Cloud Security Today

Matthew Chiodi

The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cloud security. This is not a news program but rather a podcast that focuses on the practical side of how to launch a cloud security program, how to implement DevSecOps, and how to understand the threats most impacting cloud today. Join the newsletter: https://cloudsecuritytoday.substack.com/

Start Here
Zero trust with no FUD
Jul 21 2022
In today’s episode, the Creator of Zero Trust, John Kindervag, joins Matt on the show to discuss implementing Zero Trust in your organization. While at Forrester Research in 2010, John developed Zero Trust, promising adequate and effective protection of an organization’s most valuable assets. Today, John talks about the driving force behind Zero Trust, the concept of the Protect Surface, and Kipling Method Policies. Why is trust a vulnerability? Hear about Zero Trust and Shadow IT, and get John’s recommended resources.

Timestamp Segments
· [02:20] About John.
· [05:29] How does John define Zero Trust?
· [07:45] Why is trust a vulnerability?
· [09:56] The Protect Surface.
· [12:32] Kipling Method Policies.
· [17:22] The roadmap to Zero Trust at scale.
· [22:56] It’s the inspection that matters.
· [28:26] Zero Trust in the Cloud.
· [31:33] Shadow IT.
· [38:54] Tracking specific metrics.
· [40:58] John’s resource recommendations.

Notable Quote
“We can never stop cyber attacks from happening, but we can stop them from being successful.”

Relevant Links
Recommended Reading:
The Zero Trust Learning Curve.
Antifragile, by Nassim Nicholas Taleb.
On Grand Strategy, by John Gaddis.
Winning in FastTime, by John Warden.
LinkedIn:

Comprehensive, full-stack cloud security. Secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

MITRE + Cloud
Jun 21 2022
As the world of cloud security continues to progress at high speed, new challenges and threats arise and morph on a constant basis. The MITRE Corporation is a body tasked by the US government with solving some of the largest threats in cybersecurity and beyond, and we are very lucky to welcome Tracy Bannon, Senior Principal and Software Architect & DevOps Advisor at MITRE, to the podcast today. Tracy opens up about her career journey leading up to her current position, what drew her into the work at MITRE, and how the simplicity of the solutions-focused mission has embedded her loyalty and passion within the organization. The conversation also goes some way into exploring the potential and limitations of zero trust, and what it actually means to make progress towards safer environments. Along the way, our guest makes some interesting and quite unique arguments for why words matter, and why change is healthier through a philosophy centered on building. So to catch it all in this fascinating conversation, make sure to join us on Cloud Security Today!

Key Points From This Episode:
Tracy unpacks a brief history of FFRDCs and their role as objective technology advisors.
The two main areas of Tracy's work at MITRE: digital transformation of software factories, and data centricity in data environments.
Understanding MITRE's practical application and validation of the principles of zero trust theory.
Weighing the validity of the negative reputation that developers have when it comes to security.
Issues with the terms DevOps, DevSecOps, and SecDevOps, and the overloading and rushing that often happens on security teams.
Why Tracy prioritizes 'culture building' over 'culture change' when thinking about progress.
Leading teams, modeling behaviors, and realistic expectations for human error.
Tools and safety nets in the cloud-native approach; Tracy's perspective on how much value to assign to these.
Why the mission at MITRE initially piqued, and subsequently retained, Tracy's interest!

Tweetables:
“It’s not a recipe. It's not five things you have to do. It's understanding the principles and then applying them, being able to audit them, and validate consistently that they're happening. MITRE does both sides of that.” — @TracyBannon [0:07:44]
“Our job is not to land and expand. It’s impact. At all costs, it's to make impact. If it's one person, or a half of that person, it's really defined by the ability to keep the US safe.” — @TracyBannon [0:09:39]

Links Mentioned in Today’s Episode:
Tracy Bannon on LinkedIn
Tracy Bannon on Twitter
MITRE Corporation
Revelation
The Kill Chain
Zero Trust Security
The Software Architect Elevator
People Before Tech

Compliant Unicorns
Mar 21 2022
Nearly all companies that have started in the last few years have been cloud-native from the very start. Someone who has experienced this is today’s guest, Nate Lee. Nate is the Chief Information Security Officer for Tradeshift, a cloud-based business networking platform for supply chain payments, marketplaces, and applications. In this episode, Nate joins us to talk about the company’s journey, its success, and what he has learned there over the past seven years. Nate explains how Tradeshift’s vision is to digitize and connect everything that happens between a buyer and a seller anywhere in the world, and how being cloud-native from the start has supported this mission. We discuss how you can leverage automation and DevSecOps to scale on some very difficult items like ISO 27000, among other certifications. You will also hear how security has been the key differentiator that led to Tradeshift’s success, how the strategic focus of Tradeshift’s security program has shifted over time, and the key metrics that Tradeshift tracks to maintain its certifications and compliance efforts.

Tweetables
“[The vision] is connecting every company in the world. You can't do that with a bunch of islands running in individual data centers. It was an easy choice to be cloud-native back then, as well as a smart choice in general for any company starting these days.” — @JustAnotherNate [0:08:56]
“In security and software development these days, if you're not constantly learning, you're falling behind just as quickly.” — @JustAnotherNate [0:32:48]

Links Mentioned in Today’s Episode
Nate's LinkedIn profile
Tradeshift's website
Nate's blog on Transforming Technical Debt from Burden to Tool
The Unicorn Project

Supply Chain Security
Dec 15 2021
Despite the media coverage afforded to the SolarWinds and Kaseya breaches, Palo Alto Networks' Unit 42 threat research indicates that supply chain security in the cloud continues its growth as an emerging threat. Much remains misunderstood about both the nature of these attacks and the most effective means of defending against them. To better understand how supply chain attacks occur in the cloud, Unit 42 researchers analyzed data from a variety of public data sources around the world and, at the request of a large SaaS provider, executed a red team exercise against their software development environment. As you'll hear in the podcast, overall, the findings indicate that many organizations may still be lulled into a false sense of supply chain security in the cloud. Case in point: even with limited access to the customer’s development environment, it took a single Unit 42 researcher only three days to discover several critical software development flaws that could have exposed the customer to an attack similar to that of SolarWinds and Kaseya. In the podcast, Unit 42 researchers Nathaniel "Q" Quist and Dr. Jay Chen draw on Unit 42’s analysis of past supply chain attacks. The Cloud Threat Report explains the full scope of supply chain attacks, discusses poorly understood details about how they occur, and recommends actionable best practices that organizations can adopt today to help protect their supply chains in the cloud.

Cloud Immigration
Nov 10 2021
The journey toward the cloud is filled with challenges, but the benefits it brings make the struggle worthwhile. Today we talk about all things cloud adoption with Rob Brown, CTO at the US Citizenship and Immigration Services Group. We jump in with some introductory comments about who the USCIS are and what they do, with Rob giving listeners an idea of his role within the organization. We hear about the massive move toward digitization at USCIS and some of the biggest challenges the organization is facing as far as cloud adoption. From there, our conversation touches on the benefits of a multi-cloud approach, how USCIS is implementing Zero Trust with regards to cloud security, and how microsegmentation fits into all of this. Tuning in, listeners will also learn about the metrics Rob uses to assess the process of cloud adoption at USCIS, how the shift to the cloud has helped address the issue of siloing, and the benefits of implementing a unified pipeline grounded by standardization. We wrap up with some current initiatives Rob is most occupied with before hearing about how he likes to stay sharp using an approach grounded in experimentation and testing. Rob is filled with insights to help keep teams robust and agile during sticky situations, so be sure to tune in and hear them all.

Tweetables
“We have got a very good security team and a pretty savvy group of application developers and infrastructure folks that take security and shift it as far to the left as possible.” — Rob Brown [0:17:19]
“Standardization, to me, has been critical in creating some of these unified pipelines.” — Rob Brown [0:29:14]

Links Mentioned in Today’s Episode:
Rob Brown on LinkedIn
US Citizenship and Immigration Services
Jobs at USCIS

Innovating at the Speed of Relevance
Oct 18 2021
When thinking of innovation, the first things that usually come to mind are tech startups. It’s not often you think of examples from the US Government or, more specifically, the Department of Defense. Our guest today has unprecedented insight, not only into what it takes to build a startup but how to create a startup-like culture in massive organizations like the US Department of Defense. Nic Chaillan has had tremendous success as an entrepreneur and, in 2016, decided to pursue public service when he took a job with the US government. Over the past 20 years, Nic has built hundreds of products that were sold to dozens of Fortune 500 companies. After taking a break from entrepreneurship, Nicolas served as the Chief Software Officer for the US Air Force and Space Force and introduced game-changing innovations to the government’s software operations. In our conversation with Nic, we discuss agile practices and how he used DevSecOps to elevate the Department of Defense’s software security. We unpack how his experience as an entrepreneur motivated him and why it was a commonsense decision to apply those lessons when he started in government.

Tweetables:
“When you look at the desired outcomes, you realize pretty quickly that DevSecOps is the main enabler to get all of these things done fast while not creating more risk. In fact, I would argue, it reduces both cyber and operational testing risk as well.” — @NicolasChaillan [0:06:30]
“That’s also something to think about: what kind of access control do you want to have in place when it comes to these kinds of tools and how do you mitigate the blast radius?” — @NicolasChaillan [0:16:39]
“I am also a big believer that education and continuous learning has to drastically change and improve.” — @NicolasChaillan [0:33:59]

Nicolas M. Chaillan on LinkedIn

What (actually) Works In Cloud Security
Sep 21 2021
Some of the most pertinent issues in cloud security are also very foundational. Questions like where to start, what works, and also what doesn’t work, can leave teams feeling frustrated and at a loss over how to proceed. Here to help us unpack these important questions is Jonathan Villa, the Cloud Security Practice Director at GuidePoint Security. Jonathan’s career wasn’t always in security; he has spent time as an application developer and as a pentester. All of this led him to build solutions in the cloud over a decade ago, which organically transitioned into cloud security. In our conversation with Jonathan, we discuss what he learned about cloud security throughout his career and what he has found to be effective, both in terms of technology and managing teams. We explore important issues like how security has struggled with automation and how to address it. Later, we turn to the challenges facing talent development in security and how to address them, including having leadership take a more long-term view and training junior staff members. Jonathan also discusses the RACI model, why so many companies struggle to implement it correctly, and how best to be effective. Today’s episode offers key insight into cloud security, leadership, and the importance of teams, so make sure you tune in today!

Jonathan's LinkedIn profile

“I think that if security organizations really look to build more, they may attract more talent with development experience.” — Jonathan Villa [0:08:07]
“When you look at the average tenure of a CISO, I don't know what it is now, it's like two years or something like that. It's like, how do you build a long-term talent development model if the leaders themselves are gone every two years?” — Jonathan Villa [0:20:39]

Putting the Sec in DevOps
Aug 10 2021
Today’s guest is Guy Eisenkot, and he joins us to talk about how culture is a critical aspect of shift-left security and DevOps. Guy is the Co-Founder of Bridgecrew, a tool that solves the talent shortage gap for building secure infrastructure in the public cloud. Our conversation begins with Guy giving some insight about his path into development and security, and he details his training in the Israeli military and subsequent experience building security tools for the civil market. In today’s discussion, Guy gets into how the security responsibilities of platform and infrastructure teams have changed, as well as what security teams are missing when it comes to DevOps security. He shares his insights about how security and DevOps teams have been able to synchronize and also gets into some of the biggest pitfalls in DevOps as far as cybersecurity best practices. We explore how infrastructure as code could be the driver of two paths, one leading to a dangerous amount of freedom, and the other to the standardization necessary for automation. Toward the end of our conversation, Guy weighs in on the parts of the industry that show maturity as far as DevSecOps versus those that don’t, and he also talks about how the open-source tool Checkov helps solve poor security configurations during resource deployment. Tune in today and get ready to take some notes!

Tweetables:
“We were learning what are the limitations of these orchestration capabilities, and how we can take legacy infrastructure and promote it into a modern stack. And that's where we saw DevOps is practically everywhere.” — @guysenkot [0:06:28]
“Bridgecrew essentially builds developer tools that help people from engineering organizations build secure infrastructure in the public cloud.” — @guysenkot [0:12:19]
“Where both security and DevOps come together for me is when you realize that in the cloud both of these buckets of initiatives are sitting on the same infrastructure.” — @guysenkot [0:20:38]

Links Mentioned in Today’s Episode:
Guy Eisenkot
Guy Eisenkot on Twitter
Bridgecrew
Checkov

How COVID-19 Impacted Cloud Security
Jun 14 2021
In this episode, Nathaniel Quist, also known as ‘Q’, returns along with Dr. Jay Chen, both of whom listeners might recognize from our inaugural episode, where we discussed how common identity misconfigurations can undermine cloud security. Both Jay and Q are threat researchers with Palo Alto Networks Unit 42. Unit 42 is the global threat intelligence team at Palo Alto Networks and a recognized authority on cyberthreats, frequently sought out by enterprises and government agencies around the world. In our conversation, they discuss what they found in their latest Cloud Threat Report examining the impact of the COVID-19 pandemic. We explore how the tremendous increase in remote work has affected cloud security and why Jay is more concerned over the number of mistakes that people are making, rather than the type of mistakes. Tuning in, you’ll hear what organizations can do to curtail the recent rise in security incidents and some interesting observations that Q and Jay learned from their data, such as the fact that even malicious hackers need a holiday and don’t want to spend all their time in front of a computer cryptojacking :-)

Key Points From This Episode:
Cloud security incidents grew, on average, 188% pre vs. post COVID-19 discovery.
Retail organizations saw the greatest increase in security incidents at 402%.
The cloud is no longer for low-impact data: 69% of data is PII.

Tweetables:
“We saw a decrease in crypto mining operations during the holiday period between December 24th through January 3rd. It just kind of goes to show that even malicious crypto miners want to take a holiday.” — Nathaniel Quist [0:25:26]
“Standardization can help you find the issue but automation can help you to prevent or mitigate [it].” — Jay Chen [0:32:02]

Links Mentioned in Today’s Episode:
Cloud Threat Report
Clip from Tommy Boy
Nathaniel Quist on LinkedIn
Jay Chen on LinkedIn
Cloud Security Today

How to Operationalize Cloud Security
May 10 2021
Keeping it simple is Brett’s mantra, and it has led to a great amount of success for him and the company he works for. As a security leader at Zoetis, the world’s largest animal healthcare company, Brett has managed to get ahead of the business in terms of adopting cloud securely. Although it may sound boring, standardizing security processes was a key element in the journey to automation for the Zoetis SOC. In today’s episode, Brett also talks about how he ended up in the world of cybersecurity after majoring in ecommerce, the different facets that make up his current role at Zoetis, as well as some of the tools that are extremely useful to Brett and his team. Brett also opines on how automation has led to a reduction in talent-drain on his team. We also briefly delve into the SolarWinds hack and how this changed the way Brett thinks about and approaches supply chain security.

Key Points From This Episode:
Getting ahead of the business: build it before they come!
Standardization MUST come before automation.
Automation reduces talent-drain.
Metrics that Brett and his team follow up on constantly.

Tweetables:
“Standardization...I just live and die by our process. We're very process-oriented. You can do that in the cloud but you have to take time to do that, and that's how it should be done.” — Brett Tode [0:10:38]
“Your standardized processes are the things that really are going to keep you in control and keep you effective over time. Automation is really cool and great because it's going to save us time. But without that standardized process, you can never get to automation.” — Brett Tode [0:13:04]
“In almost everything I do, I try to keep things simple. Don't try to make something so complex from the get-go because it’s just never going to work.” — Brett Tode [0:24:49]
“We’re always going to strive to be better. I think everyone should do that because making yourself better is just providing more value for the company. At the end of the day, that's what we're all supposed to be doing.” — Brett Tode [0:25:52]

Links Mentioned in Today’s Episode:
Brett on LinkedIn
Zoetis Careers

Did You Know You Have a SaaS Problem?
Apr 12 2021
While most companies have significantly increased their investments in SaaS, they have not updated their security controls and processes to ward off threats posed by this medium. Leaving SaaS security to Cloud Access Security Brokers (CASB) is not sufficient. The security controls need to be placed around the data, APIs, and applications that are running inside a cloud environment, not outside its perimeter. This is the kind of security that AppOmni provides, and today we have its CEO, Brendan O'Connor, on the show to dive deeper into the subject of SaaS security. We begin with Brendan’s journey into IT and security and hear a bit more about what makes him tick. From there, we dive into the subject of security in the cloud as it pertains to SaaS specifically. Brendan does a great job of explaining why SaaS platforms are subject to so many misconfigurations and why these are not being recognized by security teams. He gets into how the cloud infrastructure is set up and uses a few brilliant analogies to describe how an attacker might get into a SaaS platform without security ever realizing. He talks about some basic security measures companies need to take and shares more about how solutions like AppOmni can automate security. For insight into the vulnerabilities of SaaS and how to guard against them, tune in today!

Key Areas From This Episode:
Curiosity and a love for solving problems is Brendan’s method for keeping his edge.
Brendan’s recommendations for security guardrails that always need to be in place.
Hear Brendan’s argument about the need for automated SaaS security.
Brendan’s recommendations for setting up and measuring SaaS security.
Advice from Brendan about how security teams need to adapt in light of SolarWinds.

Tweetables:
“Companies have significantly expanded their SaaS investment and footprint and the SaaS applications themselves have really grown in complexity. Most companies haven't updated their security controls to support SaaS, or invested in new technology to manage this problem. That's where AppOmni comes in.” — @AppOmniSecurity [0:01:54]
“I love solving puzzles. Enterprise security at scale is a hard problem. It's a puzzle. There is not a one-size-fits-all solution.” — @AppOmniSecurity [0:05:29]
“SaaS applications are becoming closer to operating systems in the cloud than a single simple web app. You can't watch what every individual is doing. You have got to put guardrails in place.” — @AppOmniSecurity [0:20:30]
“SaaS is a fundamentally different architecture than hosting things on-premise. You need to rethink, what is the value that you get from your security tools? How can you get that value today in an automated fashion in these new systems that support that new architecture?” — @AppOmniSecurity [0:24:44]

Links Mentioned in Today’s Episode:
Matt Chiodi on LinkedIn
Matt Chiodi on Twitter
Brendan O’Connor on LinkedIn
AppOmni
Prisma Cloud

How Common Identity Misconfigurations Can Undermine Cloud Security
Mar 10 2021
Welcome to a brand new cloud security podcast, Cloud Security Today. Instead of focusing on the latest news, we’re exploring a different take on cloud security, where we dig deeper into its eclectic “how-to” side. On Cloud Security Today, we are going to talk with experts from all over the community so you can do cloud security better. Today’s experts are Nathaniel Quist (Q) and Jay Chen, and they will be talking about Unit 42’s latest cloud threat research. First up, Q and Jay, as we call them, introduce listeners to their professional histories before telling us how they choose their research projects. We then talk to Q and Jay about findings from their latest report on identity and access management. Together, they explain some of the common vulnerabilities that come with identity and access management, like misconfigured roles. Toward the end of the episode, we talk to Q about cryptojacking, as he explains the nuances of mining coins maliciously, the various teams behind the act, and how they use code against each other.

Key Points From This Episode:
● How to become a threat researcher. Q and Jay share a little bit about their background.
● Watch your roles and look out for wildcards in configurations!
● APIs don’t always behave as expected – test them!

Tweetables:
“My biggest surprise is that even in a multi-million-dollar enterprise environment with thousands of workloads, thousands of EC2 instances and databases, they still make very fundamental mistakes.” — Jay Chen [0:09:55]
“The cloud has the potential to be so much more granularly controlled than just a normal on-prem environment. From the outside looking in, it's very complex. Complexity can bring some obscurity within the cloud environment.” — Nathaniel Quist [0:17:00]

Links Mentioned in Today’s Episode:
Matt Chiodi on LinkedIn
Matt Chiodi on Twitter
Unit 42 Cloud Threat Report
Nathaniel Quist on LinkedIn
Jay Chen on LinkedIn
IAMFinder tool on GitHub