[2021 kcdc] lessons learned from enterprise cloud securty programs

This post is my live blog from KCDC. For more, see the 2021 KCDC live blog TOC

Speaker:Karl Ots

Twitter @karlgots

Book: Azure Security Handbook

————————-

Cloud Security

  • Need cloud native security – specific to cloud provider using
  • ”Cloud can be as safe or unsafe as what you did before”

Shared responsiblity

  • Customer responsiblity: data, endpoints
  • Shared responsiblity: identity, application, os/middleware, network
  • Cloud provider responsiblity: physical

Security Program

  • Need to balance speed/“shadow cloud” (someone signing up for their own cloud account) with existing security requirements/eisting EA, lack of security awareness
  • Phases – cloud straegy, governance model, security, guidelines (ex: implementation guidelines and refernee architecture)
  • Cloud security framework defines architecture, policies and controls to secure cloud envrionment
  • Don’t be a generic list of controls. Just be tailored. Doesn’t make sense to apply anything. Cloud security alliance has a list of about 200 sample controls. Don’t just go thru a list of controls in Excel.
  • Terraform (or other tools) typically built by subject matter experts. Ex: database expert writes terraform module for database security
  • Certified products/platform concept – if you use products/components/tools that are pre-approved, can get through security faster. Vetted already

Identity and Access Management (IAM)

  • Integrate with existing IAM processes
  • DevSecOps CI/CD deloys using Azure AD ideneity to application resources. Other identities to actuall run (but not deploy and change things).
  • Need to be able to provide the CI/CD credentials not available/used by others
  • Create a vending machine type system so have to request things. ex: give me a X. Makes automated to request things

Detection and Monitoring

  • Need to enforce logging across landing zone and anything deployed
  • Centralize logs.
  • Ok to have temporary copy as well to focus on new info. Also some alerts verbose and ony want to monior key ones
  • Can build custom alerts, but doesn’t scale. If 10K Azure resources all with own logs, can be unmanagable.
  • Integrate with your SIEM an SOC
  • Separate resource logs (ex: who accessed X) and application logs (what developers log)

Network security

  • Cross subscription, cross region and cross cloud
  • Traffic from platform and infrastructure as a service + app level
  • Can grant access through
    • RBAC in the subnet – fast to do, but dev has to do it
    • Pre-provisioned NICs – medium, thru centralized cloud operations
    • Outside Azure/cloud – slow, thru centralized ops

Supply chain

  • New attack with pre-provisioned agent https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

My take

I’ve learned/used AWS. The speaker is an Azure expert. He tried to make the presentation as cloud agnostic as possible. It was realy good for me to see how much is common across clould providers. It was goo to understand how things I’m doing fit into the bigger picture and something I wish we did differently

Live blog kcdc table of contents

My first post pandemic real life in person conference. So excited. I’ll be live blogging as I attend sessons from here. They said attenendance is about half of what it was pre-COVID. (They had about 1000 people.) I like that they had stickers with whether you felt comfortable with a handshake, fist bump or waving.

Wednesday

Thursday

Friday

After

My live coding experiment