Happy New Year from Cloud Security Podcast - Here's to 2024!

Unpacking Managed Kubernetes and AI + Proactive Skepticism

Happy New Year from Cloud Security Podcast!

We hope you had an amazing start to this year!

2023 was a year we will remember for mixed emotions. It was mostly positive, filled with the support and love we got from everyone who reached out to tell us how the interviews helped them get their cloud security job, which topics they need help with in their cloud environment, and who shared what we do so we can help more people learn Cloud Security! 🙏🏻

2023 was also the year when Cloud Security Podcast moved or hopped 🦘 our operations across continents - All the way from Melbourne, Australia 🦘 to London, UK 💂🏻‍♀️

A lot of little things didn’t go as planned, but a lot of big things did, and there was still plenty we are absolutely grateful for this year.

We interviewed some incredible people, got to learn a lot from some exceptional practitioners, attended many conferences across the globe and hit over 1.5 Million downloads and views. It’s been a rollercoaster and I am penning down the good, bad and ugly in a blog post this week, which you will see soon.

Thank you for your patience and love in 2023, for supporting the podcast and the newsletter. We are looking forward to continuing to add more value to your cloud security career with the Training videos and a bunch of other surprises we have planned for Cloud Security Bootcamp in 2024.


In 2024, we are heading into Season 5 - It is wild to think that it’s been 5 years of sharing Cloud Security Knowledge and learning together, and it has all just flown by 😊. We have learnt so much, grown so much and for each of those moments felt incredibly grateful. So for all of that & much more - THANK YOU !!

And before we get into the madness of a New Year: if you didn’t get a chance to do this over the holiday break, I would encourage you to take a pause, even if it’s only for a moment, to be grateful and to be present.

Here’s a snap I took on 31st morning, the last sunrise of 2023. I took a moment to reflect on all the good that has happened and all the challenges I was able to overcome. I took this picture as a reminder and so I wanted to share it with you, hope it brings you something positive 🙂 

Now onto all things AI and Cloud Security 2024…

What’s ahead in this newsletter…

  • Unpacking Software Supply Chain Security, Managed Kubernetes, Zero Trust, AI & More

    • Software Supply Chain Security: Ensuring Integrity from Source to Software

    • Managed Kubernetes: A Question of Responsibility and Expertise

    • Zero Trust: Beyond the Hard Shell, Soft Center Approach

    • AI in Security: Not Just Another Workload

  • Managed Kubernetes: A Question of Responsibility and Expertise

    • The Security Dilemma: Restore vs. Isolate in Kubernetes Environments

    • Kubernetes Security: Customizing for Your Needs

    • Multi-Tenancy in Kubernetes: Protecting Your Digital Space

    • Threat Modelling in Kubernetes: A Simplified Approach

  • Cloud Attack Surface and Its Evolution

    • A Look Back: The Journey from Traditional IT to Modern Cloud Services

    • Embracing Teamwork and Community in Cloud Security

  • Defining Offensive Security in the Cloud and AI Era

    • What is Offensive Security?

    • Building an Effective Offensive Security Roadmap

Cloud Security Podcast 2023 Wrap Up

We finished off 2023 with a bang on Cloud Security Podcast, with some stellar episodes - here we wrap up some of the key moments and takeaways for you so you get started with 2024 armed with all those key

🌩️ Unpacking Software Supply Chain Security, Managed Kubernetes, Zero Trust, AI & more!

At KubeCon NA in Chicago this year, we spoke to Emily Fox, chair of the Cloud Native Computing Foundation’s (CNCF) Technical Oversight Committee (TOC), about Software Supply Chain Security, Managed Kubernetes, the essence of Zero Trust, and the intriguing impact of AI on security.

🔗 Software Supply Chain Security: Ensuring Integrity from Source to Software

  • What It Is: A set of practices applied in software development and open-source maintenance. It's all about tracing and verifying the origins and construction of software.

  • Key Features:

    • Commit and artifact signing

    • Producing a Software Bill of Materials (SBOM)

  • Why It Matters: Helps quickly identify and address vulnerabilities (like the infamous log4j) in your software architecture.

🐳 Managed Kubernetes: A Question of Responsibility and Expertise

  • Self-Hosted vs. Managed:

    • Self-Hosted: Like a free puppy — lots of responsibility!

    • Managed: Shared responsibilities and expert support.

  • Benefits of Managed Services:

    • Contractual security agreements

    • Opinionated Kubernetes instances for non-experts

🚫 Zero Trust: Beyond the Hard Shell, Soft Center Approach

  • Concept: "Zero implicit trust" - Constantly challenge connections and identities.

  • Application: Across devices and services, based on verified identities.

  • Advantage: More informed decisions on deployment and access control.

🤖 AI in Security: Not Just Another Workload

  • Perspective: Treat AI with the same rigor as other software systems.

  • Concerns:

    • Data source verification for AI models

    • Accuracy and confidence in AI outputs

  • Future Outlook:

    • Developing an "AI Bill of Materials"

    • Addressing AI-specific security challenges like data poisoning.

Resources:

  1. Keylime: Enhancing cloud platform integrity.

  2. SPIRE/SPIFFE: Identity solutions for your software.

  3. Malicious Compliance: Insights on container trust issues.

What’s the deal with Kubernetes Network Security for Multi-Tenancy?

We spoke to Cailyn Edwards, who is a CNCF Ambassador and Senior Security Engineer at Okta, and was previously a Senior Infrastructure Security Engineer at Shopify.

🌐 Security Dilemma: Restore vs. Isolate? 🔄🔒

  • The big question: As security pros, we often focus on isolation, but what about rapid restoration of services?

  • Businesses need quick restoration to maintain operations.

  • Kubernetes and cloud-native solutions sometimes shine here, allowing for speedy rebuilds while isolating the problem.

🐳 Kubernetes Security: Not Just Out of the Box! 🛠️🔐

  • Kubernetes isn't inherently secure – it requires customization.

  • Security needs vary by company and workload.

  • Start by analyzing communication needs and limit them to essentials.

  • Coming soon: Kubernetes Hardening Guide for step-by-step security upgrades.

🏘️ Multi-Tenancy: Living with Digital Roommates 🚪👥

  • Multi-tenancy is like having roommates with different habits.

  • Protect your digital space – lock your doors (i.e., use network policies).

  • Cross-namespace communication should be limited and well-defined.

🕵️‍♂️ Threat Modelling in Kubernetes: Simplified 📊🔍

  • Start by understanding network and communication needs.

  • Implement restrictions based on specific security profiles.

  • Utilize tools like Kubernetes network policies and observability tooling.

  • Always aim for minimal necessary communication.

  • Practical tip: Start with data flow diagrams and tackle the easy targets first.
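The "lock your doors" advice in the multi-tenancy section and the "minimal necessary communication" goal in the threat modelling section both come down to Kubernetes NetworkPolicy objects. The manifests below are an added example written for this newsletter; they are not from the episode or from Cailyn Edwards, and the namespace `team-a`, the pod label `app: api`, the namespace `ingress-gateway` and port 8080 are constructed values. The pattern is: deny everything in the tenant namespace by default, then add back only the named flows that the data flow diagram says are required. One caveat a practitioner hits immediately is that a default-deny egress policy also blocks DNS, so an explicit allow to the cluster DNS service is part of the baseline rather than an afterthought.

```yaml
# Added example (not the project's or speaker's code). Tenant namespace
# "team-a" is a constructed name. NetworkPolicy objects are additive: a pod
# selected by several policies is allowed the union of what they permit, so
# the deny-all policy below is only a floor that the later policies build on.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}        # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress              # listing a type with no rules means "deny all of it"
  - Egress
---
# Default-deny egress would also stop name resolution, which breaks almost every
# workload. Allow UDP/TCP 53 to the cluster DNS pods only. The label
# k8s-app=kube-dns is what the standard CoreDNS deployment carries; the
# kubernetes.io/metadata.name label is set automatically on every namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# The one cross-namespace flow this tenant actually needs: traffic from the
# (constructed) ingress-gateway namespace to the api pods on TCP 8080.
# Nothing else in the cluster can reach team-a, and team-a cannot reach
# other tenants, because no policy grants it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-gateway
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: api           # constructed workload label
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-gateway
    ports:
    - protocol: TCP
      port: 8080
```

Apply the file with `kubectl apply -f` and confirm what is in force with `kubectl describe networkpolicy -n team-a`. Two things to verify before trusting the result: the cluster's CNI plugin must actually enforce NetworkPolicy (the API object is accepted regardless, but some network plugins silently ignore it), and the `namespaceSelector` with `podSelector` in the DNS rule must sit in the same list item, as above; splitting them into two list items turns "these pods in that namespace" into "any pod in that namespace OR any pod with that label anywhere", which is a much wider hole than intended.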

🔧 Resources & Info for Your Toolbox 🛠️📚

In this episode, we spoke to Alex Jauch, Senior Director at Outshift by Cisco, about the rapidly evolving landscape of cloud infrastructure, particularly the challenges for product and feature teams dealing with increasingly complex systems. The conversation traced the journey from using basic cloud services to the integration of advanced technologies like Gen AI.

📈 The Ever-Growing Complexity

  • Multifaceted Cloud Services: From EC2 to EKS, ECS, Lambda, and Gen AI - our toolkit is expanding, not replacing.

  • Constant Acceleration: The growth in cloud service diversity is not slowing down. Practitioners need to keep pace!

🔙 A Look Back in Time

  • The 1990s IT Scene: Technology adoption was a slow process, often hindered by operational frictions and delayed decision-making.

  • Frictionless Cloud Adoption: Contrastingly, today's cloud services like EKS or Lambda can be deployed almost instantly, removing traditional barriers.

⚠️ The Security Implication

  • Explosive Surface Area: This rapid adoption leads to an ever-expanding security surface.

  • The Community Approach: Security professionals must embrace community collaboration. No single person can grasp the entirety of their infrastructure.

🤝 Embracing Teamwork and Community

  • Seek Support, Not Solitude: Collaborate with peers and hunt in groups. Security is a team sport!

  • The Marathon, Not a Sprint: Avoid burnout. The journey is long, and it's okay not to know everything.


Harnessing Offensive Security in the Cloud Era

To wrap up 2023, we spoke to Sam Kirkman from NetSPI about the exciting and ever-evolving world of Offensive Security in the context of cloud computing and AI.

What is Offensive Security? 🛡️🔍

  • Defining the Term: Think of offensive security as proactive security. It's more than just penetration testing (pentesting); it's a mindset shift from purely defensive measures to actively seeking potential vulnerabilities and gaps.

  • Professional Skepticism: Embrace skepticism in your cybersecurity strategy. Question the effectiveness of your controls and mechanisms. You'll likely uncover gaps in security under various contexts.

  • Beyond Pentesting: Include practices like threat modeling and broader assessments. Instead of only defending, ask, "What if we attack this?".

Threat Landscape: Cloud and AI 🌐🤖

  • Evolving Complexities: The cloud and AI have transformed our approach to infrastructure and security. The shared responsibility model in the cloud and the rapid advancements in AI require novel security considerations.

  • AI Security: With examples like ChatGPT, it's evident that AI security is crucial. Be mindful of input data poisoning and the architecture of AI models.

Offensive Security Roadmap 🗺️💡

  • Rethinking Traditional Mindset: As a CISO, view offensive security not as an additional task but as a tool for validating your security strategy.

  • Holistic Approach: Understand that securing applications in isolation is insufficient. Develop a roadmap that validates the entire network and interconnected systems.

  • Asset Inventory and Threat Modeling: Start with a thorough asset inventory. Knowing what you own and how it connects is the foundation for effective threat modeling.

Where to Start with Your Offensive Security Roadmap? 🚦🛠️

  • Identify Gaps: Determine where your security is weakest. Whether it's email, application, or network security, understanding your vulnerabilities is key.

  • Evaluation and Testing: Regularly evaluate the effectiveness of your security measures. Offensive security lets you test and validate your defenses proactively.

Incorporating offensive security into your strategy is more than just a checkbox exercise. It's about adopting a proactive, skeptical, and holistic approach to cybersecurity.

Start by understanding your current landscape and work towards a comprehensive offensive security roadmap that complements your defensive strategies.

Remember, the goal is to ensure every aspect of your cybersecurity efforts is robust and effective! 💪

Top Cloud Security News this week!!

We recognise that news should always be as unbiased as possible, so we promise to keep this section of our newsletter free of sponsored content. If we do find vendor news or a report relevant enough to bring in front of your eyes, we will report it here, but rest assured that the only reason it’s here is because we found it interesting and thought you might too 😊

❓What are the AWS Security Services Best Practices?

Quite timely to complement the episode we just aired with Chris Farris about AWS Cloud Security Program: this week Clint Gibler, in his newsletter tl;dr sec, shared the AWS Security Services Best Practices, a GitHub repository that takes input not just from AWS employees but from the wider community.

It sets out the best practices for the popular Amazon Web Services (AWS) Security Services - Detective, GuardDuty, Inspector, Macie and Security Hub. It might be a document you find useful, or something you may want to contribute to.

In case this was forwarded to you: you can sign up here for more Cloud Security.

We are gearing up for a very exciting 2024. If there is a topic in Cloud Security you wanted to hear about and we are yet to cover it, let us know and we will make sure we have you covered in 2024!

What’s Coming Up!!

Want to learn more about Cloud Security, or know someone who wants to? We’ve got you!

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Are you liking this new format newsletter? What can we do better? What else would you like to see here?

Our newsletter is on a path of self-improvement and reinvention. Ashish and I have challenged ourselves to bring you even more value as we continue to evolve this each week, and we would love to hear from you 📢 as to how we can make this newsletter even more awesome for you (On that note! Thank you for subscribing 💙)

Hope you are enjoying this new look Cloud Security Newsletter, there’s plenty more to come.

Peace!

Was this forwarded to you? You can Sign up here, if this was helpful for you.

Want to sponsor the next newsletter edition? Let’s make it happen

Have a topic or idea in Cloud Security to share? Submit it here

Need Cloud Security or AI Security on Cloud Security Training or Expertise? Let’s Connect