
New Video from @CloudSecurityPodcast: Expert Santo Discusses Cloud Security and Exception Management
In this video, the Cloud Security Podcast welcomes Santo, a cybersecurity practitioner with extensive experience in the field. Santo describes his professional journey, which began with an early curiosity about hacking and continued through cybersecurity studies, threat-hunting roles, and governance, risk, and compliance (GRC) management. He currently works at Humana, where his particular focus is managing exceptions in the cloud.

The episode covers several key topics, starting with why exception management matters in cloud environments. Santo explains that exceptions are usually granted for legitimate reasons, but if they are not monitored they can expose the organization to risk. He stresses that exception management must be integrated into a continuous monitoring framework so that security configurations remain compliant with regulatory requirements.

A central point of the discussion is automating exception management. Santo explains that automation allows exceptions to be monitored and managed more effectively, which reduces security risk. He describes how his team built certified components with security checks built in, so that developers can deploy services quickly while still adhering to security standards. This approach is particularly useful in a multi-cloud environment, where security policies must be applied consistently across different platforms.

Santo also shares advice on how to start implementing automated exception management. He recommends first defining a security baseline and mapping every security configuration to the compliance requirements it satisfies, then monitoring those configurations so that they stay compliant. With that foundation in place, teams can integrate infrastructure-as-code scanning tools and cloud-native policies to automate exception management. The discussion then turns to the technical challenges encountered when implementing this automation.
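To make the sequence above concrete (baseline, mapping to controls, continuous evaluation, exceptions handled in the same loop), here is an added example written for this summary. It is not code from the podcast, from Santo, or from Humana. It evaluates a constructed resource inventory against a small baseline of rules, each tagged with a placeholder control reference, and consults a register of exceptions that carry an owner, a justification and an expiry date. A deviation covered by a current exception is reported as excepted instead of failing; an exception that has expired, or that no longer matches any deviating resource, is surfaced as its own finding so that it cannot be quietly forgotten. All rule IDs, control references, resource records and exceptions are constructed for illustration.

```python
"""Baseline evaluation with a register of time-bound, owned exceptions (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    control: str                   # control the rule maps to (placeholder mapping)
    description: str
    applies_to: Tuple[str, ...]    # compute/storage types the rule is meaningful for
    check: Callable[[dict], bool]  # True when the resource is compliant


@dataclass(frozen=True)
class ExceptionRecord:
    resource_id: str
    rule_id: str
    owner: str          # who accepted the risk
    justification: str  # why the deviation is legitimate
    expires: date       # the exception no longer applies after this date


# Constructed baseline; control references are placeholders, not a real framework mapping.
BASELINE: List[Rule] = [
    Rule("STOR-001", "CTRL-STOR-PUBLIC", "Storage must not be publicly readable",
         ("bucket",), lambda r: not r.get("public_read", False)),
    Rule("STOR-002", "CTRL-STOR-ENCRYPT", "Storage must be encrypted with a managed key",
         ("bucket",), lambda r: r.get("encryption") == "kms"),
    Rule("NET-001", "CTRL-NET-ADMIN-PORTS", "No SSH (22) exposed to 0.0.0.0/0",
         ("vm",), lambda r: "0.0.0.0/0:22" not in r.get("ingress", [])),
    Rule("IAM-001", "CTRL-IAM-WILDCARD", "Execution role must not grant '*' actions",
         ("function", "container"), lambda r: "*" not in r.get("role_actions", [])),
]

# Constructed inventory, one record per resource, as an asset export might provide it.
INVENTORY: List[dict] = [
    {"id": "bkt-public-site", "type": "bucket", "public_read": True, "encryption": "kms"},
    {"id": "bkt-logs", "type": "bucket", "public_read": False, "encryption": "none"},
    {"id": "vm-bastion", "type": "vm", "ingress": ["0.0.0.0/0:22"]},
    {"id": "fn-etl", "type": "function", "role_actions": ["s3:GetObject", "*"]},
    {"id": "ctr-api", "type": "container", "role_actions": ["sqs:SendMessage"]},
]

TODAY = date(2024, 6, 1)  # fixed evaluation date so the run is reproducible

# Constructed exception register.
EXCEPTIONS: List[ExceptionRecord] = [
    ExceptionRecord("bkt-public-site", "STOR-001", "web-team",
                    "Static marketing site, intentionally public", date(2025, 1, 31)),
    ExceptionRecord("vm-bastion", "NET-001", "platform-team",
                    "Temporary during migration", date(2024, 3, 31)),   # already expired
    ExceptionRecord("vm-old-bastion", "NET-001", "platform-team",
                    "Decommissioned host", date(2024, 12, 31)),         # resource no longer exists
]

ACTIONABLE = {"FAIL", "EXCEPTION_EXPIRED", "EXCEPTION_STALE"}


def evaluate(resources: List[dict], rules: List[Rule],
             exceptions: List[ExceptionRecord], today: date) -> List[dict]:
    """One finding per (resource, applicable rule), plus one per exception left unused."""
    for exc in exceptions:  # an exception without an accountable owner or a reason is rejected
        if not (exc.owner and exc.justification):
            raise ValueError(f"exception {exc.resource_id}/{exc.rule_id} lacks owner or justification")
    register: Dict[Tuple[str, str], ExceptionRecord] = {(e.resource_id, e.rule_id): e for e in exceptions}
    controls = {r.rule_id: r.control for r in rules}
    findings: List[dict] = []
    for res in resources:
        for rule in rules:
            if res["type"] not in rule.applies_to:
                continue
            key = (res["id"], rule.rule_id)
            exc = register.get(key)
            if rule.check(res):
                status = "PASS"  # a matching exception, if any, is left in the register and reported as stale
            elif exc is None:
                status = "FAIL"
            else:
                register.pop(key)  # the exception is consumed by a real deviation
                status = "EXCEPTION_EXPIRED" if exc.expires < today else "EXCEPTED"
            findings.append({"resource": res["id"], "rule": rule.rule_id, "control": rule.control,
                             "status": status,
                             "owner": exc.owner if status in ("EXCEPTED", "EXCEPTION_EXPIRED") else None})
    # Whatever is left matched no current deviation: the resource is gone, the rule no
    # longer applies, or the configuration is compliant again. Either way the record is stale.
    for exc in register.values():
        findings.append({"resource": exc.resource_id, "rule": exc.rule_id,
                         "control": controls.get(exc.rule_id), "status": "EXCEPTION_STALE",
                         "owner": exc.owner})
    return findings


def needs_action(findings: List[dict]) -> List[dict]:
    """Open deviations plus exceptions that lapsed or went stale; each has an owner or a rule to chase."""
    return [f for f in findings if f["status"] in ACTIONABLE]


def summarize(findings: List[dict]) -> Dict[str, int]:
    return dict(Counter(f["status"] for f in findings))


def status_of(findings: List[dict], resource: str, rule: str) -> str:
    return next(f["status"] for f in findings if f["resource"] == resource and f["rule"] == rule)


def run() -> List[dict]:
    return evaluate(INVENTORY, BASELINE, EXCEPTIONS, TODAY)


if __name__ == "__main__":
    results = run()
    for f in results:
        print(f"{f['status']:<18} {f['resource']:<16} {f['rule']:<9} {f['control']}  owner={f['owner']}")
    print(summarize(results))
```

Run against the constructed data, the public bucket is reported as excepted under the web team's current exception, the bastion's exception is reported as expired (the port is still open, so this is a live deviation that has outgrown its approval), and the exception for the decommissioned host is reported as stale. Running this on every inventory refresh is the continuous-monitoring part: the exception register is evaluated with the same cadence as the configurations it modifies, rather than being reviewed once at approval time.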
Santo explains that exceptions vary with the compute type in use, whether virtual machines, serverless functions, or containers. He emphasizes the importance of building a library of policy and IaC (infrastructure as code) definitions so that these exceptions are handled consistently.

In terms of maturity, Santo describes the levels an organization can aim for. The first is having cloud-native policies in place to prevent configuration drift. The next is creating certified components that allow rapid, secure scaling. Finally, organizations can begin remediating existing resources and integrating SaaS components that meet their internal security standards.

Santo also offers practical advice for listeners and GRC teams. He recommends starting by understanding the compliance requirements specific to their industry and creating reference architectures that build those requirements in. He again emphasizes continuous monitoring to ensure that exceptions are properly managed and that configurations remain compliant.

In closing, Santo shares a few personal details, including his interest in home automation and his love of Indian and Mediterranean cuisine. He invites listeners to contact him on LinkedIn to learn more about his work and projects.

To learn more, watch the full video at: https://www.youtube.com/watch?v=_sNQ5pzEJuE