Guest: Rafal Los, Head of Services Strategy @ Extrahop and Founder of Down the Security Rabbit Hole podcast Topics: You had a very fun blog where you reminded the world that many organizations still approach cloud as a rented data center, do you still see it now? Do you think this will persist for 3, 5, 10 years? Other than microservices, what’re the most important differences between public cloud and a rented data center for a CISO to keep in mind? Analysts say that “cloud is secure, but clients just aren’t using it securely”, what is your reaction to this? Actually, how do you define “use cloud securely”? Have you met any CISOs who are active cloud fans who prefer cloud for security reasons? You also work for an NDR vendor, do you think NDR in the cloud has a future? Resources: Full video of this episode ( YouTube / LinkedIn) Down the Security Rabbithole Podcast (DtSR) podcast “A Little Truth About the Cloud” “Megatrends drive cloud adoption—and improve security for all” “CISO Walks Into the Cloud: And The Magic Starts to Happen!” (ep104) “Threat Models and Cloud Security” (ep12) “Security Architect View: Cloud Migration Successes, Failures and Lessons” (ep105) “Patrolling Cyberspace” book (2006)0 comments0
- EP114 Minimal Viable Secure Product (MVSP) - Is That a Thing?Guest: Chris John Riley, Senior Security Engineer and a Technical Debt Corrector @ Google Topics: We’ve heard of MVP, what is MVSP or Minimal Viable Secure Product? What problem is MVSP trying to solve for the industry, community, planet, etc? How does MVSP actually help anybody? Who is the MVSP checklist for? Leaders or engineers? How does MVSP differ from compliance standards like ISO 27001, or even SOC 2? How does Google use MVSP? Has it improved our security in some way? How to balance the dynamic nature of security with minimal security basics? The working group has recently completed a control refresh for 2022, what are some highlights? Resources: Mvsp.dev SLSA Levels MVSP (Minimum Viable Secure Product) Compliance “Phantoms in the Brain” book ”Strengthen Basic Security Hygiene With a Two-Pronged Security Architecture Approach” FIRST Impressions podcast0 comments0
- EP113 Love it or Hate it, Network Security is Coming to the CloudGuest: Martin Roesch, CEO at Netography, creator of Snort Topics: What is the role of network security in the public cloud? Networks used to be the perimeter, now we have an API and identity driven perimeter. Are networks still relevant as a layer of defense? We often joke that “you don’t need to get your firewalls with you to the cloud”, is this really true? How do you do network access control if not with firewalls? What about the NIDS? Does NIDS have a place in the cloud? So we agree that some network security things drop off in the cloud, but are there new network security threats and challenges? There’s cloud architecture and then there’s multi cloud and hybrid architectures–how does this story change if we open the aperture to network security for multi cloud and hybrid? Should solutions that provide cloud network security be in the cloud themselves? Is this an obvious question? Resources: Book “Who: The A Method for Hiring” by Geoff Smart, Randy Street Netography resources Snort ““Hacking Google”, Op Aurora and Insider Threat at Google” (ep91) “Zero Trust: Fast Forward from 2010 to 2021” (ep8) “Gathering Data for Zero Trust” (ep4)0 comments0
- EP112 Threat Horizons - How Google Does Threat IntelligenceGuest: Charles DeBeck, Cyber Threat Intel Expert @ Google Cloud Topics: What is unique about Google Cloud approach to threat intelligence? Is it the sensor coverage? Size of the team? Other things? Why is Threat Horizons report unique among the threat reports released by other organizations? Based on your research, what are the realistic threats to cloud environments today? What threats are prevalent and what threats are most damaging? Where do you see things in 2023? What should companies look for? What’s one thing that surprised you when preparing the report? What do you think will surprise audiences? What is the most counter-intuitive hardening and operational advice can we glean from this Threat Horizons report? What's most important to know when it comes to understanding OT and cloud? Resources: Google Threat Horizons Reports One, Two, Three, Four, Five “Demystifying ‘shared Fate’ - A New Approach To Understand Cybersecurity” Corey Quinn on cloud billing alerts0 comments0
- EP111 How to Solve the Mystery of Application Security in the Cloud?Guest: Brandon Evans, Infosec Consultant and Certified Instructor and Course Author at SANS Topics: What got you interested in security and motivated you to make this your area of focus? You came from a developer background, right? Occasionally, we hear the sentiment that “developers don’t care about security,” how would you counter it (and would you?)? How do we encourage developers and operations to use the appropriate security controls and settings in the cloud? Is “encourage” the right word? Can we really do “secure by default” but for developers? What do you think are the main application security issues that developers need to deal with in the cloud? You mentioned software supply chain security, do you treat this as a part of application security? How important is this, realistically, for an average organization and its developers? Going to our favorite subject of threat detection, how do you think we can better encourage developers to supply the logs necessary for our detection and response teams to act upon? Resources: “Cloud Security: Making Cloud Environments a Safer Place” ebook by SANS SANS.org/cloud site “The Phoenix Project” book by Gene Kim et al “The Unicorn Project” book by Gene Kim “Next Special - Log4j Reflections, Software Dependencies and Open Source Security” (EP87) “2022 Accelerate State of DevOps Report and Software Supply Chain Security” (EP100) “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (EP24)0 comments0
- EP110 Detection and Response in a High Velocity and High Complexity EnvironmentGuest: David Seidman, Head of Detection and Response @ Robinhood Toipics: Tell us about joining Robinhood and prioritizing focus areas for detection in your environment? Tim and Anton argue a lot about what kind of detection is best - fully bespoke and homemade, or scalable off-the-shelf. First, does our framework here make sense, and second, looking at your suite of detection capabilities, how have you chosen to prioritize detection development and detection triage? You're operating in AWS: there are a lot of vendors doing detection in AWS, including AWS themselves. How have you thought about choosing your detection approaches and data sources? Finding people with as much cloud expertise as you can't be easy: how are you structuring your organization to succeed despite cloud detection and response talent being hard to find? What matters more: detection skills or cloud skills? What has been effective in ramping up your D&R team in the cloud? What are your favorite data sources for detection in the cloud? Resources: “Detection as Code? No, Detection as COOKING!” “On Threat Detection Uncertainty” “Radical Candor” by Kim Scott “Daring Greatly” by Brene Brown “Extreme Ownership” by Jocko Willink “Drive” by Daniel Pink0 comments0
- Cloud Security Podcast by Google Feb 20 · 27m EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!Guest: Ana Oprea, Staff Security Engineer, European Lead of Vulnerability Coordination Center @ Google Topics: What is the scope for the vulnerability management program at Google? Does it cover OS, off-the-shelf applications, custom code we wrote … or all of the above? Our vulnerability prioritization includes a process called “impact assessment.” What does our impact assessment for a vulnerability look like? How do we prioritize what to remediate? How do we decide on the speed of remediation needed? How do we know if we’ve done a good job? When we look backwards, what are our critical metrics (SLIs and SLOs) and how high up the security stack is the reporting on our progress? What of the “Google Approach” should other companies not try to emulate? Surely some things work because of Google being Google, so what are the weird or surprising things that only work for us? Resources: SRS Book, Chapter 20: Understanding Roles and Responsibilities and Chapter 21: Building a Culture of Security and Reliability Why Google Stores Billions of Lines of Code in a Single Repository SRE book and SRE Workbook “How Google Secures It's Google Cloud Usage at Massive Scale” (ep107) “Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66) “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75)0 comments0
- EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat HuntingGuest: John Stoner, Principal Security Strategist @ Google Cloud Topics: Please define threat hunting for us quickly, the term has been corrupted a bit What are your favorite beginner hunts to jump start the effort at a new team? How to incorporate hunting lessons in detection? What are the differences for hunting in the cloud? Are there specific data sources you prefer to have access to when threat hunting? In the cloud? Should every organization threat hunt? What are traits you might look for in a threat hunter? Resources: “The Who, What, Where, When, Why and How of Effective Threat Hunting” Awesome Threat Detection and Hunting “My “Aha!” Moment - Methods, Tips, & Lessons Learned in Threat Hunting” video NIST Computer Security Incident Handling Guide 800-61 “Threat Hunting Is Not for Everyone” (2020) “Formulating An Intelligence-Driven Threat Hunting Methodology” video0 comments0
- EP 107 How Google Secures It's Google Cloud Usage at Massive ScaleGuest: Karan Dwivedi , Security Engineering Manager, Enterprise Infrastructure Protection @ Google Cloud Topics: Google’s use of Google Cloud is a massive cloud environment with wildly diverse use cases. Could you share, for our listeners, a few examples of the different kinds of things we’re running in GCP? Given that we’re doing these wildly different things in GCP, how do we think about scaling the right security guardrails to the right places in our GCP org? How do you work with application engineering teams and project owner teams to make sure the right controls are there but not getting in the way of business? How do we scale this exemption management process? Are there things we do here that don’t make sense at a smaller scale? Are there emergent challenges that only we would face? How do you correctly federate security responsibilities between the central team defining policy and the constituent user teams actually using the platform? Burnout is a perennial challenge for security teams–what’re you doing to keep your people happy and engaged? Resources: “How We Scale Detection and Response at Google: Automation, Metrics, Toil” (ep75) ““Hacking Google”, Op Aurora and Insider Threat at Google” (ep91) Google Cloud security foundations guide0 comments0
- EP106 Beyond BeyondProd - How Do You Zero Trust Your Workloads?Guest: Anoosh Saboori, former Product Manager at Google Cloud Topics: We had zero trust episodes before and definitions vary! When we say zero trust, what do we mean? What about zero trust for workloads in production? When you say “workload,” what do you mean? What is BeyondProd, for those that are unfamiliar with it? And how is this different from BeyondCorp? How has BeyondProd actually been implemented at Google? What threats does it help with? Is this real threats or compliance? Why is now a good time to be thinking about zero trust for production systems? Companies have many security tools deployed, including microsegmentation and firewalls, how does this toolset fit? Does it replace anything they have deployed? Resources: BeyondProd papers “Zero Trust: Fast Forward from 2010 to 2021” (ep8) “Gathering Data for Zero Trust” (ep4) “Google Workspace Security: from Threats to Zero Trust” (ep99) “Zero Trust: So Easy Even a Government Can Do It?” (ep59) “Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance” (ep66)0 comments0
- EP105 Security Architect View: Cloud Migration Successes, Failures and LessonsGuest: Michele Chubirka , Senior Cloud Security Advocate, Google Cloud Topics: We are here to talk about cloud migrations and we are here to talk about failures. What are your favorites? What are your favorite cloud security process failures? What are your favorite cloud security technical failures? What are your favorite cloud security container and k8s failures? Is "lift and shift" always wrong from the security point of view? Can it at least work as step 1 for a full cloud transformation? Resources: “Automate and/or Die?” (ep3) “More Cloud Migration Security Lessons” (ep18) “The Magic of Cloud Migration: Learn Security Lessons from the Field” (ep55) “Preparing for Cloud Migrations from a CISO Perspective, Part 1” (ep5) “Cloud Migrations: Security Perspectives from The Field” (ep33) "Dune" by Frank Herbert "The Science of Organizational Change" by Paul Gibbons "Servant Leadership: A Journey into the Nature of Legitimate Power and Greatness" by Robert K. Greenleaf "Finding the Sweet Spot for Change" State of Devops (DORA) Report 20220 comments0
- EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen!Guest: Gary Hayslip, CISO at Softbank Topics: "So we're talking about your journey as a CISO migrating to Cloud. Could you give us the 30 second overview of What triggered your organization's migration to the cloud? When did you and the security organization get brought in? How did you plan your security organization's journey to the cloud? Did you take going to cloud as an opportunity to change things beyond the tools you were using? As you got going into the cloud, what was the hardest part for your organization? If that was hardest, what was most surprising? Good surprise and bad surprise? Let’s shift to some tactical gears: How did you design security controls for the cloud? Did your data security practice change? Did your detection / response practice change? How has the CISO role evolved and is evolving due to the cloud? Having covered all that tactical terrain, one final strategic question: is moving to Cloud a net risk reduction? Can it be? Resources: “CISO Desk Reference Guide” book by Gary Hayslip “The Essential Guide to Cybersecurity for SMBs” book by Gary Hayslip “Develop Your Cybersecurity Career Path” book by Gary Hayslip0 comments0
- Cloud Security Podcast by Google Jan 9 · 24m EP103 Security Incident Response and Public Cloud - Exploring with MandiantGuest: Nader Zaveri, Senior Manager of IR and Remediation at Mandiant, now part of Google Cloud Topics: Could we start with a story of a cloud incident response (IR) failure and where things went wrong? What should that team have done to get it right? Are there skills that matter more in cloud incidents than they do for on-prem incidents? Are there on-prem instincts that will lead incident responders astray in cloud? What 3 things an IR team leader needs to do to prepare his team for IR in the cloud? Are there on-premise tools that can stay on prem and not join us in the cloud? What processes should we leave behind? Keep with us? What logs and context should we prepare for cloud IR? What access should we have behind “break glass”? While doing IR, what things should we look at in the cloud logs (which logs, also?) to expedite the investigation? Resources: “How to Cloud IR or Why Attackers Become Cloud Native Faster?” (ep98) “How to prepare for detection & response in the cloud” Google Cloud Next 2022 presentation “Security Incident Response in the Cloud: A Few Ideas” blog GCP Cloud Logging “Security at Scale: Logging in AWS” paper “AWS Security Incident Response Whitepaper” paper0 comments0
- EP102 Sunil Potti on Building Cloud Security at GoogleGuest: Sunil Potti , VP / GM, Google Cloud Topics: One of the biggest shifts we’ve noticed is the shift from building security because we think security is good, to building security as a business. How did you make that cultural shift happen in our organization? With organizations migrating to cloud we have a set of tradeoffs between meeting security teams where they are with on-prem expectations of security vs cloud-native approaches. How do you think about investing in next generation products vs holding the hands of CISOs just stepping into the cloud? What matters more to you as a leader, secure cloud (GCP, Workspace) or security products (Chronicle SecOps, BCE, SCC, etc)? Is invisible security the same as “building security in”? Aren’t there security controls where the value is derived from them being visible to users? Mandiant brings services expertise to Google Cloud, typically not our strong area and not our DNA, how do we plan to make the most of Mandiant within Google’s culture? Resources: Simon Sinek “Start With Why” book0 comments0
- EP101 Cloud Threat Detection Lessons from a CISOGuest: Jim Higgins , CISO at Snap, former CISO at Square Topics: You were at Google for a long time, and at Google you sat between Google security and Cloud. Now that you're leading security for a major company, how are you prioritizing your focus between your on-premise resources and your cloud resources? How are you thinking about threat detection in the Cloud? In detection, how has your technology changed? How has your process changed? What threats do you mostly focus on? Why don’t we talk about the role of automation in detection and response (D&R)? How do you approach automation and eliminating toil? As you're scaling teams, processes and technology for your cloud footprint, what has been easiest to get right and what's been hardest to get right? How do you approach measuring security? What cloud metrics are you sharing upwards to your board? Resources: BeyondCorp Enterprise “Ghost in the Wires: My Adventures as the World's Most Wanted Hacker” book0 comments0
- EP100 2022 Accelerate State of DevOps Report and Software Supply Chain SecurityGuests: John Speed Meyers , Security Data Scientist, Chainguard Todd Kulesza, User Experience Researcher, Google Topics: How did you get involved with this year’s Accelerate State of DevOps Report ( DORA report )? So what is DORA and why did you decide to focus on supply chain security for the 2022 report? What are the big learnings from this year’s report ? What’s the difference between SLSA and SSDF? Is one spicy and the other savory? How’re companies adopting these and how is adoption going? Are there other areas that DevOps can be a contributor in the overall security landscape? How can CISOs rope DevOps fully into their security gang? Operationally, how should security and developers and DevOps come together to keep vulnerabilities out in the first place? How should security and developers and DevOps come together to respond quickly to vulnerabilities when they’re discovered? How do security and developers and DevOps come together to prove to their auditors and customers that they’re doing a good job of the above? Resources: 2022 Accelerate State of DevOps Report "New insights for defending the software supply chain" blog (and new report ) SLSA.dev site Secure Software Development Framework at NIST “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24) “Sharing The Mic In Cyber with STMIC Hosts Lauren and Christina: Representation, Psychological Safety, Security” (ep92) Go vulncheck tool “Reflections on Trusting Trust” paper (1984)0 comments0
- EP99 Google Workspace Security: from Threats to Zero TrustGuests: Nikhil Sinha, Group Product Manager, Workspace Security Kelly Anderson, Product Marketing Manager, Workspace Security Topics: We are talking about Google Workspace security today. What kinds of threats do we have to care about here? Are there compliance-related motivations for security here too? Is compliance in the cloud changing? How’s adoption of hardware keys for MFA going for your users, and how are you helping them? Is phishing finally solved because of that? Can you explain why hardware security FIDO/WebAuthn is such a step function compared to, say, RSA number generator tokens? Have there been assumptions in the Workspace security model we had to change because of WFH? And what changes with RTO and permanent hybrid? Resources: Google BeyondCorp Enterprise “Make zero trust a reality with Google Workspace security solutions” Next 2022 video “2021: Phishing is Solved?” (ep40) “Zero Trust: Fast Forward from 2010 to 2021” (ep8)0 comments0
Podcast hosts
- anton_google
@anton_google
© Copyright Google Cloud
