Episode Summary

11:11 Systems Director of Cloud Market Intelligence Brian Knudtson is joined by guests Zoë Rose, Ryan Laverdiere, and John Grange for a conversation about securely configuring the cloud. They discuss how to avoid leaking data, how important it is to change default configurations, and where to find guidance. The takeaway: never, never, never (well, almost never) accept the default configuration settings for your cloud provider workloads.

Panel

Cloud Conversations

Topic 1

[02:48]  What do people need to know when setting up cloud systems and storage to avoid leaking data?

Topic 2

[08:56] Talk a little bit about where cloud configuration defaults can be trusted and maybe where they absolutely should always be changed.

Topic 3

[17:45] Do you have any recommendations out there that people should look for to find information that they need to properly configure or set their environment up so that they can secure their data?

Cloud Bites

[04:33] “Security isn’t a one time thing. It’s an ongoing thing.”  — Zoë Rose 

[05:41] “If you…have a plan…upfront, I think it can be actually much simpler in the long run to actually have these things be secure.” — John Grange 

[07:15] “remember, when the cloud providers add a new feature to their storage product, that is a new configuration change. So your posture has changed from before.” — John Grange

[08:22] “The very first part is: bring security from the beginning of the discussion.” — Zoë Rose

[09:23] “While we all have the same goal of ensuring confidentiality, integrity and availability, we’re all making decisions around what our organization’s acceptable risk level is” — Ryan Laverdiere

[10:52] “I think there’s a lot of room for improvement with security defaults among cloud providers. But I think it’s also nearly impossible to create a default configuration that meets the needs of all organizations.” — Ryan Laverdiere

[12:43] “It’s unlikely that defaults are going to work for you every time across the board. And if that’s the case, that means you probably just need to automate as much as you possibly can.” — John Grange

[14:31] “I would argue actually default should never be accepted. Even if the default works for you at this point in time, it should always be assessed first before deploying anyway.” — Zoë Rose

[18:26] “A lot of the industry guidance has coalesced a lot around the Center for Internet Security Benchmarks, and particularly the ones that they have for the various cloud providers.” — John Grange

[20:57] “The provider is in the best position to provide information about the vulnerabilities that you could face and also the areas of weakness you could improve upon.” — Ryan Laverdiere 

[23:25] “when you’re going to a third party. You’re not actually getting rid of the responsibility of security, which I think is often forgotten.” — Ryan Laverdiere