Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Varonis: Multi-Cloud Security Posture and AI Data Risks

Varonis
07/03/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


I'm your host, Megan Garza. This week's episode is a continuation of my chat with Jonathan Rao, VP and Distinguished Engineer at Query. During our conversation, Jonathan talked about threat modeling, the impacts of AI on organizations, and which podcasts he makes sure to never miss. If you missed part one of my conversation with Jonathan, check out the full post at varonis.com flash blog. Now sit back, relax, and enjoy part two of Speed Data featuring Jonathan Rao. Welcome to the show, Jonathan. Hey, Megan. Good morning. It's great to be here. Jonathan's expertise in data security and protection has earned him a spot as a top cybersecurity voice on LinkedIn. A former board advisor, CISO, and four-year Army veteran, Jonathan has honed his skills at Cisco, NBC, Nationwide, and Blue Cross Blue Shield. His time at Amazon Web Services helped him author Electric Eye, a multi-cloud, multi-SaaS, Python CLI tool that continuously monitors AWS services or misconfigurations that may be degrading the CIA triad. And Jonathan is not garnering hundreds of comments and reshares on social media. The AWS Community Builder volunteers with AmVet, a nonprofit that supports American veterans. Jonathan, you have quite the background. What are some of the biggest challenges to understanding your security posture across platform? I think it's more like just the difference of how it works and how some of the service level configurations are. I learned this the hard way writing Electric Eye, right, where certain clouds expose more security bells and whistles than others. So Oracle Cloud, Google Cloud, they both have their own VM service and they allow you to do things like best with like a virtual TPM. They allow you to set enclaves, they allow you to set secure boot modes. And there's a lot more to just standing up a VM than there is on, let's say, Amazon EC2 or like, hey, IMDS version two, do you want to encrypt DBS? And then you just kind of send it. I'd say one's more secure than the other. But when you're actually analyzing these things, how they all come together is really the harder part because you have different tools and different clouds. Some of them are encrypted by default. Some of them didn't have the same amount of identity protection, right, where the way that you write policies in Oracle is completely different than the way that you do like this very fine grained conditional based resource policies on, let's say, the Amazon Web Services cloud. So really, it's taken that kind of step back and like, all right, what's our threat environment? What's our core business model? Let's start threat modeling. Let's figure out, you know, where attackers could get in. What's important? Where's our important data or app logic? You know, can you shut us down? Do we even care about DDoS? Is that something that we're targeted by? What are the different threat families that could attack us? And then working its way down to saying like, OK, the CSPM tools tell me that Secure Boot isn't on or that it is on. Does any of that actually matter in the overall calculus? So that's really the hard part. I think we get away from that strategic view and just want to look to make a tree of green dots all over a CSPM. And I'm guilty of it, right, of perpetuating that culture, because Electric Eye has like a thousand checks across all these different cloud platforms and SaaS tools. But really, it's meant to use as a gauge only when it matters, just because a tool says it's bad. And in some cases, it's bad, like use MFA. Don't allow admins everywhere. Don't allow, you know, all the ports open all the time in all your apps. That should be a given. But when it gets down to like that smaller resource level configuration, that's where you actually need to, you know, get the old noggin joggin and start to think like, all right, maybe does this really matter in the grand scheme of things? Let's talk about the buzzword today, AI. How is AI impacting data security, both positively and negatively? I think it's scaring a lot of people. So maybe that's positive if you sell data security. Maybe it's negative as well. But AI as a force multiplier, I think that the large language models, if we're looking at just from like a natural language processing perspective, are really good at taking big data analytics out of the hands of the end analyst, right? So if I'm in a SIM tool, the second I get more than like 100, maybe even 50 results back from a specific query, maybe it's a detection, a hunting query, you know, my eyes glaze over. It's really, really hard, let alone across tens of thousands. Gen AI, LLM models, you know, most of like the mainstream ones, GPT-4 and GPT-4-O, the new Mistral ones, the new Anthropics, like the CloudBreeze Sonnets and Haikus and whatnot. Those are really great at gaining context and digging through that stuff. And it's, you know, good to help people write and it's good to help people, you know, even author threat models and papers at some perspective. But the danger is more, you know, and I don't want to say danger, but the risk is there for the businesses who may come out with these GAI, these generative AI products to let their end users use. I think we've all seen, you know, Google's using Reddit as their training data and Reddit is full of trash talkers online. So now if you're looking up a medical question, it might tell you to go smoke seven cigarettes and do a backflip off a bridge instead of talk to your doctor, right? There's, you know, car dealerships who put up Gen AI chatbot tools that are just struts on top of GPT-3-5-Turbo, and then they're convincing it to give them a discount on like, you know, $140,000 GLS-580, right? So I think there's more like the implementation danger, because at the end of the day, it's just, you know, a discriminator really just takes in a bunch of data, and then it has some textual analysis that it does and spits it back out at you. And then it's like, well, where does that data go? Is it being used as training data by the people who own or host the model? What happened to the user intent? What happens to user sessions? Are users able to see across their sessions? And now you start getting into like AI threat modeling. And so all that stuff, I think, is perking it. But again, you know, to harken back to my last answer, it's putting on the strategic cap to be like top down, like, is this AI tool even capable? Is the delaying chain or whatever that middleware I'm using, does it retain sessions? Does it retain memories? Where's the data going back to? Can I gate it somehow at a firewall? Can I self-host it? These are all questions you need to ask before you panic and just make generalizations about it. But I think it's more of a boon right now than it is a curse. I think the curse part of it kind of gets overplayed. But there's a lot that we still don't know about AI, and there's a lot more that we're going to continue to learn. And I think the really refreshing thing is that as an industry, at least, you know, just from seeing it on LinkedIn with a couple, you know, thousand people I'm connected with, a lot of people are taking it seriously or at least trying to educate themselves about it. And that's completely different than cloud security, where it's kind of like, ah, you know, that'll never catch on. And now here we are. So it's good, I think, overall, to see the attitude around it. And now you mentioned LinkedIn. You have a significant online presence and audience. What newsletters, blogs, podcasts would you recommend? Oh, this podcast thing. Yeah. Yeah. You know, I wish there was enough hours in the day to consume a bunch of stuff. I mean, I try to listen. So I guess the big one is a good friend of mine, Darwin Salazar. He's at Monad right now. He writes a security newsletter. Ross Halyuk writes it kind of like from a venture product management perspective as well. You have the Cyber Ranch, which is really good. David Sparks has, you know, like the Defense of Debt podcast. Query's been on it, not myself, with my CEO, Matt Eberhardt. Those are always good to listen to. And really, you know, not so much the newsletters and the podcast, but just engaging with people is where I find the most value. Being able to kind of, you know, get a good crop of like 50 to 100 people who put out stuff that's interesting. There's a lot of folks on the data side that put out a ton of great stuff. There's a lot of companies, you know, shout out to OneHouse and to their staff, Data Engineer. They put out blogs, I feel like every day talking about Apache Hoodie, talking about Lake Houses, talking about data analytics and engineering. So I think it's almost better to find somebody like that who could curate it. Because at the end of the day, you know, podcasts, you're really stuck to a schedule. You're stuck to a specific guest with a specific topic, kind of like now, right? Where somebody just sharing their opinion and, you know, hopefully useful stuff, I think is also a lot stronger, you know, so to lean in and use the power of the network to use another cliche. And I think that's why I have a following, if nothing else, just to listen to the somewhat unhinged things and the memes that I share, because, you know, I'm just me, right? I'm nothing special. I'm still learning how to do this job every day. And really, my little girls are what's more important to me than anything else. This is all a means to an end. I want to have a nice farm and maybe remarry one day and just chill out with them. And that's, that's really it. So I just try to keep it, you know, kind of light, PG-13 at times. Well, who doesn't love a good meme? A lot of people like good memes. I feel like there's more people willing to share that side of themselves. I don't want to say be more vulnerable, but, you know, maybe not and not even be more authentic. I think, you know, the vibe on LinkedIn is completely different than what it was back in like 2013. It was like very, very stuffy and everybody was scared to share. But now it's now it's a lot better. You could find anything that you want out there. Thank you so much for your time today, Jonathan. I feel like I learned so much. That does it for this week's episode of Speed Data. Take care, Jonathan. All right. Thank you, Megan.

TL;DR

  • Different cloud platforms expose vastly different security controls—Oracle and Google Cloud offer VM-level features like virtual TPMs and secure boot that AWS EC2 doesn't, making cross-cloud security posture assessment inherently complex.
  • Organizations should prioritize strategic threat modeling over CSPM checkbox compliance, asking whether specific configurations actually matter given their threat environment and business model.
  • Generative AI is a force multiplier for security analysts, particularly for processing large datasets that would otherwise cause analyst fatigue, but implementation risks around data retention and training data usage require careful threat modeling.
  • The security industry is taking AI risks more seriously than it did with early cloud adoption, with practitioners actively educating themselves rather than dismissing the technology.

Navigating Multi-Cloud Security Complexity

Jonathan Rau, VP and Distinguished Engineer at Query, discusses the fundamental challenges of understanding security posture across multiple cloud platforms. Drawing from his experience building Electric Eye, a multi-cloud security monitoring tool, Rau explains how different cloud providers expose varying levels of security controls—Oracle Cloud and Google Cloud offer features like virtual TPMs, enclaves, and secure boot modes, while AWS EC2 provides a more streamlined configuration approach. The key insight is that having different tools across different clouds creates complexity, and organizations often get distracted chasing green dots on CSPM dashboards rather than focusing on what actually matters for their specific threat environment.

Strategic Threat Modeling Over Checkbox Compliance

Rau advocates for a strategic, top-down approach to cloud security rather than reactive compliance checking. He emphasizes the importance of understanding your core business model, identifying where attackers could gain entry, locating critical data and application logic, and determining which threat families are relevant to your organization. The conversation highlights that while certain security basics are non-negotiable—MFA, restricted admin access, closed ports—many resource-level configurations require contextual analysis to determine if they truly matter in the overall security calculus. This threat modeling mindset helps security teams prioritize effectively rather than treating every CSPM finding as equally urgent.

Chapters

0:00 - Introduction and Guest Background
1:32 - Multi-Cloud Security Posture Challenges
2:46 - Strategic Threat Modeling Approach
3:58 - AI Impact on Data Security
6:14 - AI Threat Modeling Considerations
7:15 - Recommended Resources and Community

Key Quotes

3:18 "I think we get away from that strategic view and just want to look to make a tree of green dots all over a CSPM."
4:10 "I think it's scaring a lot of people. So maybe that's positive if you sell data security."
5:07 "But the danger is more, you know, and I don't want to say danger, but the risk is there for the businesses who may come out with these GAI, these generative AI products to let their end users use."
6:44 "But I think it's more of a boon right now than it is a curse. I think the curse part of it kind of gets overplayed."

FAQ

Why is multi-cloud security posture so difficult to assess?

Each cloud provider exposes different security controls and configurations. Oracle and Google Cloud offer VM-level features like virtual TPMs, enclaves, and secure boot modes, while AWS EC2 has a simpler configuration model. Additionally, identity policies are written completely differently across platforms, and some clouds encrypt by default while others don't. This means security teams need different tools and expertise for each environment, and findings from one cloud may not translate meaningfully to another.

How should organizations approach AI security risks?

Rau recommends a strategic, top-down threat modeling approach rather than blanket panic. Key questions to ask include: Is the AI tool capable of what you need? Does the middleware retain sessions or memories? Where does user data go? Is it used as training data? Can you gate it at a firewall or self-host it? The implementation details matter more than generalized fears about AI, and organizations should assess risks specific to their use case before making decisions.


Categories:
  • » Webinar Library » Varonis
  • » Cybersecurity » Data Security
  • » Cybersecurity » Cloud Security
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Cloud Security
  • AI & Machine Learning
  • Data Privacy
  • Security Operations
  • Interview
  • multi-cloud security
  • cloud security posture management
  • threat modeling
  • generative AI security risks
  • CSPM tools
  • AWS security
  • data governance
  • AI implementation risks
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Varonis: Multi-Cloud Security Posture and AI Data Risks

              Upcoming Webinar Calendar

              • 07/09/2026
                01:00 PM
                07/09/2026
                The HUMAN Experience: Empowering Agentic Trust in Practice
                https://www.truthinit.com/index.php/channel/2026/the-human-experience-empowering-agentic-trust-in-practice/
              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting an Elite Security Team to Achieve Championship-Level Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-an-elite-security-team-to-achieve-championship-level-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in AI Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-ai-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/21/2026
                01:00 PM
                07/21/2026
                HUMAN Dialogue: Insights from Attackers During the FIFA World Cup
                https://www.truthinit.com/index.php/channel/2029/human-dialogue-insights-from-attackers-during-the-fifa-world-cup/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Mastering the DPDP Framework
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-mastering-the-dpdp-framework/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                09

                The HUMAN Experience: Empowering Agentic Trust in Practice

                07/09/202601:00 PM ET
                • Jul
                  14

                  Crafting an Elite Security Team to Achieve Championship-Level Defense

                  07/14/202601:00 PM ET
                  • Jul
                    14

                    Understanding the Crucial Role of Context in AI Data

                    07/14/202602:00 PM ET
                    • Jul
                      21

                      Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                      07/21/202604:00 AM ET
                      • Jul
                        21

                        HUMAN Dialogue: Insights from Attackers During the FIFA World Cup

                        07/21/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version