Maya Kaczorowski

Security PM. Cryptography nerd. Puzzle and ice cream lover.

Maya is a Product Manager in Security B2B. She was mostly recently at GitHub in software supply chain security, and previously at Google working on container security, and encryption at rest and encryption key management. Prior to Google, she was an Engagement Manager at McKinsey & Company, working in IT security for large enterprises. She completed her Master's in mathematics focusing on cryptography and game theory. She is bilingual in English and French.

Outside of work, Maya is passionate about ice cream, making ice cream for friends at home, attending the Penn State Ice Cream Short Course in January 2014, and researching ice cream headaches. She also enjoys puzzling, running, and reading nonfiction.


Upcoming events


GitHub Universe

December 8-10, 2020


Open Core Summit

December 16-18, 2020


Prior events


Blog posts

September 24, 2020

Lightning Q&A: DevSecOps in five with Maya Kaczorowski

Last month, GitHub Supply Chain Security Product Manager Maya Kaczorowski explained what DevSecOps is and security best practices for development teams. We had some follow up questions, so we asked her back for a lightning Q&A—a quick deep dive on why DevSecOps matters for developers, and how to apply it to the developer workflow. 

August 13, 2020

Secure at every step: A guide to DevSecOps, shifting left, and GitOps

DevSecOps, shifting left, and GitOps: you’ve probably heard all of these terms recently, but you might not be sure about what they mean. The reality is that these practices share a lot of the same principles—to reduce the time developers need to spend on security, while achieving better outcomes. And who doesn’t want that? Let’s clear up some confusion and deconstruct what these terms mean, and how they apply to your security and development teams.

August 04, 2020

Secure at every step: How GitHub’s dependency graph is generatedWrite a catchy title...

With the accelerated use of open source, your project likely depends on hundreds of dependencies—203 package dependencies per repository on average, to be exact. How can you actually tell what dependencies your application has? Copy-pasting examples from documentation or Stack Overflow is just the gateway to pulling in a dependency—no one wants to rewrite a function if it already exists (especially in Java). But just because you didn’t write the code doesn’t mean that dependencies don’t require work from you. After all, open source is free, like a puppy is free.

July 23, 2020

Secure at every step: Show your dependencies some love with updates

How many of us have ignored a software update, indefinitely clicking “Remind me later” and never quite getting around to it? Unfortunately, it’s pretty common. Not only are you missing out on the latest features, but you’re also putting yourself at risk if new security issues are discovered.

For dependencies in your code, it’s the same thing. Delaying dependency version updates doesn’t mean the update goes away, unfortunately—it just makes it even harder to address down the line. If an update doesn’t include a security patch, though, is it still okay to delay it? In fact, even when updates don’t address known vulnerabilities, regularly updating your dependencies improves your security.

January 15, 2020

Exploring container security: Announcing the CIS Google Kubernetes Engine Benchmark

If you’re serious about the security of your Kubernetes operating environment, you need to build on a strong foundation. The Center for Internet Security’s (CIS) Kubernetes Benchmark give you just that: a set of Kubernetes security best practices that will help you build an operating environment that meets the approval of both regulators and customers. 

The CIS Kubernetes Benchmark v1.5.0 was recently released, covering environments up to Kubernetes v1.15. Written as a series of recommendations rather than as a must-do checklist, the Benchmarks follows the upstream version of Kubernetes. But for users running managed distributions such as our own Google Kubernetes Engine (GKE), not all of its recommendations are applicable. To help, we’ve released in conjunction with CIS, a new CIS Google Kubernetes Engine (GKE) Benchmark, available under the CIS Kubernetes Benchmark, which takes the guesswork out of figuring out which CIS Benchmark recommendations you need to implement, and which ones Google Cloud handles as part of the GKE shared responsibility model.

January 14, 2020

Securing open-source: how Google supports the new Kubernetes bug bounty

At Google, we care deeply about the security of open-source projects, as they’re such a critical part of our infrastructure—and indeed everyone’s. Today, the Cloud-Native Computing Foundation (CNCF) announced a new bug bounty program for Kubernetes that we helped create and get up and running. Here’s a brief overview of the program, other ways we help secure open-source projects and information on how you can get involved.

January 14, 2020

Announcing the Kubernetes bug bounty program

Today, the Kubernetes Product Security Committee is launching a new bug bounty program, funded by the CNCF, to reward researchers finding security vulnerabilities in Kubernetes.

January 10, 2020

Exploring container security: Navigate the security seas with ease in GKE v1.15

Your container fleet, like a flotilla, needs ongoing maintenance and attention to stay afloat—and stay secure. In the olden days of seafaring, you grounded your ship at high tide and turned it on its side to clean and repair the hull, essentially taking it “offline.” We know that isn’t practical for your container environment however, as uptime is as important as security for most applications. 

Here on the Google Kubernetes Engine (GKE) team, we’re always hard at work behind the scenes to provide you with the latest security patches and features, so you can keep your fleet safe while retaining control and anticipating disruptions.

As GKE moved from v1.12 to v1.15 over the past year, here’s an overview of what security changes we’ve made to the platform, to improve security behind the scenes, and with stronger defaults, as well as advice we added to the GKE hardening guide.

December 17, 2019

BeyondProd: How Google moved from perimeter-based to cloud-native security

At Google, our infrastructure runs on containers, using a container orchestration system Borg, the precursor to Kubernetes. Google’s architecture is the inspiration and template for what’s widely known as “cloud-native” today—using microservices and containers to enable workloads to be split into smaller, more manageable units for maintenance and discovery.

Google’s cloud-native architecture was developed prioritizing security as part of every evolution in our architecture. Today, we’re introducing a whitepaper about BeyondProd, which explains the model for how we implement cloud-native security at Google. As many organizations seek to adopt cloud-native architectures, we hope security teams can learn how Google has been securing its own architecture, and simplify their adoption of a similar security model.

November 27, 2019

Exploring container security: Day one Kubernetes decisions

Congratulations! You’ve decided to go with Google Kubernetes Engine (GKE) as your managed container orchestration platform. Your first order of business is to familiarize yourself with Kubernetes architecture, functionality and security principles. Then, as you get ready to install and configure your Kubernetes environment (on so-called day one), here are some security questions to ask yourself, to help guide your thinking.

October 31, 2019

Exploring container security: Use your own keys to protect your data on GKE

At Google Cloud, we already encrypt data at rest by default, including data in Google Kubernetes Engine (GKE). However, we understand that you may need additional controls over encryption in GKE, especially for sensitive data that is used or accessed by applications running there.

August 30, 2019

Kubernetes security audit: What GKE and Anthos users need to know

Kubernetes reached an important milestone recently: the publication of its first-ever security audit! Sponsored by the Cloud Native Computing Foundation (CNCF), this security audit reinforces what has been apparent to us for some time now: Kubernetes is a mature open-source project for organizations to use as their infrastructure foundation.

April 25, 2019

Containing our enthusiasm: All the Kubernetes security news from Google Cloud Next ‘19

At Google, we like to think of container security in three pillars: Secure to develop (infrastructure security protecting identities, secrets and networks); secure to build and deploy (vulnerability-free images, verification of what you deploy); and secure to run (isolating workloads, scaling, and identifying malicious containers in production). These pillars cover the entire lifecycle of a container, and help ensure end-to-end security.

We’ve been hard at work to make it easier for you to ensure security as you develop, build, deploy, and run containers, with new products and features in Google Kubernetes Engine and across Google Cloud. Here’s what we recently announced at Next ‘19, and how you can use these for your container deployments—so there’s less cryptojacking, and more time for whale watching, as it were.

March 29, 2019

Exploring container security: the shared responsibility model in GKE

Security in the cloud is a shared responsibility between the cloud provider and the customer. Google Cloud is committed to doing its part to protect the underlying infrastructure, like encryption at rest by default, and in providing capabilities you can use to protect your workloads, like access controls in Cloud Identity and Access Management(IAM). As newer infrastructure models emerge, though, it’s not always easy to figure out what you’re responsible for versus what’s the responsibility of the provider. In this blog post, we aim to clarify for Google Kubernetes Engine (GKE) what we do and don’t do—and where to look for resources to lock down the rest.

March 12, 2019

Exploring container security: four takeaways from Container Security Summit 2019

Container security is a hot topic, but it can be intimidating. Container developers and operators don’t usually spend their days studying security exploits and threat analysis; likewise, container architectures and components can feel foreign to the security team.

Dev, ops, and security teams all want their workloads to be more secure (and make those pesky containers actually “contain”!); the challenge is making those teams more connected to bring container security to everyone. The theme of the 2019 Container Security Summit was just that: “More contained. More secure. More connected.”

February 07, 2019

Exploring container security: Encrypting Kubernetes secrets with Cloud KMS

At Google Cloud, we care deeply about protecting your data. That’s why we encrypt data at rest by default, including data in Google Kubernetes Engine (GKE). For Kubernetes secrets—small bits of data your application needs at build or runtime—your threat model might be different, so storage-layer encryption is insufficient. Today, we’re excited to announce in beta GKE application-layer secrets encryption, using the same keys you manage in our hosted Cloud Key Management Service (KMS).

December 19, 2018

Exploring container security: Let Google do the patching with new managed base images

As a Google Kubernetes Engine (GKE) user, you already enjoy the choice of several operating system (OS) images for your nodes, which we maintain and update for you behind the scenes, notably Container-Optimized OS (COS) and Ubuntu. You bring your own container images for your workloads, based on your needs. Today, we're expanding our support for container images as well, with managed base images that you can use as a starting point when building your applications.

December 10, 2018

Exploring container security: How containers enable passive patching and a better model for supply chain security

Adopting containers and container orchestration tools like Kubernetes can be intimidating to anyone, but if you’re on the security team, it can feel like yet another technology that you’re now responsible for securing. We talk a lot about how to secure containers and avoid common containers security pitfalls (for example, in the other blog posts in this series), but did you know that you can use containers to improve your overall security posture?

December 10, 2018

Exploring container security: This year, it’s all about security. Again.

Earlier this year at KubeCon in Copenhagen, the message from the community was resoundingly clear: "this year, it's about security". If Kubernetes was to move into the enterprise, there were real security challenges that needed to be addressed. Six months later, at this week’s KubeCon in Seattle, we’re happy to report that the community has largely answered that call. In general, Kubernetes has made huge security strides this year, and giant strides on Google Cloud. Let’s take a look at what changed this year for Kubernetes security.

May 11, 2018

Exploring container security: Isolation at different layers of the Kubernetes stack

To conclude our blog series on container security, today’s post covers isolation, and when containers are appropriate for actually, well... containing. While containers bring great benefits to your development pipeline and provide some resource separation, they were not designed to provide a strong security boundary.

May 03, 2018

Exploring container security: Using Cloud Security Command Center (and five partner tools) to detect and manage an attack

If you suspect that a container has been compromised, what do you do? In today’s blog post on container security, we’re focusing in on container runtime security—how to detect, respond to, and mitigate suspected threats for containers running in production. There’s no one way to respond to an attack, but there are best practices that you can follow, and in the event of a compromise, we want to make it easy for you to do the right thing.

March 29, 2018

Exploring container security: An overview

Containers are increasingly being used to deploy applications, and with good reason, given their portability, simple scalability and lower management burden. However, the security of containerized applications is still not well understood. How does container security differ from that of traditional VMs? How can we use the features of container management platforms to improve security?

March 08, 2018

Cryptography, Cloud and Equality: a Q&A with Google Security expert Maya Kaczorowski

It's never been more critical that we give our young girls the tools they need to become the technology builders of tomorrow. One of the ways we can better equip them, is by exposing young women to how their future studies could directly apply in the real world and make them aware of the exciting career opportunities in STEM. In the hopes of doing just that, we’ve sat down for an interview with one of own trailblazers, Montrealer Maya Kaczorowski, a Product Manager at Google in Security & Privacy. 

February 27, 2018

New research: How to evolve your security for the cloud

This week, McKinsey released a report titled “Making a secure transition to the public cloud,” the result of interviews with IT security experts at nearly 100 enterprises around the world. Leveraging the expertise of Google Cloud and McKinsey security experts, the research presents a strategic framework for IT security in cloud and hybrid environments, and provides recommendations on how to migrate to the cloud while keeping security top of mind.

December 13, 2017

How Google protects your data in transit

Protecting your data is of the utmost importance for Google Cloud, and one of the ways we protect customer data is through encryption. We encrypt your data at rest, by default, as well as while it’s in transit over the internet from the user to Google Cloud, and then internally when it’s moving within Google, for example between data centers.

We aim to create trust through transparency, and today, we’re releasing a white paper, “Encryption in Transit in Google Cloud,” that describes our approach to protecting data in transit.

March 15, 2017

Cloud KMS GA, new partners expand encryption options

As you heard at Google Cloud Next ‘17, our Cloud Key Management Service (KMS) is now generally available. Cloud KMS makes it even easier for you to encrypt data at scale, manage secrets and protect your data the way you want — both in the cloud and on-premise. Today, we’re also announcing a number of partner options for using Customer-Supplied Encryption Keys.

Cloud KMS is now generally available.

January 11, 2017

Managing encryption keys in the cloud: introducing Google Cloud Key Management Service

Google has long supported efforts to encrypt customer data on the internet, including using HTTPS everywhere. In the enterprise space, we're pleased to broaden the continuum of encryption options available on Google Cloud Platform (GCP) with Cloud Key Management Service (KMS), now in beta in select countries.

August 01, 2016

How Google protects your data: Customer-Supplied Encryption Keys for Compute Engine goes GA!

Control over data or agility of the cloud? Why not both? We are pleased to announce that Customer-Supplied Encryption Keys (CSEK) for Compute Engine is now generally available, allowing you to take advantage of the cloud while protecting your Google Compute Engine disks with keys that you control.

Google Cloud Platform (GCP) automatically encrypts customer content stored at rest, including all Compute Engine disks, using one or more encryption mechanisms. We use encryption to help keep your data private and secure. You can learn more by reading our whitepaper, “Encryption at Rest in Google Cloud Platform,” which takes an in-depth look at encryption at rest across GCP.

Please reload


"what's my job? i try to get security people to give a sh*t about containers"

©2020 | Maya Kaczorowski |