[05-02-24]--Join us tomorrow for “Hacking the Value of GRC”

Capture the CISO!
Capture the CISO! Season 2 Episode 3 Out Now!

Capture the CISO, Season 2 is back! Listen to the third episode, available now, and see the contestants’ videos!

Super Cyber Fridays!
Join us TOMORROW, Friday [05-03-24], for "Hacking the Value of GRC"

Hacking the Value of GRC

Join us TOMORROW, Friday, May 03, 2024, for “Hacking the Value of GRC: An hour of critical thinking of how compliance can kickstart your risk program.”

It all begins at 1 PM ET/10 AM PT on Friday, May 03, 2024 with guests Kim Elias, senior compliance specialist, Vanta, and Norman Hunt, deputy CISO, GEICO. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Vanta


Defense in Depth
Scaling Least Privilege for the Cloud


Scaling least privilege in the cloud remains challenging. Throwing more people at the problem isn't feasible, so how are you managing it?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our sponsored guest, Sandy Bird, co-founder and CTO, Sonrai Security. 

A roadmap for scale

You need a plan to achieve least privilege in the cloud. But that doesn’t mean you need to do everything at once. Jonathan Waldrop, CISO of The Weather Company, laid out a sensible roadmap, saying, "Start small. Select one permission in your environment to test the plan. Once you find success in not breaking things, continue and expand that process. You must have a solid process for requesting the permission.” Automation tools can be part of this, but you also need to account for contingencies where they lock out legitimate users.

The least privilege planes of existence

Organizations need to apply least privilege to both the control and data planes for it to be successful. But this comprehensive approach can create bottlenecks if you don’t plan ahead. "If you have hundreds or thousands of services and want to avoid the identity and access management (IAM) team becoming the bottleneck, you need to enable each service team to manage the permissions. Use permission boundaries to set the maximum permissions allowed," said Clement Chen of HiddenRoad. Managing permissions isn’t just a mechanical action. Samarth Rao of LinkedIn reminds us that this depends on having effective communication to keep it up. "Identify your most critical resources in the cloud and discover who has privileged access to its control and data plane. Enforce policies by opening a communication channel with owners and involving them in authoring proper JIT policies. It's easy for IAM teams to automate this as they know the lay of the land,” said Rao.

The role of access controls

The utility of role-based access control (RBAC) might be on the wane. Vaughan Shanks of Cydarm Technologies pointed out that years of experience with RBAC shows that it leads to unwieldy role proliferation, saying, "An alternative approach is Attribute-Based Access Control (ABAC). You can apply ABAC to manage access to cloud-based resources by utilizing tags as attributes on resources, and group memberships as attributes on user principals and service principals." None of this is possible though if you don’t know what you have. "To secure or limit access to something effectively, you must have a solid data inventory. Then you can work on your IAM policies with a least privilege principle mindset," said Mauricio Ortiz of Merck.
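To see how the two mechanisms above compose, a permission boundary that caps what each service team can grant itself and an ABAC rule keyed on tags, here is an added Python model (not code from the page, Sonrai Security, or AWS; the policy shapes, team names and bucket ARNs are constructed, and the evaluation rules are a simplification of IAM semantics):

```python
# Added illustration, not code from the page or any vendor: a toy evaluator for
# permission boundaries and tag-based ABAC. It loosely mirrors AWS IAM (the
# boundary caps the identity policy, explicit deny wins) but is a simplified model.
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Statement:
    effect: str               # "Allow" or "Deny"
    actions: tuple            # action patterns such as "s3:Get*"
    resources: tuple          # resource patterns, "*" for any
    same_team: bool = False   # ABAC condition: resource tag "team" == principal tag "team"

def _matches(stmt, action, resource, principal_tags, resource_tags):
    if not any(fnmatch(action, a) for a in stmt.actions):
        return False
    if not any(fnmatch(resource, r) for r in stmt.resources):
        return False
    if stmt.same_team and principal_tags.get("team") != resource_tags.get("team"):
        return False
    return True

def _evaluate(policy, action, resource, principal_tags, resource_tags):
    """'Deny' if any matching Deny, 'Allow' if any matching Allow, else 'Implicit'."""
    decision = "Implicit"
    for stmt in policy:
        if _matches(stmt, action, resource, principal_tags, resource_tags):
            if stmt.effect == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(identity_policy, boundary, action, resource, principal_tags, resource_tags):
    """Effective permission is the intersection: both policies must allow, a deny in either wins."""
    args = (action, resource, principal_tags, resource_tags)
    return _evaluate(identity_policy, *args) == "Allow" and _evaluate(boundary, *args) == "Allow"

# Constructed sample: the IAM team sets the ceiling, the service team writes its own policy.
BOUNDARY = (
    Statement("Allow", ("s3:*", "ec2:Describe*"), ("*",)),
    Statement("Deny", ("iam:*",), ("*",)),
)
PAYMENTS_TEAM_POLICY = (
    Statement("Allow", ("s3:Get*", "s3:Put*"), ("arn:aws:s3:::*",), same_team=True),
    Statement("Allow", ("iam:CreateUser",), ("*",)),  # over-broad, but the boundary caps it
)
PAYMENTS_ENGINEER = {"team": "payments"}

def check(action, resource, resource_tags):
    """Decision for a payments engineer under the team policy and the boundary."""
    return is_allowed(PAYMENTS_TEAM_POLICY, BOUNDARY, action, resource, PAYMENTS_ENGINEER, resource_tags)
```

The engineer can read a bucket tagged with their own team, is refused a bucket tagged for another team, and cannot create IAM users even though their team policy says so, because the boundary never allowed it.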

Least privilege in the cloud requires diligence

It can be easy to wish for a simple solution to enable least privilege. But Amit Arora of AWS points out that the principles are well known; we just need the diligence to stick with them, saying, "Guardrails and more guardrails and monitoring and more monitoring and evaluation and more evaluation. Then have a break glass mechanism because no one wants a bottleneck when your developer wants to debug a compute instance which is infected with malware in production. And the guardrails around break glass and monitor and more monitor."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Sonrai Security


LIVE!
PREVIEW: CISO Series Podcast LIVE in San Francisco 5-5-24


The CISO Series Podcast returns once again to the Bay Area on the eve of RSA Conference as part of the entertainment at BSidesSF! Joining me on stage will be Mike Johnson, CISO, Rivian and Steve Zalewski, co-host, Defense in Depth.

Tickets for BSidesSF are available here.

WHERE: Metreon, theater 13 (135 Fourth Street, San Francisco, California, 94103)

HUGE thanks to our sponsors, Devo, Eclypsium and NetSPI


LIVE!
CISO Series Game Show LIVE in San Francisco (05-07-24)


All your favorite games from Super Cyber Friday, brought to the stage for one special afternoon during the week of RSA 2024 in San Francisco. CISO Series will be hosting this event, and David Spark will be the emcee. We’ll have lunch (while it lasts), a bunch of really fun cyber games, and prizes.

EVENT: CISO Series’ Super Cyber Game Show Friday (TUESDAY EDITION)

WHERE: W Hotel, 181 3rd St, San Francisco, CA 94103 (2nd Floor)

WHEN: Tuesday, May 7th, 2024 from 12:30pm-1:30pm PT (come early for lunch!)

HUGE thanks to our sponsor and host, Veracode


LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Phil Beyer, former CISO, Etsy.

Thanks to our Cyber Security Headlines sponsor, Dropzone AI


Cyber chatter from around the web...
Jump in on these conversations

"Do Security Engineers and GRC people like each other or is it a secret dislike?" (More here)

"Taking over as the head IT/Cybersecurity guy for a small company" (More here)

"Where do you get your news? Breaches, Threat Reports, how do y'all stay informed?" (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [05-03-24] Hacking the Value of GRC

  • [05-10-24] NO SHOW

  • [05-17-24] Capture the CISO Finale

  • [05-24-24] NO SHOW

  • [05-31-24] Hacking Microsoft Copilot

  • [06-07-24] Hacking SOC 2 vs. ISO 27001

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.