I do cloud security things. And cloud things. And security things. And things. Big fan of space invaders. 👾👾👾
Social Media: @firstname.lastname@example.org
Nothing here is guaranteed to be correct, accurate, or helpful.
Temporal Technologies, Inc.
I was the second hire to Temporal’s security team in 2022. I’ve done baseline cloud security work, along with a lot of other tasks that will ultimately pay off, such as owning DNS and Domain Name registration. I implemented just-in-time access with Common Fate.
I was the second hire to Twilio’s Cloud Security team. The company grew 20x from 2015-2022, an absolutely meteoric rise. I learned a lot from a company that grew so fast, everything was stretched to the breaking point. I grew the cloud security team from just me to managing a dozen people in seven timezones. (I do not recommend directly working with humans in that many timezones.)
Intuit was going to go all-in on AWS, and to do that, a cloud security specific team was needed. AWS was very different a decade ago. We didn’t have SCPs or Organizations at all. But we did have VPCs, and we could name most of the services without trying too hard.
One of the hardest parts of working in a cloud environment is the unstable ground we build on. While the APIs themselves are usually quite stable, the actual implementation of those APIs in the cloud provider’s systems can— and do— frequently change. What were once safe assumptions and architectures can, and have, been broken by updates to services.
something worth pursuing as a strategy, a debate which is finally beginning to coalesce around the answer: “Yes”
I have some news for you, and it’s the first thing I wish I would have known — your organization already has multiple accounts. You just might not know about them.
There are a variety of reasons this strategy is one to officially support and encourage. In this talk, I will cover each of them. More accounts can make your organization more secure, more resilient, grant better control over data and encryption keys which are subject to multiple and increasing compliance regimes, and more. All of these reasons are good ones from a security practitioners perspective, but none of the previous reasons are necessarily good enough to convince the rest of your organization. I wished someone had told me budgetary controls and growth planning were more convincing, if less exciting, arguments to push for a multi-account strategy.
I have made a number of mistakes in this journey, some of which I will cover in this talk, including the reasons why you need to adopt a multi-account strategy, how to convince others to join you, the benefits you get from having multiple accounts both security and not, and the technical concerns that will need to be addressed along the way to keep everything functioning. All of these things and more I wished someone had told me before embarking on my current multi-account journey. Now, I’m ready to share my experience with others so you don’t have to make the same mistakes.
Cloud computing security response is no different to servers racked in a regular datacenter, except for a key difference: When a server is breached, and the need exists to perform a forensic evaluation of that server, the responder has no idea where, or what, that server is. The very first steps of imaging a disk need to be rethought in an environment where disks are of variable sizes and capabilities, and are only exposed via APIs. Many things which are taken for granted in the physical world are implementation details in the cloud. Recent product launches in AWS, such as the next-generation of EC2 instances which access EBS in a different manner, as well as bare-metal instances, have changed some of these implementation details— which potentially changes what an incident responder may encounter.