In this episode, Kinnaird McQuade, Lead Cloud Security Engineer at Salesforce, joins us to talk about his tools Cloudsplaining and Policy Sentry. Policy Sentry provides a framework for writing IAM policies to make it easier to create least privilege policies. Cloudsplaining can help find policies that may allow more access than required.

Keith Monihen joins hosts Scott Alexander and Shaug Evans this episode to talk about the Stelligent book club and how it helps create a culture of learning and shared connection among employees.

Episode Notes

Hosted by Scott Alexander (@salexpdx) and Shaug Evans (@ohshaughnessy)

Interview Guest: Kinnaird McQuade @kmcquade3

Stelligent Guest: Keith Monihen @KeithMonihen

Episode Timeline

  • 00:00 Podcast Introduction and welcome
  • 01:00 Kinnaird McQuade interview
  • 28:15 Discussion of Interview with Scott, Shaug, and Keith
  • 33:00 Recent Blog Post
  • 36:50 Stelligent Book Club
  • 48:00 Closing Contact Information

 

Relevant Links

Blog posts:

Books:

Episode Details:

Kinnaird McQuade interview – Discussing cloud security with a focus on two tools that he has released through his employer SalesForce.  Key call outs from the discussion with Kinnaird

  • Policy Sentry – Open source tool focused on authoring secure IAM policies and creating policies with least privileges by default. This tool was inspired by his own experience trying to build out production systems and helping customers try and write these policies.
  • Cloudsplaining – Helps identify where someone could exfiltrate data (like s3:getObject being open to everyone), privilege escalation opportunities, and unrestricted infrastructure modification. It identifies places where overly permissive AWS managed policies are being used that may be able to be limited.  This tool can help auditors also by allowing them to look at what roles would have permissions if their goal is to get access to data in an S3 bucket.
  • When looking to the future, we need to be making security as self service as possible.  We should be creating tools to help make it easier for the developers to create secure software and easier for the security team to ensure that proper standards are being met
  • Writing on technical topics can be difficult but is a critical skill for technology workers to have. Pursuing his Bachelors and Masters degrees from Marymount University (A liberal arts college) helped make writing on technical topics one of his strong skills.
  • Creating Open Source at Salesforce, they have a team dedicated to helping open source projects from internal tools. Open sourcing security automation tools helps increase the security at many places.
  • Salesforce is hiring.  Check out their careers page for more information or reach out to Kinnaird on Twitter
  • If you have a really cool security tool you’ve been working on internally, definitely open source it so that people outside the company can benefit, and even people inside your company find out about it.

Post interview discussion

Shaug – Many enterprise companies are finding the value of open sourcing internal products as a way to ensure that projects have a higher standard.

Recent Blog Post

  • Our Trend Micro Smart Scan blog post uses a “Sample Virus” that is recognized by all engines so you can safely generate positive results to ensure that your processes stop if they find a virus in the image.
  • Two posts on Amazon Inspector are now live: introducing Amazon Inspector and then Implementing Amazon Inspector in Automated AMI Pipelines.
  • CFN-Leaprog post from Eric Kascic about automating the process to find the least privileges possible to deploy a CloudFormation template.
  • Stelligent’s founder Paul Duvall has an article posted in Forbes about the Cyber Security skills gap and ways to address it.

Stelligent Book Club

  • The book club was started by Keith during a year when he was trying to read 100 books.  He wanted some place to share and discuss what he was reading and didn’t have one.
  • The group has read four books so far: Clean Architecture (people preferred Clean Code more), Accelerate (great book), People Centric Security (more for C-level executives), and The Year without Pants (a break from more technical topics)
  • The book club provides a social outlet to members even if they haven’t completed the week’s reading. The social aspect is especially valuable for remote workers.
  • If you have a book club, make sure to extend an invitation on a regular basis for anyone who may be new to the company or may have not had the time to join previously.

 

Closing Contact Information

On Twitter, you can find O’Shaughnessy (Shaug) Evans @ohshaughnessy and Scott Alexander @salexpdx. Keith Monihen @KeithMonihen. For more information about Mphasis Stelligent, visit stelligent.com

 

Intro/Outtro music – Atmosphere by Mi77er

Stelligent Amazon Pollycast
Voiced by Amazon Polly