RSAC 2022 Session Wrap Up Series: Cloud Security & CloudSecOps


Posted on by RSAC Editorial Team

In this six-part blog series, the RSAC editorial team highlights the six buzz topics featured at RSAC 2022. Each blog will highlight one of the most popular topics and trends seen within related sessions. Our fifth topic is cloud security & CloudSecOps.

Security Industry Call-to-Action: We Need a Cloud Vulnerability Database
Pete Chronis, SVP, CISO at ViacomCBS
Ami Luttwak, Chief Technology Officer & Co-Founder at Wiz
John Yeoh, Global Vice President of Research at Cloud Security Alliance

This trio examines the security world of the pre-cloud era, the security cloud era that we have today, and how they differ in terms of vulnerabilities. In the pre-cloud era, users were fully responsible for the security of their hardware, network, servers, identities, and everything else. Security in the cloud era means cloud vendors shouldered responsibility for physical security, servers, network, hardware, managed services, and storage, while cloud users are responsible for application (CVEs), configuration, identities, and data.

The problem is that cloud vulnerabilities are different. There are new classes of vulnerability that are not software bugs, such as configuration and identity vulnerabilities. Software owned by cloud providers has no customer-facing patching process and no software version to track, and remediation steps are complex.

Continuous Security—Integrating Pipeline Security
Vandana Verma Sehgal, Security Relations Leader at Snyk

Sehgal led her session by mentioning that the age-old battle of developers versus security versus operations still exists. Integrating security practices with the DevOps process can still be painful. DevSecOps fosters a blameless culture and focuses on the secure delivery of software.

You don’t BUY DevSecOps; you DO DevSecOps, says Sehgal. DevSecOps is an approach, a mindset, and a combination of culture, process, and technology.

Security practices must keep up with the agile pace of the cloud era. A successful program starts with the people and culture: training and awareness, explaining and embracing new ways of working, and equipping teams and individuals with the right level of ownership and tools. The new wave of CloudSecOps is a security-first approach.

Cloud Security: How to Defend Healthcare Data in the Cloud
Sai Gunaranjan, Principal Architect at Veradigm
Kyler Middleton, Cloud IAM Advocate at IAM Pulse

Digging right into the platform readiness stage, Gunaranjan and Middleton broke down AWS, Azure, and DevOps into readiness checklists on how to defend healthcare data in the cloud:

Cloud Platform Readiness Checklist for AWS: (1) Infrastructure as Code bootstrapping, (2) Flow logs and control plane logs aggregation, (3) Private network segmentation by environment and product, (4) CloudFront + Web Application Firewall (WAF)
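As an added illustration of the four AWS checklist items above (this is not code from the session or the speakers), the Terraform below expresses each item as infrastructure as code. It assumes a VPC named `main`, an S3 log bucket named `logs`, and a `us_east_1` provider alias are declared elsewhere; every resource and bucket name is a placeholder.

```hcl
# Added example mapping the AWS readiness checklist to Terraform.
# Assumes aws_vpc.main, aws_s3_bucket.logs and provider alias aws.us_east_1
# exist elsewhere; all names are placeholders.

# (1) IaC bootstrapping: remote, encrypted, locked state so the baseline is
# reproducible and reviewed like any other code change.
terraform {
  backend "s3" {
    bucket         = "PLACEHOLDER-tfstate"
    key            = "platform/baseline.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "PLACEHOLDER-tflock"
  }
}

# (2) Flow logs: accepted AND rejected traffic for the VPC goes to the log
# bucket, so denied connections are visible to detection tooling.
resource "aws_flow_log" "vpc" {
  vpc_id               = aws_vpc.main.id
  traffic_type         = "ALL"
  log_destination_type = "s3"
  log_destination      = aws_s3_bucket.logs.arn
}

# (2) Control-plane logs: one multi-region trail with log file validation so
# tampering with delivered logs is detectable. The bucket still needs a
# policy that allows CloudTrail to write (not shown).
resource "aws_cloudtrail" "main" {
  name                          = "org-trail"
  s3_bucket_name                = aws_s3_bucket.logs.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
}

# (3) Segmentation: one private subnet per environment/product, never a
# public IP on launch. Egress goes through a NAT gateway (not shown).
locals {
  segments = {
    "prod-ehr"    = "10.10.0.0/24"
    "staging-ehr" = "10.20.0.0/24"
  }
}

resource "aws_subnet" "private" {
  for_each                = local.segments
  vpc_id                  = aws_vpc.main.id
  cidr_block              = each.value
  map_public_ip_on_launch = false
  tags                    = { Name = each.key }
}

# (4) CloudFront + WAF: a CLOUDFRONT-scoped web ACL must live in us-east-1.
# It applies the AWS managed Common Rule Set and records metrics and samples.
resource "aws_wafv2_web_acl" "edge" {
  provider = aws.us_east_1
  name     = "edge-acl"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "aws-managed-common"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "edge-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_cloudfront_distribution" "app" {
  enabled    = true
  web_acl_id = aws_wafv2_web_acl.edge.arn # WAFv2 ACLs attach by ARN

  origin {
    domain_name = "app-origin.example.internal" # placeholder origin
    origin_id   = "app"
  }

  default_cache_behavior {
    target_origin_id       = "app"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

The value of expressing the checklist this way is that each item becomes a reviewable diff: a pull request that drops `traffic_type = "ALL"` to `"ACCEPT"`, flips `map_public_ip_on_launch`, or removes the `web_acl_id` attachment is visible before it reaches the account, which is the CloudSecOps point the sessions in this series keep returning to.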

For Azure: (1) Management groups, (2) Custom RBAC definitions, (3) Centralized logging, (4) Deploy Azure policies, (5) Deploy Azure Defender for Cloud/Azure Sentinel

DevOps Platform Readiness Checklist: (1) Remove public agent access, (2) Enable only trusted actions and extensions, (3) Remove access to host public pages or repos, (4) Integrate with an IdP solution to use corporate credentials

Read all of the series:

RSAC 2022 Session Wrap Up Series: Analytics, Intelligence & Response

RSAC 2022 Session Wrap Up Series: Cloud Security & CloudSecOps

RSAC 2022 Session Wrap Up Series: Security Strategy & Architecture

RSAC 2022 Session Wrap Up Series: Risk Management & Governance

RSAC 2022 Session Wrap Up Series: Hackers & Threats

RSAC 2022 Session Wrap Up Series: Zero Trust

Contributors
RSAC Editorial Team

Editorial, RSA Conference
