The podcast for Security Architecture
Hosted by Moshe Ferber and Ariel Munafo.
The world of software development has changed rapidly in recent years due to various factors – Cloud Computing, Digital Transformation, CI/CD & DevOps – which have all changed the way we build new applications. Young startups today have access to enterprise-grade infrastructure, enabling them to produce scalable, robust applications faster and cheaper. But as companies innovate faster, security challenges arise. The security community has not yet mastered the art of developing software that is fast, at scale, and secure, and a variety of companies still struggle to find the right foundation for their security posture.
The SilverLining podcast was created to help you do just that – find the right combination of people, processes, and technologies to build more secure and reliable services. We will focus on the latest developments in infrastructure and software development and talk with people who have mastered how to secure them. In each episode, we will host an expert for a discussion on the security aspects of new technologies and provide insights, best practices, and knowledge for creating more secure software architecture.
Episode 29: Cloud Identity Governance - understanding challenges
Guest: Arick Goomanovsky
Guest title: Co-Founder & Chief Business Officer
In cloud platforms, identity and permissions are the most important control that customers get to implement. Network segmentation and other traditional controls are often ineffective, and access to resources is determined by a mixture of roles and policies. This mixture can become very complex and difficult to lock down. In this episode, we are hosting Arick Goomanovsky, Chief Business Officer at Ermetic, to discuss cloud identity and access challenges, and to review real-life examples of what can happen when identity and access entitlements in cloud infrastructure are neglected.
0:00 Introducing our guest and Ermetic
2:21 Understanding Identity Governance
4:40 Cloud identity challenges
10:55 Dealing with identity challenges by adding visualization and analysis of permissions
16:30 Which organizational stakeholders are relevant?
22:01 Examples of IAM challenges and incidents
22:25 Example 1: Protecting sensitive resources
26:25 Example 2: Third party access
29:49 Example 3: The visibility challenge when using SSO
31:30 Summary and final words
Episode 28: Analyzing Cloud Attack Vectors - SaaS Marketplaces and Office 365 BEC
Guest: Ofer Maor
Guest title: Co-Founder & CTO
The recent increase in cloud-based attacks gives us an opportunity to examine new attack vectors and how attackers exploit new services. In this episode we talked with Ofer Maor, Co-Founder at Mitiga, about new attack vectors in cloud computing and how attackers exploit new services such as marketplaces, community repositories, and others.
0:00 Introducing our guest and Mitiga
3:32 Preparing for cloud incident response
7:15 Cloud attack vector - malicious AMI
11:00 More attack vectors on marketplaces
13:18 GitHub attack vectors
18:15 Attack vector - business email compromise on Office 365
25:44 How to mitigate cloud incidents
27:58 Summary and last words
Episode 27: Protecting Your Cloud Data With Legal Controls
Guest: Dalit Ben Israel
Guest title: Partner, head of IT & Data protection practice
Company: Naschitz Brandes Amir
In the cloud era, the information security officer's new best friends are the lawyers in the legal department. Legal matters such as cross-border data transfers, contractual controls and privacy laws are becoming critical in cloud migrations. In this episode we talk with Dalit Ben Israel, Partner at NBlaw, about the legal challenges of cloud computing: cross-border transfers, the rise of privacy laws, and proper contract management and monitoring.
0:00 - Opening
2:03 - Introduction of our guest
4:95 - Considerations of data center location and the effect of the Schrems II judgement invalidating the Privacy Shield
12:50 - The roles and responsibilities of cloud providers and customers
15:27 - Choosing cloud providers - why do we need lawyers in the process and the obligation to enter into DPAs
20:00 - Specific challenges with SaaS and agreements with subprocessors
22:12 - Negotiating cloud contracts - what are the challenges, and how to minimize risks
30:32 - Dispute resolution and venue of jurisdiction
33:24 - Ongoing contract monitoring
36:10 - Summary
Episode 26: Current Challenges With Cloud
This is a special episode where both of us (Moshe & Ariel – no guests this time) discuss the future of cloud computing and the challenges that still need to be solved. We take a detailed look at the shortage of manpower and knowledge, privacy laws and their influence on innovation, and technology challenges such as multi-tenancy, APIs, encryption, continuous monitoring and more.
Opening words - 5 min
Introducing the podcast - Moshe / Ariel
Introducing our guest - Ariel
Introducing myself - Moshe
Introducing the topic and context of the podcast - Moshe
Shortage in manpower: there are unfilled jobs for cyber professionals, especially in application security
Shortage in knowledge: security professionals lag behind in learning new technologies
Malicious insider - one of the biggest challenges for cloud providers
Shared responsibility model collapsing
Privacy laws are creating islands of data - Privacy laws are limiting the transfer of data
Jurisdiction, court orders and government access to data - as cloud providers host more data, they become a target for more and more government interest
API security best practices - there will be more and more APIs, and we have not mastered how to protect them
Encryption and key management - the holy grail for holding your own encryption keys is fading
Multi-tenancy - we don't have clear practices for building multi-tenant applications
Identity based access controls - network access controls are useless in cloud computing, but our ability to create granular access controls based on identity is not mature yet
Automation and DevOps - security automation is still maturing. We still don't know how to integrate developers and operations without breaking best practices
Using the wrong tools
Closure (5 min)
Moshe - Summarizing
Ariel - closing
Episode 25: From Excessive Permissions To Least Privileges - Automating Your IAM Roles
Guest: Shira Shamban
Guest title: CEO & Co-Founder
In modern cloud environments, Identity and Access Management controls are crucial. Many access decisions are now made not based on network structure but rather on roles and permissions. In this episode we talk (again) with Shira Shamban, founder of Solvo, about cloud IAM challenges - why it is so hard to get IAM right and how Solvo is planning to revolutionize the IAM management process.
0:00 Introducing our guest
3:00 Introducing cloud identity challenges
6:20 Why role management is not enough
11:40 Why we fail to create least-privilege-roles
15:10 How to manage IAM securely - the people angle
18:13 How to manage IAM securely - the process angle
21:08 How to manage IAM securely - the technology angle
31:08 Summary and last words
Episode 24: Putting The Sec Into DevOps
Guest: Dima Revelis
Guest title: Senior DevOps Engineer
DevSecOps is fast becoming the new buzzword for modern information security practices. In this episode we draw on the expertise of Dima Revelis to dive deep into understanding DevOps practices, what a CI/CD pipeline is, and which security tools are relevant to these new practices.
0:00 - Introducing our guest
2:50 - What is DevOps
7:50 - What is a deployment pipeline
14:20 - What is CI and which security testing can be implemented
17:20 - What is CD and which security considerations apply
18:40 - Dive deeper into security testing - QA, code review, static & dynamic analysis
20:45 - So much automation, do we still need manual testing?
22:30 - Additional security aspects: using Jenkins, authentication and authorization, secret management
26:40 - Availability considerations and disaster recovery
33:30 - Summary and final words
Customer Reviews
Thank you for excellent episodes