This is a quick “let’s think about it together” post focused on the future of cloud security.

Our logical starting point is: “Through 2025, 99% of cloud security failures will be the customer’s fault.” (source: Gartner) My experience in my analyst days and perhaps today mostly confirms it. I’d say that “it feels right.” So, let’s agree that it describes today’s reality correctly.

Next point: now that we agree that this model describes reality in a useful manner, may I suggest that it indicates a problem. In other words, this means something needs to be changed or fixed. Why? …

This is about the Security Operations Center (SOC). And automation. And of course SOC automation.

Let’s start from a dead-obvious point: you cannot and should not automate away all people from your SOC today. Or, as my esteemed colleague said, “Stop Trying To Take Humans Out Of Security Operations.”

Despite this point being dead-obvious today, I want to present a few arguments to further support it — it will be clear why in the end…

We need humans because the attackers are humans with their own creativity, irrationality, weirdness, etc. As one vendor once said, “you have an adversary problem…

Those who follow me on social media already knows this, but we have launched THE Cloud Security Podcast.


Find this on Google Podcasts, Apple Podcasts, Spotify, Stitcher and wherever else podcasts can be found. You can also download the episodes directly here. Follow @CloudSecPodcast.

The whole story from our GCP blog is cross-posted below:

Security continues to be top of mind for large enterprises as well as smaller organizations and businesses. Furthermore, cloud security continues to puzzle many security leaders and technologists. That is why we are excited to announce the launch of the Cloud Security Podcast by Google.

As I mentioned in Detection Coverage and Detection-in-Depth, the topic of threat detection coverage has long fascinated me. Back in my analyst days, we looked at it as a part of a security use case lifecycle process. For example, we focused on things like number and quality of alerts per SIEM use case, false/useless alert (“false positive”) numbers and ratios (to useful alerts), escalations to incident response, tuning, etc.

But what about a more comprehensive look at detection coverage inside each tool? Is there a way to assess the net threat coverage represented by the aggregate detection coverage inside each…

Here is another very fun resource we created (jointly with Andrew Lance from Sidechain), a paper on designing and running data security strategy on Google Cloud.

— —

William Gibson said it best: “The future is already here — it’s just not evenly distributed.”

The cloud has arrived. Data security in the cloud is too often a novel problem for our customers. Well-worn paths to security are lacking. We often see…

I got into a very insightful debate with somebody who will remain nameless in the beginning of this post, but will perhaps be revealed later. The debate focused on the role of context in threat detection.

Specifically, it is about the role of local context (environment knowledge, organization context, site details, etc) in threat detection. Can threat detection work well without such local context?

Now, some of you will say “yes, of course!” and will point at “success” (well, let’s not get into a fight over this) of anti-malware technology. After all, anti-malware tools promise to detect malware using vendor-created…

Back in August, we released our first Google/Chronicle — Deloitte Security Operations Center (SOC) paper titled “Future of the SOC: Forces shaping modern security operations” (launch blog, paper PDF) and promised a series of three more papers covering SOC people, process and technology.

Here is the next paper “Future of the SOC: SOC People — Skills, Not Tiers” (PDF) and you can easily guess it focuses on the PEOPLE aspect of the SOC. As I often said, “A SOC is first a team, all the other stuff comes later” (or something like that).

My favorite quotes are below:

  • “The genealogy…

As I hear of organizations dealing with security when migrating to the cloud, I occasionally observe cases of “extreme lift and shift.” I use this label to describe a case when an organization wants to keep every single security technology that they use on-premise after they move to the public cloud. The list can be very long and tedious; it may include such staples as firewalls, anti-malware, SIEM, EDR, NIDS, and even network forensics and NDR.

Let’s ponder this situation without judgement. Two things come to mind first:

  1. Focusing on controls vs control intent
  2. Adapting to threat model changes


As we discussed in “The Cloud trust paradox: To trust cloud computing more, you need the ability to trust it less”, there are situations where the encryption key really does belong off the cloud and so trust is externalized. While we argue that these are rarer than some assume, they absolutely do exist. Moreover, when these situations materialize, the data in question or the problem being solved is typically hugely important for an organization.

Here are three critical scenarios where keeping the keys off the cloud may in fact be truly necessary [and possible with Hold Your Own Key (HYOK)…

Sometimes great old blog posts are hard to find (especially on Medium), so I decided to do a periodic (who am I kidding, occasional — not periodic) list blog with my favorite posts of the past quarter or so.

Here is my first. The posts below are ranked by lifetime views and topic. It covers both Anton on Security and my posts from Google Cloud blog.

Top 3 most popular posts of all times:

Security operations / detection &…

Anton Chuvakin

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store