Cloud Security Podcast by Google

By Anton Chuvakin

Listen to a podcast, please open Podcast Republic app. Available on Google Play Store.


Category: Technology

Open in Apple Podcasts

Open RSS feed

Open Website
Rate for this podcast
Subscribers: 42
Reviews: 0

Description

Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure. We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit. We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.

Episode Date
EP72 What Does Good Detection and Response Look Like in the Cloud? Insights from Expel MDR
32:04

Guests:

Topics:

  • Many MDRs claim to be “security from the cloud”, but they actually don’t know much about cloud security. What does good looks like for MDR in the cloud (cloud being a full range from IaaS to SaaS)?
  • What are the key challenges for clients picking an MDR for their cloud environments?  What are the questions to ask your potential MDR?
  • Do clients want the same security outcomes done in the cloud vs on-premise?  
  • Does it mean that MSSP/MDR capabilities must be different for good coverage of the cloud? 
  • Is MDR technology different for Cloud detection and response as opposed to on-prem D&R? 
  • How do you communicate with clients about the importance and value of cloud specific detection vs detection for endpoints running in the cloud? 
  • What are the top threats against client cloud environments that you see, detect and protect from?
  • Which clouds (IaaS?) are easiest for MDR to protect? What makes them easier to handle than the other Clouds?

Resources:

 Jun 27, 2022
EP71 Attacking Google to Defend Google: How Google Does Red Team
22:46

Guest: 

Topics:

  • What is our “red team” testing philosophy and approach at Google? 
  • How did we evolve to this approach? 
  • What is the path from testing to making Google and our users more secure? How does our testing power the improvements we make?
  • What is unique about red teaming at Google?
  • Care to share some fun testing stories or examples from your experience?

Resources:

 Jun 21, 2022
EP70 Special - RSA 2022 Reflections - Securing the Past vs Securing the Future
22:49

Guests: none

Topics:

  • What have we seen at the RSA 2022 Conference?
  • What was the most interesting and unexpected?
  • What was missing?

Resources:

 Jun 16, 2022
EP69 Cloud Threats and How to Observe Them
29:40

Guest:

  • James Condon,  Director of Security Research @  Lacework 

Topics:

  • What are realistic and actually observed cloud threats today? How did you observe them at Lacework?
  • Cloud threats: are they on-premise  style threats to cloud assets? We hate the line “cloud is just somebody else’s computer” but apparently threats actors seem to think so?
  • What is the 2nd most dangerous cloud issue after configuration mistakes?
  • Why is it so common for organizations to have insecure configurations in their cloud environments? 
  • Give me a few examples of the most common mistakes organizations make, and what they can do to avoid those configurations.
  • Cloud malware and  ransomware / RansomOps, are these real risks today?
  • Are we finally seeing the rise of Linux malware at scale (in the cloud)?
  • As multi cloud expands in popularity, what are threat actors doing in this area?
  • Are actors customizing their attacks on a per-cloud basis (AWS, GCP, Azure)?

 Resources:

 Jun 13, 2022
EP68 How We Attack AI? Learn More at Our RSA Panel!
28:12

Guest: 

Topics:

  • What is your threat model for a large-scale AI system? How do you approach this problem? How do you rank the attacks?
  • How do you judge if an attack is something to mitigate? How do you separate realistic from theoretical?
  • Are there AI threats that were theoretical in 2020, but may become a daily occurrence in 2025?
  • What are the threat-derived lessons for securing AI?
  • Do we practice the same or different approaches for secure AI and reliable AI?
  • How does relative lack of transparency in AI helps (or hurts?) attackers and defenders?

Resources:

 Jun 06, 2022
EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?
25:57

Guest: 

  • Sounil Yu, CISO and Head of Research at JupiterOne

Topics:

  • How does your Cyber Defense Matrix apply to cloud security? Are things easier or harder?
  • Cloud (at least the cloudy-cloud, also called cloud native) definitely supports “Distributed Immutable Ephemeral” (DIE) - your new creation, how does that change security and CDM?
  • Cyber resilience generates a lot of confusion, how do you define and describe it? 
  • BTW, is the cloud more or less cyber resilient based on your definition?
  • Is invisible security a good thing? Can we ever have it? When should security be visible?
  • Intuitively, security and safety are not the same. So, what is the difference between cyber safety and cyber security? What is cyber safety, really?

Resources:

“Security Chaos Engineering” book

 May 31, 2022
EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance
24:57

Guest:

  • Sandra Guo, Product Manager in Security, Google Cloud

Topics:

  • We have a really interesting problem here: if we make great investments in our use of trusted repositories, and great investments in doing code review on every change, and securing our build systems, and having reproducible builds, how do we know that all of what we did upstream is actually what gets deployed to production?
  • What are the realistic threats that Binary Authorization handles? Are there specific organizations that are more at risk from those?
  • What’s the Google inspiration for this work, both development and adoption? 
  • How do we make this work in practice at a real organization that is not Google? 
  • Where do you see organizations “getting it wrong” and where do you see organizations “getting it right”?
  • We’ve had a lot of conversations about rolling out zero-trust for enterprise applications, how do those lessons (start small, be visible, plan plan plan) translate into deploying Binauthz into blocking mode? 

Resources:

 May 23, 2022
EP65 Is Your Healthcare Security Healthy? Mandiant Incident Response Insights
28:02

Guests:

Topics:

  • What are the current “popular” incidents at healthcare providers that you handled? Any of them involve cloud? 
  • Do healthcare CISOs have time for anything other than ransomware?
  • Does insider threat matter? What can incident response teach us here?
  • How do you think the threat actors benefit from the health data they steal? 
  • Based on your IR experience, what are the more interesting ways in, other than phishing?
  • Give us your IR-informed take on ransomware pay/not pay focused on healthcare, ideally? 

Resources:

 May 16, 2022
EP64 Security Operations Center: The People Side and How to Do it Right
29:25
Guest:
  • Dave Herrald @ Principal Security Strategist, Google Cloud

Topics:

  • What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)?
  • How do you make SOC training realistic?
  • Should training be about the toolset or should it be about the analyst’s skills?
  • Should you primarily train for engineering skills or analysis skills?
  • Do you need to code to succeed in a modern SOC?
  • Are competitive events like CTFs effective for SOC training?
  • What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity?

Resources:

 May 09, 2022
EP63 State of Autonomic Security Operations: Are There Sharks in Your SOC?
34:59

Guests:

Topics:

  • It’s been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about?
  • How was the ASO story received by your customers? Any particular reactions?
  • Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed?
  • ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations?
  • What else can we do to evolve SOC faster than the threats and assets grow?

Resources:

 May 02, 2022
EP62 Protect Modern Applications in the Cloud: Union of APIs and Application Security
27:10

Guest:

  • Etienne De Burgh, Senior Security and Compliance Specialist, Office of the CISO @ Google Cloud

Topics:

  • Why is API security hot now? What happened that made it a priority for many? 
  • Is API security different from application security? Doesn't the first "A" in API  stand for application? 
  • What are the real threats to exposed APIs?
  • APIs are designed for automated use, so how do you tell automated use from automated abuse / attack?
  • What are the biggest challenges that companies are having with API security?
  • What are the components of API security? Is there a “secure by default API”? API threat detection?
  • Just like cloud in general, API misconfigurations seem to be leading to security problems, are APIs hard to configure securely for most organizations?

Resources:

 Apr 25, 2022
EP61 Anniversary Episode - What Did We Learn So Far on Cloud Security Podcast?
26:35

No guests - just Anton and Tim

Topics:

  • Why cloud security? What do we really think about our podcast name and topic, cloud security?
  • Can you once again explain security for the cloud, in the cloud, from the cloud?
  • What is one thing that we learned from doing a podcast?
  • Favorite cloud security trend that we encountered on the podcast? 
  • What did we learn about security from organization's migrating to the cloud?
  • What are our favorite reading materials related to cloud security?
  • What are our favorite tips from the guests on securing the cloud?

Resources:

 Apr 18, 2022
EP60 Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM?
30:31

Guest: 

Topics:

  • Could you explain briefly why identity is so important in the cloud?
  • A skeptic on cloud security once told us that “in the cloud, we are one identity mistake from a breach.” Is this true?
  • For listeners who aren’t familiar with GCP, could you give us the 30 second story on “what is a service account.” How is it different from a regular IAM account?
  • What are service account impersonations?
  • How can I see if my service accounts can be impersonated? How do I detect it?
  • How can I better secure my organization from impersonation attacks?

Resources:

 Apr 11, 2022
EP59 Zero Trust: So Easy Even a Government Can Do It?
27:38

Guest: 

Topics:

  • What is your favorite definition of zero trust?
  • You had posted a blog analyzing the whitehouse ZT a memo on the federal government’s transition to “zero trust”,  what caught your eye about the Zero Trust memo and why did you decide to write about it?
  • What’s behind the federal government’s recommendations to deprecate VPNs and recommend users “authenticate to applications, not networks”?
  • What do these recommendations mean for cloud security, today and in the future?
  • What do you think would be the hardest things to implement in real US Federal IT environments?
  • Are there other recommendations in the memo to think about as organizations design zero trust strategies for their infrastructure? 
  • What are some of the challenges of implementing zero trust in general?

Resources:

 Apr 04, 2022
EP0 New Audio Trailer: Cloud Security Podcast by Google
01:15

New Audio Trailer: Cloud Security Podcast by Google

 Mar 28, 2022
EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond
28:04

Guests: 

  • Alexi Wiemer,  Senior Manager at Deloitte Cyber Detection and Response Practice
  • Dan Lauritzen,  Senior Manager at Deloitte Cloud Security Practice.

Topics:

  • What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in? 
  • What is your best advice to SOCs that are permanently and woefully understaffed? 
  • Many SOC analysts are drowning in manual work, and it is easy to give advice that “they   need to automate.” What does this actually entail, in real life?
  • What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR? 
  • What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats?
  • Occasionally, we hear that “SOC is dead.” What is your response to such dire SOCless predictions? 

Resources:

 Mar 28, 2022
EP57 Stop Zero Days, Save the World: Project Zero's Maddie Stone Speaks
25:24

Guest:

Topics:

  • How do we judge the real risk of being attacked using an exploit for a zero day vulnerability? Does the zero day risk vary by company, industry, etc? 
  • What does pricing for zero days tell us, if anything? Are prices more driven by supply or demand these days?
  • What security controls or defenses are useful against zero days including against chained zero days?
  • Where are the cloud zero days? We get lots of attention on iOS and Android, what about the cloud platforms? 
  • So, how do we solve the paradox of zero days, are they more scary than risky or more risky than scary? Or both?

Resources:

 Mar 21, 2022
EP56 Rebuilding vs Forklifting and How to Secure a Data Warehouse in the Cloud
25:42

Guest: 

  • Erlander Lo, Security and Compliance Specialist @ Google Cloud

Topics:

  • Imagine you are planning a data warehouse in the cloud, how do you think about security?
  • What are the expected threats to a large data store in the cloud?
  • How to create your security approach for a data warehouse project?
  • Are there regulations that force your decisions about security controls or  approaches, no matter what the threats are?
  • How do you approach data governance for this project?
  • What controls are there to implement in Google Cloud for a secure data warehouse effort?

Resources:

 Mar 14, 2022
EP55 The Magic of Cloud Migration: Learn Security Lessons from the Field
26:50

Guests:

  • Brandie Anderson, Global Security Practice Lead @ Google Cloud
  • Renzo Cuadros,  Regional Security Practice Lead @ Google Cloud

Topics:

  • What are your Cloud migration security lessons? Greatest hits? Near misses?
  • What are the most common cloud security mistakes you see? Any practices or tricks to avoid or mitigate them?
  • How do you talk people out of security “lift and shift”?
  • Do clients understand how threat models change when they migrate to the cloud?
  • How clients typically handle compliance in the cloud? What regulations are the most challenging in the cloud?
  • What is the future for cloud migration security? 
  • Do we foresee a future when most data is created in the cloud and there is no need to migrate anything?

Resources:

 Mar 07, 2022
EP54 Container Security: The Past or The Future?
24:14

Guest: 

  • Anna Belak,  Director of Thought Leadership @ Sysdig

Topics:

  • One model for container security is “Infrastructure security  | build security | runtime security” -  which is most important to get right? Which is hardest to get right? 
  • How are you helping users get their infrastructure security right, and what do they get wrong most often here?
  • Your report states that “3⁄4 of running containers have at least one "high" or "critical" vulnerability“ and it  sounds like pre-cloud IT, but this is about containers?  This was very true  before cloud, why is this still true in cloud native?  Aren’t containers easy to “patch” and redeploy? 
  • You say  “Whether the container images originate from private or public registries, it is critical to scan them and identify known vulnerabilities prior to deploying into production.“ but then 75% have critical vulns? Is the problem that 75% of containers go unscanned, or that users just don’t fix things? 
  •  “52% of all images are scanned in runtime, and 42% are initially scanned in the CI/CD pipeline.“ - isn’t pipeline and repo scanning easier and cheaper? Why isn’t this 90/10 but 40/50?
  •  “62% detect shells in containers” sounds (to Anton) that “62% zoos have a dragon in them” i.e. kinda surreal. What’s the real story?
  • Containers are at the forefront of cloud native computing yet your report seems to show a lot of pre-cloud practices? Are containers just VMs and VMs just servers? 

Resources:

 Feb 28, 2022
EP53 Seven Years of SOAR: What's Next?
23:25

Guest: 

  • Amos Stern, CEO of SIEMplify, now part of Google Cloud

Topics:

  • SOAR is in the news again,  so what can we say about the state of SOAR in 2022?
  • What have we learned trying to get SOAR adopted 2015-2022 (that’s 7 years of SOAR-ing for you)?
  • What are the top playbooks to start your SOC automation using SOAR? 
  • What about the links between SOAR as security automation and general IT automation? 
  • Does the level of consolidation in this market mean that SOAR really is a feature of SIEMs and not a product in its own right?

Resources:

 Feb 22, 2022
EP52 Securing AI with DeepMind CISO
22:49

Guest:

Topics:

  • We spend a lot of time on Artificial Intelligence (AI) safety, but what about security? 
  • What are some of the useful frameworks for thinking about AI security?
  • What is different about securing AI vs securing another data-intensive, complex, enterprise application?
  • What do we know about threat modeling for AI applications?
  • What attacks against AI systems do we expect to see first in real life?
  • What issues with AI security should we expect to face in 3-5 years?

Resources:

 Feb 14, 2022
EP51 Policy Intelligence: More Fun and Useful than it Sounds!
24:33

Guest: 

Topics:

  • What is Cloud Organization Policy, and how is it different from IaC and Policy as code (PaC)?
  • What does successful organization policy design look like from a business and human standpoint? From a technical standpoint?
  • Granular policy work is always hard. How is Google helping users get org policy right?  What are the uniquely Google strengths here? 
  • Is the AI involved real or is this marketing pixie dust AI?
  • How do users know if something should be a proactive control like a guardrail or if something should be a reactive control like a detection?

Resources:

 Feb 07, 2022
EP50 The Epic Battle: Machine Learning vs Millions of Malicious Documents
30:47

Guest:

  • Elie Bursztein, security, anti-abuse and privacy researcher @ Google

Topics:

  • This episode draws on a talk available in the podcast materials. Could you summarize the gist of your talk for the audience?
  • What makes the malicious document problem a good candidate for machine learning (ML)? Could you have used rules?
  • “Millions of documents in milliseconds,” not sure how to even parse it - what is involved in making it work?
  • Can you explain to the listeners the motivation for reanalyzing old samples, what ground truth means in ML/detection engineering, and how you are using this technique?
  • How fast do the attackers evolve and does this throw ML logic off?
  • Do our efforts at cat-and-mouse with attackers make the mice harder for other people to catch?  Does massive-scale ML detections accelerate the attacker's evolution?

Resources:

 Jan 31, 2022
EP49 Lifesaving Tradeoffs: CISO Considerations in moving Healthcare to Cloud
27:15

Guest:

Topics:

  • What’s top of mind for healthcare organizations’ CISOs now?
  • What common advice do you find yourself giving most often to security leaders in healthcare? Is there a list of top 3 items or is this all “it depends”?
  • What regulations are shaping the healthcare industry and its adoption of new technology? HIPAA is from 1996, how does it work for the cloud in the 2020s?
  • Why do you think we aren’t seeing more cloud ransomware?
  • Healthcare orgs are sometimes seen as “IT laggards”, what are the key security lessons from their cloud migrations?
  • How do we convince some of these organizations that cloud is more secure as long as they use it securely?
 Jan 24, 2022
EP48 Confidentially Speaking 2: Cloudful of Secrets
29:55

Guest:

  • Nelly Porter, Group Product Manager @ Google Cloud

Topics

  • In the past year, what has changed with Confidential Computing here at Google?
  • Could we please talk about a user or two who has really nailed it with our Confidential Computing? 
  • What have we learned about the threat models of clients who are choosing to deploy Confidential Computing? What are they solving for?
  • Doing Confidential Computing “right” feels like a lot more than having some fancy CPUs with magic math. What challenges do customers face adopting it? 
  • We finally “married” Confidential Computing with EKM. What types of clients are deploying this new technology? What threats are they mitigating?
  • What’s on the horizon for Confidential Computing? 

Resources:

 Jan 18, 2022
EP47 Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security
26:09

Guest:

  • Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud

Topics:

  • Explain the whole cloud security megatrend concept to us?
  • How can we better explain that “yes, cloud is more secure than most client’s data centers”?
  • Can you please explain "shared fate" one more time?
  • Shared fate seems to require shared incentives. Do we see the incentives to invest in security changing within organizations migrating to Cloud?
  • Cloud as the Digital Immune System sounds really cool, what does it mean for a typical practitioner - security and developers both?
  • What about the risk aggregation (eggs in one basket) argument against relying on CSP for all security?
  • Does software sovereignty mean that Cloud providers are always going to be held to common standards and lose out on the opportunity to sell highly differentiated software on top?

Resources:

 Jan 11, 2022
EP46 Products and Solutions: Helping Our Customers Precipitate Change
22:47

Guests: 

  • Alison Reyes, Director, Security Solutions, Google Cloud
  • Iman Ghanizada, Solutions Manager for Security Operations & Analytics @ Google Cloud

Topics:

  • What is our thinking on solutions vs products for security? Sure, “security is a process, not a product,” but where do solutions fit in?
  • Security as an industry has too many vendors with little understanding of how users secure things, can solutions approach fix that?
  • Google is sometimes known for writing code and just throwing it out there, do solutions change that dynamic for Google Cloud clients who come to us for security?
  • Who are the target users for our security solutions? Why did we choose those solutions and not others?
  • To me, solutions is how our products actually live in the real world. But can we really hope to transform customer operations with solutions?
  • One of the solutions dear to my heart is Autonomic Security Operations that seeks to “10X the SOC”, how was the experience so far? Is 10X real and what does it mean?
  • How do we know if we succeeded, what are metrics for solutions?
  • How do solutions fit with Google Cybersecurity  Action Team launch? Do we need more action figures now?

 Resources:

 Dec 06, 2021
EP45 VirusTotal Insights on Ransomware Business and Technology
22:59

Guests:

Topics:

  • Why GandCrab / REvil was the most popular ransomware  family in 2020?
  • What is ransomware as a service?
  • Is every scary article about ransomware essentially marketing for the criminals?
  • Some ransomware payoffs are huge, how do you think they spend the money?
  • How else do they profit off stolen data apart from double extortion schemes? Are there triple extortion schemes?
  • What is the concept of a “trusted brand in ransomware”, is it better for clients because they will return the data?
  • Why did non-Windows ransomware fail as a business?
  • Do we expect 0day exploits  to become more popular in ransomware?
  • Based on this research, what is the key reason for ransomware’s wild success?

Resources:

 Nov 29, 2021
EP44 Evolving a SIEM for the Future While Learning from the Past
28:16

Guest:

  • Mike Orosz, a Chief Information and Product Security Officer @ Vertiv

Topics:

  • What are your views on modern SIEM?  What should it do and what should it be?

  • Should it even be called SIEM? 

  • Is SaaS/cloud-native SIEM the only way to go?

  • Can anybody build a SIEM in the cloud by installing the regular SIEM on IaaS?

  • What are the top challenges for organizations deploying and operationalizing SIEM today?

  • What are some hidden or commonly forgotten costs for a SIEM deployment?

  • Is open source the answer to SIEM?

  • SIEM today should deliver on detection, hunting and investigation use cases, so what does it mean in terms of practical data retention?

Resources:

 Nov 22, 2021
EP43 Automation as Paved Roads in Cloud Enablement
23:13

Guests:

  • Amber Shafi, Production Manager GSK
  • Svetlin Zamfirov, Senior Platform Engineer at GSK
  • Ivan Angelov, Principal Platform Engineer at GSK

Topics:

  • Tell us about your team, what are you responsible for and how is the team setup to make that happen? What components of cloud security do you cover?
  • Tell us about cloud misconfigurations and why these are different from on- premise misconfiguration?
  • How are you discovering these misconfigurations? 
  • You've automated responses to misconfiguration. Beyond the obvious upsides of reducing team toil and time to response, what are the other benefits? Are there risk in this approach and how are they handled?
  • How did this idea to automate come about, and what lessons did you learn along the way?
  • How have you integrated with the cloud provider security tooling?

Resources:

 Nov 15, 2021
EP42 Missing Diversity Hurts Your Security
23:43

Guest:

  • MK Palmore, Director at Office of the CISO,  Google Cloud, member of Cybersecurity Action Team

Topics:

  • Why is there such a huge gap in security professionals who are women and people of color?
  • How does the lack of women and people of color in tech impact the industry, cybersecurity & tech overall? Are diverse teams better performing, better morale, happier people?
  • Are there kinds of threats that we miss in threat modeling exercises for lack of diverse team members?
  • We’ve seen countless examples where AI/ML systems have had problems with laundering biases and having frankly appalling issues due to biased training data. What are security implications here? 
  • Are there organizations helping to close the representation gap in the security workforce and the cloud workforce?
  • Why do the big tech companies and even the smaller ones have trouble identifying diverse talent? Why is this hard even for people and organizations who clearly want to improve it?
  • Why do companies have a hard time retaining diverse talent? 

Resources:

 Nov 08, 2021
EP41 Beyond Phishing: Email Security Isn't Solved
23:49

Guest:

Topics:

  • When we think about traditional email security, we think anti-spam/phishing. Your company is doing other things, so what are they? In other words, isn’t email security solved with legacy appliance vendors (SEG) and cloud email providers? 
  • What was the combination of technology and security opportunities that really resonated with you and your investors that led to your focus on email security?
  • Security has almost 2000 vendors and they are noisy, how do you get to clients without screaming too loud? How do you build a better security vendor?
  • Related to being better vendors, but more broadly, what can we do as an industry to make it easier to buy and get value out of our investments in new security tooling and technology? 
  • How can we build security tooling that requires less of our precious security team’s time?

 

 Nov 01, 2021
EP40 2021: Phishing is Solved?
31:49

Guests

  • Elie Bursztein, security, anti-abuse and privacy researcher @ Google
  • Kurt Thomas, security, anti-abuse and privacy researcher @ Google

Topics:

  • Can we say that “Multi-Factor Authentication - if done well - fixes phishing for good” or is this too much to say?
  • What are the realistic and seen-in-the-wild bypasses for MFA as a protection?
  • How do you think these controls fare vs top tier attackers (clearly, they work vs commodity threats)?
  • What do we know about burden vs value of MFA today?
  • What can we realistically do to increase MFA/2FA adoption to the 90%s?
  • Can we share anything about what we’re seeing as industry benchmarks on MFA adoption so far? 
  • We’ve seen a lot of ugly debates over the value of SMS as MFA, what is your research-based take on this?

Resources:

 Oct 25, 2021
EP40 2021: Phishing is Solved?

Guests

  • Elie Bursztein, security, anti-abuse and privacy researcher @ Google
  • Kurt Thomas, security, anti-abuse and privacy researcher @ Google

Topics:

  • Can we say that “Multi-Factor Authentication - if done well - fixes phishing for good” or is this too much to say?
  • What are the realistic and seen-in-the-wild bypasses for MFA as a protection?
  • How do you think these controls fare vs top tier attackers (clearly, they work vs commodity threats)?
  • What do we know about burden vs value of MFA today?
  • What can we realistically do to increase MFA/2FA adoption to the 90%s?
  • Can we share anything about what we’re seeing as industry benchmarks on MFA adoption so far? 
  • We’ve seen a lot of ugly debates over the value of SMS as MFA, what is your research-based take on this?

Resources:

 Oct 25, 2021
EP39 From False Positives to Karl Popper: Rationalizing Cloud Threat Detection
30:46

Guest:

  • Jared Atkinson, Adversary Detection Technical Director at SpecterOps

Topics:

  • What are bad/good/great detections? Is this all about the Bianco's pyramid? Is high good and low bad?
  • How should we judge the quality of detections? Can there be a quality framework? Is that judgment going to be site specific?
  • What should we do to build more good directions? Is this all about reducing false positives?
  • Can we really measure false negatives? How can we approach this?
  • How can we test for detection goodness in the real world? What are the methods that work? It can’t be just about paper ATT&CK coverage, right?
  • What are your top 3 tips for improving the detection practice at an organization?

Resources:

 Oct 18, 2021
NEXT Special - 6 Cloud Security PMs (and a Developer Advocate!) Walk into a Studio
31:23

Guests:

  • Stephanie Wong
  • Vicente Diaz, Jerome McFarland
  • Scott Ellis
  • Patrick Faucher
  • Il-Sung Lee, Anoosh Saboori

Topics:

  • What is your session about?
  • Why would audience care?
  • What is special about your security technology?

Resources:

 Oct 14, 2021
NEXT Special - Google Cybersecurity Action Team: What's the Story?
20:48

Guest:

  • Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud

Topics:

  • We are here to talk Google Cybersecurity Action Team, and this is your brainchild, so tell our audience the origin of this idea?
  • How is Cybersecurity Action Team going to help secure GCP enterprise clients?
  • Is there also a “improve the security of the internet” story?
  • Many organizations seem stuck in the pre-cloud thinking and mental models, can Cybersecurity Action Team help them transform their security? How?
  • When we sometimes present our security innovations to clients, they say “but we are not Google”, so how does Cybersecurity Action Team help us bring more of Google Cybersecurity to the world?
  • What else do we plan to do with Cybersecurity Action Team to help customers modernize their security?
  • How should customers engage with Cybersecurity Action Team?

Resources:

 Oct 13, 2021
NEXT Special - Cloud Security and DEI: Being an Ally!
19:01

Guest:

  • Aditi Joshi, Manager in Cloud Security Team @ Google Cloud

Topics:

  • What is Allyship? How is it defined? What is its main goal?
  • Why is allyship important in Cloud Security, specifically? Are there aspects of security that make allyship particularly important?
  • What specifically has Google Cloud Security deployed and operationalized around Allyship?
  • How does effective allyship look like? More personally, how can I be a better ally?
  • How does it fit into Google Cloud Security’s overarching DEI efforts?
 Oct 12, 2021
NEXT Special - Google Cloud NEXT Security: What to Watch?
20:55

Guest:

  • Rob Sadowski, Trust and Security Lead @  Google Cloud

Topics:

  • What are the big security themes at NEXT? Is security still visible?
  • What about invisible security vs autonomic security? Is that just “invisible security” with a neat name?
  • This has got to be your fourth or fifth Next, right? What’s new this year compared to last years, aside from being virtual?
  • Anything particularly uniquely Google we’re talking about?
  • What to watch at NEXT, if you are a CISO?
  • We secure not just GCP with our tools and approaches, so what to watch if not yet a GCP client?
  • If you have only time for 3 security sessions, which 3 to watch?

Resources:

 Oct 11, 2021
EP34 Instrumenting Modern Application Stack for Detection and Response
25:01

Guest:

  • Matt Svensson, Senior Security Engineer @ BetterCloud

Topics:

  • What are the approaches for monitoring serverless and other modern application architectures?
  • What are the challenges with these new environments?
  • What approaches don’t work? What can go wrong with modern stack security monitoring?
  • What should we watch for in a modern application stack?
  • Most new architecture setups are predicated on identities so is identity the center of threat detection here or not?
 Oct 04, 2021
EP33 Cloud Migrations: Security Perspectives from The Field
25:35

Guest:

  • Elliott Abraham, Security and Compliance Specialist @ Google Cloud

Topics:

  • We talk about lift and shift vs cloud native, what are these and are they fair characterizations?
  • Is lift and shift always negative? Does it always harm security?
  • Are security planning needs different between them?
  • What are the fundamentals with security during cloud migration that you have to get right regardless?
  • What’s your advice to a security team to help make a migration work well?
  • How do you account for threat model differences in the cloud? Are cloud threats being more different or more the same to the classic ones?

Resources:

 Sep 27, 2021
EP32 Can You Ever Know Thyself: Cloud Attack Surface Management
23:39

Guest:

Topics:

  • Attack Surface Management (ASM). Why do we need a new toolset and  a new category? Isn’t this just 1980s asset management or CMDB?
  • How do we find those assets that may have been misplaced by the organizations? How can any technology do this reliably?
  • ASM seems to often rely on network layer 3 and 4. Can’t bad guys just hit the app endpoints and all your network is irrelevant then?
  • When you think about the threats organizations face due to unknown assets, is data theft at the top of the stack? What should organizations keep in mind as a priority here?
  • Who at an organization is best set up to receive, triage, investigate, and respond to the  alerts about the attack surface?
  • Are there proactive steps organizations can take to prevent shadow IT, or are we stuck responding to each new signal? Isn’t preventing new assets the same as preventing business?

Resources:

 Sep 20, 2021
EP31 Cloud Certifications, and Cloud Security with TheCertsGuy
22:09

Guest:

  • Iman Ghanizada,   Solutions Manager for Security Operations & Analytics @ Google Cloud

Topics:

  • What is your book “Google Cloud Certified Professional Cloud Architect All-in-One Exam Guide” about? 
  • What was your journey into writing this book, how long did it take?
  • The book seems to be targeted towards Cloud Architects, but you come from a predominantly security background, how has that influenced your writing of this book?
  • What does this have to do with The Certs Guy (14 certs!?)  and what's his mission?
  • What’s the intersectional thinking on certificates and making our industry more accessible and inclusive? Do certs help or hurt this?
  • So what’s your advice on certs for various career stages?
  • What are some of the biggest architectural challenges you’ve seen in the field of Cloud Security?

Resources:

 Sep 13, 2021
EP30 Malware Hunting with VirusTotal
26:19

Guest:

  • Vicente Diaz,  Threat Intelligence Strategist @ VirusTotal

Topics:

  • How would you describe modern threat hunting process?
  • Share some of the more interesting examples of attacker activities or artifacts you've seen?
  • Do we even hunt for malware? What gets you more concerned, malware or human attackers?
  • How do you handle the risk of attackers knowing how you perform hunting?
  • What is the role of threat research role for hunting? Do you need research to hunt well?
  • Does threat research power attribution?
  • How do you tell a good YARA rule from a bad one, and a great one?
  • What’s the evolutionary journey for a YARA rule?
  • What is your view on the future of hunting?

Resources:

 

 Sep 07, 2021
Future of EDR: Is It Reason-able to Suggest XDR?
27:54

Guest: 

  • Sam Curry,  Chief Security Officer @ Cybereason and Visiting Fellow @ National Security Institute

Topics:

  • EDR was “invented” in 2013 and we are now in 2021. What do you consider to be modern EDR components and capabilities?
  • Where has EDR fallen short on its initial hype?
  • How focused are the attackers on bypassing EDR?
  • How do you think EDR works in the cloud?
  • In your view, how would future EDR work for containers, microservices, etc?
  • Why aren’t we winning the war against ransomware?
  • XDR is an interesting concept, so how do you define XDR? Is XDR just EDR++ or is XDR SIEM 4.0?

Resources:

 Aug 30, 2021
Tales from the Trenches: Using AI for Gmail Security
19:14

Guest:

  • Andy Wen, Product Lead for Abuse & Security @ Google Cloud

Topics:

  • What are you doing with AI for security?
  • What kinds of security problems are addressable with AI, and which ones are harder to address with ML techniques?
  • Tell us where you’ve been surprised by AI’s success?
  • Do you expect a) AI use by adversaries and b) attacks focused on disrupting the AI use by defenders?
  • What advice would you give a PM or technical lead starting out on thinking they want to use AI to solve a problem?

Resources:

 Aug 23, 2021
The Mysteries of Detection Engineering: Revealed!
30:09

Guest:

Topics:

  • What is Detection Engineering? How it differs from just building rules/analytics?
  • How to convert threat intelligence into detections? 
  • How to tell good detections from bad? And perhaps also good from great?
  • How to test detections in the real world?
  • Anything special about building detections for cloud environments?
  • What do you think is the role of “rule-less” (such as ML) detections? Is “ML unicorn cavalry” coming?

Resources:

 Aug 16, 2021
SOC in a Large, Complex and Evolving Organization
20:24

Guest:

  • Johnathan Keith, Director of Information Security (CISO) @  ViacomCBS Streaming / Digital (at the time of the recording)

Topics:

  • What is the mission for your SOC? Has it evolved in recent years?
  • How do you rate your state of maturity in security operations?
  • I hear that your organization is complex and decentralized, how do you run a SOC in such a case?
  • How do you approach the balance of people, process and technology in your SOC?
  • What is the role of outsourcing in your SOC? 
  • Is cloud included in your SOC mission scope?
  • What are the immediate things you plan to improve?

Resources:

 Aug 09, 2021
Beyond Compliance: Cloud Security in Europe
27:03

Guest: 

  • John Stone, Chaos Coordinator at the Office of the CISO @ Google Cloud

Topics:

  • What are the top European-specific cloud migration security challenges?
  • Are there interesting cloud adoption barriers related to security in Europe?
  • Are some of these challenges more compliance than security related?
  • Do you think compliance still drives security in the cloud for European companies?
  • Do you think Europe can ever "make their own cloud"?
  • So, what do you make of this entire movement about “data sovereignty”?

 

 Aug 02, 2021
Linking Up The Pieces: Software Supply Chain Security at Google and Beyond
23:03

Guests:

  • Eric Brewer, VP of Infrastructure, and Google Fellow @ Google
  • Aparna Sinha, Director of Product Management @ Google Cloud

Topics:

  • What is software supply chain security and how is it different from other kinds of supply chain security? 
  • What types of organizations need to care about it? Is supply chain security a concern for large, elite enterprises only? 
  • What’s the relationship between what we’re doing here, and what SBOM is?
  • Can you talk us through a quick threat assessment of a supply chain security issue? What are the realistic threats here and who are the threat actors involved?
  • How does Google try to solve these problems internally? Have we succeeded? 
  • How does this translate into our products? By the way, what’s SLSA?

Resources:

 Jul 26, 2021
Threat Detection at Google Cloud Security Summit
21:12

No guests. We interviewed each other!

Topics:

  • What would you say are the most things that Chronicle is trying to address today?
  • What are the good ways to use threat intel to detect threats that do not ruin your SOC?
  • What does “autonomic” security mean, anyway? Is this a fancy way of saying “automatic” or something more?
  • For sure, “the Cloud is not JUST someone else’s computer“ - but how does this apply to threat detection?
  • What makes threat detection “cloud-native”?
  • What kinds of ML magic does your mini UEBA inside SCC use?
  • Can you really do automated remediation in the cloud?

Resources:

 Jul 19, 2021
Securing Multi-Cloud from a CISO Perspective, Part 3
24:13

Guests:

  • Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud 
  • Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud 

Topics:

  • As a CISO, would you ever decide to use multiple clouds, if it were in your hands? 
  • How is security typically considered when companies go multi-cloud in their approach?
  • Practically, or operationally, how does one think through securing multiple public cloud environments?
  • What are the top challenges here? Different controls? Lack of tools? Confusing process? Skills on the team?
  • Would you always buy security tools from a 3rd party (not a CSP) if you have to cover more than one cloud provider?
  • Anything to add about compliance across multiple clouds?
  • What is the best approach for securing multiple SaaS services that your company uses?

Resources:

 Jul 12, 2021
Security Marketing? Every Product Needs a Story!
23:45

Guest:

  • Kelly Anderson, Head of Product Marketing, User Protection Services @ Google Cloud

Topics:

  • What is marketing, really? Why is it sometimes reviled by the technologists?
  • What makes a great marketer in cloud security?
  • What’s different about cloud security marketing, as opposed to regular old on-premise security marketing? Is there still FUD in the cloud?
  • Which things are the easiest or hardest to do in Google Cloud Security marketing?
  • How do you talk about products so they stand out from the noise?
  • How’s Google Cloud marketing helping our users stay ahead of the adversaries?

Resources:

 Jul 06, 2021
Security Operations, Reliability, and Securing Google with Heather Adkins
28:27

Guest:

Topics:

  • Your RSA presentation has 3 pillars: zero trust, microservices, automation/zero prod, is this all you need to be secure & reliable in the modern world?
  • Let’s drill down again into the “secure and reliable” concept, are you sure that they are interrelated?
  • Is there a risk that microservices could actually increase attack surface?
  • What are the practical security upsides of “no touch production”? 
  • SRE and DevOps revolutionized IT, can we expect a similar revolution for security? Where would it come from?

Resources:

 Jun 28, 2021
Double-clicking, but not on fire hydrants, with bot fighters
34:04

Guest 1:

  • Sparky Toews, Product Manager for Adobe identity @ Adobe

Topics 1:

  • Why are bots a problem to you? Give us a bit of your bot threat assessment?
  • Can you tell us how you think about and practice securing the user experience?
  • What kind of security products or best practices are involved?
  • How do you see what security professionals do to secure the user experience evolving over time?

Guests 2:

  • Randy Gingeleski, Senior Staff Security Engineer @ HBO Max
  • Brian Lozada, CISO @ HBO Max

Topics 2:

  • Can you tell us how you think about and practice securing the user experience at HBO?
  • What kind of security products or best practices are involved?
  • How does reCAPTCHA Enterprise fit into all of this?
  • How do you see what security professionals do to secure the user experience evolving over time?
 Jun 21, 2021
More Cloud Migration Security Lessons
32:04

Guests:

  • Jane Chung, VP of Cloud @ Palo Alto
  • Joe Crawford, Director of Strategic Technology Partnerships for Google Cloud @ Palo Alto

Topics:

  • What are the top security mistakes you’ve seen during cloud migrations?
  • What is your best advice to security leaders who want to go to the cloud using the on-premise playbook?
  • What security technologies may no longer be needed in the cloud? Which are transformed by the cloud?
  • Cloud often implies agility, but sometimes security slows things down, how to fix that?
  • How do security needs change based on adoption architecture (cloud, hybrid with on-premise, multi-cloud, multi cloud with on-premise)?
  • From a security perspective, is there really any such thing as “lift and shift”?
  • How do we teach cloud to security leaders who “grew up” on-premise?

Resources:

 Jun 14, 2021
Modern Threat Detection at Google
24:13

Guest:

  • Julien Vehent, Security Engineering Manager in the Detection and Response team @ Google

Topics:

  • What is special about detecting modern threats in modern environments?
  • How does the Google team turn the knowledge of threats into detection logic?
  • Run through an example of creating a detection for a new threat?
  • How do we test our detection rules?
  • We use the same people to write detections and to respond to resulting alerts, how is it working?
  • What are the key skills of good security analysts to build cloud threat detection?

Resources:

 

 Jun 07, 2021
Modern Data Security Approaches: Is Cloud More Secure?
28:15

Guests:

  • Tim Dierks, Engineering Director, Data Protection @ Google Cloud

Topics:

  • What are the key components of data security in the public cloud today?
  • Why do companies need specific data security plans and products?
  • Do you think Google Cloud today has enough controls for processing the most sensitive data?
  • Many organizations seem to be unaware of where sensitive data exists in their cloud environments, how do you think this problem will be fixed?
  • What is your view on encryption's role in future cloud security?
  • Do organizations mostly encrypt for security or for compliance?
  • How do we help companies navigate the tradeoffs between complying with nation-state regulations and best practices for availability?
  • I hear you are involved with some interesting key management innovations like HYOK via Cloud EKM, why do these matter for clients today?

Resources:

 Jun 01, 2021
Scaling Google Kubernetes Engine Security
20:48

Guest:

  • Greg Castle, Senior Staff Security Engineer at Google

Topics:

  • How is kubernetes security different from traditional host security?
  • What’s different about securing GKE vs security Kubernetes on-prem?
  • Where does one start with security hardening for GKE?
  • In your view, what are top realistic threats to container deployments?
  • What do users get wrong most often?
  • Did we manage to make containers both more secure and more usable?
 May 24, 2021
Making Compliance Cloud-native
20:11

Guest:

  • Zeal Somani, Security Solutions Manager @ Google Cloud, former PCI QSA

Topics:

  • What are the usable recipes for thinking about compliance in the cloud?
  • What regulations are more challenging for public cloud users?
  • How do you see the client/provider responsibility split for compliance?
  • What is this “shift left” for compliance?
  • How do we educate auditors and regulators who insist on 1980s solutions to 2020s problems?
  • What are the most popular mistakes and blind spots with trying to be compliant in the cloud?

Resources:

 May 19, 2021
Application Security in the Cloud
24:55

Guest:

Topics:

  • How do application security practices change as organizations launch their cloud transformations?
  • What bad things happen to you if you lift/shift your big applications to somebody's IaaS?
  • What unique challenges do containers and serverless deployments create for application security?
  • Is there good news here? How can cloud native technologies make application security easier than a traditional on-prem environment?
  • What can organizations do to ensure the security of cloud-based SaaS solutions?
  • How do DevOps and CI/CD impact the ability to secure cloud-based applications?
  • What is your advice to security leaders who still want to practice appsec for cloud apps in the same manner as they did it for on-premise, the old way?
  • What follow-up reading do you recommend on preparing for an application migration to Cloud?

Resources:

 May 10, 2021
Threat Models and Cloud Security
19:41

Guest:

Topics:

  • How should security teams change their thinking about threats in the cloud?
  • Where and when should an organization start in building their threat model for their cloud environment?
  • What are the key changes of threat models after cloud migration?
  • More specifically, when it comes to identity, credentials, lateral movement, what are the key ways in which cloud security differs from traditional or on-premises security?
  • How should users who are leading the cloud migration help their colleagues think about security in the cloud?
  • When am I "done" with cloud security planning?
 May 03, 2021
Preparing for Cloud Migrations from a CISO Perspective, Part 2
20:54

Guests:

  • Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud
  • Dave Hannigan, Director, Financial Services Security & Compliance @ Google Cloud

Topics:

  • To continue on the theme from Part 1, is “cloud-native” about thinking? Security tools? Systems? Architecture?
  • How do we practically help CISOs “speak cloud”?
  • What are the first steps to cloud thinking for an “on-premise CISO”?
  • What are the areas of security where it is easier to become a cloud-native?
  • How do you see a CISO transition journey from the on-premise thinking and technologies to cloud thinking and technology?
  • How are CISOs thinking about third party security controls vs native, cloud provider security controls?

Resources:

 Apr 26, 2021
SIEM Modernization? Is That a Thing?
24:41

Guest:

Topics:

  • How do you define “modern” SIEM?
  • Does modern SIEM always imply SaaS SIEM? Is there a future for on-premises SIEM?
  • What are your top 3 root causes for SIEM deployment failure today?
  • Modern or not, does SIEM have a future? Can XDR or some other technology drive it off the rails?
  • What features or inputs should SIEM have to detect modern threats such as those to cloud environments but also others?
  • What’s different about threat detection in Cloud?
  • What is your view of the current frenzy about “AI”/ML for security?

Resources:

 Apr 19, 2021
Building a Third Party Platform for Cloud Security
27:53

Guest:

  • Avi Shua, CEO and Co-founder @ Orca Security

Topics:

  • Where do you spend more efforts, on detection of pre-fail issues (like configuration errors) or post-fail issues (like incidents)?
  • How do you prioritize the preventative and detective controls in your platform?
  • When talking to CISOs, how do you explain that cloud threat detection is different from the on-premise type?
  • In your opinion, are agents dead in the cloud?
  • Do you think your customers care more about cloud-specific threats or traditional threats against cloud assets?
  • How do you think about the tradeoff for security teams between using cloud native controls vs a 3rd party vendor like, say, you?

Resources:

 Apr 12, 2021
Zero Trust: Fast Forward from 2010 to 2021
28:10

Guest: 

  • John Kindervag, who is widely considered to be the creator of zero trust model in 2010 (currently works at ON2IT)

Topics:

  • What has changed in the world of zero trust since 2010?
  • What must be trusted for a zero trust (ZT) system to work?
  • What are key ZT project success pre-requisites?
  • What is the first step in ZT implementation that increases the chance of its success?
  • Is zero trust hard for most companies?
  • What’s the most spectacular failure you’ve seen in a ZT project?
  • Where do you see ZT heading in the next 10+ years?

Resource:

 Apr 01, 2021
No One Expects the Malware Inquisition
25:09

Guest:

  • Brandon Levene, Malware Inquisitor @ Google Cloud

Topics covered:

  • Which malware is scarier, state-sponsored or criminal?
  • How do we approach cybercrime mitigation at Google?
  • How do we actually track malware? Don’t we need “attribution” for it?
  • What are the most useful telemetry sources for study in modern malware?
  • Does ransomware have a bright future?
  • Where do you see threat actors making the biggest investments?

Resource:

 Mar 24, 2021
Cloud Security Talks Summarized: A Recap Episode
22:38

Guests: no guests, just Tim and Anton 

Topics covered:

  • Discussion of the interesting presentations from Cloud Security Talks Q1 2021 focused on trusted cloud, container security, cyber insurance, Chronicle, ML for network security, etc

Resources:

 Mar 17, 2021
Preparing for Cloud Migrations from a CISO Perspective, Part 1
20:08

Guests:

  • Phil Venables (@philvenables), Vice President, Chief Information Security Officer (CISO) @ Google Cloud 
  • Nick Godfrey, Director, Financial Services Security & Compliance and a member of Office of the CISO @ Google Cloud

Topics covered:

  • Why do you think so many CISOs of traditional organizations fear cloud migrations?
  • What is your best advice to a CISO who wants to migrate to the cloud using the on-premise playbook, or lift and shift? 
  • What are the real tradeoffs in this decision such as using familiar tools/practices vs cloud benefits/effectiveness? 
  • What would you recommend reading for a CISO managing their first cloud migration

Resources mentioned:

 Mar 11, 2021
Gathering Data for Zero Trust
24:01

Episode 4 “Gathering Data for Zero Trust” focuses on enabling zero trust access in the real world

  • Guest: Max Saltonstall (@maxsaltonstall), Developer Advocate @ Google Cloud  
  • Topics covered:
    • What should be trusted for a zero trust system to work?
    • What is the first thing you need to do to have a zero trust access project succeed?
    • What data needs to be collected for zero trust system operation?
 Feb 24, 2021
Automate and/or Die?
17:37

Episode 3 “Automate and/or Die?” focuses on automated remediation (or is it response!) in the cloud

  • Guest: Joe Crawford, formerly in charge of cloud-native security at a large bank
  • Topics covered:
    • Can we automatically remediate vulnerabilities and threats in the cloud?
    • Did you require humans to be in the loop for your automation? Is that still automation if we do?
    • Does security fear of automation have a place in the cloud?
 Feb 11, 2021
Data Security in the Cloud
19:59

Episode 2 “Data Security in the Cloud” focuses on data security in the cloud 

Guest: Andrew Lance, Sidechain
Topics covered:

  • What is special about data security in the cloud?
  • How data security plays in the shift from perimeter and network security to identity-based security?
  • Can I use detective data security controls and turn them into preventative controls?

Resources: “Designing and deploying a data security strategy with Google Cloud” paper

 Feb 11, 2021
Confidentially Speaking
21:06

“Confidentially Speaking” episode focuses on confidential computing

Guest: Nelly Porter, Group Product Manager @ Google.
Topics covered:

  • What risks are mitigated by confidential computing?
  • What types of organizations must adopt confidential computing?
  • How and where the data is encrypted?

Resources:  Confidential computing at Google Cloud

 Feb 11, 2021