Learn Cloud Security in Public Cloud the unbiased way from CyberSecurity Experts solving challenges at Cloud Scale. We can be honest because we are not owned by...
At HashiConf 2024 in Boston, our host Ashish Rajan had a great chat over some cannolis and a game of Jenga with AJ Oller, AVP of Engineering at The Hartford about how automation, mainframes, and compliance intersect to drive innovation in regulated industries like insurance. They spoke about why regulations aren't barriers but frameworks to prevent failure, the human side of engineering and how to manage change fatigue during transformations and how automation enhances security, disaster recovery, and operational efficiency.
Guest Socials: AJ' s Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast- Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
Questions asked:
(00:00) Introduction
(01:53) A bit about AJ Oller
(02:17) The Cannoli taste test
(04:38) Technology in the Insurance industry
(10:19)What is a platform?
(11:46) What skillsets do you need in platform team?
(14:19) Maturity for building platform teams
(19:5)8 Business case for investing in Automation
(24:49) Does Automation help with security regulations?
(28:10) Leaders communicating automation value to business
(30:37) Cheerleading for digital transformation
(32:32) The Fun Section
--------
36:32
Dynamic Permission Boundaries: A New Approach to Cloud Security
In this episode, Ashish spoke with Kushagra Sharma, Staff Cloud Security Engineer, to delve into the complexities of managing Identity Access Management (IAM) at scale. Drawing on his experiences from Booking.com and other high-scale environments, Kushagra shares insights into scaling IAM across thousands of AWS accounts, creating secure and developer-friendly permission boundaries, and navigating the blurred lines of the shared responsibility model.
They discuss why traditional IAM models often fail at scale and the necessity of implementing dynamic permission boundaries, baseline strategies, and Terraform-based solutions to keep up with ever-evolving cloud services. Kushagra also explains how to approach IAM in multi-cloud setups, the challenges of securing managed services, and the importance of finding a balance between security enforcement and developer autonomy.
Guest Socials: Kushagra's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast- Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
Questions asked:
(00:00) Introduction
(02:31) A bit about Kushagra
(03:29) How large can the scale of AWS accounts be?
(03:49) IAM Challenges at scale
(06:50) What is a permission boundary?
(07:53) Permission Boundary at Scale
(13:07) Creating dynamic permission boundaries
(18:34) Cultural challenges of building dev friendly security
(23:05) How has the shared responsibility model changed?
(25:22) Different levels of customer shared responsibility
(29:28) Shared Responsibility for MultiCloud
(34:05) Making service enablement work at scale
(43:07) The Fun Section
--------
46:05
Building a Resilient Cloud Security Program after Merger and Acquisition
In this episode, host Ashish Rajan sits down with Prahathess Rengasamy, a cloud security expert with extensive experience at companies like Credit Karma, Block, and Apple. Together, they explore the challenges and best practices for scaling cloud security, especially in the complex scenarios of mergers and acquisitions.
Starting with foundational elements like CSPMs and security policies, Prahathess breaks down the evolution of cloud security strategies. He explains why cloud security cannot succeed in isolation and emphasizes the need for collaboration with platform and infrastructure engineering teams. The conversation delves into real-world examples, including managing AWS and GCP security post-acquisition and navigating the cultural and technical challenges that come with multi-cloud environments.
Guest Socials: Prahathess's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast- Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
Questions asked:
(00:00) Introduction
(02:02) A bit about Prahathess
(02:36) How does Cloud Security Scale?
(07:51) Where do we see just in time provisioning?
(10:05) Cloud Security for Mergers and Acquisitions
(14:31) Should people become MultiCloud Experts?
(15:28) The need for data insights
(16:54) Data sources to have as part of data insights
(21:06) Benefits of Data insights for Cloud Security Teams
(21:30) How to bring the new team along the cloud security journey?
(24:29) How to learn about data insights?
(26:35) How to maximize security efforts with data?
(36:21) The Fun Section
--------
39:14
Building Data Perimeter in Cloud in 2024
In this episode, Ashish gets into the critical topic of data perimeters in AWS with our guest, Tyler Warren, a Lead Cloud Security Engineer at USAA. As cloud environments continue to evolve, the importance of securing your data through trusted networks and identities has never been more crucial.
Tyler shares his insights on the challenges and strategies involved in building effective data perimeters, emphasizing the need for a holistic security approach that includes both preventative and detective controls. We explore how concepts like trusted resources, networks, and identities play a pivotal role in safeguarding your cloud infrastructure and why these elements should be at the core of your security strategy. Join us as we discuss practical steps for implementing and managing data perimeters, the significance of understanding your zones of trust, and how to scale your security measures as your cloud footprint grows.
Guest Socials: Tyler's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast- Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
Questions asked:
(00:00) Introduction
(02:28) A bit about Tyler
(04:22) Data Perimeter in Cloud Security
(08:18) Why was there a need to look into data perimeter?
(09:39) Should people look at data perimeter from the beginning?
(12:16) Starting point for data perimeter
(15:42) Defining boundaries of Zone of Trust
(21:25) Data perimeter in hybrid environments
(24:47) Challenges in setting up data perimeter
(31:31) Should you start in dev, test or prod?
(34:55) How often should you review your SCPs?
(36:05) What Skillsets does the team need?
(37:26) Are Data Perimeters Developer Friendly?
(40:06) Technical challenges with detective and preventative controls
(42:14) Getting stakeholders onboard
(46:56) Levels of maturity for data perimeter strategy
(49:30) The Fun Section
Resources spoken about during the interview:
AWS Data Perimeter at USAA: Things we knew, things we thought we knew and things you should know!
--------
56:14
Navigating NIST CSF 2.0: Guide to Frameworks and Governance
In this episode, we sat down with Lukasz Gogolkiewicz, an Australia-based Cybersecurity Leader and former pentester, to explore his journey from offensive security into cybersecurity leadership. Lukasz, also a speaker coach at BlackHat USA, brings valuable insights into what it takes to shift from being technical to managing compliance, governance, and broader security programs in industries like retail and advertising.
Throughout the conversation, we dive into the specific challenges of transitioning from a purely cloud-based tech company to a bricks-and-mortar retail operation, highlighting how the threat models differ dramatically between these environments. Lukasz shares his unique perspective on cybersecurity frameworks like NIST CSF 2.0, essential for building resilient programs, and offers practical advice for selecting the right framework based on your organization's needs.
Guest Socials: Lukasz's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security Podcast- Youtube
- Cloud Security Newsletter
- Cloud Security BootCamp
Questions asked:
(00:00) Introduction
(03:00) A bit about Lukasz
(04:32) Security Challenges for Tech First advertising company
(05:16) Security Challenges for Retail Industry
(06:00) Difference between the two industries
(07:01) Best way to build Cybersecurity Program
(09:44) NIST CSF 2.0
(13:02) Why go with a framework?
(16:26) Which framework to start with for your cybersecurity program?
(18:33) Technical CISO vs Non Technical CISO
(25:37) The Fun Section
Resources spoken about during the interview:
NIST CSF 2.0
CIS Benchmark
ASD Essential Eight
Mapping between the frameworks
https://www.cisecurity.org/insights/white-papers/cis-controls-v8-mapping-to-nist-csf-2-0
https://www.cisecurity.org/insights/white-papers/cis-controls-v8-mapping-to-asds-essential-eight
Verizon Data Breach Investigations Report (DBIR)
Lukasz Woodwork Channel
BSides Melbourne
Learn Cloud Security in Public Cloud the unbiased way from CyberSecurity Experts solving challenges at Cloud Scale. We can be honest because we are not owned by Cloud Service Provider like AWS, Azure or Google Cloud.
We aim to make the community learn Cloud Security through community stories from small - Large organisations solving multi-cloud challenges to diving into specific topics of Cloud Security.
We LIVE STREAM interviews on Cloud Security Topics every weekend on Linkedin, YouTube, Facebook and Twitter with over 150 people watching and asking questions and interacting with the Guest.