3-year anniversary, new AI-built CSOH website, policy as code
Quick recap. The Cloud Security Office Hours community celebrated its 3-year anniversary, with Shawn highlighting the growth of the global participant base and introducing a new website built using AI that is now community-editable via GitHub. The group discussed policy as code, with Tyler presenting on infrastructure as code scanning tools and emphasizing the importance of not scanning for things you don't need to act on. Rev shared insights on the challenges of implementing policy as code in multilingual organizations, while the discussion touched on insider threat considerations and the role of auditors in verifying security controls. The conversation concluded with participants sharing perspectives on audit processes and the balance between security controls and business operations.
Cloud Security Office Hours Anniversary
The meeting marked the third anniversary of Cloud Security Office Hours, which has grown into a global platform connecting professionals across continents. Shawn expressed gratitude for the program's success and the opportunity to witness participants' career growth and friendships. The meeting began with a brief delay as some participants joined late, and Shawn noted the absence of Chris, attributing it to the late hour for him. The session also included a participant seeking a new role in cloud security, DevSecOps, and security automation, sharing their experience and certifications, and expressing openness to various opportunities. Shawn encouraged anyone new to the meeting to introduce themselves, but no new participants raised their hands.
AI-Powered Cloud Security Website
Shawn presented updates to the Cloud Security Office Hours (CSOH) website, which he rebuilt using AI to simplify content management and make it more community-driven. He explained that the site is now hosted on GitHub, allowing anyone to contribute by creating pull requests with suggested changes or additions. Shawn demonstrated new features including a news section, resource categorization, and buttons for suggesting improvements, while emphasizing that the site can be easily hosted on various platforms. The community discussed potential enhancements like adding a guestbook, visitor counter, and animated GIFs, with Stryker offering to contribute news sources and Charlie inquiring about SEO considerations for the static page.
GitHub Static Website Development
The meeting focused on discussing contributions to a simple static HTML website hosted on GitHub. Shawn explained his goal of creating a secure, community-driven site that could be easily modified through pull requests, without adding databases or complex features. Participants discussed potential improvements, including adding schema for better search engine optimization and implementing features like guestbooks or hit counters. Stryker emphasized the importance of following proper security practices when testing the site, while Shawn encouraged participants to attempt adding content or even defacing the site as a challenge, provided it was done securely and ethically.
Policy as Code Implementation Strategy
The team discussed implementing policy as code, with Neil explaining how this approach can automate security policy enforcement and provide the same benefits as DevOps pipelines. Jay emphasized the importance of coordinating with audit and compliance teams, while also suggesting a scheduled approach to policy changes to avoid surprising stakeholders. Rev shared insights on the challenges of managing narrative policies in multilingual organizations, highlighting the advantages of policy as code for better tracking and verification of compliance.
Policy as Code Implementation Challenges
The group discussed policy as code and its implementation across different cloud platforms. Rev explained the benefits of open policy documentation for collaboration and continuous improvement. Neil highlighted the challenges of authoring policies that apply across multiple cloud providers. Jay shared their experience with implementing policy changes and the need for a hierarchical approach. Frederick discussed the unique challenges of threat detection in a fast-paced, Kubernetes-first environment, particularly for smaller companies focusing on DevSecOps. The conversation touched on the intersection of AI and threat detection, as well as the need for harmonized policies across different cloud platforms.
Policy as Code: Detective vs. Preventative
Tyler presented on policy as code, emphasizing its application to infrastructure and software development. He discussed different types of controls, including detective, preventative, and proactive, and highlighted the importance of shifting policy enforcement as far left as possible. Tyler also shared insights on multi-cloud policy management and the use of open-source and commercial tools for infrastructure as code scanning. The discussion touched on the cost of data breaches and the benefits of using existing policy frameworks rather than creating custom policies.
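To make the control types in Tyler's talk concrete, the following added example (not code from the meeting, the CSOH site, or any tool mentioned) is a minimal policy-as-code checker for an infrastructure-as-code plan: preventative policies fail the pipeline, detective policies only report, and policies nobody intends to act on stay disabled so they produce no findings. The resource dictionaries, policy identifiers and check functions are all constructed for illustration.

```python
# Added example: tiny policy-as-code engine over constructed IaC resources.
# Mode "preventative" blocks the pipeline (shift-left gate); "detective" only
# reports. Disabled policies are skipped entirely (don't scan for what you
# won't act on). Policy ids, messages and sample resources are constructed.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Policy:
    id: str
    mode: str                       # "preventative" or "detective"
    enabled: bool
    check: Callable[[dict], bool]   # True when the resource violates the policy
    message: str

def s3_public(r): return r["type"] == "s3_bucket" and r.get("acl") == "public-read"
def sg_open_ssh(r): return r["type"] == "security_group" and any(
    i.get("port") == 22 and i.get("cidr") == "0.0.0.0/0" for i in r.get("ingress", []))
def no_tags(r): return not r.get("tags")

POLICIES = [
    Policy("S3-001", "preventative", True, s3_public, "bucket is publicly readable"),
    Policy("SG-001", "preventative", True, sg_open_ssh, "SSH open to the internet"),
    Policy("TAG-001", "detective", True, no_tags, "resource has no tags"),
    Policy("TAG-002", "detective", False, lambda r: "owner" not in r.get("tags", {}), "no owner tag"),
]

def evaluate(resources, policies=POLICIES):
    """Return (blocking, advisory) findings as (policy id, resource name, message) tuples."""
    blocking, advisory = [], []
    for p in policies:
        if not p.enabled:           # hypothetical: unused policies never run
            continue
        for r in resources:
            if p.check(r):
                (blocking if p.mode == "preventative" else advisory).append((p.id, r["name"], p.message))
    return blocking, advisory

def pipeline_passes(resources) -> bool:
    """Preventative findings gate the deploy; detective findings never do."""
    return not evaluate(resources)[0]

SAMPLE = [  # constructed plan output
    {"type": "s3_bucket", "name": "logs", "acl": "private", "tags": {"env": "prod"}},
    {"type": "s3_bucket", "name": "assets", "acl": "public-read", "tags": {}},
    {"type": "security_group", "name": "bastion", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
]
```

Running `evaluate(SAMPLE)` yields one blocking finding (the public bucket) and two advisory tag findings; the disabled owner-tag policy contributes nothing even though a resource would violate it.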
Policy Transparency and Security Challenges
The meeting focused on discussions around policy as code, insider threats, and audit practices. Neil and Jay debated the merits of publishing policies, with Jay emphasizing the importance of guardrails and automated controls for ensuring compliance. Matt Alvarez raised concerns about insider threats and the potential for policy transparency to aid malicious actors, leading to a broader discussion on balancing security with business processes. The group also touched on the challenges of audits, with Jay highlighting the accountant-like nature of auditors and the need for organizations to be honest in presenting their controls. The conversation ended with reflections on the costs and complexities of audits, as well as a brief tangent on historical nuclear incidents.