Organizations are becoming multicloud by choice or by chance. Many of them integrate their multiple clouds with one another to improve Availability, support Disaster Recovery, and leverage the services from each provider that best fits their needs. These integrations are usually supported with long-lived credentials. These credentials are much more valuable to attackers than those that are short-lived. Even following best practices will leave your multicloud environments less secure than their single-cloud counterparts.
Join Eric Johnson and Brandon Evans, the authors of SEC510 (Public Cloud Security: AWS, Azure, and GCP) as they destroy these long-lived credentials in the Big 3 cloud providers using Workload Identity Federation. They will show how Cloud Security Engineers can securely authenticate from one cloud provider to another using short-lived, automatically rotating tokens that cannot be (ab)used in any other context. The session will conclude with a demonstration of a real multicloud web application that leverages these techniques to securely upload user data to Amazon S3, Azure Storage, and Google Cloud Storage.
Learning Objectives:
Learn why organizations are choosing to integrate their multiple cloud environments together.
Examine the risk posed by using long-lived credentials.
Evaluate the benefits and limitations of following best practices with long-lived credentials.
Observe integrations from AWS to GCP, from Azure to AWS and GCP, and from GCP to AWS and Azure.
Understand why AWS cannot access resources in Azure without transmitting powerful Azure credentials to AWS.
Access an open-source project to bootstrap your secure multicloud integrations.
Brandon is an independent security consultant and SANS Senior Instructor. He is lead author for SEC510: Cloud Security Controls and Mitigations; GPCS holder #1, multi-year RSA Conference presenter, and cloud Bug Bounty collector.
