DEF CON 29 Blue Team Village - Henry - How do you ALL THE CLOUDS

If you think I'm shouting something about security strategy for a multi-cloud environment...it's because I AM. Secure your dangling DNS records. Your object storage is showing. I can see your compute workload from here. Get your security groups straight. Have you seen the laundry list of accounts no one has performed nary an IAM credential analysis? Are your analytic processes hamstrung and kludgey from, you know, being cloudy? Don't know to even assess your options? Let's talk about how to evaluate cloud security tools and the considerations you need to make for your enterprise. By now, every company should not only be aware of the cloud but actively using it to some degree—whether run by your IT department or, unofficially, by your engineering teams and sales organizations itching to invite a script kiddie to pluck your precious intellectual property—I mean, POC and strut their stuff that they can take their security and IT matters into their own hands. Either way, you need a strategy or a clue. One is good. Both are better. Tying them together is best. In this talk, I'll cover a number of random things. The generic reasons why many teams want to use cloud accounts. The common gotchas that may improve or disrupt your obviously super awesome demo for your customer, boss, team. Or just to actually do real work and expand your organization's compute demand en masse. The focus will be addressing the technical gotchas in managing, monitoring, and assessing the security needs against the "business" needs for your organization: engineering, IT, and compliance. Operationally, you'll hit a breaking point. Too many users, too many accounts, too many workloads hammering your cloud interface. I'll focus primarily on AWS but also generically cover the other major Cloud Service Provider flavors, as, in the end, it's all the same: your org may have gotten wind that there are other cloud accounts and they just wanted to play with ALL OF THEM. How do you corral these little beasts? Tools. Technology. Processes. I'll focus on open source tools like Prowler and ScoutSuite, touch some for closed source, but you'll still need to understand how to operationally point, aim, and fire to make it scale for you. In my experience, there's a certain level of "je ne sais quoi" element to getting to a comfortable level in overseeing the management of all these cloud accounts. I'll probably spend the balance of the time critiquing each tool in the end and present pros/cons and likely scenarios for you/your team/your org's maturity here to help you to drive your choice. Who knows, maybe I'll talk about my own open-source spin on things!