In this episode, Kinnaird McQuade, Lead Cloud Security Engineer at Salesforce, joins us to talk about his tools Cloudsplaining and Policy Sentry. Policy Sentry provides a framework for writing IAM policies to make it easier to create least privilege policies. Cloudsplaining can help find policies that may allow more access than required.
Keith Monihen joins hosts Scott Alexander and Shaug Evans this episode to talk about the Stelligent book club and how it helps create a culture of learning and shared connection among employees.
Episode Notes
Hosted by Scott Alexander (@salexpdx) and Shaug Evans (@ohshaughnessy)
Interview Guest: Kinnaird McQuade @kmcquade3
Stelligent Guest: Keith Monihen @KeithMonihen
Episode Timeline
- 00:00 Podcast Introduction and welcome
- 01:00 Kinnaird McQuade interview
- 28:15 Discussion of Interview with Scott, Shaug, and Keith
- 33:00 Recent Blog Post
- 36:50 Stelligent Book Club
- 48:00 Closing Contact Information
Relevant Links
- CloudSplaining https://cloudsplaining.readthedocs.io/en/latest/
- Policy Sentry https://policy-sentry.readthedocs.io/en/latest/
- Kinnaird McQuade Website https://kmcquade.com/
- Open Source at Salesforce https://opensource.salesforce.com/
- Salesforce Careers https://www.salesforce.com/company/careers/
- AWS Nuke – https://github.com/rebuy-de/aws-nuke
- Cloud Custodian – https://cloudcustodian.io/
- Cloud Tracker – https://github.com/duo-labs/cloudtracker
Blog posts:
- Trend Micro Smart Scan: https://stelligent.com/2020/05/22/is-my-container-image-secure-ci-cd-container-scanning-using-trend-micro-deep-security-smart-check-and-aws-codepipeline/
- Amazon Inspector Introduction: https://stelligent.com/2020/05/08/introduction-to-amazon-inspector/
- Implementing Amazon Inspector in Automated AMI Pipelines: https://stelligent.com/2020/05/08/implementing-amazon-inspector-in-automated-ami-pipelines/
- CFN Leaprog: https://stelligent.com/2020/05/15/generating-least-privileged-iam-roles-for-cloudformation-and-service-catalog-with-cfn-leaprog/
- Paul Duvall’s Forbes Article: https://www.forbes.com/sites/forbestechcouncil/2020/05/01/exponential-cloud-security/
Books:
- The Year without Pants – https://www.amazon.com/Year-Without-Pants-WordPress-com-Future-ebook/dp/B00DVJXI4M
- People Centric Security – https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture-ebook/dp/B015EZ2PT4
- Accelerate – https://www.amazon.com/Accelerate-Software-Performing-Technology-Organizations-ebook/dp/B07B9F83WM
- Clean Code – https://www.amazon.com/Clean-Code-Handbook-Software-Craftsmanship-ebook/dp/B001GSTOAM
- Clean Architecture – https://www.amazon.com/Clean-Architecture-Craftsmans-Software-Structure-ebook/dp/B075LRM681
Episode Details:
Kinnaird McQuade interview – Discussing cloud security with a focus on two tools that he has released through his employer SalesForce. Key call outs from the discussion with Kinnaird
- Policy Sentry – Open source tool focused on authoring secure IAM policies and creating policies with least privileges by default. This tool was inspired by his own experience trying to build out production systems and helping customers try and write these policies.
- Cloudsplaining – Helps identify where someone could exfiltrate data (like s3:getObject being open to everyone), privilege escalation opportunities, and unrestricted infrastructure modification. It identifies places where overly permissive AWS managed policies are being used that may be able to be limited. This tool can help auditors also by allowing them to look at what roles would have permissions if their goal is to get access to data in an S3 bucket.
- When looking to the future, we need to be making security as self service as possible. We should be creating tools to help make it easier for the developers to create secure software and easier for the security team to ensure that proper standards are being met
- Writing on technical topics can be difficult but is a critical skill for technology workers to have. Pursuing his Bachelors and Masters degrees from Marymount University (A liberal arts college) helped make writing on technical topics one of his strong skills.
- Creating Open Source at Salesforce, they have a team dedicated to helping open source projects from internal tools. Open sourcing security automation tools helps increase the security at many places.
- Salesforce is hiring. Check out their careers page for more information or reach out to Kinnaird on Twitter
- If you have a really cool security tool you’ve been working on internally, definitely open source it so that people outside the company can benefit, and even people inside your company find out about it.
Post interview discussion
Shaug – Many enterprise companies are finding the value of open sourcing internal products as a way to ensure that projects have a higher standard.
Recent Blog Post
- Our Trend Micro Smart Scan blog post uses a “Sample Virus” that is recognized by all engines so you can safely generate positive results to ensure that your processes stop if they find a virus in the image.
- Two posts on Amazon Inspector are now live: introducing Amazon Inspector and then Implementing Amazon Inspector in Automated AMI Pipelines.
- CFN-Leaprog post from Eric Kascic about automating the process to find the least privileges possible to deploy a CloudFormation template.
- Stelligent’s founder Paul Duvall has an article posted in Forbes about the Cyber Security skills gap and ways to address it.
Stelligent Book Club
- The book club was started by Keith during a year when he was trying to read 100 books. He wanted some place to share and discuss what he was reading and didn’t have one.
- The group has read four books so far: Clean Architecture (people preferred Clean Code more), Accelerate (great book), People Centric Security (more for C-level executives), and The Year without Pants (a break from more technical topics)
- The book club provides a social outlet to members even if they haven’t completed the week’s reading. The social aspect is especially valuable for remote workers.
- If you have a book club, make sure to extend an invitation on a regular basis for anyone who may be new to the company or may have not had the time to join previously.
Closing Contact Information
On Twitter, you can find O’Shaughnessy (Shaug) Evans @ohshaughnessy and Scott Alexander @salexpdx. Keith Monihen @KeithMonihen. For more information about Mphasis Stelligent, visit stelligent.com
Intro/Outtro music – Atmosphere by Mi77er
Stelligent Amazon Pollycast
|