Pirates and Castles

Join Jesse as he talks about the two types of security mindsets and why both are wrong, why you should embrace the principle of least privilege, why you’re going to get owned sooner or later if you don’t secure your credentials, why we should teach kids about cybersecurity so they don’t make dumb decisions when they’re adults, how only 17 percent of organizations are encrypting at least half of their data in the cloud, why zero trust is a horrible name for the concept of dynamic contextual authorization, and more.

Caution with Automation

Join Jesse as he talks about the critical role automation plays in security, why you need to be cautious when automating tasks, why you need to patch your Pulse Secure VPN, the M&A extravaganza going on in the cybersecurity space, why you should just let out a big sigh and deploy into a zero-trust architecture today, how it’s important to know wrong behavior but even more useful to know what’s right, how cloud security breaches have officially surpassed on-prem breaches for the first time, why you should enable multi-factor authentication for cloud account access, and more.

Stop Using Passwords, No Really, Stop

Join Jesse as he explains why you should stop using passwords and use a password vault instead, why you should use passphrases when you have to memorize one and what those passphrases should look like, how password vaults are life-changing in remote environments, yet another reason why security teams should shift left, how cybersecurity is an arms race and why teams should implement algorithmic analysis of environments to find suspicious behavior, how there are 193 billion credential stuffing attempts each year, why you should encrypt all data in transit, and more.

A Jump To The Left Not A Step To The Right

Join Jesse as he explores the ins and outs of shifting left and what it means for software development, why you should begin writing code with security top of mind, why you need to check your basic permissions on things like storage and services, how things are changing and security needs to get with the times, how we all struggle to secure all the things and also to secure any of the things, how virtual keyboards can protect you against ransomware attacks, why you should make security training funny, and more.

The Grid Has Fallen and It Can't Get Up

Join Jesse as he examines the importance of infrastructure security and touches upon why it’ll take months or years before it catches up to mainstream cybersecurity, why you should never put keys or passwords into your apps in ways that expose your sensitive data, why your team should be practicing DevSecOps if you aren’t already, why you should always assume your systems are flawed and breakable, the future of nation-state hacking and cracking, how there’s a talent shortage in the security space, why it’s important to understand the way government thinks about cybersecurity and tech, and more.

Meanwhile in Security Trailer

Cloud security is a minefield of news that assumes the word "Security" is lurking somewhere in your job description. It doesn't have to be this way. Weekly cloud security news for people with other jobs to do. Cloud Security For Humans.

All Changes Are Permanent Until Replaced

Join Jesse as he talks about how quick fixes often become de facto supported production implementations, how all changes are permanent until replaced, why you should implement hard controls if you don’t want temporary changes happening in your environment, how Jesse met Duckbill Group CEO Mike Julian, how three of the biggest companies by market capitalization are U.S. tech giants that happen to also be cloud giants, the challenge of securing non-person identities, why you should turn off instances, containers, and cloud services you’re not using, and more.

Hooked on Compliance

Join Jesse as he explores the wonderful world of compliance requirements and talks about why you don’t necessarily need to know the intricate details of every law and framework, some of the best security training and certifications you can get, the NIST cybersecurity framework, why password managers are great as long as you do two things, five objectives for establishing an API-first security strategy, why you need to have your critical services and all of your data in multiple availability zones and spread across multiple regions if possible, why you should always assign permissions to AWS IAM user groups, and more.

ZTA: What's Your Plan?

Join Jesse as he talks about Zero Trust Architecture through the lens of a zombie apocalypse. In this episode, Jesse discusses the basic components of Zero Trust Architecture, how you can go about implementing ZTA, the five key things you need to do to turn ZTA into a reality in your environment, what Zero Trust looks like in the real world, the importance of securing your cloud storage, why you should be auditing your storage on a regular basis, and more.

Zero Trust: Do You Trust Me?

Join Jesse as he takes a look at the Zero Trust model of security and discusses how it works using a multi-tenant office building as a metaphor, how Zero Trust opens possibilities for automating complex access authorization schemes, why Jesse recommends using the NIST ZTA as a foundation for your approach to Zero Trust implementation, how to implement Zero Trust (spoiler: tune in next week!), how the ability to quickly change access rules for accounts connecting to resources or services is at the very core of Zero Trust, and more.

AWS, Verizon, and MEC: Demystified

Join Jesse as he talks about Verizon’s deepening partnership with AWS and the launch of a private mobile edge computing (MEC) service. In this episode, he explores what the new MEC service does, the differences between public and private MECs, how AWS Outpost is essentially an AWS-managed cloud offering delivered as a box or rack of servers in your own data center, the two changes Outpost introduces to the shared security model, AWS Nitro and how it allows for a secure implementation of AWS cloud services while also protecting customer environments and data, the impact MEC might or might not have on your environment, and more.

Know News Is Good News

Join Jesse as he talks about the endless amount of news out there for security professionals and how to find the signal in the noise, how understanding your organizational mission helps you understand your risks, how to develop a news strategy, what your attack surface is and how to think about it, Jesse's recommendation on how to triage your news needs, why you should scan major publications to see what sources are saying across the board before determining what critical elements warrant deeper investigation, and more.

Trilogy of Threes and a New Mantra

Join Jesse as he talks about why it's useful to know how to build a security program from the ground up yet how people never really have the luxury to do so, the difference between security in cloud and on-prem environments, why Jesse encourages newcomers to AWS or the cloud in general to spend ten hours perusing aws.training, the importance of understanding cloud security fundamentals, how securing S3 buckets is the cloud version of securing FTP, why you should always be thinking about the fundamentals of great security, and more.

The Holy Trinity & the CIA Triad

Join Jesse as he explores the Holy Trinity of security: confidentiality, integrity, and availability of all data and services. Find out why Jesse thinks access to and use of services fits under the scope of confidentiality, software supply chain attacks and what you can do to prevent them, DDoS attacks and what you can do to prevent them, how the Golden Triangle of security relates to the Holy Trinity of security, how to ensure your security program is both comprehensive and comprehensible to IT staff and users—not just security professionals and auditors—and more.

The Golden Triangle

In this episode, Jesse opines on the fact that defensive security is much more important than the offensive security that’s portrayed in media, why defending systems is more challenging and rewarding than most people realize, the Golden Triangle and the role people, processes, and technology play in defensive security, what to look for in the people you hire for your security team (spoiler: domain knowledge), how SolarWinds could have protected itself against a recent data breach, why even the smallest of environments still needs tools to monitor incidents, and more.

Welcome and Why Does Security Matter?

Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to. In this episode, Jesse establishes the foundation for an effective security approach while touching upon the importance of security as a mindset instead of a tool, how security is often driven by management or budgetary concerns, which results in waste and frustration, the importance of understanding the why behind security, why organizations often lose sight of the fact that their security plans aren’t the actual goal—protecting data and infrastructure is, Simon Sinek and the neuroscience behind why it’s important to know why you are doing something, how purchasing the right tool is wasted resources without a success plan for implementing said tool, and more.

Introducing Meanwhile in Security

Ever noticed how security tends to be one of those things that isn't particularly welcoming to folks who don't already have the word "security" somewhere in their job title? Introducing our fix to that: Meanwhile in Security. Featuring Jesse Trucks.


Meanwhile in Security is a production of The Duckbill Group. Check out our other publications, Last Week in AWS, Screaming in the Cloud, and AWS Morning Brief.

© The Duckbill Group, 2021