Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.

My recent experience prepping a commercial space for a state fire marshal office inspection and approval has me thinking about compliance and security and ever-present ‘temporary’ fix for things. How many times have we said, “Oh, I’ll just do this quick fix to get us by,” and that quick fix becomes the de facto supported production implementation? Repeat after me: all changes are permanent until replaced. All changes are permanent until replaced.

Anything we alter at all, whether it in computing or in real life, is a permanent alteration until it is replaced by a new alteration, or by a natural corrective or evolutionary process, like decay. We cut our hair and it grows back. We weed our gardens and the weeds return. If you don’t want temporary changes happening in your environment, then implement hard controls that will correct any aberrations that come up. Cloud-native architectures give us the tools to force this by making it seamless to close down and erased from existence anything that veers from your ideal. Take advantage of this now.

Meanwhile, in the news. Password reset code brute force vulnerability in AWS Cognito. If you use this AWS service, you should read this one. Although it is now patched, it’s good to understand how AWS Cognito works more closely, which is true for any other security service you rely upon that is hosted by your cloud provider or other vendor.

Task force seeks to disrupt a ransomware payment. This is tangentially related to cloud security because both Amazon and Microsoft has joined up on this one, but I’m personally fascinated by strange frenemy combinations who work together on these things. I’m watching for either interesting things to happen with their recommendations that could have an impact on disclosure of ransomware incidents, or for it all to fizzle out to do nothing.

Is your cloud raining sensitive data? Kubernetes generally needs securing like any other service. Time to stop ignoring your newest infrastructure and lock Kubernetes down. However, if you want real security for your Kubernetes clusters, you should look at a robust solution like Fairwinds Insights. I’m a big fan of outsourcing tool development to experts.

Enterprise lift and shift to the public cloud requires a newer type of API and cloud security program to prevent data breaches. Ignoring some glaring editing mistakes, which is rather difficult for me to do, I’d like this easy-to-read case study of a traditional on-prem infrastructure going through a lift-and-shift cloud migration. This piece specifically addresses some of the serious security implications of doing this, and how your attack surface changes dramatically in the process.

NOAA shifts some key environmental data processing to the cloud. This one is important to me personally. Years ago, when I was a security engineer for the United States Department of Energy Oak Ridge National Laboratory High-Performance Computing Group—boy, that’s a mouthful—I helped ensure security for one of the National Oceanic and Atmospheric Administration—or NOAA—supercomputers doing climate research. NOAA moving any of its compute systems supporting global research is a very big deal, and this is a great example of why AWS GovCloud is helping the US federal government modernize and move to the cloud. Also, mixing an acronym-heavy industry wit