Meanwhile in Security

Links:

• How to Bridge On-Premises and Cloud Identity: https://www.darkreading.com/vulnerabilities—threats/how-to-bridge-on-premises-and-cloud-identity-/a/d-id/1341512
• How AWS is helping EU customers navigate the new normal for data protection: https://aws.amazon.com/blogs/security/how-aws-is-helping-eu-customers-navigate-the-new-normal-for-data-protection/
• Cloud security should never be a developer issue: https://www.securitymagazine.com/articles/95641-cloud-security-should-never-be-a-developer-issue
• Tool Sprawl & False Positives Hold Security Teams Back: https://www.darkreading.com/application-security/tool-sprawl-and-false-positives-hold-security-teams-back/d/d-id/1341517
• The what and Why of Cloud-Native Security: https://containerjournal.com/editorial-calendar/cloud-native-security/the-what-and-why-of-cloud-native-security/
• OSPAR 2021 report now available with 127 services in scope: https://aws.amazon.com/blogs/security/ospar-2021-report-now-available-with-127-services-in-scope/
• Researchers Create New Approach to Detect Brand Impersonation: https://www.darkreading.com/endpoint/researchers-create-new-approach-to-detect-brand-impersonation/d/d-id/1341549
• Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia?: https://www.adlawaccess.com/2021/07/articles/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia/
• CISA Launches New Website to Aid Ransomware Defenders: https://www.darkreading.com/threat-intelligence/cisa-launches-new-website-to-aid-ransomware-defenders/d/d-id/1341539
• stopransomware.gov: https://stopransomware.gov

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.

Jesse: There are several larger topics within the realm of cybersecurity that come up constantly. Subscribers of MiS are likely seeing these emerge from topics I cover. Some of the most common themes lately are compliance, privacy, ransomware, and DevSecOps. So, we are all working from common definitions, let’s elaborate a bit on each.

Compliance is the process of meeting some list or lists of requirements, usually have an outside agency of some sort. Most people think about this in terms of laws like GDPR, SOC, HIPAA, FERPA, and others. These are great examples, but compliance includes meeting certification requirements like SOC 2, various ISO certifications, or PCI.

Privacy gets broad in terms of implementation, but at its core, it means the protection of information related to a person or organization. Basically, don’t collect or disclose things you don’t absolutely need to, and always ensure you have permission before any collection or disclosure of information.

Ransomware is the software that will destroy or disclose—or both—your data if you don’t pay someone. DevSecOps is the methodology of writing software with secure practices and systems in mind from the start. It’s that whole shift-left thing.

Meanwhile in the news. How to Bridge On-Premises and Cloud Identity. Identity and access management, or IAM, is difficult without introducing wholly different environments. We have to pick an IAM solution, so we choose what works across all our environments and services. Of course, ultimately, this means implementing Single Sign-On, SSO, of some sort as well.

Sophisticated Malware is Being Used to Spy on Journalists, Politicians and Human Rights Activists. Not all horrible software sneaking into our devices and systems are from hidden criminal or enterprises or nation-state sponsored groups. Some of it sadly comes from for-profit companies. Just like a hammer can be used for horrible things, so can some security software.

A Complex Kind of Spiderweb: New Research Group Focuses on Overlooked API Security. APIs run our whole cloudy world. They’re the glue and crossovers communication mechanisms rolled into one conceptual framework. However, while we may introduce security flaws in our use of the billion APIs we have to use, the APIs themselves might have security vulnerabilities as well. I’m interested in the output from this practical research group to see if this bolsters API use and implementation in general.

How AWS is helping EU customers navigate the new normal for data protection. Managing regulatory compliance is a circus act on a good day. On a bad day, it’s a complex web of sometimes conflicting and sometimes complementary solutions. Many organizations worldwide need to meet EU regulations, so be sure to know if you must as well.

Cloud security should never be a developer issue. I first thought this was the counterargument to the shift-left and DevSecOp movements, but this piece support...