The dream of open source is freedom, speed, and shared progress—but the reality gets messy when it meets cloud-scale business and security. We explore how Docker kickstarted containers while Google’s Kubernetes turned them into an operational standard, and why that split shaped everything from engineering culture to company strategy. From there, we compare the cloud giants’ philosophies: Google’s foundation-first approach, Microsoft’s transformation from anti-OSS to stewarding GitHub and popularizing VS Code, and Amazon’s more transactional stance that sparked high-profile forks.

The heart of the story is tension between ideals and incentives. Elastic’s licensing shift to block AWS’s managed service and Amazon’s OpenSearch fork set off years of license churn across databases, with Redis and others experimenting with “source-available” models. That turbulence pushed developers and CFOs into new due diligence: reading licenses, evaluating governance, and planning for change. It’s not just legal; it’s operational risk. We unpack what to look for in a healthy project and how to avoid license whiplash when a dependency changes course.

Security adds another layer. The XZ Utils backdoor revealed how small packages can enable state-level infiltration, while malicious NPM uploads showed how easy it is to sneak malware into developer workflows. We revisit the infamous LeftPad collapse to explain dependency fragility and why reproducible builds, version pinning, artifact mirrors, and SCA tools are essential. Our playbook focuses on practical defenses—signed releases, SBOMs, automated alerts, and least-privilege build pipelines—so teams can keep the benefits of open source without gambling their stack.

We close with a preview: AI is retracing open source’s path, from community energy to license debates and platform power. If you build in the cloud, this conversation offers grounded lessons on choosing, securing, and sustaining the code you don’t control. Enjoy the episode, then subscribe, share with a teammate, and leave a review with your biggest open source win—or worst dependency scare.

What is Open Source?
Docker
Kubernetes
Cloud Native Computing Foundation
Open Source Initiative Approved Licenses
Google's Open Source Projects
AWS Open Source Projects
The Hackers Book
Microsoft Visual Studio
XZ Utils Backdoor
Left Pad Incident

Ever wonder how free software ended up running the world’s biggest clouds? We pull on a thread that starts with the hacker ethos—access, transparency, community—and follows it through OSCON memories, Docker’s breakout moment, and the quiet power shift that came with Kubernetes. From early research culture to the realities of running production systems, we map how open source moved from ideal to infrastructure and why today’s cloud thrives on community-built code.

We look at why Docker’s elegant packaging changed developer workflows but didn’t solve the hardest problem: operating at scale. That’s where Google’s history with Borg mattered, and why Kubernetes arrived fully formed with controllers, declarative state, and battle-tested ideas. Crucially, governance moved to the CNCF, the Cloud Native Computing Foundation, letting every major cloud offer a managed Kubernetes service without locking users in. The result is a durable model for the cloud era: keep the core open and portable; offer the complicated parts—control planes, upgrades, reliability—as a managed service; and let teams build higher with confidence.

If you care about how software is built, funded, and run at scale, press play.

Links to topics from the show:
Hackers - By Steven Levy
Docker
Kubernetes
CNCF
Open Container
Podman

LinkedIn - Logan Gallagher
LinkedIn - Jon Gallagher

In this episode, Jon and Logan  explore whether generative AI fundamentally changes the build versus buy decision for businesses considering software solutions. They analyze recent claims about AI-powered cost savings and examine the underlying principles that should guide technology decisions.

• How Logan is using  AI in his common tasks 
• Looking at recent claims from companies like Klarna about replacing SaaS with AI-built software
• Revisiting the fundamental truth that Organizations must understand their core expertise when making build vs buy decisions
• "Vibe coding" with AI creates maintenance problems as context for coding decisions is lost
• Compliance, regulation, and data residency considerations become more complex with AI
• Cloud infrastructure reliability remains a critical concern for AI-dependent systems
• AI is most effective as an assistant for routine tasks rather than replacing human judgment
• Traditional business frameworks still apply when evaluating technology investments

Links:

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

The auto parts software mentioned:
Triad Systems became Activant

Aaron Levie - CEO of Box:
Box becoming an AI-First Company
Recommendations

If you enjoyed this episode, please tweet us at @cloudoutloudpod or email us at cloudoutloud@ndhsw.com. We hope to see you again next week for another episode of Cloud Out Loud.

When identical prompts yield different outputs and a request for "a cat running across the screen" generates four cylinders and a bobbing balloon, the non-deterministic nature of generative AI becomes impossible to ignore. Despite the power of these sophisticated models, we discovered that creating consistent, high-quality results demanded substantial human intervention – not less. Our journey moved from refining prompts to building extensive code example libraries, requiring the very software engineering expertise these systems supposedly reduce.

This experience directly contradicts the popular "vibe programming" approach where developers mindlessly shuttle between AI suggestions and error messages. While this might suffice for weekend projects (as its originator noted), it produces unmaintainable spaghetti code lacking the architectural vision essential for professional software. Real engineering demands creating systems that scale, maintain, and transfer to other developers – not just code that temporarily functions.

The lessons extend beyond development to any organization implementing AI in decision-making processes. These systems lack the contextual understanding to independently determine business priorities or handle nuanced human factors. The future belongs not to AI replacing humans, but to thoughtful partnerships harnessing each party's unique strengths.

Ready to dive deeper into AI's practical realities? Listen now and join the conversation about how we can responsibly integrate these powerful tools while maintaining human oversight and expertise. Share your experiences with us at cloudoutloud@ndhsw.com or @CloudOutLoudPod.

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

The Animation App on Github

Andrej Karpathy on vibe programming

*Extra!* Andrej Karpathy on "Privacy Hygiene" - protecting yourself online now

In this episode we try out what we've speculated AI, particularly GenAI is good for: expanding the capabilities of engineers as they create new applications.

This application uses Google's Cloud Run  and Google Cloud Storage to get user's specification of an animation, create the animation, then store and play the animation.

This the link to the Github repo for the application.

The AI framework for the application is Google's Gemini and the program generates the animation is Blender. The demo is programmed in Python and uses the LangChain framework to leverage Large Language Models (LLMs) in the application

Courtesy of Corey Quinn's "Last Week in AWS" Newsletter # 389 Logan and Jon discovered a presentation from Sec-T  by Chris Farris that does a great job describing the tension between the Cloud Providers and Customers when it comes to security.

The presentation does a great job of highlighting the fact that, though the cloud can be made secure, for many people the defaults they use do not make them as secure as possible. In addition, the cloud providers have to make sure that existing software and systems are not broken by the changes necessary to increase security.

Corey Quinn - Last Week in AWS

Chris Farris

Transcript

Google - Shared Fate

AWS - Security Pillar

Slack - Transitioning to IMDSv2

This episode reviews a manifesto written by Leopold Aschenbrenner, formerly of OpenAI, now a founder of an investment firm that is focused on AGI, Advanced General Intelligence. The manifesto is titled SITUATIONAL AWARENESS, The Decade Ahead.

This episode's discussion sets up who Leopold is, where he's been, and what his focus is. From there the focus is on one aspect of the document, Security. ANd here the discussion looks at what the paper cosiders vulnerabilities, versus the real-world vulnerabilities IT handles if faced with.

SITUATIONAL AWARENESS

GNU Manifesto

Hacker's Manifesto

(... oh what the heck)

Communist Manifesto

As with all the discussions of AI, and particularly LLM's and Generative AI, this is a discussion of the challenges of getting it right, making it useful, and using these tools successfully in a business.

Major Points:

1. There are a large number of commercial and open-source models available.
2. Tens and even hundreds of millions of dollars were spent, and equal amounts of person years were expended to create these models. Your business cannot and should not duplicate this effort and expense.
3. You therefore must know the best way to use the models, and that is to collect enough data about your operations to extend the models to know about your enterprise.
4. You also must have enough subject matter expertise to know when the models are producing incorrect answers, such as "hallucinations".
5. You must be aware of the security challenges the models represent, particularly in sensitive industries such as finance and health care.
6. You must be able to create testing to ensure you know and limit the risks of incorrect answers, and security problems

There is no such thing as a free lunch. You must expend the effort necessary to teach the models you use, test those models, and ensure that you have limited the scope of security problems from the models.

Cory Doctorow - Human in the Middle AI

ChatGPT 

Gemini 

Anthropic Claude

Episode Transcript 

Summary

We start off discussing the recent developments and timeline of generative AI models, particularly ChatGPT, GPT-4, Bard, Llama2, Gemini, and Claude. We covered the release of these models by companies like OpenAI, Google, Meta, and Anthropic, their performance benchmarks, and the emerging ecosystem of models. The discussion highlighted the commoditization of these models, the need to understand their capabilities and limitations, and the potential security risks and challenges associated with their use. The meeting also touched upon the concept of 'centaurs' and 'reverse centaurs' in the context of human-AI collaboration and the potential need for human oversight. Additionally, it mentioned an upcoming project involving a product based on generative AI.

LINKS

Cory Doctorow - Human in the Middle AI

ChatGPT 

Gemini 

Anthropic Claude

Episode Transcript 

Unveiling the Future of Cloud and AI at Google Cloud Next 

Episode 28: Show Notes

In this episode, we delve into the most recent big cloud conference, Google Cloud Next. We discuss what we saw, felt, and heard at this year's iconic Google Cloud Next and provide listeners with our biggest takeaways from the event. We discuss the cutting-edge tools in generative AI and machine learning that Google has rolled out and the potential these new Google offerings hold for developing robust enterprise solutions. Gain insights into the products and services that have the most potential, the obvious shift in Google’s approach to providing enterprise solutions, the integration of its new tools into current business operations, and much more! We also offer listeners our expectations of Amazon's upcoming conference and why the future of cloud computing is brighter than ever. To stay on the cutting edge of the cloud and AI revolution, tune in now!

Key Points From This Episode:

• Logan shares his thoughts on the conference, particularly on the generative AI content.
• Hear highlights of the new features and services Google had on showcase.
• Discover exciting new generative AI and machine learning tools from Google.
• Other interesting new features that enhance productivity in the cloud.
• The potential that Google’s new features have for developing enterprise solutions.
• Integrating Google’s new tools into a business's process and operations.
• We unpack Google’s noticeable shift in focus and approach to business.
• What we think are the most exciting new features and services.
• An incredible data migration story that was shared at the conference.
• Our expectations for Amazon’s upcoming conference: AWS re: Invent.

Quotes:

“It was really clear that [Google’s] butts were kicked into gear by OpenAI and ChatGPT and they are playing a bit of catchup.” — Logan Gallagher [0:02:50]

“Google is finally embracing the real world [with] a lot of these new tools.” — Jon Gallagher [0:07:49]

“The hard work of an enterprise, the hard work of running a business is still being with the new tools from Google.” — Jon Gallagher [0:11:34]

Links Mentioned in Today’s Episode:

Google Cloud Next 2023

Duet AI

Vertex AI

GKE Enterprise

AWS re: Invent 2023

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Episode 27: Show Notes

Welcome back to Cloud Out Loud as we continue our discussion on generative AI and machine learning. Today is all about exploring the risks of modern machine learning and how we can properly navigate them as a society. Jon and Logan walk us through the benefits of AI tools for software companies, the dangers of poorly-trained generative AI models, why good code may not always be the kept standard, and how to assess the cost-effectiveness of the machine learning models at your company. Then, we dive into our concerns about the data of large language models, what generative AI could mean for the future of the internet itself, the perils of hallucinated AI data, stochastic parrots and other security vulnerabilities of generative AI, and so much more! To hear about the importance of transparency in machine learning and to find out what we’ll be talking about next week, press play now. 

Key Points From This Episode:

• The risks to consider when implementing AI and/or machine learning in your company.
• Assessing the best AI tools for software companies and the benefits thereof. 
• The importance of accurately separating good code from bad code after the initial prompts. 
• Exploring the dangers of mistraining a generative AI model. 
• How to know when your AI output is valid and how to monitor the system for updates. 
• Balancing costs: how cost-effective is your machine learning model for your business?
• Why we’re concerned about the data that is going into large language models.  
• How we don’t yet know what machine learning models could mean for the internet’s future.  
• Our fears surrounding hallucinated AI data and the (possible) universal adoption of bad code. 
• Some careers that could experience a boom as a result of widespread AI adoption. 
• Stochastic parrots and the lesser known/discussed security vulnerabilities of generative AI.
• What we need to focus on to make generative AI and machine learning more secure.   
• Why more transparency is needed around the data that is produced by generative AI tools.
• Recapping everything we’ve discussed today and what you can look forward to next time. 

Tweetables:

“Cleaning and curating your data is the least sexy but most important part of getting any value out of any of these [generative AI] tools.” — Logan Gallagher [04:39]

“We may be increasingly reaching the point where the internet is going to be so full of AI-generated content that our subsequent versions of generative AI models will be a snake eating its own tail.” — Logan Gallagher [21:36]

“This is something that I worry about much more than Skynet — that we end up with fragile systems or we end up with unknown attack surfaces because of frameworks that are being generated for us without our ability to have an audit trail of how this came to be.” — Jon Gallagher [32:29] 

Links Mentioned in Today’s Episode:

ChatGPT 

GitHub Copilot 

‘Stochastic Parrots: A Novel Look at Large Language Models and Their Limitations’

‘Undetectable backdoors for machine learning models’

Jon Gallagher on LinkedIn
Logan Gallagher on LinkedIn

Generative AI and ChatGPT with Logan and Jon

Episode 26: Show Notes

Machine learning and AI are fast becoming integrated into our everyday lives. However, despite its rising popularity, there is still a lot of confusion and misunderstanding around the subject. In this episode, we unravel the fundamental principles of machine learning and artificial intelligence. We start by setting the context before diving into the technical and business side of AI. We explain the different terms used, why people are so interested in machine learning, and how it is going to shake up Silicon Valley. We also provide listeners with an overview of the benefits and drawbacks of AI and machine learning and discuss how using AI can go wrong. Learn about neural networks, the transformer algorithm, the cost of implementing AI, and how to effectively leverage these technologies. We examine both positive and negative use cases, debunk common misconceptions, and emphasize the continuous nature of AI implementation. Lastly, we navigate the landscape of cognitive computing, exploring the threats it presents along with the opportunities it brings. Tune in now to ensure you do not get left behind in the AI and machine learning race!

Key Points From This Episode:

• Useful definitions and different terms are explained.
• Find out the difference between AI and machine learning.
• What algorithms popular AI tools are based on.
• Hear about exciting new technologies emerging in the space.
• Learn about the power of the transformer algorithm.
• The limitation of AI and machine learning: data.
• How much AI and machine learning can cost companies. 
• Ways companies are leveraging AI to reduce costs.
• An overview of the good and bad use cases of AI and machine learning.
• Common misconceptions surrounding AI and machine learning. 
• Why implementing AI and machine learning is a continuous process.
• Threats and opportunities of cognitive computing. 

Tweetables:

“Artificial intelligence is a broad field of study. It is an umbrella term under which these technologies fit into.” — Logan Gallagher [0:02:42]

“When you are interacting with a model that uses transformer, it can generate very human-readable and human-intelligible text and outputs that pass off as very convincing.” — Logan Gallagher [0:05:52]

“[Deploying new versions of AI] is a continuous process. If you are standing still, you are going to get left behind.” — Logan Gallagher [0:19:43]

“The business opportunity [of AI] is huge here. Thus, we are not only engaged in the standard hype cycle of technology, but we are looking at a Silicon Valley that is figuring out what business it is going to be in.” — Jon Gallagher [0:22:12]

Links Mentioned in Today’s Episode:

ChatGPT

The Transformer Model Tutorial

‘Transformer: A Novel Neural Network Architecture for Language Understanding’

OpenAI

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Best Environment for Machine Learning

Episode 25: Show Notes

Lately, there’s been a lot of hype about AI. In today’s podcast, we too are going to chat about AI, and specifically the subset of artificial intelligence called machine learning. Instead of talking about the political, social, and moral aspects of this subject, however, we’re going to speak about some of the more mundane aspects of deploying this technology. Tuning in, you’ll hear about some of the recent technologies that have been the subject of hype cycles, what Logan learned about the hype cycle of crypto and how it affected AWS, and how this relates to the current hype cycles of AIML. We then discuss the ML and production experience of the three major cloud platforms (AWS, GCP, and Azure), the ML APIs that these companies have made available, and how you can extend these APIs for your unique requirements. To learn more about how to differentiate between the different cloud providers, the importance of being able to update existing models, the necessity for the automated collection and evaluation of the current model, and so much more, tune in today!

Key Points From This Episode:

• Examples of recent technologies that have been the subject of hype cycles.
• What Logan learned from the hype cycle of crypto and how it affected AWS.
• Google’s level of maturity in terms of AIML, despite seeming behind in this current hype cycle.
• The importance of knowing how to integrate AIML. 
• Three major cloud platforms’ ML and production experience. 
• The types of ML APIs that these companies have made available and some examples.
• AutoML and how you can extend these APIs for your unique requirements. 
• Examples of how you can use this technology in your company, and possible pitfalls. 
• How to differentiate between the different cloud providers, and choosing the right one. 
• What Google’s BigQuery ML is and how it works.
• How each cloud provider has an AIML suite of tools that enables people to train their models.
• Why the ability to update existing models is so important. 
• The necessity for the automated collection and evaluation of the current model for ongoing development of improved models.
• How the software practices that we’ve been learning and implementing over the years, still apply.

Tweetables:

“Maybe some of these companies like OpenAI will emerge as major players moving forward, but I think we can be sure that one of the big winners is guaranteed to be the cloud platforms.” — Logan Gallagher [0:04:01]

“That is the real use case that we can identify for ML; the ability to extend the capabilities of the working software we have.” — Jon Gallagher [0:06:14]

“What’s maybe more important than deploying a model for production is having the ability to update that model.” — Logan Gallagher [0:22:39]

“With ML and AI, there is a temptation to treat this as something new and different, but I really see all of the important software practices that we’ve been learning and implementing over the years, still applying here.” — Logan Gallagher [0:29:01]

Links Mentioned in Today’s Episode:

ChatGPT

“AWS and Blockchain”

AWS

GCP

Azure 

petqts.com 

Snowflake

Jon Gallagher on LinkedIn

Leaving the Cloud

Episode 24: Show Notes

While our preference is always to use the cloud to address IT problems, today we look at a company that is doing the opposite. 37signals, the company behind the project management software Basecamp and the email system Hey, has decided to bring their workloads off the cloud and back into a data center. DHH, the Co-owner and CTO of 37signals, recently announced that the company had spent $3.2 million on Amazon Web Services (AWS) and felt that the money would have been better spent purchasing their own servers and running it themselves. In this episode, we break down the cost structure of what 37signals spent their money on in 2022, the typical arguments for moving out of the cloud and into a data center, and what key factors you need to consider before doing the same. With so many layoffs occurring in tech companies like Google, Amazon, Microsoft, and Salesforce, and so much instability in the industry, business concerns are driving developments in the tech space more than ever before. Tune in to find out more about the future of the cloud, why moving away from it may be the right decision for 37signals, and why this is not the right move for every company.

Key Points From This Episode:

• An introduction to 37signals and the products that they are known for.
• The announcement by 37signals’ CEO that they would be moving off the cloud.
• The breakdown and cost structure of what 37signals spent their money on in 2022.
• The number that jumped out: their S3 spend. 
• Some of the typical arguments for moving out of the cloud and into the data center. 
• The key element that’s needed to move from the cloud to a data center.
• A big advantage of the cloud that 37signals does not make use of.
• Why you need to understand your user patterns before switching from the cloud to a data center.
• How 37signals has taken advantage of being as neutral to a vendor platform as possible. 
• Key factors to consider before moving away from the cloud. 
• The instability of the economy and thoughts on the lay-offs we’re seeing in tech companies. 
• Insights into the future of the cloud.
• How the tech stack could be changed to be more efficient.
• What you can expect from the podcast this year. 

Tweetables:

“Some of the advantages that the cloud has that the data center does not have, such as the ability to dramatically auto-scale out and scale back to respond to your traffic needs, are not going to be as appealing to [37signals].” — Logan Gallagher [0:11:23]

“I think it’s very interesting that they did take advantage of the cloud for that early scaling growth and it probably was beneficial at the time when Hey was growing faster than anticipated.” — Logan Gallagher [0:13:28]

“Every layoff represents a failure of management, a failure of management either to have the right kind of people or the right kind of growth or to anticipate where the economy was.” — Jon Gallagher [0:18:23]

“The cloud added more space to the tool chest, a new set of tools. Those are the tools that we pick up first. But every set of tools in IT still has a role.” — Jon Gallagher [0:19:25]

Links Mentioned in Today’s Episode:

37signals 

Basecamp 

Hey 

"Our cloud spend in 2022"  

David Heinemeier Hansson / DHH

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedI

Demystifying the Security Career Path with Marsha Wilson

Episode 23: Show Notes

Today we welcome back popular guest Marsha Wilson from ScaleSec, as we unpack some of the particulars about what a career in security requires and can look like. Marsha's wealth of experience and insight are so helpful in answering some of the fundamental questions that aspiring security professionals may have now and a little further down the road too, and in our chat, we get to cover the most important of these. Our guest shares her perspective on the best characteristics to embody when stepping into a new role, how security can be integrated with product management, why a natural passion for the field is irreplaceable, and much more. She also shares some powerful questions that can help you uncover where you would like to set your sights and focus your energy. Towards the end of our chat, Marsha talks a little about the help she offers companies who employ her hiring expertise, before we sign off with some closing thoughts about the security field and ScaleSec going into a new year. Join us to hear it all!

Key Points From This Episode:

• General thoughts on the best steps for getting started as a professional in the security space.
• Forward-thinking and detail-orientation; the value of these qualities early on.
• Learning about and engaging with risk as a means to make progress. 
• Integrating security and product management teams in sensible ways.  
• Comparing the paths of internal security professionals and consultants. 
• The passion and personal interest that is necessary to have success in security.  
• Technology disruption and content moderation; limitations in the current landscape. 
• The process that Marsha goes through when helping companies find the right person to hire.  
• Plans going into the final stages of the year and into 2023! 

Tweetables:

“I would say find the thing that is curious for you.” — Marsha Wilson [0:02:44]

“In the beginning, when you are trying to demonstrate that you understand what is going on in your environment from a security perspective, detail-orientation is very important.” — Marsha Wilson [0:06:59]

“I think consuming ultimately vote with their feet, and if they are not leaving, there is no motivation for them to change.” — Marsha Wilson [0:19:59]

“Even reading things that are not specific to your industry, still broadens your mind, still gives your things to mentally munch on, that you bring back fresh and clear, provocative ideas to your team.” — Marsha Wilson [0:34:15]

Links Mentioned in Today’s Episode:

Marsha Wilson on LinkedIn

ScaleSec

Shel Silverstein

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Episode 22: Show Notes

‌

‌The past week in tech has been eventful, to say the least. FTX declared bankruptcy, Elon Musk is sowing chaos with his latest decisions at Twitter, and David Heinemeier Hansson published a post on his decision to move 37signals off of the cloud. In today’s episode, we take a closer look at the high cost of cloud services and what can be done to make these services more affordable for users. We investigate 37signals’ move away from the cloud, why it was the right choice for their company, and how the responsibility is falling on engineers to make cost-effective decisions without compromising quality. Our conversation also covers Mike Julian’s article for The Duckbill Group called Why Cloud Finance Is Broken and Ineffective, and what the Japanese concept of Kaizen can teach business leaders about continuous improvement. For an informative episode on the state of cloud finance and what to do about it, make sure you tune in today!

Key Points From This Episode:

• An overview of the eventful news in tech this week.
• The latest developments at FTX and Twitter.
• The evidence of immaturity in the tech space and how it’s reflected in its leadership.
• Why the cloud marketplace and cloud engineering are still in their infancy.
• Evidence that companies are paying too much to be in the cloud.
• David Heinemeier Hansson’s decision to move 37signals off of the cloud.
• Why this decision makes sense for his organization.
• An overview of Mike Julian’s article for The Duckbill Group: Why Cloud Finance Is Broken and Ineffective.
• The pressure on engineering teams to develop an effective product that is also the most cost-efficient.
• Why it’s so important for everyone in your company to understand the business flow.
• The next step into maturity that tech companies need to take.
• The Japanese concept of Kaizen and how to implement it to improve business processes.

Links Mentioned in Today’s Episode:

37signals

The Duckbill Group

Why we're leaving the cloud

Why Cloud Finance Is Broken and Ineffective

How to Use Kaizen Methodology to Improve Business Processes

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Women in IT, Cloud Security, and InfoSec with Marsha Wilson

Episode 21: Show Notes

Welcome back to another episode of Cloud Out Loud! Today we are joined, once again, by Marsha Wilson to discuss the presence of women in IT, cloud security, and InfoSec. Marsha is the CEO of ScaleSec and has had a fascinating career that spans the military and the private sector. Tuning in you’ll hear Marsha’s thoughts on how the field has evolved since she first started out, along with the changes she’d like to see going forward. We discuss the importance of soft skills when it comes to a career in cloud security and what can be done to encourage more women to pursue cloud security as a career. Marsha wraps things up by sharing her advice on how companies can support women in the field of cloud security and InfoSec, like sponsoring women in meetups and conferences, offering to speak at colleges, and making yourself available as a person women can reach out to for mentorship. 

Key Points From This Episode:

• Today’s episode: The presence of women in IT, Cloud Security, and InfoSec.
• An introduction to Marsha Wilson, CEO of ScaleSec.
• How women have reached near parity with men in fields outside of cloud security and IT.
• Marsha’s thoughts on how the field has evolved since she started her career in cloud security.
• Hear about Marsha’s experience working for the military and the private sector.
• How men and women tend to value and prioritize different aspects of their job experience.
• Why soft skills are so important as you progress in cloud security.
• Why ScaleSec decided to hire a full-time corporate trainer.
• An overview of the generational differences on Marsha’s team.
• Why Marsha is excited about upcoming generations.
• Marsha’s advice for those in the IT world looking to make a transition into InfoSec.
• Book recommendations for those interested in transitioning into cloud security.
• Why there is such a pressing need for more talent in the cloud security sector.
• Marsha, Jon, and Logan’s indirect paths into cloud security.
• Learn about the Executive Women’s Forum.
• Marsha’s advice for companies looking to hire more women in the CloudSec universe.

Tweetables:

“[There is] an incredible emphasis on soft skills as you progress in cloud security.” — Marsha Wilson [0:08:33]

“The truth is every promotion that you receive in information security, and cloud security, you have to be able to work the business acumen side, you have to be able to work the EQ side, and women have the advantage there.” — Marsha Wilson [0:08:41]

“We all want to learn from each other. We want to leverage experience … so that all of us can expand our involvement in areas that we don't know about. Overall, I find that smart people, regardless of their generation, are seeking opportunities to grow and have a positive impact.” — Marsha Wilson [0:17:57]

Links Mentioned in Today’s Episode:

Marsha Wilson on LinkedIn

ScaleSec

The Phoenix Project

The Cloud Resume Challenge

Cloud Computing for Dummies

Executive Women’s Forum

Black Girls Code

Black Girls Hack

Jon Gallagher on LinkedIn

Diminishing Risk, Increasing Profit, and Reducing Costs Through Security with Marsha Wilson of ScaleSec

Episode 20: Show Notes

Today we continue with Part 2 in our conversation with Marsha Wilson, CEO of ScaleSec. While the first episode covered Martha's advice to startups on how to create a foundation of security, this episode delves into how to deal with security issues a few years down the line if you didn't follow Martha's advice in the beginning. A lot of the recommendations included in this podcast aren't specifically directed only to those in software or hardware startups, but apply across the board as security affects all users of technology in a business. Tuning in you'll hear how to make sure that security is inherent to your business, how to convince an organization that certain secunty barriers are worth the inconvenience to your developers, and how you can reduce risk, increase profit, and reduce costs by spending money on security. We discuss the 'Cloud and Web Security Challenges in 2022' report and the hot topic of data loss prevention and compromise through third-party vendors. Martha also shares her advice to any organization that has already been breached. Tune in to hear more about the true value of your data and why your entire organization needs to understand this and be responsible for its security.

Key Points From This Episode:

• Today's episode: how to deal with security issues in your company a few years down the line.
• How to make sure that security is inherent to your business
• Why you should attach security work to the business drivers in the company itself.
• How you can reduce risk, increase profit, and reduce costs by asking for training money for a development team to learn how to incorporate security and deploy code.
• How to convince an organization that certain security barriers put in place are worth the inconvenience to your developers.
• How security personnel can inform sales personnel about the level of security they're able to provide.
• The tension between security and monetary reward and how we can ensure a minimum level of security can be created with financial feedback.
• How to get security into all parts of the organization through forming relationships in the company.
• Thoughts on how modern technology is more secure.
• The value of the human brain and expertise over security systems.
• Insight into the Cloud and Web Security Challenges in 2022 report.
• The hot topic of data loss prevention and compromise through third-party vendors.

Tweetables:

“You can never have enough security. Security is never going to max out.” — Marsha Wilson [0:16:57]

“You’re not going to get the data to begin with if you don’t prove to the customers that trusted you with their data that you’re going to keep it safe ” — Marsha Wilson [0:33:31]

“You have a commitment that you’ve made in gathering this data, that it is valuable to your company, you’re going to process it, it’s obviously valuable to the end user. You are therefore making a moral and many times legal commitment to preserving that data.” — Jon Gallagher [0:35:49]

Links Mentioned in Today’s Episode:

Marsha Wilson on LinkedIn

ScaleSec

Cloud and Web Security Challenges in 2022  

Cloud Data Loss Prevention

Jon Gallagher on LinkedIn

Logan Gallagher o

Startup Security Tips from ScaleSec

Episode 19: Show Notes

If you’re starting up a business in this day and age, cloud security should be your first priority from day one. Having basic security systems in place from the get-go can only have long-term benefits. Joining us today to talk about the importance of good security hygiene in the early stages of starting a business is Marsha Wilson, the CEO of ScaleSec. ScaleSec is a compatriot of long standing in the cloud wars and with her expertise in both security and business, Marsha has much great insight to impart. In this episode, Marsha fills us in on the most common ways in which data is breached in small businesses and breaks down the fundamental steps of cloud security. Tune in to find out how breaches happen, how to prevent them, and where to learn more about all things cloud security-related.

Key Points From This Episode:

• CEO of ScaleSec, Marsha Wilson, fills us in on the services the company provides.
• Why she’s committed to helping startups navigate cloud security.
• The most common ways in which data is breached in small businesses.
• The importance of good security hygiene in the early stages of starting a business.
• How breaches happen on Amazon Web Service (AWS), specifically.
• Three basic yet crucial foundational security measures.
• The benefits of having a password manager.
• The most effective multifactor authentication methods.
• Marsha’s best practices for laptop and mobile device management.
• The importance of old-hire deprovisioning.
• The nuances of email security.
• Why it’s recommended to use the security available to you from the cloud.
• How the cloud aids security.
• Marsha’s top three recommended cloud security-focused actions.
• Planning for durability and availability.
• Secure code and software supply chain options.
• How best to secure your technology.
• How to manage your cloud security posture.
• How to prevent misconfigurations.
• How to protect secrets.
• How to educate yourself further about cloud security. 
• Marsha shares an anecdote to emphasize the importance of learning how the cloud works.

Tweetables:

“Ransomware, stolen credentials, and phishing are the number one ways that very small businesses are pwned.” — Marsha Wilson [0:02:45]

“If you are able to use as many as possible of the managed services available to you from the cloud you’ve selected, the better off you’re going to be.” — Marsha Wilson [0:15:23]

Links Mentioned in Today’s Episode:

Marsha Wilson on LinkedIn

ScaleSec

ScaleSec Startup Security Slide Deck

Verizon 2022 Data Breach Investigations Report

AWS Digital Training

AWS Security Maturity Model

AWS Security Maturity Roadmap

AWS Security Fundamentals

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Episode 18: Show Notes

Recently we’ve seen some big dollar commitments from companies to facilitate their move towards cloud. While we are big fans of cloud and going serverless, there are some key issues with these types of public commitments (with huge sums of money behind them) that bear interrogation. In today’s episode, we consult a Twitter thread by Simon Wardley, a British researcher, and former CEO best known for the creation of Wardley mapping, to help us break down what we can learn from these trends and how to find a better path forward. Tuning in you’ll hear us unpack why many of these financial commitments can be described as vanity projects, why a successful cloud journey is best undertaken through small steps, and why any large company in the IT space only starting this journey now is way behind the times. We also discuss why 80 percent of IT projects fail, the benefits of going serverless, and how to start building a culture around using serverless technologies. Tune in today for a spicy overview of these topics and the cloudy wisdom of Simon Wardley!

Key Points From This Episode:

Introducing today’s topic: The Cloudy Wisdom of Simon Wardley

• Learn about Simon Wardley and the Twitter thread that inspired today’s episode.
• Why big companies that are only investing in cloud now, in 2022, are way behind the times.
• How large companies are spending huge sums on vanity projects related to cloud computing and why they won’t deliver on their promises.
• An outline of why 80 percent of IT projects fail.
• Why IT solutions and cloud projects are best achieved through a succession of small steps, rather than a large vanity project.
• What we can learn from the close access Simon Wardley has to C-suite executives.
• Why large sum investments in cloud, especially those issued in press releases, are often more about moving markets rather than solutions or products.
• Why companies need to be engaging more closely with their engineering staff.
• The conclusion of Wardley’s thread and why he is advocating for going serverless.
• How to start building a culture around using serverless technologies.

Tweetables:

“If you're trying to tell me that you're spending a big dollar amount on cloud, you're behind the times. And often five to six years behind the times, because at this point a lot of companies have stopped just talking about that, and are well underway on that cloud journey.” — Logan Gallagher [0:01:58]

“In 2022, if you are a large corporation [that’s] been in business and IT is a critical aspect of your company. If you're not in the cloud and actively looking to decommission data centers, you're way, way, way behind the times.” — Jon Gallagher [0:02:35]

“Remember, the awful truth about IT is that 80% of IT efforts and IT projects fail. And that is a hard, goshdarn number.” — Jon Gallagher [0:05:43]

“That dollar amount, especially in these press releases, appears to just be to move markets and maybe not actually move products.” — Logan Gallagher [0:08:41]

Links Mentioned in Today’s Episode:

Simon Wardley on LinkedIn

Simon Wardley on Twitter

Simon Wardley Twitter Thread

Platformonomics

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Disaster 

Episode 17: Show Notes

We here in the Pacific Northwest have been experiencing a slow-moving disaster of enormous proportions. Namely, the heatwave that much of Europe has also recently been confronted with. Similarly, in the context of the cloud, there has also been a pretty significant disaster. On 19 July 2022, there was a well-documented outage, where the London data center for Google experienced the simultaneous failure of multiple cooling systems. This impacted multiple Google Cloud services, which had a series of significant consequences for users worldwide. In the past, there have been multiple natural disasters that have affected cloud computing, and these events are only likely to become more frequent in the future. From global warming to inflation, there is a range of global factors that will impact how we use the cloud. In today’s episode, we’ll be covering how to prepare for these eventualities, and how to have proper defenses in place. Our conversation covers how to guard the systems we already have, the structures that we're building, and how to implement cloud technology optimally. We also discuss the concept of chaos engineering and how Netflix has implemented it to create resilient applications. There’s a lot to unpack here, so make sure you tune in for all the relevant details on how to prepare for the future without feeling overwhelmed!

Key Points From This Episode:

• Introducing today’s topic: Disaster.
• An overview of the heat waves that the northern hemisphere has been experiencing.
• How this heat wave facilitated an outage at the Google data center in London.
• The failure of several cooling systems and the impact this had on multiple Google Cloud Services.
• How past natural disasters have affected cloud services and what we predict for the future.
• Why the London outage was unexpected and why the next event will likely also be unanticipated.
• How mobility can help you prepare for disasters in the US.
• How to implement load balancing between regions.
• The role of planning and building to prepare for potential natural disasters.
• Why emulation is crucial to be fully prepared.
• A breakdown of how companies can practice their disaster recovery policy.
• The concept of chaos engineering and how it ensures resilience.
• How Netflix has implemented chaos engineering to make their applications extra resilient.
• Why exploring these areas of vulnerability takes tremendous commitment.
• How to apply these lessons to your own business.
• An overview of the tools that companies can leverage to ensure resilience.

Links Mentioned in Today’s Episode:

Netflix

Chaos Monkey on Github

Janitor Monkey on Github

Configuration Monkey on Github

Spinnaker

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Armoring Yourself Against Marketing

Episode 16: Show Notes

Welcome back to another episode of Cloud Out Loud! We are proud public cloud advocates and believe that the public cloud is going to be the ultimate platform for IT, computing, and AI for the foreseeable future. However, there is often confusion about two areas regarding cloud computing, namely multi-cloud and hybrid-cloud. These are two very different approaches for deployment, surrounded by common misconceptions about their benefits. In this episode, we lay the confusion to rest. We delve into everything multi-cloud and hybrid cloud, defining them, identifying the differences between them, and addressing common misconceptions surrounding them. We talk about what motivates companies to choose multi-cloud or hybrid cloud approaches, and why we don’t believe multi-cloud is the best option for them. You’ll also hear about some of the common issues associated with the multi-cloud and hybrid clouds before delving into how to use multiple clouds to leverage tools available, why these approaches do not offer a competitive advantage, and a new powerful tool available to developers. Tune in to this informative episode to learn everything you need to know about multi-cloud and hybrid cloud deployment!

Key Points From This Episode:

• We define what the public cloud is and the different tiers available.
• What a private cloud is and the different off-shoots available.
• The various reasons for choosing a private cloud approach.
• Attractions and benefits of the public cloud to companies. 
• How companies can unintentionally take the hybrid-cloud approach.
• Differences between a hybrid cloud and multi-cloud.
• Reasons why a multi-cloud is not the best option for companies.
• Examples of rare scenarios where a multi-cloud deployment would be beneficial.
• Why moving to a public cloud also requires a cultural shift. 
• Security issues that are associated with deploying in multiple clouds.
• Common misconceptions about the competitive advantage of multi-cloud.
• Why using the range of ‘tools’ available from multiple clouds may be beneficial.
• Learn about a powerful new service from the cloud: Workload Identity. 
• An example of how Workload Identity could be leveraged. 
• Aspects to consider when deciding to take a multi-cloud approach.

Links Mentioned in Today’s Episode:

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Episode 10 - Protecting Your Assets from Cyber Attacks

Workload Identity
Workload Identity Federation
 

Cost Control in the Cloud

Episode 15: Show Notes

Welcome back to Cloud Out Loud! As we record this at the start of July, there are lots of interesting doldrums occuring in all sectors of life. Particularly, the tech industry is being challenged. We are in the middle of a lot of lay-offs, and we are seeing a plummet in the success of startups that were thriving at the start of last year. As engineers, we’re able to identify things you could have done to limit this, and things you can implement today with the systems you are currently running in the cloud. During today’s episode, we discuss two approaches to help you to regain control of your costs. The first of these involves designing new systems that support cost control, and the second part of our conversation covers how to work with the ones we already have in place. 

Key Points From This Episode:

• The plummet we are seeing in tech startup success in July 2022.
• What we are discussing today: cost control from an engineer’s perspective.
• Two approaches including designing systems and working with the ones we have in place.
• The opportunity you have to save money through using managed services.
• How costs can run out of control by leaving managed services online.
• Why there is a variety of opinions on cost transparency.
• The engineer’s tendency to solve problems without cost considerations if they are not provided.
• How organizational policies can create guardrails around costing.
• Why it is important to turn off access to regions that you don’t use for every Cloud provider.
• When to make exceptions to the guardrails you put in place.
• What happens when neither of our initial two recommendations are effective.
• Managed services and how they can facilitate running things on demand.
• Having monitoring around API calling and API call throttling to reveal hidden costs.
• A hard and fast rule: if you are consuming a service on a per call basis, you are monitoring the quantity of API calls you are making.
• Why it is so essential to flag that something anomalous has happened that you need to react to immediately.
• Logan’s final thought: when you are picking a managed service, really look at how you will be using it in your architecture.
• The opportunities that often exist to spend less money on a service if you don’t need its full power.
  
  Links Mentioned in Today’s Episode:
  
  Jon Gallagher on LinkedIn
  Logan Gallagher on LinkedIn
  
  Corey Quinn - The Essential Gadfly of the Cloud and Cloud Costs
  
  AWS - Cost Management Guidelines
  Google Cloud - Cost Management Guidelines
  Azure - Cost Management Guidelines
  
  FinOps - What is FinOps

Cloud in Sports

Episode 14: Show Notes

We often hear about various ways the Cloud is applied, but what about sport? In this episode, we focus on sports and the public Cloud, a subject that Logan has investigated in detail. More specifically, we chat about how the various sports leagues leverage the Cloud for their data analytics platforms. We dive deep into the topic and learn how the Cloud is used to interact with the audience, the size and type of data being collected by leagues, a rundown of the various cloud-based tools being used in the space, and how the various data are being collected. We also discuss some of the challenges and controversies of sports leagues using data analytics, such as enhanced sports betting! Don't miss out on this episode to discover the fascinating and innovative applications of data analytics in sports!

Key Points From This Episode:

• A rundown of the sports leagues which are using cloud-based analytics.
• The trait that makes sports special: it is broadcast live.
• How the Cloud is being used by sports leagues to interact with the audience.
• Jon shares a practical example of data analytics in sports.
• An outline of the insight that data analytics provides to both athletes and audiences.
• We discuss the details of user-facing data and team-facing data.
• An example of team-facing data that can be beneficial to a league.
• We find out how much data is collected and used by sports leagues.
• The amount and arrangement of cameras operating during a typical baseball game.
• An interesting Google tool being used is explained: Anthos, a unified and controlled platform.
• Ways to enrich the data being collected by collecting supplementary data. 
• Highlights of the differences between the various sports and how data is collected.
• Some examples of how different sports leagues are using data analytics.
• How the ‘internet of things’ is being pushed into the space.
• The challenges in collecting performance data for contact sports.
• Logan tells us about a league that is using sensors and the internet in an interesting way.
• We talk about the potential that data analytics has to improve sports for audiences. 
• The controversial application of data analytics to sports betting is discussed.

Tweetables:

“This is a huge volume of data that they are collecting from every single game and every single team, across their leagues.” — Logan Gallagher [0:04:50]

“Aggregating all these data points into this one score is really fascinating and potentially can inform decision-making on the field.” — Logan Gallagher [0:15:29]

“All these analytics, all these data points could also lead to advanced forms of gambling.” — Logan Gallagher [0:23:27]

Links Mentioned in Today’s Episode:

Wheelhouse

Anthos

Next Gen Stats NFL

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Episode 13: Show Notes

While we may have been negative about WEB3 on many occasions, today we are talking about a company implementing WEB3 technology in a way that truly seems to be a good idea. Hivemapper is a crowdsourced open source mapping platform. As the world’s first crypto-enabled dashcam, Hivemapper mines HONEY Tokens and grows a map while you drive. Tuning in you’ll hear how Hivemapper identified gaps in the marketplace and is using crypto to help fill them, how you can make money through this platform, and how different parties can benefit from it. To hear more about the effects and disappointments of crypto, some of the lessons that crypto is avoiding, and why we believe that Hivemapper is a great use of WEB3 technology, tune in today! 

Key Points From This Episode:

• How WEB3’s current manifestations have been brought to the market in a way that has undermined it in people's perceptions.
• Why our hosts have been so skeptical of some crypto technologies. 
• Today’s topic: Hivemapper and how it gestures toward some of the real potential in the WEB3 space.  
• How Hivemapper works as a crowdsourced open source mapping platform.
• How this hits home for Jon who worked for two different startups in a similar space
• How Hivemapper identified gaps in the marketplace and is using crypto to help fill them.
• How you can make money through this platform.
• How insurance companies could benefit from this in light of the California wildfires. 
• The elaborate nature of Hivemapper’s board game-like rules.
• How it seems to be built as a platform upon which you can build additional products. 
• Thoughts on the effects and disappointments of crypto and some of the lessons that crypto is avoiding. 
• The value of the incentivization on both sides of the Hivemapper platform.
• Some other thoughts and conversations that tie into this subject.

Tweetables:

“[Hivemapper] They’ve identified gaps in the marketplace, or opportunities in the marketplace, for freshness of data, coverage, etc, that they are then using crypto to help fill .” — Jon Gallagher [0:05:44]

“Video games I’m sure have contributed to how they’re setting up some of the incentive structures and game mechanics of this project.” — Logan Gallagher [0:10:22]

“If there’s a project that actually looks solid on its fundamentals, like this appears to be, we’ll applaud it. As technologists, we’re about the technology and we’re skeptical when technologies get a little too hyped.” — Logan Gallagher [0:15:47]

“What I think really appeals to us is the alignment, not just of crypto as a way of people getting paid but of the incentivization on both sides of it.” — Jon Gallagher [0:16:49]

Links Mentioned in Today’s Episode:

Hivemapper

Hivemapper Dashcam 

How HiveMapper Works: The HONEY Token 

Yanis Varoufakis on Crypto & the Left, and Techno-Feudalism 

Cory Doctorow: A useful, critical taxonomy of decentralization, beyond blockchains 

Cory Doctorow: Undetectable backdoors for machine learning models 

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Episode 12: Show Notes

Lazy and cheap is the tagline of many programmers and often interpreted in a negative context. Being lazy and cheap has to do with streamlining operations and cutting costs, which are the goals of many organizations and companies. Many people are now beginning to see the advantages of cloud-based computing and automation to help streamline procedures and operations while reducing costs. In today’s episode, we define what is meant by cheap and lazy, how you can leverage cloud-based solutions, and the advantages of outsourcing and automating processes. We hear some practice examples of cloud-based approaches and the benefits that companies will see when using cloud-based approaches. We also discuss serverless cloud-based computing, its advantages, as well as misconceptions surrounding the approach. Tune in to hear insider tips and tricks about the power of cloud-based computing on another informative episode of Cloud Out Loud.

Key Points From This Episode:

• Introduction about today’s topic: lazy and cheap.
• How being lazy and cheap will ultimately lead you to the best solution.
• What the concept of being lazy and cheap means to Logan.
• What you can leverage from the cloud to reduce costs and increase productivity.
• Jon explains the mindset shift that is starting in IT regarding the cloud.
• Benefits that a company will see if they focus on processes involving the IT department.
• Jon shares an approach of focusing on IT and data that Walmart used.
• The balance between cutting costs while making processes more efficient.
• Example of the initial effort needed before you can automate processes.
• The importance of monitoring the changes and alterations to workflow.
• Outline of the approach one can use to be cheap and lazy.
• Potential the cloud has to offer for cutting costs and streamlining workflow.
• How to leverage services provided by other companies to streamline your own.
• We find out about serverless cloud-based computing and its advantages.
• A brief highlight of the misconceptions surrounding serverless cloud-based computing.
• Resource for listeners to demonstrate the power of the serverless approach.
• The takeaway message that Jon and Logan have for listeners. 

Tweetables:

“Lazy to us means minimizing the effort necessary to accomplish something.” — Logan Gallagher [0:01:07]

“Cheap in our context means minimizing the amount of resources to be expended to accomplish something.” — Logan Gallagher [0:02:43]

Links Mentioned in Today’s Episode:

Pet Cuties 

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Cloud certification tests can be incredibly stressful to take and are a big investment for companies. They require a tremendous amount of time, money, and expertise to create, and need to be updated regularly.

While the majority of tests used to be done on-site, the COVID 19 pandemic has meant that most tests now take place online, which brings with it a unique set of challenges. They require moderators to ensure that all candidates write their tests in a fair environment and adhere to strict parameters, while also making accommodations for students with special needs.

In today’s episode, we discuss how Amazon and Google arrange their tests, what you can expect from them, and how best to prepare. We describe some of the stress responses we’ve had during our exams and break down the best practices we’ve developed that you can follow when writing these tests. We also unpack some of their practice questions and demonstrate methods that will help you answer every question to the best of your abilities.

To learn how to optimally budget your time during an exam, and ensure that you understand what’s being asked of you in any given question, make sure you tune in today!

Key Points From This Episode:

• An overview of how Amazon and Google arrange their certification tests.
• What public cloud service providers expect from certification tests.
• Logan’s recent experience taking two very different tests.
• The Cloud Digital Leader certification and who it’s for.
• The time, money, and effort it takes to create a single certification-worthy question. 
• The best practices that we’ve developed from taking these tests.
• Why taking the practice test is so beneficial and how to approach it.
• How to prepare for taking the exam.
• What it’s like to take the exam on-site.
• What to do if you need adaptations or assistance.
• The stress of taking these exams and Logan’s strategy for how to complete them.
• How to budget your time during these exams.
• The psychological and physiological effects of being in a testing environment.
• The best approach for understanding what's really being asked of you in a question.
• What operator words can tell you about a question and the answer they require.
• How to use the process of elimination when answering questions.
• How to use other questions for context details on a difficult question.
• The challenges of taking these tests online instead of on-site.
• What to expect from taking the test online and how to make sure you are adequately prepared and equipped to take it.
• Examples of the questions that Amazon and Google have released as practice questions.
• A breakdown of how Amazon and Google differ in their approach.

Links Mentioned in Today’s Episode:

AWS Certification

Google Cloud Certification

Google Cloud - Cloud Digital Leader

AWS - Cloud Practitioner

AWS - Professional Solutions Architect

Google Cloud - Professional Cloud Architect

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Protecting Your Assets From Cyber Attacks

Episode 10: Show Notes

The Russian invasion of Ukraine has caused a heightened paranoia about cyber attacks, prompting the Department of Homeland Security to release a warning that we should be prepared to respond to disruptive cyber activity. In this episode we are going to explain why transitioning to the cloud (if you aren’t already there) is the best way to make sure that your information is secure. By leveraging cloud architecture, you can protect yourself against so many different types of attacks, and the important monitoring and auditing systems are automatically available to you at no extra cost (in contrast to on-prem systems). For advice about how you can ward off a cyber attack in the cloud in a business context and a personal one, tune in for today’s episode of Cloud Out Loud! 

Key Points From This Episode:

• Fears about a cyber attack that have gained traction since the Russian invasion of Ukraine.
• The warning that was released by the Department of Homeland Security in February.
• Security versus useability. 
• Examples of how to maintain security hygiene. 
• The additional level of security that exists in the cloud. 
• Ease of access to monitoring and audit systems in the cloud, in comparison to on-prem systems.
• Why it is crucial to continuously revisit your policies and make sure you are enforcing the principle of least privilege.
• A method of assessing whether your permissions are too permissive.
• Why a ransomware attack is more difficult to execute in the cloud.
• Infrastructure segmentation that is possible in the cloud but not in on-prem systems. 
• Problems that can arise when fixing security holes.
• Why you should always stay up to date with operating system and application updates.
• The story of the (consensual) hacking of Jeffrey Katzenberg. 

Tweetables:

“Whether you’re on premise or in the cloud, good security hygiene is your first line of defense.” — Logan Gallagher [0:03:47]

“The cloud has systems that are capturing important API calls and important commands as they happen, and give you an audit trail that you can review. Leverage that and help your security team understand what that means and align that with the data governance that you operate under.” — Jon Gallagher [0:07:26]

“My rule of thumb [is] if you spend a whole week without someone sending you an email asking for more permissions, your permissions are too permissive.” — Jon Gallagher [0:09:36]

“The cloud doesn’t think of machines, the cloud thinks of service, and when you’re using cloud SQL and RDS (and you should), the infrastructure that the service runs on is not corruptible like it is on prem.” — Logan Gallagher [0:15:30]

Links Mentioned in Today’s Episode:

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

The Phoenix Project

The Subtle Knife

Jeffrey Katzenberg Gets Hacked [Twitter Thread]

The GiveSendGo Data Leak

Episode 09: Show Notes

As you are probably aware, earlier this year, a convoy of truckers was making the news for protesting COVID mandates and vaccinations in Canada. Part of the convoy was raising money through GoFundMe to support these protests. After they were shut down by the site, they moved their fundraising efforts to the religious-based fundraising site: GiveSendGo. It wasn’t long before a security researcher examined the site’s code and stumbled upon most or all of the major files and private data that were being used by the website, all publicly accessible on the internet. Today we discuss how this mistake was made, what S3 buckets are supposed to be used for, and how the website’s HTML source has been updated since the vulnerability was discovered. To discover the dangers of not reorienting your mentality to optimizing for the cloud, to learn more about the set of skills we need to have when engaging with the cloud, and to hear our best practices to help you ensure that you never make a mistake like this, tune in today!

Key Points From This Episode:

• How the fund to support the protesting truckers came to be established on GiveSendGo.
• What caused the data leak and how it was discovered.
• The point of S3 buckets.
• Why S3 buckets should not be used as storage buckets.
• Why this information shouldn’t just be in separate buckets but in separate accounts too.
• Speculation about how this mistake came to be made. 
• The need for different classes of users using a website.
• What Logan discovered when he looked at the website’s HTML source code today and how it has been updated since the vulnerability was discovered.
• The danger of not reorienting your mentality to optimizing for the cloud. 
• The role of CloudFront in protecting information.
• The need for a culture and a new set of skills we have to have when engaging with the cloud. 
• How the GiveSendGo developers were notified about this problem a long time ago.
• The need for code reviews and the entire crew to understand the architecture.
• A breakdown of the best practices to ensure that this doesn’t happen to you.
• The importance of understanding what your business’s purpose is and the responsibilities and obligations entailed in the data you collect.

Tweetables:

“Understand what your business purpose is: what data are you collecting, what data are you storing, what data are you retrieving, what obligations does that data impose upon you?” — Jon Gallagher [0:26:19]

“Think of some of these cloud tools as chainsaws: They’re incredibly powerful but you need to be safe with them. You can get a lot done with them if you are trained to use it and if it’s in the right hands” — Logan Gallagher [0:28:49]

Links Mentioned in Today’s Episode:

GiveSendGo 

Amazon CloudFront 

“Incentivized Developers Make Better Security” 

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Coinbase Super Bowl Ad

Episode 08: Show Notes

In today’s show, we talk about the “diminished user experience” Coinbase experienced after their Super Bowl ad and what can be learned from it. At the recent Super Bowl, Coinbase aired an advert that depicted a QR code floating on a screen which led users to a landing page that offered them Bitcoin in exchange for creating an account. The ad was a wild success, leading about 20 million people to attempt to access Coinbase within five minutes. Ironically, the influx of users was so great that the app crashed. While we don’t know the exact details of the cause of failure, we give our best guess and make recommendations for how this can be avoided. Tune in and hear about the value of internal communications, leveraging the appropriate cloud technologies, and testing.

Key Points From This Episode:

• The sales funnel used by the Super Bowl Coinbase ad starting with a floating QR code.
• An outage that Coinbase experienced due to such high traffic of visitors wanting to sign up.
• A similar experience Coca-Cola had with a Super Bowl ad they ran while they still had an on-prem servers.
• Our best guess at what caused the failure in the Coinbase infrastructure.
• The error Coinbase made to be siloed and place their focus on marketing rather than production.
• A possible solution to the overload of the authentication-authorization workflow.
• What to do in scenarios where you have an unexpected influx of new user requests.
• Different options for making sure can scale once your servers hit capacity.
• Trying as much as possible to use lightweight infrastructures that can cooperate.
• Techniques for making sure your app degrades gracefully.
• The tech equivalent of offering a guest coffee while they wait in queue for a restaurant.
• An example of an app with a massive rollout that handled it successfully: Pokemon Go.
• The ads for Super Bowl LVI (2022) had deep echoes of the Dot Com ads for Super Bowl XXXIV (2000)

Links Mentioned in Today’s Episode:

Coinbase Forced Into Outage Following Super Bowl Ad After More Traffic 'Than Ever Encountered’

Coca Cola’s Migration to AWS

Creating Pokemon Go on Google Cloud

Pokemon Go today on Google Cloud

Dot Com Companies that advertised in Super Bowl XXXIV

Jon Gallagher on LinkedIn

Logan Gallagher on LinkedIn

Many of the conversations surrounding blockchain focus on the disruptive potential of decentralization. However, at the same time, many of the biggest cloud providers are either planning to offer blockchain-based services in the near future or already have them rolled out. This creates an interesting tension that we will be exploring on today’s show. We start by reviewing where Amazon, Microsoft, and Google are in their process toward the provision of blockchain products. Amazon is currently taking the lead and we touch on the use cases for their Quantum Ledger Database and Managed Blockchain for Hyperledger Fabric offerings. From there, we highlight the fact that 25% of Ethereum nodes run on the Amazon Managed Blockchain for Ethereum. This is an interesting concept considering Ethereum’s apparent decentralization, but it also points to a tradeoff that has to be made by anybody who wants to run Ethereum nodes. We wrap up on the idea that decentralization might not have the moral valence it is often given. For engineers, the debate between decentralization and centralization centers on performance rather: which architecture can best offer a level of resiliency combined with the ability to recover?

Key Points From This Episode:

• Tension between the capabilities of the cloud and the promises of blockchain.
• Moves toward blockchain being made by Google, Azure, and AWS.
• Blockchain technologies being offered by AWS on their platform.
• A contradiction between the disruptive potential of decentralization and the adoption of blockchain by the tech giants.
• How the Amazon Quantum Ledger DB works and its similarities to DynamoDB.
• Using an analogy of a letter of credit to frame the use case for the QLDB.
• How the QLDB is consistent with the paradigm of version control.
• The value of immutable state in many programming languages.
• How the Amazon Managed Blockchain for Hyperledger Fabric works and its use cases.
• Why the Amazon Managed Blockchain for Hyperledger Fabric violates the zero trust principle.
• The irony that 25% of Ethereum nodes run on Amazon.
• Tradeoffs around price and effort that have to be made when deciding whether to run Ethereum nodes from your own rig or through a cloud provider.
• What kinds of blockchain-related products Google and Microsoft intend to sell.
• Another tension between centralization and decentralization relating to projects versus products.
• The main things engineers care about when it comes to centralization versus decentralization.
• Why the debate around decentralization comes down to the performance of the architecture, not morality.
• What to expect from our upcoming conversations about Web3.

Episode 06: Show Notes

DynamoDB is a product that signaled the beginning of the cloud-specific technology revolution; Cloud 2.0, in other words. DynamoDB is a NoSQL database service that can scale from small workloads to millions of transactions all while maintaining single-digit latency. Today’s episode is all about the numerous benefits which come with using DynamoDB, including its flexibility, the rapid pace of change that it supports, DynamoDB Streams, the speed with which it fails, and more! If you, like us, are already a fan of DynamoDB, this conversation will solidify your appreciation for the product, and if you’re fearful of it because you’re used to being a ‘relational database person’, we’re hoping to change your mind about that today! 

Key Points From This Episode:

• The power of DynamoDB.
• How to make use of DynamoDB as a user of the product. 
• An explanation of one of the main benefits of DynamoDB.
• Features that have been added to DynamoDB since 2011. 
• How databases are analogous to emergency rooms.
• Why the fact that DynamoDB fails quickly helps you maintain performance for your users.
• Resources for anyone interested in NoSQL. 
• Fears that many people have around moving to a non-relational data model. 
• What Cloud 1.0 looked like. 
• How DynamoDB supports the rapid pace of change in the industry.
• The flexibility that DynamoDB provides.
• An explanation of DynamoDB Streams.
• The impact of growth on DynamoDB. 
• Equivalents of DynamoDB. 

Links Mentioned in Today’s Episode:

Marc’s Blog: “Dynamo DB’s Best Feature: Predictability.”

Deep Dive (2021)

Fundamentals of Single Table Design

This week we pivot our focus from Google Cloud to Amazon Web Services (AWS) and their annual reinvent. We take a closer look at Amazon’s serverless offerings and how it measures up against other existing services. Tuning in you’ll hear us break down our internal definition of serverless as well as Amazon Managed Streaming for Apache Kafka (MSK) and how it diverges from the serverless philosophy. We discuss Amazon MSK’s current pricing structure and how it measures up against its competitors while also reflecting on when the cost of retraining your team outweighs their hourly rate. Our conversation covers a variety of services and topics, from the features of Google Pub/Sub, to why managers need to have a firm understanding of both cost and resource trends. To learn more about Amazon, why we are big proponents of serverless, and much more, make sure you tune in today!

Key Points From This Episode:

• Some news on AWS and its annual reinvent.
• Logan’s reaction to some recent announcements including the launch of a private 5G network service.
• How a private 5G network service responds to a request from consumers.
• Some of the serverless options that AWS has announced for things like data processing and data storage.
• Why we are big fans of serverless applications.
• Our internal definition of serverless, including pricing and use cases.
• How the term serverless gets misused and diverges from our internal definition.
• Amazon MSK and how their definition of serverless diverges from our internal definition.
• Some of the reasons why Amazon MSK is can get overly expensive.
• Why an hourly charge could be more affordable than the learning curve of acquiring new skills. 
• Why managers need to be aware of both cost and resource trends.
• Why other options like Google Pub/Sub and Dataflow are more in line with the serverless philosophy.
• Amazon’s technical debt and how it is apparent in its storage.
• Get a sneak-peek into some of the topics we’ll be covering in future episodes.

Links Mentioned in Today’s Episode:

Amazon Web Services (AWS)

Amazon Managed Streaming for Apache Kafka (MSK)

Amazon MSK Pricing

Amazon EMR

Google Pub/Sub

Google DataFlow

Google Dataproc

Hadoop

Apache Spark

Episode 04: Show Notes

This week we talk about the 5th on the series of blog entries from the Developers and Practitioners big: Avoiding GCF anti-patterns part 5: How to run background processes correctly in Python.

This post identifies problems where python code calls standard libraries to put processing in the background. While this is a common practice in data centers or on the developer’s box, in a server less environment this does not work correctly.

If there is a need to have processing separate from the main thread of execution, you should use tools such a Cloud Tasks to spin off the processing.

Key Points From This Episode:

• Code is executing in a sandbox, not a machine. Forks don’t work the way you expect
• Rather than break off threads to execute, use more instantiations of the code, or hand off execution to another Cloud Function via Cloud Tasks
• Make sure you are doing code reviews to catch problems like this early
• Some speculation on the upcoming AWS re:Invent.

Don't make promises you can't keep - Using Node.ja promises correctly in Google Cloud functions

Episode 03: Show Notes

(Recorded November 18, 2021)

Today Jon and Logan discuss the recent Google Cloud blog “Avoiding GCF anti-patterns part 4: How to handle Promises correctly in your Node.js Cloud Function”, and give their own views on how to go about this. They discuss the scenario outlined in the blog, the two patterns that the blog outlines for fixing this issue, and the origins of their own biases regarding JavaScript, before explaining their own solution to this problem using TypeScript. They also explain how this issue differs from the one they discussed in the last episode ans the importance of code not just running reliably but also being readable and maintainable. Tune in to find out why Jon and Logan are biased towards taking the clouding approach to developing this code, why you should look in the DataFlow if you’re doing an ETL pipeline, why you should reconsider deploying a system based on vanilla node.js, and what you should do if you decide to do it anyway.

Key Points From This Episode:

• Recent news: The Google outage that occurred this week. 
• Today’s topic: the blog post “Avoiding GCF anti-patterns part 4: How to handle Promises correctly in your Node.js Cloud Function”
• An introduction to the scenario outlined in this blog post. 
• Jon’s biases based on his experiences with JavaScript and its evolution. (And Jon’s embarrassing memory lapse re: AJAX)
• The two patterns for fixing this issue outlined in the blog post. 
• The rest of the blog: How to write some methods for logging and integrate those into logic that’s doing the promise database call and retrieval. 
• Jon and Logan’s bias: Why are you making an asynchronous call to a database?
• How this issue differs from the one they discussed in the last episode about how to deal with API calls that could take a long time.
• Promises, their role in JavaScript, and the problem of them being conflated with “vettable” code.
• The importance of code not just running reliably but being readable and maintainable.
• Logan’s solution to this problem using TypeScript.
• Understanding the context of this code in the browser context. 
• Why Jon and Logan are biased towards taking the cloudy approach to developing this code.
• Why you should look in the data flow if you’re doing an ETL pipeline.
• Why you should reconsider deploying a system based on node.js and what you should do if you decide to do it anyway.

Tweetables:

“Writing code that’s difficult to understand, difficult to read, difficult to maintain, you are definitely doing a disservice to your future self or whoever’s in that role in the future.” — @LoganAct2 [0:12:34]

“Be lazy, be cheap. Let the infrastructure help you catch the bugs early with something like TypeScript and collect the bugs in a central place with the Cloud Operations capability ” — @JonGal [0:14:41]

Links Mentioned in Today’s Episode:

Avoiding GCF anti-patterns part 4: How to handle Promises correctly in your Node.js Cloud Function

Typescript Reference

DataFlow -

Avoiding Being Dumb

Episode 2: Show Notes

(Recorded November 4, 2021)

Welcome to episode two of the Cloud Out Loud Podcast! Today, Jon and Logan discuss a couple of blog posts; one from Corey Quinn, Chief Cloud Economist at The Duckbill Group and creator of the Last Week in AWS newsletter, which shares some very valuable insights into where cloud providers should be going in terms of introducing people to the cloud and training people about the cloud. The second is titled ‘Avoiding GCF Anti-Patterns Part 3: How to establish outbound connections correctly’, the third in a GCP Blog series on Google Cloud Function (GCF) anti-patterns, which tackles two common issues you might encounter in your monitoring and logging when making outbound HTTP requests with a GCF and how to solve them. We tease out the common thread between both these blog posts, which echoes the overall theme of this podcast: what are the cultural changes that need to occur to take advantage of the cloud and be more effective? The cloud can bring enormous benefit to your applications, to your programming workflow, but it does require mindset change!

Key Points From This Episode:

• Diving into ‘The Dumbest Dollars a Cloud Provider Can Make’ by Corey Quinn.
• How charging for training disincentivizes people from learning about cloud platforms.
• Why Jon believes that cloud providers should provide free training and pay trainers.
• Calling for training and certification to be loss leaders for cloud platforms.
• The benefits of introducing limited time offers without diminishing the value of training.
• Next: ‘Avoiding GCF Anti-Patterns Part 3: How to establish outbound connections correctly’.
• Two common problems that arise: increased error messages and expired execution times.
• How to solve for a lower error rate or lower latency, depending on your use case.
• Using Cloud Tasks or PubSub to offload your requests to another cloud service.
• Jon on the highly technical aspects of this post versus appealing to Cloud Function newbies.
• How to break up the monolithic approach that traditional developers tend to take.
• What Corey Quinn’s post and the GCP Blog post have in common: adopt not only new skills and knowledge, but new mindsets and culture too!
• The ability and responsibility developers have to leverage the power of managed services.
• Final thoughts: the cloud is powerful and, like all powerful things, treat it like a chainsaw!
• Updates from the world of Web 3.0, the Metaverse, and NFTs.

Tweetables:

“Charging people for training and not paying trainers would be chasing after pennies and ignoring dollars.” — @JonGal  [0:03:27]

“The revenue that you may be gaining by charging for the [training] as a cloud provider is pretty small compared to the benefits that training can bring to driving future revenue for the cloud with organizations that are receiving the training.” — @LoganAct2  [0:04:57]

“Between increased error rates and increased latency, a common pattern for improving the performance of your Cloud Functions is to offload your requests to another cloud service.” — @LoganAct2 [0:09:33]

“The world is different in the cloud. Not only do you have to acquire new skills and knowledge, you have to acquire new [mindsets], possibly new [cultures] within your company.” — @JonGal [0:13:27]

Links Mentioned in Today’s Episode:

Reviewing What Not to do with Google Cloud Functions and Cloud Run

Episode 1: Show Notes.

(Recorded October 28, 2021)

Welcome to the very first installment of Cloud Out Loud! For our first show, we catch up on some recent news, including our thoughts on Facebook’s ambitious plans for their new metaverse and its accompanying data requirements. Next, we dive into our main topic, namely some of the new developments regarding Google Cloud Functions and Google Cloud Run. We take a look at recent blog posts from Google Cloud Next and discuss what they reveal about data storage and the future of Google Functions and Google Cloud Run. Our conversation also touches on Google’s presence in the cloud and data space, how they measure up against other behemoths like Amazon and Facebook, and why the way Google approaches storage through a system called Colossus is profoundly different from other players in the field. We wrap up our discussion with some thoughts on web three along with a sneak peek into future episodes. For all this and much more, tune in today!

Key Points From This Episode:

• A recap of the news of the week including an update on Cloud Next and our thoughts on some of the product announcements.
• Facebook’s ambitious metaverse and its accompanying data challenges.
• The two blog posts that Google released about Cloud Functions.
• How these blog posts inform a discussion on Cloud Functions versus Cloud Run.
• The two blog posts on avoiding GCF anti-patterns.
• How to write event-driven Cloud Functions properly by coding with idempotency in mind.
• How to reuse Cloud Function instances for future invocations.
• The trade-off between speed of execution, running out of memory, and unintentionally bloating yourself. 
• The convergences between Cloud Functions and Cloud Run.
• Some of the separate use cases for these two products.
• Our predictions for Cloud Functions and Cloud Run remaining separate products.
• Some quick thoughts and opinions from our hosts on web three.

Tweetables:

“The way Google stores things through a system called Colossus is profoundly different from everybody else. And Google had to develop this Colossus because they encountered huge amounts of data early on.” — @JonGal [0:05:03]

“We do see some convergence with Cloud Functions and Cloud Run. But they still are, I believe, separate use cases for these two products…” — @LoganAct2 [0:20:29]

Links Mentioned in Today’s Episode:

The Paper Jeff Barr tweeted about

Google Cloud Functions

Google Cloud Run

Google Cloud Next

Avoiding GCF anti-patterns part 1: How to write event-driven Cloud Functions properly by coding with idempotency in mind

Avoiding GCF anti-patterns part 2: How to reuse Cloud Function instances for future invocations

BigQuer

What To Expect From This Podcast with Logan and Jon Gallagher

Episode 0: Show Notes.

(Re-Recorded January 6, 2022)

Welcome to the very first episode of Cloud Out Loud, a podcast hosted by Jon and Logan Gallagher that reviews cloud computing trends from the lens of humans and culture. Gone are the days when hosting a production server meant building racks and starting an on-premise data center. The cloud has opened up the possibility for unlimited computing, storage, and networking. While this is incredible, it also means we have developed a tool that we don’t fully understand the capacity of yet! The revolutionary nature of the cloud points to the fact that profound shifts need to be made culturally within organizations in order to take advantage of it. Suddenly, decisions need to consider storage, networking, computing, and security, which heralds the end of siloing. It is with considerations like this in mind that we decided to launch Cloud Out Loud. We are really excited about this project and look forward to going on this journey with you in all the future episodes!

Key Points From This Episode:

• Introducing listeners to ourselves and what we aim to achieve with this show.
• The experience Logan has in the cloud space, and of the needs of users and developers.
• Jon’s background in cloud architecture and perspectives on how revolutionary it is.
• Stating our intention to review developments in the cloud and focus on Google and AWS.
• Educating companies about the changes they need to make based on how revolutionary the cloud is.
• How the cloud necessitates that decisions consider storage, networking, computing, and security.
• Our aim: To look at developments in the cloud through the lens of humans and culture.
• How the abstraction provided by the cloud allows us to wrestle with different questions like privacy. 

Tweetables:

“I have gotten to touch a lot of different areas of the cloud space as well as multiple different cloud platforms, seeing their strengths, weaknesses, and where the real potential is.” — @loganact2 [0:01:30]

“Our experience in using the cloud and the capabilities of the cloud point us to the fact that we are opening up a tool that we don’t know the potential of yet.” — @JonGal [0:03:40]

“You are going to hear us talk about this a lot. What are the cultural adaptations and changes that need to be made in order to truly take advantage of the cloud?” — @JonGal [0:04:58]

“Humans and culture are going to be a big lens through which we view many cloud news stories and events.” — @loganact2 [0:05:09]

Links Mentioned in Today’s Episode:

Logan Gallagher on Twitter

Logan Gallagher on LinkedIn

Jon Gallagher on Twitter

Jon Gallagher on LinkedIn

Nube De Helado