Cloud Security Today

In today’s episode, the Creator of Zero Trust, John Kindervag, joins Matt on the show to discuss implementing Zero Trust in your organization. While at Forrester Research in 2010, John developed Zero Trust, promising adequate and effective protection of an organization’s most valuable assets.Today, John talks about the driving force behind Zero Trust, the concept of the Protect Surface, and Kipling Method Policies. Why is trust a vulnerability? Hear about Zero Trust, Shadow IT, and get John’s recommended resources. Timestamp Segments·       [02:20] About John.·       [05:29] How does John define Zero Trust?·       [07:45] Why is trust a vulnerability?·       [09:56] The Protect Surface.·       [12:32] Kipling Method Policies.·       [17:22] The roadmap to Zero Trust at scale.·       [22:56] It’s the inspection that matters.·       [28:26] Zero Trust in the Cloud.·       [31:33] Shadow IT.·       [38:54] Tracking specific metrics.·       [40:58] John’s resource recommendations. Notable Quote"We can never stop cyber attacks from happening, but we can stop them from being successful.”Relevant LinksRecommended Reading:       The Zero Trust Learning Curve.Antifragile, by Nassim Nicholas Taleb. On Grand Strategy, by John Gaddis.Winning in FastTime, by John Warden.LinkedIn:                       full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

This episode of the Cloud Security Today podcast is a little different from the others because this time host Matthew Chiodi gives the interviewer’s seat over to Yousuf Khan and they talk about an exciting new development in Matt’s career.Matt announces a big career move and talks about how he’s hoping to fix some of the biggest problems in SaaS security today. He tells Yousuf about his new role and the fresh approach that his new company is bringing to the field. At the end of the episode, they discuss working in a start-up environment and give advice to anyone considering working in a start-up.If you enjoyed this episode, subscribe, or follow Cloud Security Today wherever you get your podcasts.Timestamps[0:28] Matt introduces the topic for today’s episode[1:50] Exciting news from Matt about his latest career move[5:10] Matt explains one of the biggest challenges in app security today[7:25] How have we managed app security up to now?[9:20] So how does Cerby work?[11:32] Matt’s new role at Cerby and an outline of his first few months[12:50] Why Matt likes working in a start-up environment[14:05] How Matt became interested in Cerby[16:20] What’s next for Cerby?[18:10] The advice that Matt would give to anyone looking to join a start-up[20:40] Yousuf adds his thoughts about working for a start-upEpisode LinksRidge VenturesYousuf Khan's Linkedin ProfileCerby's websiteMatt's Linkedin Profile

As the world of cloud security continues to progress at high speed, new challenges and threats arise and morph on a constant basis. The MITRE Corporation is a body tasked by the US government with solving some of the largest threats in cybersecurity and beyond, and we are very lucky to welcome Tracy Bannon to the podcast today, who is the Senior Principal and Software Architect & DevOps Advisor at MITRE. Tracy opens up about her career journey leading up to her current position, what drew her into the work at MITRE, and how the simplicity of the solutions-focused mission has embedded her loyalty and passion within the organization. The conversation also goes some way into exploring the potential and limitations of zero trust, and what it actually means to make progress towards safer environments. Along the way, our guest makes some interesting and quite unique arguments for why words matter, and why change is healthier through a philosophy centered on building. So to catch it all in this fascinating conversation, make sure to join us on Cloud Security Today!Key Points From This Episode:Tracy unpacks a brief history of FFRDCs and their role as objective technology advisors.The two main areas of Tracy's work at MITRE; digital transformation of software factories, and data centricity in data environments.Understanding MITRE's practical application and validation of the principles of zero trust theory. Weighing the validity of the negative reputation that developers have when it comes to security.Issues with the terms DevOps, DevSecOps, and SecDevOps, and the overloading and rushing that often happens on security teams. Why Tracy prioritizes 'culture building' over 'culture change' when thinking about progress. Leading teams, modeling behaviors, and realistic expectations for human error. Tools and safety nets in the cloud-native approach; Tracy's perspective on how much value to assign to these.Why the mission at MITRE initially piqued, and subsequently retained, Tracy's interest! Tweetables:“It’s not a recipe. It's not five things you have to do. It's understanding the principles and then applying them, being able to audit them, and validate consistently that they're happening. MITRE does both sides of that.” — @TracyBannon [0:07:44]“Our job is not to land and expand. It’s impact. At all costs, it's to make impact. If it's one person, or a half of that person, it's really defined by the ability to keep the US safe.” — @TracyBannon [0:09:39]Links Mentioned in Today’s Episode:Tracy Bannon on LinkedInTracy Bannon on TwitterMITRE CorporationRevelationThe Kill ChainZero Trust SecurityThe Software Architect ElevatorPeople Before TechComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

Originally recorded in September of 2021...today’s guest is Justin Berman, the Vice President of Infrastructure and IT and the CISO at Thirty Madison. Thirty Madison is aiming to be a platform that everyone can use to deal with their chronic healthcare needs. Justin’s main focus is on building out the teams that enable scaling. With his development background, Justin has some unique ideas when it comes to cloud security, which makes for a fascinating interview. You’ll walk away from this episode with a new perspective on how to build security into products from the start and a better understanding of how to transition smoothly from on-prem to the cloud.Tweetables“I see security as an engineering problem. What I mean by that is not that there aren't things that you solve with process, or with policy, or training, but rather that in as many places as possible if you want to have a scaled effect within security, you need to write code to solve a problem.” — @justinmberman [0:06:03]Justin Berman on LinkedInPhoenix ProjectSimon SinekComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

In this episode (originally recorded in November of 2021) we speak with Palo Alto Networks, VP of Threat Intel, Ryan Olson. Ryan helps define what threat intelligence actually is and how to get started building a program. He aptly reminds us that producing threat intel for the sake of threat intel is a waste of time. More importantly you first have to ask yourself, “Who’s going to be using this information?”.Tweetables“Producing threat intel for the sake of threat intel is a waste of time. What you should be doing is thinking ‘Who’s going to take the information that I have produced and use that to make a better decision?’ Because that's the goal of threat intelligence, to help a system, or a person, or a team, or a company make better decisions that will help secure them better.” — Ryan Olson [0:04:24]“If I could give people one recommendation, if you can get access to your SSL traffic so that you can decrypt it and you can inspect it, you will have a much better chance at detecting bad stuff in your network than you would without it.” — Ryan Olson [0:29:58]Links Mentioned in Today’s Episode:Ryan Olson on LinkedInUnit 42Unit 42 on TwitterUnit 42 Palo Alto Networks CareersComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

Nearly all companies that have started in the last few years have been cloud-native from the very start. Someone who has experienced this is today’s guest Nate Lee. Nate is the Chief Information Security Officer for Tradeshift, a cloud-based business networking platform for supply chain payments, marketplaces, and applications. In this episode, Nate joins us to talk about the company’s journey, its success, and what he has learned here over the past seven years. Nate explains how Tradeshift’s vision is to digitize and connect everything that happens between a buyer and a seller anywhere in the world, and how being cloud-native from the start has supported this mission. We discuss how you can leverage automation and DevSecOps to scale on some very difficult items like ISO 27000 among other certifications. You will also hear how security has been the key differentiator that led to Tradeshift’s success, how the strategic focus of Tradeshift’s security program has shifted over time and the key metrics that Tradeshift tracks to maintain its certifications and compliance efforts.Tweetables“[The vision] is connecting every company in the world. You can't do that with a bunch of islands running in individual data centers. It was an easy choice to be cloud-native back then, as well as a smart choice in general for any company starting these days.” — @JustAnotherNate [0:08:56]"In security and software development these days, if you're not constantly learning, you're falling behind just as quickly.” — @JustAnotherNate [0:32:48]Links Mentioned in Today’s EpisodeNate's LinkedIn profileTradeshift's websiteNate's blog on Transforming Technical Debt from Burden to ToolThe Unicorn ProjectComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

In a world where cyber-attacks are ever-changing, cybersecurity has to adapt accordingly. Joining us today to delve into the world of cloud security for federal agencies is Sandeep Shilawat, Vice President of Cloud and Edge Computing at ManTech. Sandeep has extensive experience in both Commercial and Federal technology markets. We’ll get to hear his predictions on where the cloud world is heading, as well as what the Federal Authority to Operate (ATO) process will look like in the future. We learn the benefits of cloud compliance standards, as well as how FedRAMP is leveling the playing field in federal cloud computing. We also touch on the role of 5G in cloud computing, and why its presence will disrupt going forward. Join us as we pick Sandeep’s brain for some insights into the present and future of federal cybersecurity.Tweetables“Visibility has become [the] single biggest challenge and nobody's dealing with cloud management in a multi-cloud perspective from cradle to grave.” — @Shilawat [0:09:03]“I think that having a managed cloud service is probably the first approach that should be considered by an agency head. I do think that that's where the market is heading. Sooner or later, it will probably become a de facto way of doing cloud security.” — @Shilawat [0:19:43]Comprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

The pharmaceutical industry has a reputation for being cautious when it comes to adopting new technologies. However, in this episode, you’ll hear from the CISO at Takeda Pharmaceuticals, Mike Towers, that for Takeda cloud has been a game-changer (albeit not without some challenges). As we like to do, we’ll start by diving into Mike’s background and then pivot to understand where Takeda is today in their cloud journey and where they are going over the next 24 months. Get your pen ready because Mike is going to drop a massive amount of knowledge in a short period of time.Tweetables:“One of the things that's the toughest in the biopharmaceutical industry is focus because it's really easy to get tempted to try to solve a lot of different problems.” — @MichaelATowers [0:02:47]“We’ll be exclusively cloud, within probably, I would say, 15 months from now.” — @MichaelATowers [0:17:51]Links Mentioned in Today’s Episode:Prisma CloudMike Towers on TwitterMike Towers on LinkedInTakedaNavigating the Digital AgeComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

Despite the media coverage afforded to the SolarWinds and Kaseya breaches, Palo Alto Networks, Unit 42 threat research indicates supply chain security in the cloud continues its growth as an emerging threat. Much remains misunderstood about both the nature of these attacks and the most effective means of defending against them. To better understand how supply chain attacks occur in the cloud, Unit 42 researchers analyzed data from a variety of public data sources around the world and, at the request of a large SaaS provider, executed a red team exercise against their software development environment. As you'll hear in the podcast, overall, the findings indicate that many organizations may still be lulled into a false sense of supply chain security in the cloud. Case in point: Even with limited access to the customer’s development environment, it took a single Unit 42 researcher only three days to discover several critical software development flaws that could have exposed the customer to an attack similar to that of SolarWinds and Kaseya. In the podcast, Unit 42 researchers Nathaniel "Q" Quist and Dr. Jay Chen, draw on Unit 42’s analysis of past supply chain attacks. The Cloud Threat Report explains the full scope of supply chain attacks, discusses poorly understood details about how they occur, and recommends actionable best practices that organizations can adopt today to help protect their supply chains in the cloud. Comprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

The journey toward the cloud is filled with challenges, but the benefits it brings make the struggle worthwhile. Today we talk about all things cloud adoption with Rob Brown, CTO at the US Citizenship and Immigration Services Group. We jump in with some introductory comments about who the USCIS are and what they do, with Rob giving listeners an idea of his role within the organization. We hear about the massive move toward digitization at USCIS and some of the biggest challenges the organization is facing as far as cloud adoption. From there, our conversation touches on the benefits of a multi-cloud approach, how USCIS is implementing Zero Trust with regards to cloud security, and how microsegmentation fits into all of this. Tuning in, listeners will also learn about the metrics Rob uses to assess the process of cloud adoption at USCIS, how the shift to the cloud has helped address the issue of siloing, and the benefits of implementing a unified pipeline grounded by standardization. We wrap up with some current initiatives Rob is most occupied with before hearing about how he likes to stay sharp using an approach grounded in experimentation and testing. Rob is filled with insights to help keep teams robust and agile during sticky situations, so be sure to tune in and hear them all.Tweetables“We have got a very good security team and a pretty savvy group of application developers and infrastructure folks that take security and shift it as far to the left as possible.” — Rob Brown [0:17:19]“Standardization, to me, has been critical in creating some of these unified pipelines.” — Rob Brown [0:29:14]Links Mentioned in Today’s Episode:Rob Brown on LinkedInUS Citizenship and Immigration ServicesJobs at USCISComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

When thinking of innovation, the first things that usually come to mind are tech startups. It’s not often you think of examples from the US Government or, more specifically, the Department of Defense. Our guest today has unprecedented insight, not only into what it takes to build a startup but how to create a startup-like culture in massive organizations like the US Department of Defense. Nic Chaillan, has had tremendous success as an entrepreneur and, in 2016, decided to pursue public service when he took a job with the US government. Over the past 20 years, Nic has built hundreds of products that were sold to dozens of Fortune 500 companies. After taking a break from entrepreneurship, Nicolas served as the Chief Software Officer for the US Air Force and Space Force and introduced game-changing innovations to the government’s software operations. In our conversation with Nic, we discuss agile practices and how he used DevSecOps to elevate the Department of Defense’s software security. We unpack how his experience as an entrepreneur motivated him and why it was a commonsense decision to apply those lessons when he started in government.Tweetables:“When you look at the desired outcomes, you realize pretty quickly that DevSecOps is the main enabler to get all of these things done fast while not creating more risk. In fact, I would argue, it reduces both cyber and operational testing risk as well.” — @NicolasChaillan [0:06:30]“That’s also something to think about: what kind of access control do you want to have in place when it comes to these kinds of tools and how do you mitigate the blast radius?” — @NicolasChaillan [0:16:39]“I am also a big believer that education and continuous learning has to drastically change and improve.” — @NicolasChaillan [0:33:59]Nicolas M. Chaillan on LinkedIn

Some of the most pertinent issues in cloud security are also very foundational. Questions like where to start, what works, and also what doesn’t work, can leave teams feeling frustrated and at a loss over how to proceed. Here to help us unpack these important questions is Jonathan Villa, the Cloud Security Practice director at GuidePoint Security. Jonathan’s career wasn’t always in security, he has spent time as an application developer, and as a pentester. All of this led him to build solutions in the cloud over a decade ago which organically transitioned into cloud security. In our conversation with Jonathan, we discuss what he learned about cloud security throughout his career, what he has found to be effective, both in terms of technology and managing teams. We explore important issues like how security has struggled with automation and how to address it. Later we address the challenges facing talent development in security and how to address them, including having leadership take a more long-term view and training junior staff members. Jonathan also discusses the RACI model, why so many companies struggle to implement it correctly and how best to be effective. Today’s episode offers key insight into cloud security, leadership, and the importance of teams, so make sure you tune in today!Jonathan's LinkedIn profile“I think that if security organizations really look to build more, they may attract more talent with development experience.” — Jonathan Villa [0:08:07]“When you look at the average tenure of a CISO, I don't know what it is now, it's like two years or something like that. It's like, how do you build a long-term talent development model if the leaders themselves are gone every two years?” — Jonathan Villa [0:20:39]Comprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

Today’s guest is Guy Eisenkot and he joins us to talk about how culture is a critical aspect of shift-left security and DevOps. Guy is the Co-Founder of Bridgecrew, a tool that solves the talent shortage gap for building secure infrastructure in the public cloud. Our conversation begins with Guy giving some insight about his path into development and security, and he details his training in the Israeli military and subsequent experience building security tools for the civil market. In today’s discussion, Guy gets into how the security responsibilities of platform and infrastructure teams have changed as well as what security teams are missing when it comes to DevOps security. He shares his insights about how security and DevOps teams have been able to synchronize and also gets into some of the biggest pitfalls in DevOps as far as cybersecurity best practices. We explore how infrastructure as code could be the driver of two paths, one leading to a dangerous amount of freedom, and the other, to the standardization necessary for automation. Toward the end of our conversation, Guy weighs in on the parts of the industry that show maturity as far as DevSecOps versus those that don’t, and he also talks about how the OpenSource tool Checkov helps solve poor security configurations during resource deployment. Tune in today and get ready to take some notes!Tweetables:“We were learning what are the limitations of these orchestration capabilities, and how we can take legacy infrastructure and promote it into a modern stack. And that's where we saw DevOps is practically everywhere.” — @guysenkot [0:06:28]“Bridgecrew essentially builds developer tools that help people from engineering organizations build secure infrastructure in the public cloud.” — @guysenkot [0:12:19]“Where both security and DevOps come together for me is when you realize that in the cloud both of these buckets of initiatives are sitting on the same infrastructure.” — @guysenkot [0:20:38]Links Mentioned in Today’s Episode:Guy EisenkotGuy Eisenkot on TwitterBridgecrewCheckovComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

Cloud security is essential for any business but particularly for government agencies. On today’s episode, we speak with an expert in the field, Ravi Raghava, who is Chief Cloud Strategist at General Dynamics Information Technology (GDIT). Ravi speaks about his personal experience with dozens of cloud deployments for civil agencies and shares best practices.AcronymsATO = Authority to OperatePOAM = Plan of Action and MilestonesCDM = Continuous Diagnostics and MitigationOCM = Organizational Change ManagementTweetables:“Over the next few years, we will see a lot of traction and we will see accelerated workload migration to the cloud. It's not just one cloud but multiple clouds, and multi-cloud is becoming the new norm.” — Ravi Raghava [0:04:55]“We are very strong advocates of OCM, and we work with our government customers to have a well thought-through strategy, providing the right skills, the right training, right medium of training to people.” — Ravi Raghava [0:25:43]“Having those security frameworks in place, testing infrastructure, having those security tools in place nicely help you automate the entire thing because automation is key.” — Ravi Raghava [0:31:20]Links Mentioned in Today’s Episode:Ravi Raghava on LinkedInGDITJFrogPrisma CloudComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

In this episode, Nathanial Quist, also known as ‘Q’ returns along with Dr. Jay Chen, both of whom listeners might recognize from our inaugural episode where we discussed how common identity misconfigurations can undermine cloud security. Both Jay and Q are threat researchers with Palo Alto Networks Unit 42. Unit 42 is the global threat intelligence team at Palo Alto Networks and a recognized authority on cyberthreats, frequently sought out by enterprises and government agencies around the world.In our conversation, they discuss what they found in their latest Cloud Threat Report examining the impact of the COVID-19 pandemic. We explore how the tremendous increase in remote work has affected cloud security and why Jay is more concerned over the number of mistakes that people are making, rather than the type of mistakes. Tuning in you’ll hear what organizations can do to curtail the recent rise in security incidents and some interesting observations that Q and Jay learned from their data, such as the fact that even malicious hackers need a holiday and don’t want to spend all their time in front of a computer cryptojacking :-) Key Points From This Episode:Cloud security incidents grew, on average, 188% pre vs. post COVID-19 discovery.Retail organizations saw the greatest increase in security incidents at 402%.The cloud is no longer for low-impact data: 69% of data is PII.Tweetables:“We saw a decrease in crypto mining operations during the holiday period between December 24th through January 3rd. It just kind of goes to show that even malicious crypto miners want to take a holiday.” — Nathanial Quist [0:25:26]“Standardization can help you find the issue but automation can help you to prevent or mitigate [it].” — Jay Chen [0:32:02]Links Mentioned in Today’s Episode:Cloud Threat ReportClip from Tommy BoyNathaniel Quist on LinkedInJay Chen on LinkedInCloud Security TodayComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

Keeping it simple is Brett’s mantra, and it has led to a great amount of success for him and the company he works for. As a security leader at Zoetis, the world’s largest animal healthcare company, Brett has managed to get ahead of the business in terms of adopting cloud securely. Although it may sound boring, standardizing security processes was a key element in the journey to automation for the Zoetis SOC. In today’s episode, Brett also talks about how he ended up in the world of cybersecurity after majoring in ecommerce, the different facets that make up his current role at Zoetis, as well as some of the tools that are extremely useful to Brett and his team. Brett also opines on how automation has led to a reduction in talent-drain on his team. We also briefly delve into the SolarWinds hack and how this changed the way Brett thinks and approaches supply chain security. Key Points From This Episode:Getting ahead of the business, build it before they come!Standardization MUST come before automation.Automation reduces talent-drain.Metrics that Brett and his team follow up on constantly.Tweetables:“Standardization...I just live and die by our process. We're very process-oriented. You can do that in the cloud but you have to take time to do that, and that's how it should be done.” — Brett Tode [0:10:38]“Your standardized processes are the things that really are going to keep you in control and keep you effective over time. Automation is really cool and great because it's going to save us time. But without that standardized process, you can never get to automation.” — Brett Tode [0:13:04]“In almost everything I do, I try to keep things simple. Don't try to make something so complex from the get-go because it’s just never going to work.” — Brett Tode [0:24:49]“We’re always going to strive to be better. I think everyone should do that because making yourself better is just providing more value for the company. At the end of the day, that's what we're all supposed to be doing.” — Brett Tode [0:25:52]Links Mentioned in Today’s Episode:Brett on LinkedInZoetis CareersComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

While most companies have significantly increased their investments in SaaS, they have not updated their security controls and processes to ward off threats posed by this medium. Leaving SaaS security to Cloud Access Security Brokers (CASB) is not sufficient. The security controls need to be placed around the data, APIs, and applications that are running inside a cloud environment, not outside its perimeter. This is the kind of security that AppOmni provides and today we have its CEO, Brendan O'Connor on the show to dive deeper into the subject of SaaS security. We begin with Brendan’s journey into IT and security and hear a bit more about what makes him tick. From there, we dive into the subject of security in the cloud as it pertains to SaaS specifically. Brendan does a great job of explaining why SaaS platforms are subject to so many misconfigurations and why these are not being recognized by security teams. He gets into how the cloud infrastructure is set up and uses a few brilliant analogies to describe how an attacker might get into a SaaS platform without security ever realizing. He talks about some basic security measures companies need to take and shares more about how solutions like AppOmni can automate security. For insight into the vulnerabilities of SaaS and how to guard against them, tune in today!Key Areas From This Episode:Curiosity and a love for solving problems is Brendan’s method for keeping his edge.Brendan’s recommendations for security guardrails that always need to be in place.Hear Brendan’s argument about the need for automated SaaS security.Brendan’s recommendations for setting up and measuring SaaS security.Advice from Brendan about how security teams need to adapt in light of Solar Winds.Tweetables:“Companies have significantly expanded their SaaS investment and footprint and the SaaS applications themselves have really grown in complexity. Most companies haven't updated their security controls to support SaaS, or invested in new technology to manage this problem. That's where AppOmni comes in.” — @AppOmniSecurity [0:01:54]“I love solving puzzles. Enterprise security at scale is a hard problem. It's a puzzle. There is not a one-size-fits-all solution.” — @AppOmniSecurity [0:05:29]“SaaS applications are becoming closer to operating systems in the cloud than a single simple web app. You can't watch what every individual is doing. You have got to put guardrails in place.” — @AppOmniSecurity [0:20:30]“SaaS is a fundamentally different architecture than hosting things on-premise. You need to rethink, what is the value that you get from your security tools? How can you get that value today in an automated fashion in these new systems that support that new architecture?” — @AppOmniSecurity [0:24:44]Links Mentioned in Today’s Episode:Matt Chiodi on LinkedInMatt Chiodi on TwitterBrendan O’Connor on LinkedInAppOmniPrisma CloudComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

Welcome to a brand new cloud security podcast, Cloud Security Today. Instead of focusing on the latest news, we’re exploring a different take on cloud security where we dig deeper into its eclectic “how-to” side. On Cloud Security Today, we are going to talk with experts from all over the community so you can do cloud security better. Today’s experts are Nathaniel Quist (Q) and Jay Chen, and they will be talking about Unit 42’s latest cloud threat research. First up Q and J, as we call them, introduce listeners to their professional histories before telling us how they choose their research projects. We then talk to Q and Jay about findings from their latest report on identity and access management. Together, they explain some of the common vulnerabilities that come with identity and access management, like misconfigured roles. Toward the end of the episode, we talk to Q about cryptojacking, as he explains the nuances to mining coins maliciously, the various teams behind the act, and how they use code against each other.  Key Points From This Episode:●      How to become a threat researcher. Q and Jay share a little bit about their background.●      Watch your roles and look out for wildcards in configurations!●      APIs don’t always behave as expected – test them!Tweetables:“My biggest surprise is that even in a multi-million-dollar enterprise environment with thousands of workloads, thousands of EC2 instances and databases, they still make very fundamental mistakes.” — Jay Chen [0:09:55]“The cloud has the potential to be so much more granularly controlled than just a normal on-prem environment. From the outside looking in, it's very complex. Complexity can bring some obscurity within the cloud environment.” — Nathaniel Quist [0:17:00]Links Mentioned in Today’s Episode: Matt Chiodi on LinkedInMatt Chiodi on TwitterUnit 42 Cloud Threat ReportNathaniel Quist on LinkedInJay Chen on LinkedInIAMFinder tool on GitHubComprehensive, full-stack cloud security Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.