Episode 3: Cloud Configuration Pitfalls
Attendees Guest: Evgeny Zislis Guest title: CTO Company: ProdOPS Abstract Over 90% of IaaS/PaaS security incidents happens on consumer fault. Cloud platforms are complicated, with steep learning curve and it is easy to make mistakes. In this podcast, we talk with Evgeny Zislis, CTO for ProdOPS about the common IaaS/PaaS security mistakes and misconfigurations, categorize them and talk about measures to reduce those mistakes and identify them on time. Timing: 0:00 – 2:10 - intro and introducing our guest 2:10 - 31:05 - What are the common cloud misconfiguration and mistakes Improper security group configuration Object storage negligence - open buckets on s3 Insecure storing of API/Access Keys - config file in open Github repo is not the best place to store access keys Vulnerable servers exposed (exposing your 5 years old, not updated linux server is not recommended) Fail to segregate different services into different accounts / vpc / subnets Everyday use of root account and relying on one account only 31:05 - 34:20 Avoiding cloud misconfigurations: the process angle 34:20 - 38:33 Avoiding cloud misconfigurations: the people angle 38:33 - 49:00 Avoiding cloud misconfigurations: the technology angle 49.00 – 52:00 Summary and conclusions