You know, usually when we talk about moving into a brand new, state of the art luxury high rise, there is this expectation of well, total safety. Right if you walk in, you see the security guard stationed in the marble lobby, you see the key card scanners on the elevators, the thick concrete wall.
Seems naturally assume, hey, I'm safe here. They have got those handled exactly.
You just think it's covered. But then you realize something terrifying. Yes, the building management secures the lobby. I mean they check the IDs at the front desk, but you left your actual apartment door wide open. Oh yeah, and your personal safe city right there in your closet is just completely unlocked. Yeah. Suddenly that feeling of total security is well, it's just an illusion. You're looking at a security landscape that you have entirely misunderstood.
It is the absolute definition of a false sense of security, and you know it perfectly mirrors the biggest misconception in digital infrastructure today. We see a massive, multi billion dollar tech company hosting our data, and we assume that because their lobby is secure, our apartment is too.
Welcome to the deep dive. That illusion of safety you just described That is exactly what we are unpacking today. We're looking at Chris Dotson's guide Practical Cloud Security, a guide for secure design and deployment. It's such an essential read, it really is, and our mission today is to take his framework, strip away all that dense, intimidating jargon, and just uncover the practical, everyday strategies used to protect digital assets.
We are going to explore everything from managing your risk to tracking down these ticking time bombs of forgotten servers.
Because while the cloud fundamentally changes how we secure things, you know, stripping away those physical walls and concrete barriers we just talked about, the why remains deeply rooted in common sense. Yeah, the underlying logic of security hasn't changed at all, just the execution.
So if you're listening to this and you have ever felt completely overwhelmed by the idea of cloud security, I mean you are definitely not alone. There is a twenty seventeen baracouta network survey referenced in our sources that is just wild to make.
Oh the responsibility one.
Yes, seventy seven percent of it. Decision makers wrongly believe that cloud providers are fully responsible for securing customer data.
It's just a staggering statistic, seventy seven percent. It shows a fundamental industry wide misunderstanding of what we call the shared responsibility model.
Right because in an old school on premises it environment, the company handles absolutely everything right exactly.
You buy the servers, you hire the guards, you lock the doors. But in the cloud, there is a literal line of demarcation, and that line, well, it moves depending on what kind of service you were actually paying for.
Okay, let's unpack this. Let's think about this like ordering pizza. I think this is the best way to visualize it. So imagine you want pizza tonight. Okay, let me keep the traditional on premises world is like making that pizza completely from scradge. At home. You buy the dough, the sauce, the cheese, You provide the oven, the dining table, the electricity, the soda, right, the soda. You have complete flexibility if you want an anchovy and cinnamon pizza, I mean gross,
but you could do it. But you do all the work and you clean up the mess exactly.
Now, let's step up to the first tier of the cloud, which is infrastructure as a service or I This is the taken bake model.
Okay, taken bake.
Yeah, you go to the grocery store and they provide the prepared dough, the sauce, and the cheese. In the digital world, that's the physical infrastructure and the virtualized environment.
Got it.
But you still have to take it home, bake it yourself, and provide the dining table and drinks. So you are responsible for patching the operating system, managing network security, and most importantly, protecting the data.
Okay, So then we move to platform as a service pass. This is pizza delivery. Yeah, they bake it, they bring it to your door in a cardboard box. They're managing the operating system in the middle, where you just provide the table and eat it. Right. And finally, software is a service sauce. This is dining out at a restaurant. Everything is done for you, the physical infrastructure of the cooking, the table, service doing the dishes.
But and this is the critical part where that seventy seven percent of it leaders get it wrong. Even in a sauce model, even when you are dining at the restaurant, there is still a shared responsibility.
Right because they just make the food.
Exactly the restaurant provides a safe, clean environment and fully cooked food, but they are not responsible for how you consume it.
Right, if you are dining out at a fancy sauce restaurant and you just inhale your food too fast and choke on it, you cannot sue the chef. It is not the restaurant's fault. Meaning, if you set your data access controls incorrectly, the cloud provider cannot save you.
Think about all those massive headline making data breaches we see involving open Amazon s three buckets.
Oh, there have been so many.
Hundreds of millions of voters data exposed, auto tracking records, sensitive credit report. People read those headlines and think, wow, Amazon got hacked.
So if they didn't, No, they didn't.
Amazon's physical servers, they're biometric scanners, their slab to slab barriers, those all held up perfectly. Those breaches were customers choking on their own pizza, basically by leaving their data access controls wide open to the public Internet.
So before we can even begin to protect our specific slice of responsibility, we have to identify who actually wants to attack it. We need to visualize our defenses. We are dealing with four main thread actors here.
Yeah, four main categories.
First, organized crime who just want financial game, then activists who are looking to disrupt your operations or discredit you for ideological reasons, insiders which are usually discardled employees after money or revenge. And finally state actors who are looking to steal national secrets, corporate intellectual property, or just cause major infrastructure disruptions.
And to defend against all four of those groups, you have to employ what we call defense in depth, meaning layers right layering your security controls so that if one single layer fails, you aren't completely exposed. You don't just put one flimsy lock on the front door. You have heavy dead bolt, you have a motion sensor alarm, and you have a fireproof safe hidden inside.
Makes sense to plan this.
Out effectively, you actually need to map your architecture. You can literally just draw simple stick figures for your standard user and your administrator, and then draw boxes for your components like a web server, an application server, and a database.
And then you draw these dotted lines around certain boxes to create what are called trust boundaries.
Precisely, a trust boundary means that anything inside that dotted line automatically trusts other things inside that same line, okay, but anything crossing that dotted line from the outside requires strict verification. If an attacker manages to breach a trust boundary, you have to assume they will eventually control every single thing inside it. By forcing an attacker to cross multiple verified boundaries, you slow them down significantly.
Let me play Devil's Advocate for a second year. If I'm listening to this and I run a small local business, maybe I have a niche scheduling app for local bakeries to manage their delivery drivers. Do I really need to spend time and money worrying about well funded nation state actors. It sounds like absolute overkill.
That is a very common objection, and the answer really comes down to the core concept of risk management. Security is not about being terrified of everything all the time, you know. It's about evaluating the mathematical likelihood of an event versus its potential impact. So a state actor specifically targeting your local bakery scheduling app very low likelihood, right.
So why Bob, if it's a practically zero percent chance, am I really supposed to defend against a ghost.
Because the impact is still catastrophic and the method of attack doesn't care who you are. State actors and organized crime rings. They don't always target specific companies manually. They use bots exactly, use automated scripts that scan the entire Internet twenty four to seven looking for open doors. They don't know you're a bakery app. They just see an unlocked database. And if that database holds thousands of users personal emails, phone numbers, and maybe reuse passwords, the impact
of that automated brooch could permanently bankrupt your business. When you identify a risk like that, you generally have four choices.
Right the four strategies avoid, mitigate, transfer, or accept exactly.
You can avoid the risk entirely by just turning the system off or not offering the feature, just don't do it right. You can mitigate the risk, maybe by choosing not to store sensitive personal data in the app in the first place. You can transfer the risk, which is what we do when we pay a cloud provider to
handle the physical data center security of Potato exactly. Or finally, you can accept it, meaning you document that you know the vulnerability exists, you get the business stakeholders to formally agree to the danger, and you just move forward.
Makes a lot of sense. You just have to know exactly what you're dealing with and what you're usually dealing with. Inside those trust boundaries is the actual prize, which is the data, the crown jewels. We have to categorize this data so we know what needs the heaviest protection. You can break it down simply into low, moderate, and high sensitivity.
Yep, the three tiers.
Low might be your server's public IP addresses, stuff that wouldn't ruin you if it leaked. Moderate could be routine internal financial info or basic personnel data. How is your trade secrets or customer financial data that is subject to strict compliance laws.
And once you know what level of data you have, you have to understand how attackers view it. They look at your data through the lens of the CIA triad, which stands for confidentiality, integrity, and availability.
Let's break that down. Confidentiality is the obvious one. They want to breach confidentiality to steal the data read the email, sale, the credit card numbers. But integrity is well, it's more subtle.
Integrity is a unauthorized modification. An attacker breaches integrity when they secretly change the data. Oh like altering records right.
Imagine an attacker getting into a bank's database. They don't need to steal the money directly if they can just add three zeros to their own account balance. Wow. Yeah, they've compromised the integrity of the data and the final piece, availability is exactly what it sounds like. Ransomware is the classic example here, locking you out Exactly the attacker encrypts your data so you can't use it, completely, destroying its availability until you pay up.
So to protect this data while it's just sitting there on a server, protecting it at rest. Encryption is the ultimate buzzword, but there is a massive flaw in how people deploy encryption.
There really is.
You can have the strongest encryption algorithm in the world, but if you leave the encryption key sitting on the exact same server as the locked data, what's the point. It's literally like installing a Titanium vault door and then leaving the key under the doormat.
Which is incredibly common unfortunately, and this is where key management services or kms come into play. Think about how a realtor shows a house. Imagine your highly sensitive data is a house.
Okay, tracking to get into the house, you need the house key. In cryptography, this is called the data encryption key or DET. It directly unlocks the data.
Got it.
But you don't want to just leave the house key lying around under the mat, so your realtor puts it inside a sturdy metal lock box attached to the front door.
Knob Oh, I see where this is going.
To open that metal lock box, you need a specific code. That code is the key encryption key or key EK. And the overarching realtor service that generates and hands out those lockbox codes to approved agents that is your key management service, the KMS.
Here's where it gets really interesting. Because of this lock box system, we get this concept called cryptographic erasure. Think about this. Practically destroying a massive multi terabyte database securely used to be a total nightmare rticck forever. You had to spend hour, sometimes days, having a computer overwrite the physical hard drives with random zeros and ones just to make sure the data was gone, but in the cloud. Because that multi terabyte database is locked by the house key,
and the house key is logging the realtor's box. If you want to permanently destroy the data, you don't even have to.
Touch the house, right You don't overwrite the terabytes of data. You just go to the cams and instantly destroy the tiny two hundred and fifty six bit lockbox CAD the key encryption key.
That is wild.
The second you press delete on that tiny string of text, that data encryption key inside the lock box is permanently trapped, and without that, those terabytes of data become an unreadable, mathematically unrecoverable bag of bits instantly forever.
That is just incredible. The efficiency of that is wild.
And what's really fascinating here is how the cloud has democratized this level of security. In the old days, to have that kind of robust key management, a company had to buy a physical piece of hardware called a hardware security module or HSM.
Those were not cheap, not at all.
These are incredibly expensive, tamper proof, military grade devices. If someone tries to pry one open, or change the temperature or even X ray it, the device senses the intrusion and physically wipes its own memory.
Wow.
Now, through multi tenant KMS systems provided by cloud platforms like AWS or Azure, even a small startup with a modi budget can leverage the power of an HSM under the hood. It has completely shifted the paradigm of data protection.
Okay, so we've secured the data, we've locked it in a cryptographic lock box, but what about the millions of virtual containers and servers actually holding it. This is where we run into the absolute chaos of cloud asset management.
Chaos is the right word for it, because.
In the old on premise it days, if a developer wanted a server, it was a capital expenditure. They put in a formal request, finance approved it. It bought a physical box, racked it in a cold room, and put a little barcode inventory sticker on it.
It took months, yep, lots of red tape.
Now it's an operational expense. A developer with a corporate credit card can spin up a server in three seconds.
Which leads to one of the biggest headaches for any security team. Shadow it unapproved, untracked digital infrastructure. And it's not just a billing problem where you're wasting money. It's a profound security nightmare.
Because you can't protect what you don't know exists exactly.
Every forgotten server is a ticking time bomb waiting to miss a critical security patch and be exploited. And you have to deeply understand what kind of assets your team is actually spinning up. Take a virtual.
Machine for instance, okay, VMS.
A VM is a digital computer that shares a physical host machine a hypervisor with other customers. Because you are sharing that physical hardware, you are potentially vulnerable to side channel attacks like the famous specter and meltdown vulnerabilities.
Let's pause on that. Because side channel attack on a hypervisor, I mean that sounds like a mouthful. How does that actually work? In reality?
It's essentially like living in an apartment building. You have your own locked room, your virtual machine, but you share the foundation, the plumbing, and the walls with other tenants.
Okay, and that shared foundation is the hypervisor.
Right. In a side channel attack, a malicious neighbor on that exact same physical server doesn't try to pick the lock on your door. Instead, they listen very very closely to how the computer's processor is vibrating or consuming power, essentially pressing a glass to the apartment wall.
Wait, really just from power consumption.
Yes. By monitoring those subtle physical changes, they can actually guess the passwords or cryptographic keys you are typing.
Wow, Okay, so that's the danger of virtual machines. But what about containers. A container doesn't even use a full operating system. It just shares a kernel. It spins up to do a job, runs for an hour, and then completely deletes itself. If a developer is spinning up thousands of these ephemeral containers a day, how on earth do you track a ghost?
That is the exact challenge. The answer is that you don't necessarily track the fleeting container itself. You inventory the container images, the blueprint, ah the blueprint, right. A native container is meant to be immutable. It doesn't get updated or patched while it's running. When a security patch is needed, the running container is destroyed and instantly replaced by a new container spun up from a freshly patched image blueprint.
So you control the source material exactly.
You control the blueprints. But to manage all of this effectively, you have to find where your asset management pipeline is leaking.
Okay, let's play this out in a real world corporate scenario to see how these plumbing leaks actually happen. Picture a rogue developer who is tired of waiting for it approval for a new project. We all know one right, they pull out their corporate credit card, bypass the official channels and just spin up a brand new AWS environment. The security team doesn't even know it exists. That's our first leak, right.
At the sort exactly. We call that a procurement leak. You have cloud expenditures happening outside of the security team's visibility. But let's say secure pready catches that. Then you run into processing leaks. This is where you see the eight of US bill. You know the cloud environment exists, but you forgot to actually enumerate and track the specific servers being spun up inside it. You're paying for a database, but it never made it onto your official inventory list, which.
Naturally leads to the next failure tooling leaks. So let's say the service finally on your official inventory list. The IT team knows about it, but nobody remembered to plug that server's IP address into your automated security scanners. It's on the list, but it's sitting in the dark, completely unchecked for vulnerabilities.
And then the final and arguably most frustrating failure findings leaks.
Let me guess they find the problem and ignore it.
Basically, the servers on the list the scanner knows about it. The scanner runs, finds a critical vulnerability, generates a bright red alert, and a human being ignores the alert or just gets lost in an overflowing inbox. To fix this entire chain of leaks, especially the processing ones, manual tracking is just possible. You have to use cloud native automation. You must enforce tagging.
Tagging like putting a label on every single moving box in your house data class coal in, high environment, colan production department, colon.
Finance exactly, and you automate it. If you have an automated policy that every single asset must have an environment tag and a data classification tag, you can run a simple script to find violations instantly.
Oh that makes it so much easier, right.
If a developer accidentally spins up a server with a high data class tag but a development environment tag, your automation can flag it or even automatically shut it down. You should never ever have highly sensitive real customer data sitting on a flimsy experimental development server.
So we've mapped our data boundaries, We've locked the data in a cryptographic lock box. We've fixed the plumbing of our shadow I by automatically tagging our assets. We've done a lot, we have, but absolutely none of that matters if an attacker just walks right through the front door using stolen valid credentials, which brings to the final and maybe most crucial piece of the puzzle, identity and access management.
I AM Identity truly is the ultimate perimeter in the cloud. Physical walls are gone. But before we build that perimeter, we have to clarify two terms that get hopelessly mixed up even by professionals, authentication and authorization.
The military base analogy clarifies this perfectly. Imagine you drive up to the heavily fortified gait of a military base. You roll down your window and hand the guard your driver's license. Yep. The guard looks at the photo, looks at your face, and decides, yes, you are exactly who you say you are. That is authentication. It is simply establishing your identity. Correct.
But just because the guard knows exactly who you are doesn't mean you actually get to drive into the base. Authentication is not enough, right. The guard then turns around, checks a clipboard and looks to see if your verified name is on the approved visitor list and specifically which buildings you are allowed to enter today. That is authorization. It is establishing your ax t us who you are versus what you are permitted.
To do, and managing that relies on the IAM life cycle. Request, approve, create, use, revalidate, and revoke and revoke is where organizations fail spectacularly.
Oh absolutely.
Let's look at a real world in nightmare scenario. Let's say you fire a highly privileged systems administrator on premise. This is easy. You deactivate their physical key card, you walk them out of the building. Maybe you forget to delete their server account right away, but it doesn't matter because they physically cannot get to a computer.
Right They're physically blocked.
But in the cloud they can access your entire infrastructure portal from their couch. If you forget to explicitly revoke their access, they are still a god in your system, and.
It is actually much deeper and more dangerous than just disabling a log in page. In the cloud, many services use what are called long lived access token.
Cooking's right.
Think about how Gmail works on your phone. When you log into your laptop and change your Google password, your phone's email app doesn't instantly stop working and force you to type the new password.
Ray, No, it just keeps working, it keeps sinking.
That's because the phone relies on a token, a digital cookie that says, hey, I was already authenticated. If your security system doesn't explicitly hunt down and revoke all active tokens when someone is off boarded, that fired administrator might still have active API keys or browser sessions that completely bypass the login screen, so they don't.
Even need a password to get back in. Exactly, that is legitimately terrifying. How do you even begin to manage that without losing your mind?
You manage it by minimizing the number of distinct identity systems you have to watch over. The absolute best practice is leveraging single sign on or SSO provided by a major cloud.
Provider, centralizing it.
Think about it. You've already paid the fee of trusting Microsoft or Amazon or Google with your underlying infrastructure. Why introduce a massive new vulnerability by trying to build your own custom, likely flawed password data. Use their robust, highly funded IAM tools to manage your identities in one centralized place, and.
For the love of everything, turn on multi factor authentication MFA.
Absolutely non negotiable. MFA relies on combining different categories of evidence something you know, like a password, something you have like a smartphone app generating a code or a physical hardware token, right, And something you are like a fingerprint or facial biometric. By requiring just two of these, which is barely a two second inconvenience for the user, you
instantly render Stolling passwords completely useless. Even if an attacker guesses your password, they don't have your physical phone so they can't get in.
Wow. Okay, let's take a breath and synthesize this journey. We started by ordering pizza as a service to visualize our shared responsibilities, learning that we can never ever outsource the responsibility of our data access controls.
Right, the chef isn't responsible if you choke.
Exactly. Yeah. We du stick figures to map out our trust boundaries against automated scripts and state actors.
We locked our high value data inside a cryptographic lock DOCS, utilizing the incredible power of key management services to perform instant cryptographic erasure without ever touching the hard drives.
We track down our plumbing leaks, realizing we have to manage the blueprints of automated containers and enforce strict tagging, so a road developer's shadow, it doesn't sneak up on us.
No more unlabeled boxes.
And finally we established that identity is the new perimeter, relying on centralized SSO and MFA to ensure the front door is heavily guarded.
It all comes down to recognizing a fundamental shift. The cloud removes the physical safety nets we used to rely on. Security is no longer about pouring thicker concrete walls. It's about rigorous logical controls.
Which leaves us with a final provocative thought for you to chew on. In a cloud first world, physical walls are completely, one hundred percent gone completely, Identity is the only true perimeter life left. Think about the profound implication of that. If an attacker guesses your password and logs into your cloud environment, they aren't actually breaking in in the traditional sense. No they're not. No alarms go off,
no doors are smashed. They were simply logging in. The system is doing exactly what it was mathematically designed to do, granting access to a verified identity. So take a hard look at your own digital shadow today. What forgotten cloud assets, outdated environment tags, or long lived access tokens? Do you have lingering in the background right now.
Because while you might feel perfectly safe sitting in the lobby of your luxury high rise.
It's time to ask yourself, did you remember to lock your own front door?
A vital question to ask in this ever shifting landscape.
Thanks for joining us on this deep dive into cloud security. Keep questioning your assumptions, keep locking those digital doors, and we will catch you next time.