Cloud Security Podcast by Google

Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure. We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit. We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.


Confidentially Speaking
“Confidentially Speaking” episode focuses on confidential computing. Guest: Nelly Porter, Group Product Manager @ Google. Topics covered: What risks are mitigated by confidential computing? What types of organizations must adopt confidential computing? How and where is the data encrypted? Resources: Confidential computing at Google Cloud
21:06 02/11/2021
Data Security in the Cloud
Episode 2 “Data Security in the Cloud” focuses on data security in the cloud. Guest: Andrew Lance, Sidechain. Topics covered: What is special about data security in the cloud? How does data security play in the shift from perimeter and network security to identity-based security? Can I use detective data security controls and turn them into preventative controls? Resources: “Designing and deploying a data security strategy with Google Cloud” paper
19:59 02/11/2021
Automate and/or Die?
Episode 3 “Automate and/or Die?” focuses on automated remediation (or is it response!) in the cloud. Guest: Joe Crawford, formerly in charge of cloud-native security at a large bank. Topics covered: Can we automatically remediate vulnerabilities and threats in the cloud? Did you require humans to be in the loop for your automation? Is that still automation if we do? Does security fear of automation have a place in the cloud?
17:37 02/11/2021
Gathering Data for Zero Trust
Episode 4 “Gathering Data for Zero Trust” focuses on enabling zero trust access in the real world. Guest: Max Saltonstall (@maxsaltonstall), Developer Advocate @ Google Cloud. Topics covered: What should be trusted for a zero trust system to work? What is the first thing you need to do to have a zero trust access project succeed? What data needs to be collected for zero trust system operation?
24:01 02/24/2021
Preparing for Cloud Migrations from a CISO Perspective, Part 1
Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud; Nick Godfrey, Director, Financial Services Security & Compliance and a member of Office of the CISO @ Google Cloud. Topics covered: Why do you think so many CISOs of traditional organizations fear cloud migrations? What is your best advice to a CISO who wants to migrate to the cloud using the on-premise playbook, or lift and shift? What are the real tradeoffs in this decision such as using familiar tools/practices vs cloud benefits/effectiveness? What would you recommend reading for a CISO managing their first cloud migration? Resources mentioned: Paper “CISO’s guide to Cloud Security Transformation”; Book “Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems”; Book “Practical Guide to Cloud Migration”
20:08 03/11/2021
Cloud Security Talks Summarized: A Recap Episode
Guests: no guests, just Tim and Anton  Topics covered: Discussion of the interesting presentations from Cloud Security Talks Q1 2021 focused on trusted cloud, container security, cyber insurance, Chronicle, ML for network security, etc Resources: All Q1 2021 Cloud Security Talks “Cloud Risk Panel Discussion” video “A conversation on overcoming risk management challenges in the Cloud” video  “Better together - expanding the Confidential Computing ecosystem” video “Detect potential threats to your containers” video “Supercharge your security telemetry with Chronicle” video “Tales from the trenches: Using machine learning to create safer networks” video “Chrome Enterprise Security - A deep dive” video
22:38 03/17/2021
No One Expects the Malware Inquisition
Guest: Brandon Levene, Malware Inquisitor @ Google Cloud Topics covered: Which malware is scarier, state-sponsored or criminal? How do we approach cybercrime mitigation at Google? How do we actually track malware? Don’t we need “attribution” for it? What are the most useful telemetry sources for study in modern malware? Does ransomware have a bright future? Where do you see threat actors making the biggest investments? Resource: "Crimeware In The Modern Era" paper by Brandon Levene
25:09 03/24/2021
Zero Trust: Fast Forward from 2010 to 2021
Guest:  John Kindervag, who is widely considered to be the creator of zero trust model in 2010 (currently works at ON2IT) Topics: What has changed in the world of zero trust since 2010? What must be trusted for a zero trust (ZT) system to work? What are key ZT project success pre-requisites? What is the first step in ZT implementation that increases the chance of its success? Is zero trust hard for most companies? What’s the most spectacular failure you’ve seen in a ZT project? Where do you see ZT heading in the next 10+ years? Resource: John's original zero trust paper (2010)
28:10 04/01/2021
Building a Third Party Platform for Cloud Security
Guest: Avi Shua, CEO and Co-founder @ Orca Security Topics: Where do you spend more effort, on detection of pre-fail issues (like configuration errors) or post-fail issues (like incidents)? How do you prioritize the preventative and detective controls in your platform? When talking to CISOs, how do you explain that cloud threat detection is different from the on-premise type? In your opinion, are agents dead in the cloud? Do you think your customers care more about cloud-specific threats or traditional threats against cloud assets? How do you think about the tradeoff for security teams between using cloud native controls vs a 3rd party vendor like, say, you? Resources: “The Orca Security 2020 State of Public Cloud Security Report”
27:53 04/12/2021
SIEM Modernization? Is That a Thing?
Guest: Eric Foster, President at CYDERES, a Fishtech Group company Topics: How do you define “modern” SIEM? Does modern SIEM always imply SaaS SIEM? Is there a future for on-premises SIEM? What are your top 3 root causes for SIEM deployment failure today? Modern or not, does SIEM have a future? Can XDR or some other technology drive it off the rails? What features or inputs should SIEM have to detect modern threats such as those to cloud environments but also others? What’s different about threat detection in Cloud? What is your view of the current frenzy about “AI”/ML for security? Resources: “Cyderes CNAP Makes SIEM Modernization a Snap”
24:41 04/19/2021
Preparing for Cloud Migrations from a CISO Perspective, Part 2
Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud Topics: To continue on the theme from Part 1, is “cloud-native” about thinking? Security tools? Systems? Architecture? How do we practically help CISOs “speak cloud”? What are the first steps to cloud thinking for an “on-premise CISO”? What are the areas of security where it is easier to become a cloud-native? How do you see a CISO transition journey from the on-premise thinking and technologies to cloud thinking and technology? How are CISOs thinking about third party security controls vs native, cloud provider security controls? Resources: “Preparing for Cloud Migrations from a CISO Perspective, Part 1” “CISO’s guide to Cloud Security Transformation”
20:54 04/26/2021
Threat Models and Cloud Security
Guest: Seth Vargo, Security Engineer @ Google Cloud Topics: How should security teams change their thinking about threats in the cloud? Where and when should an organization start in building their threat model for their cloud environment? What are the key changes of threat models after cloud migration? More specifically, when it comes to identity, credentials, lateral movement, what are the key ways in which cloud security differs from traditional or on-premises security? How should users who are leading the cloud migration help their colleagues think about security in the cloud? When am I "done" with cloud security planning?
19:41 05/03/2021
Application Security in the Cloud
Guest: Alyssa Miller,  BISO @ S&P Global Ratings Topics: How do application security practices change as organizations launch their cloud transformations? What bad things happen to you if you lift/shift your big applications to somebody's IaaS? What unique challenges do containers and serverless deployments create for application security? Is there good news here? How can cloud native technologies make application security easier than a traditional on-prem environment? What can organizations do to ensure the security of cloud-based SaaS solutions? How do DevOps and CI/CD impact the ability to secure cloud-based applications? What is your advice to security leaders who still want to practice appsec for cloud apps in the same manner as they did it for on-premise, the old way? What follow-up reading do you recommend on preparing for an application migration to Cloud? Resources: Cloud security trainings
24:55 05/10/2021
Making Compliance Cloud-native
Guest: Zeal Somani, Security Solutions Manager @ Google Cloud, former PCI QSA Topics: What are the usable recipes for thinking about compliance in the cloud? What regulations are more challenging for public cloud users? How do you see the client/provider responsibility split for compliance? What is this “shift left” for compliance? How do we educate auditors and regulators who insist on 1980s solutions to 2020s problems? What are the most popular mistakes and blind spots with trying to be compliant in the cloud? Resources: Whitepaper “Risk governance of digital transformation: guide for risk, compliance & audit teams”
20:11 05/19/2021
Scaling Google Kubernetes Engine Security
Guest: Greg Castle, Senior Staff Security Engineer at Google Topics: How is Kubernetes security different from traditional host security? What’s different about securing GKE vs securing Kubernetes on-prem? Where does one start with security hardening for GKE? In your view, what are top realistic threats to container deployments? What do users get wrong most often? Did we manage to make containers both more secure and more usable?
20:48 05/24/2021
Modern Data Security Approaches: Is Cloud More Secure?
Guest: Tim Dierks, Engineering Director, Data Protection @ Google Cloud Topics: What are the key components of data security in the public cloud today? Why do companies need specific data security plans and products? Do you think Google Cloud today has enough controls for processing the most sensitive data? Many organizations seem to be unaware of where sensitive data exists in their cloud environments, how do you think this problem will be fixed? What is your view on encryption's role in future cloud security? Do organizations mostly encrypt for security or for compliance? How do we help companies navigate the tradeoffs between complying with nation-state regulations and best practices for availability? I hear you are involved with some interesting key management innovations like HYOK via Cloud EKM, why do these matter for clients today? Resources: Forrester report “The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021”; “New whitepaper: Designing and deploying a data security strategy with Google Cloud”; “Hold your own key with Google Cloud External Key Manager”; “Building Secure and Resilient Systems” book (free)
28:15 06/01/2021
Modern Threat Detection at Google
Guest: Julien Vehent, Security Engineering Manager in the Detection and Response team @ Google Topics: What is special about detecting modern threats in modern environments? How does the Google team turn the knowledge of threats into detection logic? Run through an example of creating a detection for a new threat? How do we test our detection rules? We use the same people to write detections and to respond to resulting alerts, how is it working? What are the key skills of good security analysts to build cloud threat detection? Resources: “Site Reliability Engineering” book (free); “Building Secure & Reliable Systems” book (free); “Securing DevOps” by our very guest Julien Vehent
24:13 06/07/2021
More Cloud Migration Security Lessons
Guests: Jane Chung, VP of Cloud @ Palo Alto; Joe Crawford, Director of Strategic Technology Partnerships for Google Cloud @ Palo Alto Topics: What are the top security mistakes you’ve seen during cloud migrations? What is your best advice to security leaders who want to go to the cloud using the on-premise playbook? What security technologies may no longer be needed in the cloud? Which are transformed by the cloud? Cloud often implies agility, but sometimes security slows things down, how to fix that? How do security needs change based on adoption architecture (cloud, hybrid with on-premise, multi-cloud, multi cloud with on-premise)? From a security perspective, is there really any such thing as “lift and shift”? How do we teach cloud to security leaders who “grew up” on-premise? Resources: Use “Move and Improve” Instead of “Lift and Shift”; “Data Security in the Cloud” (Episode 2); “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age” book; CSA CCM v4
32:04 06/14/2021
Double-clicking, but not on fire hydrants, with bot fighters
Guest 1: Sparky Toews, Product Manager for Adobe identity @ Adobe Topics 1: Why are bots a problem to you? Give us a bit of your bot threat assessment? Can you tell us how you think about and practice securing the user experience? What kind of security products or best practices are involved? How do you see what security professionals do to secure the user experience evolving over time? Guests 2: Randy Gingeleski, Senior Staff Security Engineer @ HBO Max Brian Lozada, CISO @ HBO Max Topics 2: Can you tell us how you think about and practice securing the user experience at HBO? What kind of security products or best practices are involved? How does reCAPTCHA Enterprise fit into all of this? How do you see what security professionals do to secure the user experience evolving over time?
34:04 06/21/2021
Security Operations, Reliability, and Securing Google with Heather Adkins
Guest: Heather Adkins, Sr Director, Information Security @ Google Topics: Your RSA presentation has 3 pillars: zero trust, microservices, automation/zero prod, is this all you need to be secure & reliable in the modern world? Let’s drill down again into the “secure and reliable” concept, are you sure that they are interrelated? Is there a risk that microservices could actually increase attack surface? What are the practical security upsides of “no touch production”?  SRE and DevOps revolutionized IT, can we expect a similar revolution for security? Where would it come from? Resources: “Building Secure and Reliable Systems” RSA 2021 presentation by Heather Adkins  “Building Secure and Reliable Systems” book (free) “Modern Threat Detection at Google” (ep 17) Google BeyondCorp Google BeyondProd NIST 800-27 “Zero Trust Architecture”
28:27 06/28/2021
Security Marketing? Every Product Needs a Story!
Guest: Kelly Anderson, Head of Product Marketing, User Protection Services @ Google Cloud Topics: What is marketing, really? Why is it sometimes reviled by the technologists? What makes a great marketer in cloud security? What’s different about cloud security marketing, as opposed to regular old on-premise security marketing? Is there still FUD in the cloud? Which things are the easiest or hardest to do in Google Cloud Security marketing? How do you talk about products so they stand out from the noise? How’s Google Cloud marketing helping our users stay ahead of the adversaries? Resources: Security insights that help customers stay up to date Customer case studies on our security products Quarterly Google Cloud Security Talks  Cloud security webinars on BrightTALK and Cloud OnAir  Identity and security blogs on the Google Cloud blog
23:45 07/06/2021
Securing Multi-Cloud from a CISO Perspective, Part 3
Guests: Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud  Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud  Topics: As a CISO, would you ever decide to use multiple clouds, if it were in your hands?  How is security typically considered when companies go multi-cloud in their approach? Practically, or operationally, how does one think through securing multiple public cloud environments? What are the top challenges here? Different controls? Lack of tools? Confusing process? Skills on the team? Would you always buy security tools from a 3rd party (not a CSP) if you have to cover more than one cloud provider? Anything to add about compliance across multiple clouds? What is the best approach for securing multiple SaaS services that your company uses? Resources: “IDC: A multicloud strategy can mitigate regulatory, business risks” “Anthos security” SANS papers on securing multiple clouds (example)
24:13 07/12/2021
Threat Detection at Google Cloud Security Summit
No guests. We interviewed each other! Topics: What would you say are the most things that Chronicle is trying to address today? What are the good ways to use threat intel to detect threats that do not ruin your SOC? What does “autonomic” security mean, anyway? Is this a fancy way of saying “automatic” or something more? For sure, “the Cloud is not JUST someone else’s computer” - but how does this apply to threat detection? What makes threat detection “cloud-native”? What kinds of ML magic does your mini UEBA inside SCC use? Can you really do automated remediation in the cloud? Resources: Google Cloud Security Summit; “Making Invisible Security a Reality with Google” keynote; “Security Analytics at Google Speed and Scale” presentation by Anton; “Managing Your Security Posture on Google Cloud” presentation by Tim; “Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…” blog; Chronicle main site; Threat Detection in Logs in Google Cloud; SCC video; “Modern Threat Detection at Google” (episode 17); “Automate and/or Die?” (episode 3)
21:12 07/19/2021
Linking Up The Pieces: Software Supply Chain Security at Google and Beyond
Guests: Eric Brewer, VP of Infrastructure, and Google Fellow @ Google Aparna Sinha, Director of Product Management @ Google Cloud Topics: What is software supply chain security and how is it different from other kinds of supply chain security?  What types of organizations need to care about it? Is supply chain security a concern for large, elite enterprises only?  What’s the relationship between what we’re doing here, and what SBOM is? Can you talk us through a quick threat assessment of a supply chain security issue? What are the realistic threats here and who are the threat actors involved? How does Google try to solve these problems internally? Have we succeeded?  How does this translate into our products? By the way, what’s SLSA? Resources: “Container Security: Building trust in your software supply chain” (live event on July 29, 2021) “Tracking The Trail Of Software: The Key To Boosting Security”  “Introducing SLSA, an End-to-End Framework for Supply Chain Integrity” DORA study
23:03 07/26/2021
Beyond Compliance: Cloud Security in Europe
Guest:  John Stone, Chaos Coordinator at the Office of the CISO @ Google Cloud Topics: What are the top European-specific cloud migration security challenges? Are there interesting cloud adoption barriers related to security in Europe? Are some of these challenges more compliance than security related? Do you think compliance still drives security in the cloud for European companies? Do you think Europe can ever "make their own cloud"? So, what do you make of this entire movement about “data sovereignty”?  
27:03 08/02/2021
SOC in a Large, Complex and Evolving Organization
Guest: Johnathan Keith, Director of Information Security (CISO) @  ViacomCBS Streaming / Digital (at the time of the recording) Topics: What is the mission for your SOC? Has it evolved in recent years? How do you rate your state of maturity in security operations? I hear that your organization is complex and decentralized, how do you run a SOC in such a case? How do you approach the balance of people, process and technology in your SOC? What is the role of outsourcing in your SOC?  Is cloud included in your SOC mission scope? What are the immediate things you plan to improve? Resources: Security Summit Talk that this podcast episode is based on (all Google Cloud Security Summit 2021 talks)
20:24 08/09/2021
The Mysteries of Detection Engineering: Revealed!
Guest: Keith McCammon, Co-founder and Chief Security Officer, Red Canary Topics: What is Detection Engineering? How does it differ from just building rules/analytics? How to convert threat intelligence into detections? How to tell good detections from bad? And perhaps also good from great? How to test detections in the real world? Anything special about building detections for cloud environments? What do you think is the role of “rule-less” (such as ML) detections? Is “ML unicorn cavalry” coming? Resources: The Red Canary Blog; 2021 Threat Detection Report; Alerting and Detection Strategy Framework; Atomic Red Team toolset
30:09 08/16/2021
Tales from the Trenches: Using AI for Gmail Security
Guest: Andy Wen, Product Lead for Abuse & Security @ Google Cloud Topics: What are you doing with AI for security? What kinds of security problems are addressable with AI, and which ones are harder to address with ML techniques? Tell us where you’ve been surprised by AI’s success? Do you expect a) AI use by adversaries and b) attacks focused on disrupting the AI use by defenders? What advice would you give a PM or technical lead starting out on thinking they want to use AI to solve a problem? Resources: Andy Wen presentation from Cloud Security Talks 2021 “The Future of Machine Learning and Cybersecurity”
19:14 08/23/2021
Future of EDR: Is It Reason-able to Suggest XDR?
Guest: Sam Curry, Chief Security Officer @ Cybereason and Visiting Fellow @ National Security Institute Topics: EDR was “invented” in 2013 and we are now in 2021. What do you consider to be modern EDR components and capabilities? Where has EDR fallen short on its initial hype? How focused are the attackers on bypassing EDR? How do you think EDR works in the cloud? In your view, how would future EDR work for containers, microservices, etc? Why aren’t we winning the war against ransomware? XDR is an interesting concept, so how do you define XDR? Is XDR just EDR++ or is XDR SIEM 4.0? Resources: “The Pyramid of Pain” blog by David Bianco; “Named: Endpoint Threat Detection & Response”; “Dune” book; “The Bomber Mafia” book
27:54 08/30/2021
EP30 Malware Hunting with VirusTotal
Guest: Vicente Diaz, Threat Intelligence Strategist @ VirusTotal Topics: How would you describe the modern threat hunting process? Share some of the more interesting examples of attacker activities or artifacts you've seen? Do we even hunt for malware? What gets you more concerned, malware or human attackers? How do you handle the risk of attackers knowing how you perform hunting? What is the role of threat research for hunting? Do you need research to hunt well? Does threat research power attribution? How do you tell a good YARA rule from a bad one, and a great one? What’s the evolutionary journey for a YARA rule? What is your view on the future of hunting? Resources: YARA documentation; "Deep Thinking: Where Machine Intelligence Ends and Human Creativity Begins" by Garry Kasparov
26:19 09/07/2021