239 episodes

Learn Cloud Security in Public Cloud the unbiased way from CyberSecurity Experts solving challenges at Cloud Scale. We can be honest because we are not owned by a Cloud Service Provider like AWS, Azure or Google Cloud.

We aim to help the community learn Cloud Security through community stories, from small to large organisations solving multi-cloud challenges to deep dives into specific topics of Cloud Security.

We LIVE STREAM interviews on Cloud Security topics every weekend on LinkedIn, YouTube, Facebook and Twitter, with over 150 people watching, asking questions and interacting with the guest.

Cloud Security Podcast Cloud Security

    • Technology
    • 5.0 • 52 Ratings


    eBPF - Kubernetes Network Security without the Blind Sides!


    eBPF is a recent graduate in the CNCF family, and this means that in the world of Cloud and Kubernetes, networking looks very different, with more security capabilities. Cilium, the project from Isovalent, has been gaining traction for network security for Kubernetes as blind sides have been called out in managed Kubernetes deployments. This episode was recorded at KubeCon NA with Thomas Graf from Isovalent to share what the blind sides are and why eBPF provides better network security capability for Kubernetes deployments of any scale.



    Guest Socials: Thomas's Linkedin (@ThomasGraf)

    Podcast Twitter - @CloudSecPod

    If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

    - Cloud Security Newsletter

    - Cloud Security BootCamp



    Questions asked:

    (00:00) Introduction

    (03:42) A bit about Thomas

    (04:11) Traditional Networking in Kubernetes

    (06:52) What is Cilium?

    (07:52) What is eBPF?

    (08:46) What do people use Cilium for?

    (11:31) Starting with network security in Kubernetes

    (13:02) Complexities with Scale

    (16:02) How do projects graduate?

    (17:02) The eBPF documentary

    (17:27) Opensource to Company

    (18:52) Practitioner to Founder

    (19:57) Building an open source project

    (21:13) The Fun Questions!



    You can check out The eBPF Documentary here

    • 23 min
    Attack Path Analysis for Better Kubernetes Security


    Kubernetes security cannot be just about Kubernetes; it is like the security of a datacenter within another datacenter. In this episode with Tim Miller we spoke about CNAPP and how to approach Kubernetes security.



    Thank you to our episode sponsor Outshift by Cisco



    Guest Socials: Tim's Linkedin (@timothyemiller)




    Questions asked:

    (00:00) Introduction

    (02:42) A bit about Tim Miller

    (03:35) What is CNAPP?

    (04:30) Traditional Kubernetes Security

    (05:18) Where to put a CNAPP?

    (06:20) CSPM vs CNAPP

    (09:00) Attack Path Analysis

    (11:05) Kubernetes Attack Path

    (12:43) The team you need

    (14:06) Resources to learn more

    (16:24) Fun Question

    • 21 min
    Secure your SaaS applications like this!


    SaaS applications support large companies and small startups alike. We inevitably accumulate SaaS applications to manage our employees, payroll and communication, with things like Workday, Slack, Salesforce and now even things like ChatGPT. But how do you find out what you have and whether they are secure? We spoke about all things SSPM with Max Feldman, who has done Product Security for years at companies like Slack, Salesforce and now AppOmni.



    Thank you to our episode sponsor AppOmni

    You can get a copy of their SaaS Security Posture Management Report 2023 here

    Guest Socials: Max's Linkedin (@maxfeldman14)




    Questions asked:

    (00:00) Introduction

    (04:20) A bit about Max

    (04:48) What is a SaaS application?

    (05:45) What is SSPM?

    (09:33) When to consider a SSPM?

    (15:45) SaaS and the Cloud

    (16:39) SaaS Attack Surface

    (19:34) CASB vs SSPM

    (24:00) Is ChatGPT a SaaS application?

    (25:07) SSPM vs CSPM + CNAPP

    (27:33) SSO and Onboarding

    (29:21) Starting a SaaS Security Program

    (36:48) Challenges with SaaS Security Program

    (41:50) Where you can find Max!

    • 42 min
    Threat Detection for not so Common Cloud Services


    Threat detection is often limited to popular cloud services, so what's happening to all the "not so popular or commonly known" cloud services in your environment? We are speaking to Suresh Vasudevan, CEO of Sysdig, about the challenges companies typically find in this space and what the approach to threat detection should be. If you feel you are looking at threats from all cloud services, you might want to hear this episode to know if you actually are.

    Thank you to our episode sponsors Vanta and Sysdig

    You can find out more about Sysdig here!

    Find out more about Vanta here!



    Guest Socials: Suresh's Linkedin (@suvasudevan)




    Questions asked:

    (00:00) Introduction

    (03:41) A bit about Suresh

    (05:14) How was threat detection done traditionally?

    (07:33) How does threat detection translate to cloud?

    (08:47) Uncommon services attack vector examples

    (11:00) Uncommon services explained

    (11:31) Problems with threat detection in cloud

    (16:53) How to approach prioritisation?

    (19:48) Bridging Cloud and Applications



    Resources discussed during the episode!

    LabRat

    AmberSquid

    Scarleteel

    The 2023 Global Threat Research

    • 34 min
    How to Escape Clusters in a Managed Kubernetes Cluster?


    Not escaping containers but escaping clusters: attack vectors in managed Kubernetes distributions such as Amazon EKS, Google Kubernetes Engine (GKE) and Azure Kubernetes Service (AKS) can allow you to reach the underlying AWS Account etc. In conversation with Christophe Tafani-Dereeper & Nick Frichette from Datadog on how this is possible in Amazon EKS, and on potentially achieving the same in GKE & AKS too.



    Thank you to our episode sponsor Sagetap



    Guest Socials: Nick's and Christophe's Linkedin (Nick Frichette + Christophe Tafani-Dereeper)


    Questions asked:
    (00:00) Introduction

    (04:11) A bit about Christophe

    (04:37) A bit about Nick

    (05:03) What is managed Kubernetes?

    (06:26) Security of managed Kubernetes

    (09:02) Comparison between different managed Kubernetes

    (10:41) Service accounts and managed Kubernetes

    (14:22) What is container escape?

    (18:20) IMDSv2 for EKS

    (19:51) IMDSv2 in EKS vs AKS and GKE

    (22:01) Benchmark compliance for Kubernetes architecture

    (24:49) Low hanging fruits for container escape

    (27:17) Shared responsibility for managed Kubernetes

    (29:34) Fargate for Managed Kubernetes

    (32:00) Different ways to run containers

    (33:37) Escaping Managed Kubernetes cluster

    (38:39) Find more about this attack path

    (42:38) Privilege escalation in EKS cluster

    (44:19) Reducing the Kubernetes attack surface

    (44:58) MKAT for Kubernetes Security

    (48:23) Preventing AWS AuthConfig

    (50:11) Propagation Security

    (54:55) The fun section

    (57:47) Resources for latest Kubernetes updates



    Resources spoken about during the episode

    Nick Frichette's Blog - Hacking the Cloud

    Christophe Tafani-Dereeper's Blog

    Corey Quinn's - 17 ways to run containers on AWS

    MKAT

    cloudseclist newsletter

    • 59 min
    Have I lost my Secrets?


    You know that feeling when you are unsure if your AWS secret that leaked is still available for use? There is no easy way to check this apart from looking in AWS to see if anyone used it. Turns out there could be another way. We have Ziad Ghalleb from GitGuardian to share a free tool they released to help people look up if their secret was exposed on GitHub.



    Thank you to our episode sponsors GitGuardian and Sysdig



    Guest Socials: Ziad's Linkedin (@ghallebziad)


    Questions asked:
    (00:00) Introduction

    (04:53) A bit about Ziad

    (05:47) What are secrets?

    (07:37) Has my secret leaked

    (08:46) How would users know?

    (10:31) What's the risk?

    (15:43) What do orgs do for secrets?

    (18:01) Keeping tab on your secrets

    (20:33) Secrets management maturity

    (22:43) Scaling Secrets management program

    (25:20) Where to learn more?



    Resources spoken about during the episode

    hasmysecretleaked

    Secrets Detection Learning Center

    • 29 min

Customer Reviews

5.0 out of 5
52 Ratings


mvelasco07 ,

Great show!

Cloud Security Podcast has quickly become a favorite in my feed! I’m consistently impressed by the engaging conversations, insightful content, and actionable ideas. I truly learn something every time I listen!

gblind8 ,

Insightful questions I’m curious to know the answer to

If you’re looking to hear from professionals in the field from a spectrum of experience, I would highly recommend this podcast. Some interview guests on other podcasts are difficult to relate to because they’re outliers. In this podcast, you’ll hear from guests that you can tangibly aspire to.

Kapil CSP ,

Best in class Cloud Security Updates

Over the last few years, podcasts have grown from a fringe medium to one of the most popular ways to get news and information. For those in the know, or those who need to know, the Cloud Security Podcast hosted by Ashish is by far the best I have come across. Ashish is a thought leader in the cloud industry. With this in mind, he is one of the best editors, having compiled a list of over hundreds of cloud security podcasts. To keep up with the latest news, trends, best practices, and to hear from the top minds in the industry, I highly recommend giving these a listen.
