Cloud Security Podcast

How CI/CD Tools can expose your Code to Security Risks? In this episode, we’re joined by Mike Ruth, Senior Staff Security Engineer at Rippling and returning guest, live from BlackHat 2024. Mike dives deep into his research on CI/CD pipeline security, focusing on popular tools like GitHub Actions, Terraform, and Buildkite. He reveals the hidden vulnerabilities within these tools, such as the ability for engineers to bypass code reviews, modify configuration files, and run unauthorized commands in production environments. Mike explains how the lack of granular access control in repositories and CI/CD configurations opens the door to serious security risks. He shares actionable insights on how to mitigate these issues by using best practices like GitHub Environments and Buildkite Clusters, along with potential solutions like static code analysis and granular push rule sets. This episode provides critical advice on how to better secure your CI/CD pipelines and protect your organization from insider threats and external attacks. #infrastructureascode #cicdsecurity #cloudsecurity

🚨 Are You Holding Data Like a Pro? 🚨 We spoke about a topic that with AI gaining momentum, we can no longer ignore - our relationship with data and how to truly achieve data security maturity. 🎙️💡. To tackle this we spoke to Dan Benjamin, Head of Data, Identity and AI Security Inventory First: Before you can secure anything, you need to know what you're dealing with—data and AI services included. It’s time to stop guessing and start cataloging. 📋 Tackling Data Ticking Bombs: Whether it's developer secrets, non-compliance with PCI or PHI, or sensitive information scattered across your environment, cleaning up data is crucial. As humans, we're natural hoarders—and data is no exception. 🧨 Mature Companies Automate: The more mature teams in the space? They’ve operationalized their DSPM (Data Security Posture Management). The goal? Automatically open tickets to the right teams with clear evidence and action steps. A real game changer for organizations with 50+ development teams. 🚀 If Data Security is of interest to you in 2024, then this is definitely a good episode to listen to. We have linked the full episode in the comments below! #datasecurity #dspm #cloudsecurity Palo Alto Networks

🚨 Is MultiCloud the New Norm? 🚨 In today’s fast-moving tech landscape, one question keeps popping up—Is it now expected for companies to go MultiCloud? We spoke about this on our State of Cloud Security Panel 💡 Not by Design, but by Requirement Years ago, the conversation centered around AWS, GCP, and Azure. Now, Oracle, IBM Cloud, and others are part of the mix—whether we like it or not. 🔄 Concentration Risk & Leadership Anxiety When AWS or another CSP goes down, businesses can lose revenue in an instant. Leadership freaks out—and rightfully so. So, is spreading workloads across multiple clouds the solution? Maybe... but it introduces a whole new set of challenges. ⚠️ Complexity vs. Availability “MultiCloud is like becoming an adult. It’s the worst decision you’ll ever make, and it’s going to happen anyway.” 😂 But seriously, juggling different cloud providers can be a nightmare. Fault tolerance? Sure. Sanity? Maybe not. 💥 Myth of the ‘MultiCloud Unicorn’ Let’s face it, no one is a true expert across AWS, GCP, Azure, and beyond. So why are hiring managers still looking for that “MultiCloud Prodigy”? Spoiler alert: They don’t exist. Instead, focus on being a pro at one and understanding the basics of others. 🤝 Enablement Over Expertise Instead of expecting a one-person MultiCloud team, companies should focus on enabling teams to become experts within their specific cloud environments. Governance over micromanagement is key. Thank you to our panelists Damien Burks, Abdie Mohamed, Chris Farris, Rich Mogull, Patrick Sanders, Marguerite (Meg) Ashby, Ammar Alim & Ashish Rajan 🤴🏾🧔🏾♂️ This is a great episode for anyone working in Cloud Security in 2024 and beyond as you will get insights from a broad spectrum of experts in the field. We have linked the full episodes in the comments below!

Cybersecurity Leaders and CISOs are often in the hot seat, so this is our hot take on their stories. In the 2nd Instalment of Season 2 of Hot Takes with CISOs and Cybersecurity Leaders, we had Yasmin Abdi, Security Engineering Lead at Snap Inc. and Founder of noHack giving Ashish some very good competition. #ciso #cybersecurityleaders

🚨The Themes from BlackHatUSA 2024, what are we hearing in the space of Cloud Security and AI Security. if you have been following Cloud Security Podcast and AI CyberSecurity Podcast, you may have caught our BlackHat Recap episodes, this issue gets into all that and a whole lot more as we speak about - 🛡️ Resilience in the Face of Outages 🔑 The rise of Identity Centric Security 🌩️ The Growing Complexity of Cloud Security 🧠 Data Security in the Age of AI 🤖 Automation & AI in Cybersecurity The episode and takeaways tie in very nicely to some of our recent conversations with Srinath K., Ely Kahn and Brigid Johnson and our recent episode on our sister podcast with Ashish Rajan 🤴🏾🧔🏾♂️ and Caleb Sima Did we miss any key trends - would love to hear your thoughts! #aicybersecurity #cloudsecurity #blackhatUSA2024

As promised, as an addition to the BlackHat Recap we had on Cloud Security Podcast, Ashish and Caleb broke down all the AI Cybersecurity Themes from BlackHat, not so much from the briefings but they do get to speak to a lot of leaders in the space during the event and this is a recap of all the things they are seeing. AI CyberSecurity Podcast #aisecurity #aicybersecurity

🚨 Red Team vs. Incident Response: What's the difference?🔒 Imagine a battlefield where the attackers are always one step ahead, testing your defenses, probing your weaknesses, and then slipping away before you even realize they were there. 🎯 On one side, you’ve got the Red Team, mastering the art of stealth and emulating real-world attackers. On the other side? The Incident Response Team, ready to detect, respond, and mitigate the damage before it's too late. It may sound like they do similar things but infact they serve very different purposes Red Team’s tactics: They infiltrate systems, gain access to sensitive data, and mimic the behavior of real attackers. Incident Response: They work to detect these attacks in real-time, piece together the puzzle of how it happened, and prevent future incidents. If you are looking at fine tuning your knowledge for incident response in the cloud, this was a great conversation with Santiago. We have linked the full episode in the comments below! #cloudsecurity #incidentresponse #redteaming

In this episode of the Cloud Security Podcast, we bring together an incredible panel of experts to explore the evolving landscape of cloud security in 2024. Hosted by Ashish Rajan, the discussion dives deep into the challenges and realities of today’s multi-cloud environments. With perspectives ranging from seasoned veterans to emerging voices this episode offers a broad spectrum of insights from cloud security practitioners who are living and breathing cloud security everyday. We are very grateful to our panelist who took part in 1st of its kind edition for the State of Cloud Security - Marguerite (Meg) Ashby, Damien Burks, Chris Farris, Rich Mogull, Patrick Sanders, Ammar Alim and Abdie Mohamed. The conversation covers essential topics such as the pitfalls of multi-cloud adoption, the persistent security issues that remain even as cloud technologies advance, and the importance of specializing in one cloud platform while maintaining surface-level knowledge of others. The panelists also share their thoughts on the future of cloud security, including the increasing relevance of Kubernetes and edge security. #cloudsecurity #cloudsecuritycareers #stateofcloudsecurity

🚀How are we working with MultiCloud environments in 2024? 🌩️🔐 It’s not just AWS, Azure, and Google Cloud anymore—Oracle and IBM are making their presence felt, too. Suddenly, what used to be a "three-cloud" problem has evolved into a five-headed beast. 🐉 So, how do you design a cloud security team that can tackle this growing complexity? 🤔 To answer this and explore the current State of Cloud Security from a leadership perspective, we spoke to Srinath K., Managing Director, Head of Product Security - Cloud Multi-Cloud Experts? 🌍 Is there really such a thing? Can someone truly claim to be an expert across all cloud platforms? Or is it just as tricky as driving with both hands, both feet, and a hand on the roof? 🚗💨 Shared Services Strategy: 🛠️ Should we be thinking of security as a shared service that spans across clouds? Invest once, apply everywhere—sounds ideal, but what about that last mile? Those unique nuances that each cloud provider brings to the table? Efficiency vs. Expertise: ⚙️ As practitioners, we all crave efficiency. But is it possible without bringing in specialized engineers for each cloud? How do you balance a broad, scalable strategy with the need for deep, specific expertise? We explore all this and a lot more on this episode, we have linked the full episode in the comments below! #cloudsecurity #stateofcloudsecurity #ciso

🚨 The concept of Secure Enclave in Confidential Computing! 🎙️ We spoke to ⚓ Marko Zvonko Kaiser, Principal Systems Software Engineer NVIDIA about the world of confidential computing, confidential containers and secure enclave and how they may fit into your environment. Imagine an isolated environment within your system, protected at the hardware level, where not even other virtual machines or devices—like network cards or GPUs—can peek inside. This is the power of Secure Enclave. But it doesn’t stop there; attestation comes into play to ensure that your hardware and software are in a trustworthy state. 🛡️ 🔍 Understanding Isolation: Secure Enclave isolates resources in your node, creating a fortress where sensitive data is shielded from the rest of the system. 🔧 Hardware-Level Security: CPU's secure processor plays a critical role in maintaining this isolation, and it can be more robust than software-only solutions. 🔑 Attestation Insights: Uncover the importance of proving that your system’s hardware and software are exactly as they should be—safe, secure, and trustworthy. If confidential computing is of interest to you, this was a very valuable conversation with Marko, we have linked the full episode in the comments below #cloudsecurity #confidentialcomputing #confidentialcontainers