- Cloud Security Newsletter
- Happy New Year from Cloud Security Podcast - Here's to 2024!
Happy New Year from Cloud Security Podcast - Here's to 2024!
Unpacking Managed Kubernetes and AI + Proactive Sketicism
Happy New Year from Cloud Security Podcast!
We hope you had an amazing start to this year!
2023 was an year we would remember for mixed emotions. It was mostly positive filled with support and love we got from everyone who reached out to us on how the interviews helped them get them their cloud security job, topics they need help with to solve in their cloud environment and share what we do to allow us to help more people learn Cloud Security! 🙏🏻
2023 was also the year when Cloud Security Podcast moved or hopped 🦘 our operations across continents - All the way from Melbourne, Australia 🦘 to London, UK 💂🏻♀️
A lot of little things didn’t go as plan but a lot of big things did and there was still plenty we are absolutely grateful for this year.
We interviewed some incredible people, got to learn a lot from some exceptional practitioner, attended many conferences across the globe and hit over 1.5 Million downloads and views. Its been a rollercoaster and I am penning down the good, bad and ugly in blog post this week, which you will see soon.
Thank you for your patience and love in 2023, for supporting the podcast and the newsletter. We are looking forward to continuing to add more value to your cloud security career with the Training videos and bunch of other surprises we have planned on Cloud Security Bootcamp in 2024.
In 2024, we are heading into Season 5 - It is wild to think that its been 5 years of sharing Cloud Security Knowledge and learning together and it has all just flown by 😊. We have learnt so much, grown so much and for each of those moments felt incredibly grateful. So for all of that & much more - THANK YOU !!
And before we get into the madness of a New Year! If you didn’t get a chance to do this over the holiday break I would encourage you to take a pause, even if its for a moment to be grateful, to be present.
Here’s a snap I took on 31st morning, the last sunrise of 2023. I took a moment to reflect on all the good that has happened and all the challenges I was able to overcome. I took this picture as a reminder and so I wanted to share it with you, hope it brings you something positive 🙂
Now onto all things AI and Cloud Security 2024…
Unpacking Software Supply Chain Security, Managed Kubernetes, Zero Trust, AI & More
Software Supply Chain Security: Ensuring Integrity from Source to Software
Managed Kubernetes: A Question of Responsibility and Expertise
Zero Trust: Beyond the Hard Shell, Soft Center Approac
AI in Security: Not Just Another Workload
Managed Kubernetes: A Question of Responsibility and Expertise
The Security Dilemma: Restore vs. Isolate in Kubernetes Environments
Kubernetes Security: Customizing for Your Needs
Multi-Tenancy in Kubernetes: Protecting Your Digital Space
Threat Modelling in Kubernetes: A Simplified Approach
Cloud Attack Surface and Its Evolution
A Look Back: The Journey from Traditional IT to Modern Cloud Services
Embracing Teamwork and Community in Cloud Security
Defining Offensive Security in the Cloud and AI Era
What is Offensive Security?
Building an Effective Offensive Security Roadmap
Cloud Security Podcast 2023 Wrap Up
We finished off 2023 with a bang on Cloud Security Podcast, with some stellar episodes - wrapping some of the key moments and takeaways for you so you get started with 2024 armed with all those key
🌩️ Unpacking Software Supply Chain Security, Managed Kubernetes, Zero Trust, AI & more!
At KubeconNA in Chicago this year, we spoke to Emily Fox, chair on the Cloud Native Computing Foundation’s (CNCF) Technical Oversight Committee (TOC) about Software Supply Chain Security, Managed Kubernetes, the essence of Zero Trust, and the intriguing impact of AI on security.
🔗 Software Supply Chain Security: Ensuring Integrity from Source to Software
What It Is: A set of practices applied in software development and open-source maintenance. It's all about tracing and verifying the origins and construction of software.
Commit and artifact signing
Producing a Software Bill of Materials (SBOM)
Why It Matters: Helps quickly identify and address vulnerabilities (like the infamous log4j) in your software architecture.
🐳 Managed Kubernetes: A Question of Responsibility and Expertise
Self-Hosted vs. Managed:
Self-Hosted: Like a free puppy — lots of responsibility!
Managed: Shared responsibilities and expert support.
Benefits of Managed Services:
Contractual security agreements
Opinionated Kubernetes instances for non-experts
🚫 Zero Trust: Beyond the Hard Shell, Soft Center Approach
Concept: "Zero implicit trust" - Constantly challenge connections and identities.
Application: Across devices and services, based on verified identities.
Advantage: More informed decisions on deployment and access control.
🤖 AI in Security: Not Just Another Workload
Perspective: Treat AI with the same rigor as other software systems.
Data source verification for AI models
Accuracy and confidence in AI outputs
Developing an "AI Bill of Materials"
Addressing AI-specific security challenges like data poisoning.
Whats the deal with Kubernetes Network Security for Multi Tenancy?
We spoke to Cailyn Edwards, who is a CNCF Ambassador & Senior Security Engineer at Okta + was a Senior Infrastructure Security Engineer at Shopify
🌐 Security Dilemma: Restore vs. Isolate? 🔄🔒
The big question: As security pros, we often focus on isolation, but what about rapid restoration of services?
Businesses need quick restoration to maintain operations.
Kubernetes and cloud-native solutions sometimes shines here, allowing for speedy rebuilds while isolating the problem.
🐳 Kubernetes Security: Not Just Out of the Box! 🛠️🔐
Kubernetes isn't inherently secure – it requires customization.
Security needs vary by company and workload.
Start by analyzing communication needs and limit them to essentials.
Coming soon: Kubernetes Hardening Guide for step-by-step security upgrades.
🏘️ Multi-Tenancy: Living with Digital Roommates 🚪👥
Multi-tenancy is like having roommates with different habits.
Protect your digital space – lock your doors (i.e., use network policies).
Cross-namespace communication should be limited and well-defined.
🕵️♂️ Threat Modelling in Kubernetes: Simplified 📊🔍
Start by understanding network and communication needs.
Implement restrictions based on specific security profiles.
Utilize tools like Kubernetes network policies and observability tooling.
Always aim for minimal necessary communication.
Practical tip: Start with data flow diagrams and tackle the easy targets first.
🔧 Resources & Info for Your Toolbox 🛠️📚
In this episode, we spoke to Alex Jauch, Senior Director at Outshift by CISCO, about the rapidly evolving landscape of cloud infrastructure, particularly the challenges for product and feature teams dealing with increasingly complex systems. Our journey was from using basic cloud services to the integration of advanced technologies like Gen AI
📈 The Ever-Growing Complexity
Multifaceted Cloud Services: From EC2 to EKS, ECS, Lambda, and Gen AI - our toolkit is expanding, not replacing.
Constant Acceleration: The growth in cloud service diversity is not slowing down. Practitioners need to keep pace!
🔙 A Look Back in Time
The 1990s IT Scene: Technology adoption was a slow process, often hindered by operational frictions and delayed decision-making.
Frictionless Cloud Adoption: Contrastingly, today's cloud services like EKS or Lambda can be deployed almost instantly, removing traditional barriers.
⚠️ The Security Implication
Explosive Surface Area: This rapid adoption leads to an ever-expanding security surface.
The Community Approach: Security professionals must embrace community collaboration. No single person can grasp the entirety of their infrastructure.
🤝 Embracing Teamwork and Community
Seek Support, Not Solitude: Collaborate with peers and hunt in groups. Security is a team sport!
The Marathon, Not a Sprint: Avoid burnout. The journey is long, and it's okay not to know everything.
Harnessing Offensive Security in the Cloud Era
What is Offensive Security? 🛡️🔍
Defining the Term: Think of offensive security as proactive security. It's more than just penetration testing (pentesting); it's a mindset shift from purely defensive measures to actively seeking potential vulnerabilities and gaps.
Professional Skepticism: Embrace skepticism in your cybersecurity strategy. Question the effectiveness of your controls and mechanisms. You'll likely uncover gaps in security under various contexts.
Beyond Pentesting: Include practices like threat modeling and broader assessments. Instead of only defending, ask, "What if we attack this?".
Threat Landscape: Cloud and AI 🌐🤖
Evolving Complexities: The cloud and AI have transformed our approach to infrastructure and security. The shared responsibility model in the cloud and the rapid advancements in AI require novel security considerations.
AI Security: With examples like ChatGPT, it's evident that AI security is crucial. Be mindful of input data poisoning and the architecture of AI models.
Offensive Security Roadmap 🗺️💡
Rethinking Traditional Mindset: As a CISO, view offensive security not as an additional task but as a tool for validating your security strategy.
Holistic Approach: Understand that securing applications in isolation is insufficient. Develop a roadmap that validates the entire network and interconnected systems.
Asset Inventory and Threat Modeling: Start with a thorough asset inventory. Knowing what you own and how it connects is the foundation for effective threat modeling.
Where to Start with Your Offensive Security Roadmap? 🚦🛠️
Identify Gaps: Determine where your security is weakest. Whether it's email, application, or network security, understanding your vulnerabilities is key.
Evaluation and Testing: Regularly evaluate the effectiveness of your security measures. Offensive security lets you test and validate your defenses proactively.
Incorporating offensive security into your strategy is more than just a checkbox exercise. It's about adopting a proactive, skeptical, and holistic approach to cybersecurity.
Start by understanding your current landscape and work towards a comprehensive offensive security roadmap that complements your defensive strategies.
Remember, the goal is to ensure every aspect of your cybersecurity efforts is robust and effective! 💪
Top Cloud Security News this week!!
We recognise that news should always be as unbiased as possible so we promise to keep this section of our newsletter free of sponsored content. If we do find a vendor news or report relevant to bring in front of your eyes, we will report it here but rest assured that the only reason its here cause we found it interesting and thought you might too 😊
❓What are the AWS Security Services Best Practices?
Quite timely to compliment the episode that we just aired our interview with Chris Farris about AWS Cloud Security Program, this week Clint Gibler his newsletter tl;dr sec, shared the AWS Security Services Best Practices which is a GitHub repository that takes inputs from not just AWS employees but from the wider community.
It sets out the best practices for the popular Amazon Web Services (AWS) Security Services - Detective, GuardDuty, Inspector, Macie and Security Hub. Might be a document you find useful or something you may want to contribute into.
Incase this was forwarded to you? You can signup here for more Cloud Security
We are gearing up for a very exciting 2024, if there is a topic in Cloud Security you wanted to hear about and we are yet to cover it, let us know and we will make sure we have you covered in 2024!
Whats Coming Up!!
Want to learn more about Cloud Security or know someone who wants to, we got you !
If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.
Have you joined our FREE Monthly Cloud Security Bootcamp yet
Are you liking this new format newsletter? What can we do better? What else would you like to see here?
Our newsletter is on a path of self improvement and reinvention, Ashish and I have challenged ourselves to bring you even more value as we continue to evolve this each week & we would love to hear from you 📢 as to how can we make this newsletter even more awesome for you (On that note! Thank you for subscribing💙)
Hope you are enjoying this new look Cloud Security Newsletter, theres plenty more to come.
Was this forwarded to you? You can Sign up here, if this was helpful for you.
Want to sponsor the next newsletter edition! Lets make it happen
Have a topic or idea in Cloud Security to share? Submit it here
Need Cloud Security or AI Security on Cloud Security Training or Expertise ? Let’s Connect