GitHub Copilot and securing Google Cloud and Cloud Native

Essential Practices for working with GCP, Cloud Native and the call for Copilot

Greetings from Cloud Security Podcast!

Will you be at RSA or BSidesSF?

We have a busy couple of weeks coming up with BSidesSF and RSA just around the corner. We will be recording interviews on site at both events, so if you are attending or see us around, definitely come say hello. We always love seeing a friendly face.

Both conferences have some great talks scheduled; you can check out the BSidesSF schedule here! They have a bunch of really interesting technical talks, and we will be speaking to many of the speakers who are talking about Cloud Security and AI Security!

You may have missed this in our last newsletter so just a friendly reminder.

Our very own Ashish Rajan will be speaking at RSA as well, so be sure to check out his talk if you are attending RSA this year.

What's ahead in this newsletter…

  • Michael Hanley, CSO and SVP of Engineering at GitHub

    • GitHub's efforts to simplify security for developers

    • Key initiatives like the two-factor authentication push

  • Liz Rice, Chief Open Source Officer at Isovalent

    • Introduction to eBPF & Cilium at KubeCon EU Paris 2024

    • Comparative discussion: SELinux vs. eBPF

  • Jorge Liauw Calo, Practice Lead Google Cloud Security at Xebia

    • Essential practices for securing Google Cloud environments

Cloud Security Podcast April 2024

April kicked off amazingly on Cloud Security Podcast with episodes with
- Fredrick Lee, CISO at Reddit
- Loris Degioanni, CTO and Founder at Sysdig
- Abhishek Agrawal, Co-founder of Material Security

And we have finished equally strong with interviews with
- Michael Hanley, CSO and SVP of Engineering at GitHub
- Liz Rice, Chief Open Source Officer at Isovalent
- Jorge Liauw Calo, Practice Lead Google Cloud Security at Xebia

Michael Hanley, CSO and SVP of Engineering at GitHub

We had the pleasure of interviewing Michael Hanley, CSO and SVP of Engineering at GitHub, about how GitHub is working to make security easy for developers!

🌐 GitHub's Triple Mission in Security

  • Security for All: GitHub not only focuses on their own and their users' data security but also actively enhances the security of the open source ecosystem.

  • Helping Hands: Security experts from GitHub are likened to a "volunteer firefighter brigade" aiding open source projects to implement robust security processes.

  • Free Security Tools: GitHub offers essential security tooling at no cost to developers working in open and public repositories.

  • Two-Factor Authentication Push: A massive initiative to enforce two-factor authentication is underway, aiming to secure contributions across GitHub.com without hindering user experience.

🤖 Future of AI in Security

  • AI's Role in Code Quality: The future may see AI not only boosting productivity but also enhancing code quality and security.

  • Shift Left Security: AI is pushing 'shift left' security even further, allowing for real-time security inputs as code is written, potentially preventing vulnerabilities from shipping.

  • Empowering Developers: AI technologies are positioned as partners in code development, offering real-time feedback and reducing the reliance on post-development security testing.

🛠️ Practical AI Security Recommendations

  • Assessing AI Risks: Similar risk assessment frameworks used for traditional tools are applicable to AI, focusing on data management and company trustworthiness.

  • Interdepartmental Cooperation: Collaboration with legal and finance teams is crucial to integrate AI securely, moving from a "security department of no" to "security department of yes."

  • Transparency First: Vendors should prioritize openness about AI operations to build trust and manage public expectations effectively.

🧠 Impacting DevSecOps with AI

  • Enhanced Developer Experience: AI is seen as a transformative force in DevSecOps, embedding security more deeply into the development process and reducing the need for later-stage security checks.

  • Natural Language AI: Tools like ChatGPT allow developers to interact with AI seamlessly, asking security-related questions and receiving reliable advice without leaving their coding environment.

🏗️ Strategic Approaches for CISOs Using AI Tools

  • Developer Dialogue: Engaging with developers to understand their needs and challenges can lead to more targeted and effective use of AI tools like GitHub Copilot.

  • Focus on Happiness: Boosting developer satisfaction is key, with AI tools removing mundane tasks and enabling more creative work.

  • Customer Engagement: Understanding customer perceptions and concerns about AI will guide better product development and risk management strategies.

Liz Rice, Chief Open Source Officer at Isovalent

At KubeCon EU Paris 2024, we spoke to Liz Rice, Chief Open Source Officer at Isovalent, and while there were no Macaroons involved 😂, there were plenty of laughs and great insights!

🚀 Exploring the Frontier: What is eBPF & Cilium? 🚀

eBPF (Extended Berkeley Packet Filter) might sound like a complex tech term, but it's a game changer in how we can program the Linux kernel - the core of your operating system!

  • Kernel Whiz: At the heart of every task your application does (like reading a file or sending data over the network), there's the kernel. eBPF acts like a master key, letting developers run custom programs right in the kernel to tweak its operations.

  • Supercharge Your Network: With eBPF, Cilium helps streamline networking operations, boosting efficiency and adding a layer of smart security without a sweat.

⚔️ SELinux vs eBPF: The Battle for Flexibility ⚔️

SELinux has long been the go-to for enforcing security policies in Linux environments. But is it flexible enough for today's dynamic needs?

  • Traditional vs. Flexible: SELinux operates on a fixed policy mechanism - think of it as a rigid guard. eBPF, by contrast, lets you script on the fly, creating policies that adapt to real-time contexts.

  • Custom Rules on the Fly: Hook eBPF programs to the Linux Security Module (LSM) interface, and voila! You can implement custom, nuanced security policies that adapt to the context they run in.

🌐 Business Case Breakdown 🌐

If Kubernetes is your orchestration tool of choice, Cilium leveraging eBPF technology is like having the best pit crew in a Formula 1 race - ensuring top performance and security.

  • Enhanced Performance: Graphs don't lie! Cilium's use of eBPF can significantly up your networking game, making container communication leaner and meaner.

  • Cluster Mesh Magic: Imagine seamlessly connecting workloads across multiple clusters and clouds without a hitch. From high availability to stateful vs. stateless architecture management, Cilium’s cluster mesh feature is a connectivity wizard.

Jorge Liauw Calo, Practice Lead Google Cloud Security at Xebia

Also at KubeCon Paris 2024, we had a fun chat with Jorge Liauw Calo, Practice Lead Google Cloud Security at Xebia.

Google Cloud Security Fundamentals 🚀

We spoke about the essentials of structuring and securing your Google Cloud environment!

🌐 Organizational Structure: Your Security Foundation

  • Hierarchical Organization: Start with a clear structure—Organizations, Folders, and Projects. Differentiate between non-production and production environments to enhance control.

  • Identity and Access Management (IAM): Key to user management, from provisioning to deprovisioning. Implement a robust joiner-mover-leaver strategy to keep user access current and secure.

  • Google Cloud Blueprints: Utilize these as guides for setting up your environment's hierarchy and handling workloads and firewall settings.

🔥 Highlighted Google Cloud Security Services 🔥

🔍 Visibility and Compliance: Security Command Center Premium

  • Single Pane of Glass: Monitor misconfigurations, compliance issues, and vulnerabilities.

  • Benchmarking Tools: Compare your setups against CIS standards and identify areas needing attention.

🛡️ Protection Against Threats: Cloud Armor & IDS

  • Cloud Armor: This Web Application Firewall (WAF) shields you from DDoS attacks and other network threats.

  • Cloud IDS: Underutilized yet powerful, it uses packet mirroring to detect and manage malicious activities within your infrastructure.

🔗 Advanced Defense: Next Gen Firewall Plus

  • Integrated Protection: Combines IDS capabilities with intrusion protection to safeguard inline traffic, crucial for scalable security solutions.

📏 Policy Enforcement: Organizational Policy Constraints

  • Custom Constraints: Set rules about service accounts and resource deployment locations (e.g., Paris vs. Groningen).

  • Compliance Automation: Automatically halt non-compliant deployments, streamlining governance and security.
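
To make the two constraint types above concrete, here is an added example (not from the episode or from Xebia) of organization policies in the format read by `gcloud org-policies set-policy`. It assumes the built-in constraints `gcp.resourceLocations` and `iam.disableServiceAccountKeyCreation`, that "Paris" means region europe-west9, and a placeholder ORGANIZATION_ID.

```yaml
# Added example: two organization policies in the v2 format read by
# `gcloud org-policies set-policy FILE`. ORGANIZATION_ID is a placeholder.
# The command takes one policy per file, so save each document separately.

# 1) Resource locations: only allow deployments in Paris.
#    Assumption: Paris maps to region europe-west9, addressed through the
#    value group "in:europe-west9-locations".
name: organizations/ORGANIZATION_ID/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:europe-west9-locations
---
# 2) Service accounts: block creation of user-managed service account keys.
name: organizations/ORGANIZATION_ID/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: true
```

Set at the organization node, both policies are inherited by folders and projects underneath. The location constraint applies to new resource creation only, so existing resources outside the allowed region still need a separate audit.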

🎯 Actionable Takeaways

  • Audit Your Structure: Review your Google Cloud setup to align with best practices for segmentation and access control.

  • Enhance Monitoring: Leverage Security Command Center Premium to get a comprehensive view of your security posture.

  • Adopt Advanced Defenses: Consider integrating Cloud Armor and Cloud IDS to protect against sophisticated threats.

  • Implement Policy Constraints: Use organizational policies to enforce security protocols and compliance automatically.

🤖 Are you interested in AI Cybersecurity?

Then you should definitely check out our sister podcast, AI Cybersecurity Podcast, hosted by Ashish Rajan and Caleb Sima.

Cloud Security Training from Practitioners!

Want to learn more about Cloud Security, or know someone who does? We've got you!

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet? There are paid online and corporate trainings available for those looking to hit their Cloud Security goals this year!

Are you liking this new format newsletter? What can we do better? What else would you like to see here?

Our newsletter is on a path of self-improvement and reinvention. Ashish and I have challenged ourselves to bring you even more value as we continue to evolve this each week, and we would love to hear from you 📢 about how we can make this newsletter even more awesome for you. (On that note, thank you for subscribing 💙)


Hope you are enjoying this new-look Cloud Security Newsletter; there's plenty more to come.

Peace!
