The Myth of Cloud Agnosticism: Why Securing Multiple Clouds Using Terraform is Harder Than You Think

  • Wednesday, 10 May 2023 10:00AM EST (10 May 2023 14:00 UTC)
  • Speaker: Brandon Evans

The movement towards multi-cloud has been gaining momentum with no end in sight. Over 50% of the respondents to the SANS 2022 Multi-cloud Survey not only use all of the Big 3 Cloud Providers (AWS, Azure, and Google Cloud), but they also use all of the next three most popular CSPs (Alibaba Cloud, Oracle Cloud, and IBM Cloud).

Organizations look to so-called “cloud-agnostic” technologies to manage this complexity. One such technology, Terraform, allows you to define cloud infrastructure as code and deploy it for many different cloud providers. Given that Terraform supports all of the top 6 CSPs, an organization can produce a single set of Terraform code to securely configure them all…right?

In this webcast, Brandon Evans, SANS Certified Instructor and Lead Author of SEC510: Cloud Security Controls and Mitigations, will explain why this is not true despite the perception of many security professionals. Not only will he demonstrate that Terraform does not work this way, but he will prove why it is practically impossible for any tool to work this way. With this understanding, attendees will learn the real, more difficult techniques required to consistently apply security controls across CSPs using Terraform.

This webcast is related to Brandon’s RSA Conference 2023 presentation, “Cloud Agnostic or Devout? How Cloud Native Security Differs Between EKS, AKS, and GKE”. While watching the RSAC presentation is not a prerequisite for attending this webcast, viewers who are interested in one will likely be interested in the other.