Inside Cloud Security Essentials: with Shashank Dubey (@shashankssm) | BSides Weekly | S1E5

BSides Noida · 1:04:06 · 444 views · Published 2024-11
About this talk
Welcome to the 5th episode of The BSides Weekly Podcast! In this episode, we're exploring cloud security with Shashank Dubey, a dedicated cloud security researcher at CheckRed with a specialisation in AWS, Azure, and Kubernetes security. Through his experience in training thousands of candidates globally in the bits and bytes of cloud security and DevSecOps, he has set a mark and secured systems to make the digital world a safer place. Shashank has spent his career delivering impactful talks and hosting insightful workshops at renowned conferences and esteemed institutions. His engagements include notable organizations such as MeitY, ICWMR, DefCON, and OWASP. In addition, he has contributed to various Null Chapters and academic institutions, including Delhi University, LPU, PU, and GNSU, among others.

Stay connected with Shashank Dubey to keep learning more. Connect with Mr. Shashank Dubey on LinkedIn: https://www.linkedin.com/in/shashankssm

Don't forget to subscribe to BSides Noida and follow us for more such exciting talks and podcasts:
Instagram: https://www.instagram.com/bsidesnoida/
LinkedIn: https://linkedin.com/company/BSidesNoida
Our meme page: https://www.instagram.com/bsidesnoidaconnect/

#ShashankDubey #BsidesWeekly #DevSecOps #CyberSecurity #InformationSecurity #TechTalks #SecurityResearch #CloudComputing #Bsides #CyberAwareness #DigitalSafety #TechEducation #Podcast #CloudSecurityTraining #SecurityWorkshops #InfosecCommunity

Yeah, hello everyone, hope you guys are doing well. I'm your host Karthik VMA, and welcome back to another episode of the BSides Noida weekly podcast. Today's episode is indeed a very special one, because we will be diving into a complex and very rapidly evolving field of cyber security, which is cloud security. Today's guest is Mr. Shashank Dubey, a senior cloud security researcher whose expertise spans AWS, Kubernetes, Azure and GCP. Shashank has shared his knowledge at top conferences like OWASP, null chapters and DEF CON, and has a knack for turning complex security issues into actionable insights through his workshops, talks and blogs. Shashank is a trusted voice in cloud security and we're looking forward to tapping into his experience and learning about the latest trends and best practices in the field. So sir, first of all, thank you so much for joining, we really appreciate you taking out time for us, and I'll start by asking you: how are you doing sir, how's your day going?

All good, and thanks Karthik for this brief introduction, and I would like to show my thanks to the entire BSides Noida team. You guys are doing great, like within a span of very few months I believe, yeah, you guys are doing great. So yeah, and also I'm doing good.

Thank you so much sir, the pleasure is all ours, as I said. So sir, before we start the podcast, the majority of our viewers are freshers or beginners, or students I should say, that have little to no idea about security, or cloud security if I am more specific. So I would love to ask you, because you're an expert in this field, if you could describe what is cloud security to a layman, and why has it become increasingly important in today's landscape of security, sir?

Okay, so before starting this, let's not directly jump to cloud security. We need to first understand what exactly is cloud, right? So cloud is nothing, just using someone else's computer, right, in simple layman terms. So just assume that there's a computer or server which is placed somewhere on a geographical location; you are accessing it over the internet, right? Okay, now for accessing it you require certain things. The very first thing is which particular protocol; a protocol is basically a set of rules, how you are using it. So it could be from a web application interface, from a mobile application, or maybe from, you can say, computer software. So you should be having a client interaction where you are just accessing that particular computer. Now if you are accessing all these things at a larger scale, you yourself as an individual cannot set up everything and cannot ensure the connectivity always, right? So for that there are big players like cloud service providers, right, like Amazon, Azure, Google, Alibaba, IBM, a lot of big names are here. So they provide the entire infrastructure; they have their geographical locations, we generally call them data centers, right, and they provide their interfaces, that is the cloud service provider interface, that is the AWS console or Azure console, or dashboard, sometimes people call it. So using that you connect to the cloud, right, basically the someone else's computer or server, where you do a lot of steps, whatever technology you have heard of: it could be from networking, it could be from databases, servers, any particular technology like AI, machine learning, IoT, everything you can do inside that cloud, because ultimately it is an infrastructure. All right, now the way you are accessing it, right, and how these machines are communicating to each other, how the things are communicating, how the things are placed, so as a cloud security person you should be aware of all these things. Then how you are accessing it, how are the things, that plays an important role. So it could be something like, let's suppose you have to access it via your mobile phone, now you are accessing it with your browser also, that is some abnormal thing, we should not be there. So similar kinds of stuff are there, where you identify the different ways of accessing those services, the way they are accessing each other; you are trying to disrupt it, you are trying to change it, so there comes the role of a cloud security guy. So they play around all these things, how you are accessing cloud, right? So this is all about cloud security.

All right, so you know, it is actually very interesting, because I went through your profile, sir, and I realized that you initially started... I would like to tell our viewers first of all that sir, just like me, is an engineer, and he initially started his field, his career, as a software engineer, right? So from software engineer, how did you think, or how did you, you know, come into cloud security?

I'm actually very curious.

Okay, so it's an interesting story, yeah. So my role was a software engineer, but ultimately I'm working in cloud, so from day one I'm into cloud. But there's a long story before it. I mean, to whomsoever I have met in the past, or maybe these days, those who are working in cloud security, somehow they are accidentally into cloud security. Why? Because initially there was no field called cloud security; there were fields like DevOps, cloud engineers, right, cloud ops, some fascinating names, and then people used to do some stuff over there like enabling encryption, just toggle it on, like drag and drop things. People generally enable multi-factor authentication, they use something called best practices in cloud, and in those days people named it cloud security. Okay, yeah, and the days go on, people started evolving, technology started evolving, and then organizations required that there is a need of someone who is proficient in cloud security. Why? Because configuration is not all about cloud security. Yes, that's a part, because ultimately whatever security risks occur, they all come out just because of cloud security misconfigurations, right? So then people realized that there is a need of it, and then they started hunting for these particular job roles; they have curated it. But when it comes to me, so during my college days I was very much curious. From the first year of my college I did programming, a lot of programming, written 800,000 lines of code in C and C++, okay, for creating a simple application that is called a bakery billing system, and something called an income tax calculator, I still remember those projects. So those were interesting to me. Later on I moved to IoT also; I did a lot of stuff, like all of us do in our college days, we create, you know, remote control robots, line following robots and all. So those are very important, and then in the third year I got introduced to operating systems, and I started building my interest over there. I started learning Linux. I'm very fond of, like, how things work, so let's suppose if you are writing a command like cd or ls, what's happening in the background? I tried and started hunting it. I mastered those, not to a proficient level, but yes, to an acceptable level. I did all those, and then I was introduced to cyber security. I did a lot of cyber security; initially I used to do web security and network security, I did all of them, and those are very important. And then I landed my first job, that is as a software engineer. Okay, now the story begins. On day one of my first job I was introduced to JavaScript, okay, and I'm completely blown up, like, what is this? I'm here for security stuff, now people ask me to learn about callback functions, yeah, you know, there is something called fetch or all other functions. So I was worried about my career from day one, that where I am currently, I don't know anything much about programming; I would say those 800,000 lines of code were just like if-else and other switch case statements. So that is why I was not confident about programming, and I was hired for a React role, I would say. Okay, and then I told my manager that, okay, I'm not here for this stuff, and I am pretty much sure that I cannot perform well in this.

Okay, so they agreed, they understood, and they switched my profile to security, but they told me that since you are an intern, we only provide the internship in the software engineer domain. So I said, like, I'm okay with it, I don't care about the profile as of now, I just want to learn and explore the security stuff. And then I was introduced to cloud: okay, if you are here for security, we work in the cloud environment, so you have to learn cloud. So then I learned cloud, after that I started building things over there. So why my profile was software engineer in cloud: because I closely worked with SRE. Those who don't know about SRE, it is like SRE engineers are basically site reliability engineers, so in cloud they are responsible for keeping the infrastructure up, trying to evolve it, maintaining the cost effectiveness, right? So then I started closely working with them, so I explored a lot of cloud services, mostly in AWS, and later on the security stuff around it, and that is how I landed up in security. Later on I started doing my own research, started learning the blocks and all that; we will be discussing that in the latter part of the podcast, yeah.

So that is the reason I wanted to ask you this question, because, you know, usually we freshers, right, who just graduated from college, most of the people who graduate, they are like, okay, if I want to get into the security field I'm going to become a pen tester, or they usually decide, okay, I'm going to get into network, people are like I'm going to get into application security or IoT security, a few ones SCADA, right? Now out of nowhere it's been like, you know, cloud security, and every other company is like, you know, we need cloud security engineers, we need cloud security researchers, and that is the reason I actually wanted to ask initially, like, just after graduating, yeah, it was like a happy accident, you entered, and that's exactly what you told me, and I'm actually happy sir, you know, I asked this question. The next question: so you said something about how cloud security has evolved over the years, and that is the perfect segue to my next question. So earlier what used to happen was that, like in a company, security obviously was never given so much importance. Like if you think about it, in earlier days, right, at least, there was only one cyber security individual and he was responsible for setting up firewalls, IDS, IPS, servers and making sure, okay, our network is secure; he was also responsible for testing out web applications; they were also responsible to some extent to take care of the cloud, right, of our cloud resources. So sir, according to you, nowadays companies feel like, okay, for network we need a particular skilled individual, for cloud we need another set of skills. So do you feel that that is like the correct way the organizations are carrying out their operations, and if yes, why do you think so?

Okay, so yes, there is a requirement of a specialist in each and every case. Why? Because if you are running a small organization that is okay, you can maintain, like if you have only a few nodes. So let's suppose if you are working in an office where there is a seating place of, let's suppose, 10 people and you have a single product, then you need one or two security professionals; they can manage everything starting from your network, application and all other basic stuff. But when you broaden your infrastructure, when you broaden your work, your product and everything, at every particular single point of time you will face this issue that you need an expert to tackle the problems, the real-time challenges that you are going to face. So the answer to your question: it is very much required to have a specialist for each and every security-specific job role. It could be network, it could be cloud. Even I have seen people in organizations, they have a separate professional for AWS, separate for Azure and GCP, separate for Kubernetes itself, so those who are working very closely in security, when one guy cannot do. So let's suppose if you're talking about my particular profile, I'm currently dedicating myself to cloud security, so honestly if I say so, my strongest cloud part is AWS and more of Kubernetes. If you ask me about the deeper concepts of GCP I would fail, but my organization requires that there must be the security checklist or maybe the other stuff, which is my core, you know, working of my products of my current organization. So they require someone who is very much an expert in GCP, right; then only can they dig deeper into it and then they can bring up a lot of things. I can also do that, but I need to do better research on it, more effort on it, but if there is someone who knows all those things, that will help the organization to grow very significantly. So yes, again, answer to your question: it is very much required to have the specialists and experts for each and every particular domain.

Okay, so, like as you said, when you started your career in cloud security, specifically in your first organization, I'm assuming you had, compared to today of course, little to no knowledge of cloud, I'm assuming, right? You did not have practical experience, right? So what were some of the challenges or mistakes that you encountered during your learning process, and how did you, you know, overcome them, and what advice would you have for the, you know, younger people out there?

So again I would say, when I jumped into my first job I was completely blank about cloud. I only knew how to spin up EC2 instances and Azure VMs, because those days I was curious about how CTFs are going on, and I wanted to host, in fact I have hosted one or two CTFs in college days, so how to make this server available for everyone. So that is why I have explored DigitalOcean, explored AWS EC2, Lightsail and Azure VMs

Okay, just a minute.

We just have, we might have a technical glitch right now, but that's okay, we'll just be back.


All right, hopefully we guys are back. So sorry for the technical glitch, I'm sure it was important, but no worries sir, for the audience I'll ask you the question again. So my question was that when you started your journey, obviously, just like any other beginner, you must have faced a lot of challenges or have done many mistakes, right? So can you please share some of the challenges or mistakes you encountered during your learning process, so other students can avoid making the same errors on their own journey?

Okay, so the common mistake that everyone does is, once you start learning cloud, you start exploring services; you end up exploring, let's suppose, 5 to 10 services. Now you become very confident that, okay, now I'm the master of cloud, and that is the biggest mistake you do, because there are more than 200 services on AWS, I believe, if I'm not wrong, and you can't master them all, right? So what happened with me: I tried exploring, because I was closely working with the SRE team those days, so I explored a lot of services in AWS, right, so more than 20, 25, 30 services I explored. Now I think that I have explored all those services, now I'm very much confident. Then what happened, when I come to, let's suppose, LinkedIn or somewhere, or maybe a blog post or somewhere, and when I see people posting about their real-life challenges, real-time challenges regarding any issues, so there I became like someone who is not having even a basic knowledge about how this thing will work. So let's take an example. So those days there was a podcast I was listening to; so not a podcast, it is like someone is telling some story on YouTube, so that was from one of the biggest streaming platforms, and they were discussing how they are able to accommodate those many viewers, like viewers in crores, right, 1 million, 10 million, 20 million viewers, so when there is an IPL match going on, and if there is a final match going on, and that is a real-time situation where, let's suppose, if one wicket went, so a lot of people start gradually coming down; the viewers start losing their hope that, okay, now India will lose this match, they will shut down all their other streaming platforms and they switch to YouTube or social media platforms, that is the usual human behavior, right, or user behavior. Now how is that particular platform suddenly, you know, coming from this particular point to this one, like let's suppose from 20 million to 2 million, and at the same time they need to worry about their cost, because on cloud you pay for what you use. So let's suppose if you'll keep your infrastructure up, let's suppose I am hosting something on 500 GBs of RAM, let's suppose, right, but usually I don't need that for streaming for 2 million people, maybe I need it for 200 million people, but still I'm paying for it. Now they were talking about how they gradually shift from downscaling and then later on they are doing the upscaling of the environment; so technically, in cloud, that is called autoscaling. So how they are managing it on that particular level of users or traffic, so then I learned, and then I identified that, okay, I have zero knowledge about it, right? So that is the one mistake which I did; you can call it overconfidence or something, but yes, that happened actually, and that is a very common disease, I would say, disease in cyber security professionals, that is very common.

So like, as you said, you believe even today students, when they think about, okay, I want to be a cloud security professional, cloud security researcher, they usually go on the net. Let's assume if I'm that student and I decide, okay, I want to pursue, I want to learn about AWS, right? So what usually students do, they'll streamline, okay, what are the most commonly used services on AWS, they'll try to master, okay, let's say 10 of those, and then after mastering those they'll feel, okay, now I know everything about the field, and when they actually enter into the field and try to tackle real-world problems, that is where they actually realize, oh, I don't know actually anything, right? So according to you, what is the solution for this? How does one, you know, become better and actually become capable of tackling these real-world problems?

Okay, since I named it a disease, it is a curable disease and there is a medicine for it. So the antibiotic for this one is learn, learn and learn. Okay, so start hunting for new things, start looking out how the big guys are doing it, okay, if I say big guys, like big organizations are doing it. So let's suppose if you're working on a streaming platform, see how Netflix is doing it, how Hotstar is doing it, right? If you're working on any different product, right, so let's suppose the payment gateway industry, now think of how they are, like big players like PhonePe or Paytm, usually those days Razorpay, how they are doing it. In fact most of them publish their papers, in fact most of them have released their entire infrastructure publicly, that this is how our infrastructure looks like, and most of them, like usually on a weekly or monthly basis, they release some notes or blogs that you can read and understand, like how this entire infrastructure is working. So just take that medicine in an appropriate amount. I would not say that learn blogs and blogs and blogs, but yes, to an appropriate amount you should take it, and that is the only way you can overcome that overconfidence issue.

Got it sir. Also, so like before our every podcast, right, we roll out Google forms in which we ask our viewers, if you have... obviously we tell our viewers one week before that, okay, the next guest is going to be this person, okay. We did the same this week as well, and we asked our viewers, okay, are there any questions that you want to ask. Now before we even roll out that form, right, there are a few questions that we know are going to come up, so I'm going to ask one of them right now, and I think you might have guessed it, it is regarding the certifications, right? It has to be, the question has to be like, if we are talking about cyber security, it's as if you don't talk about certification, so I have to ask you this question, and I'm actually very curious as well, because we know that there are a few certifications out there. If you want to get into application security, okay, there are these certifications; if you want to get into network there is this OSCP, that, you know, that is the holy grail, that is the HR filter, as people say, right? So in cloud security, according to you, is there any particular certification that you would recommend a beginner to try and get, so at least, you know, if he or she is not able to gain experience from, you know, working in a company, at least he or she can do that particular certification so they can learn enough so that, you know, at least they can just get started in the field? Do you have any recommendations for that?

Okay, so I would like to explain a few examples that will be easy for the viewers to understand.

Sure.

So if I'll talk about myself: getting my first job I had zero certifications, getting my second job I had zero certifications, in fact I would have had zero certifications getting my third job, but there was a requirement from the client side that, okay, we require a guy who has the certification. So then my organization at that time, they asked me to complete one certification, and I did it within a span of six days. I just went through a few questions and all, what are going to be asked in the certification, and I cracked that; that is the AWS Solutions Architect Associate certification, okay. So that is again because that is a client's requirement, right? So this is the answer to your question: that if you're very much confident and you just want a job, certification is not required, but it is required in such cases where the filter criteria is the certification. Now let's understand it in simple terms. Now Shashank and Karthik both work for an organization A. Now Karthik knows the work of Shashank, Shashank knows the work of Karthik, how well they are, or maybe you are and maybe I am, in my particular domain, yeah. Now Karthik went to a company B. Shashank wanted to switch to company B also. Now Shashank talked to Karthik: hey Karthik, I want to come to your company for this particular job opening which I have just seen on your website, now I want to apply for it. Now Karthik knows that Shashank is very good at it. That job description still says that, okay, I need OSCP certification for this, for the time being let's assume that, but Shashank does not have that certification, but Karthik knows that Shashank is very good at it, for web application, network security. If Karthik is confident, he will forward his profile; here there is no requirement of certification. But let's suppose Shashank doesn't know about any organization, company C, and he is fighting for getting his resume shortlisted; he has to fight with other candidates where the filter criteria is OSCP certification. Now other candidates are fulfilling it, right? So what will you do? You need the certificate.

yeah another simple example is let's suppose you are going to a class let's suppose standard eight of your school there what you are looking for you're looking for the best guy how will you identify the best guy the simplest criteria is you will look for the previous year report card yeah and you'll bring the topper from there right that is the simplest criteria this is certification is just a criteria to filter out those candidates efficiently because the job Market is very huge so that is why that is one of the filter criteria but I strongly I would say I'm not making any controversies I don't believe in certifications until and unless if I'm confident about my

work okay yeah for for people and for students out there who are trying to you know get as you said you give an example of a case C in which you know you were trying to get into a company scene which you were competing against thousands of applications for example right and if you actually want to stand out and are trying to get into Cloud security is there one or two certifications in according to you that you would recommend a person to get just to you know get started in their career uh if possible if you can afford it go for it don't fight it with your parents that I need money for doing this

certification yeah so that is the bad thing about the certification people think that that is a gateway to the job but actually that is not true all right if you know if you have a good communication skills if you have good connections if you know how to make connections and if you have a skill then there is no need of certification but still if you want to do if you can afford it for cloud I would recommend go for solution architect it is very good certification all right if you want to do it okay not just particularly certification because those are McQ questions okay and McQ questions is I believe not a good criteria to you know

examine someone's skill mhm right it's just a mistake of one word and you will end up marking the wrong option yeah right so just learn the concepts which are basically asked in the solution architect exam so that is mostly focused on highly scalable highly reliable highly available environments so that will open the Gateway for cloud not particularly for security but for cloud security is one step ahead of that that is AWS uh I believe security speciality program AWS recommend that you should do the uh solution architect canop administrator then you jump to this one okay but I know people they have completed this certification and they don't have any uh I'm just not making it

controversial I'm being frank and honest they don't know anything about this Cloud security but still they have the certification okay I don't know how they manage to do it but yes there are cartel who are working around it all right sir and you I and everyone who is in cyber security domain they know about the telegram groups they know about the online uh things that give me $50 get the voucher get your work done open it in VM and all so yes that is why certification are always controvers you okay so according to you and even I'm confused a lot of the times so there are various uh as you said cloud service providers right there is AWS there is

azure and there is Google as well I'm going to ask you a controversial question now first okay first I won't ask you this sir I'll I'll okay I'll ask you it's okay so according to you sir which do you have one favorite and if so why so AWS is my favorite it is way simpler than others okay Microsoft products are literally made for the technically smart people okay so if you use Excel I'm giving you example of Excel Microsoft Excel and if you want to make certain changes to uh rows and columns you will feel difficulties yeah like shortcuts are way too complex when you go to the same thing in the Google Sheets it's just one minute task just

drag and drops and your things will get done so Microsoft products are little bit complex and they need to make it complex because they target the Enterprise and Enterprise like big organization are not simpler their architecture is completely different then your home architecture or small organization architecture and AWS is targeting everyone whether you are a big organization whether you are a small organization okay so that is why I recommend AWS now let's come to other parts like Y is your y GCT yeah now if you are working on a Android mobile application let's suppose my organization is working on Android mobile application they need to store some of their databases no SQL databases or other databases they have option

flexible option to connect with Firebase right why the hell he is going with the AWS provided Storage Solutions he will not because their need is being fulfilled uh from the avability point of view EAS point of view uh from the cost cost Effectiveness point of view their work is done with the Firebase that is why they are using it and later on they realize that they need to spin up a server and they have a server already they have a database already on gcp that is Google Cloud there service Firebase so they will simply spin up the instance in gcp and gradually they will start using gcp this is one way another way is my organization is using ad I have 2,000

users yeah and as your is providing me a flexibility to just migrate your entire on Prime ad to as ready a great synchronization because both are the Microsoft products they know their apis they have buil it by keeping this particular thing in Center that my users mostly on active directory and I have to provide all the services by keeping active directory in the center so what I'll do my organization will choose as your I'll simply migrate all my users online now I now an aor guy now aor ready has a very good simple integr with other as your products that we call it as Services M right like teams right I want to do any stuff and I want to get

an alert on teams why would I go to AWS or gcp because I'm get I'm getting a convenient solution over there and that is even a cheaper solution yeah right so if I need to deliver something from my house and to the next available door I mean to next available house in my Colony that will be a cheaper solution rather than uh parcel it to a different house which is in a different city MH so I'll always choose the convenient option right yeah now I'm a simple guy let's make it controversial I'm a simple guy I don't own a business I don't have a Android application I don't work in ad environment where should I go the

simplest way for an student to land into cloud is AWS from my point of view okay yeah I'm not promoting AWS a is not going to give me any credits for it yeah but yes AWC is simple straightforward drag and drop click and learn I think documentation are good yeah yeah their documentation are good it is widely available for each and every problem you'll get a direct answer which is not possible with other cloud service providers I believe that is just because they are not enough mature I think so that is also another reason that you during college curriculum you know when teachers or when curriculum decides to teach students about Cloud security or cloud

in general, they usually start with AWS because, you know, compared to the other two platforms it is comparatively, for a layman, easier to, you know, just get started, and I feel the same way. The reason I asked your opinion on this was the second part of my question, which you answered, if I'm honest, but I just have to ask you again: consider me like a complete beginner, right? So we understand that organizations might decide or pick a solution provider depending upon their need, but if a beginner is trying to get a job, out of these three you said you would recommend AWS, or if there is a

company in mind, for example, let's assume, just an example, if there's a company A and if that particular person wants to get a job in A and they are using Azure, so in that particular case, even if the person knows AWS, he would need to learn Azure to get a job over there, am I right? Correct. All right, you have no options. Okay, answer, sir: if a person knows AWS, how easy or difficult is it, comparatively, to, you know, migrate to the other solution providers? Okay, on a scale of 10 it is not too difficult. So let's suppose difficulty, the highest difficulty is 10 and the lowest difficulty, that is the easiest way, is one, on the scale of 1 to 10,

and if you know AWS, I would rate six. Okay, six, or maybe five. Okay, it is that much difficult to understand, because the architecture is slightly different. AWS is straightforward and Azure is all about subscription based, right? So for each and every way you have to create a subscription, inside that a resource group, and then your resources, where this is not the case with AWS, it's straightforward. All right, makes sense, sir. So another thing that I wanted to ask you is the short supply of cloud security researchers these days. I touched on it earlier and you also said a few points on this, but I would like to, you know, talk about it as a whole, have

a proper conversation about it. Like, cloud security professionals seem to be in short supply these days, I mean, like there are comparatively fewer people in cloud security as compared to pen testing or SOC, right? What do you think the reason is, and do you feel that, you know, the transition is happening and the change is occurring? What do you think about it, sir? Okay, so again let's understand with the help of an example, because I believe examples are the best way to explain anything. Yes, sir. So I am in college, consider myself, I'm in college, I need a job in, let's suppose, web security. What do I need to learn? First, basics of web

development, second, web security, and I can get a job in web application security. Now I need a job in Android or maybe app security, Android or iOS. I need to learn Android app development, I need to understand the security, I can get into it. When I wanted to be a network engineer, what did I need to do? I needed to learn the networks first, I needed to understand the misconfigurations in it, and I could land my job in network security, right? Similarly with other security aspects. So it is just like a single hop or maybe two hops, right, and you can reach that destination. Now reaching cloud security is a bit difficult. What do you need to learn? Web security, because cloud is

mostly provided over the web, yeah. Then what do you need to understand? App security, for sure. Why? Because web application vulnerabilities will be there. Yeah, I think we talked about app and web, basically both are the same thing. Yeah. And then network security, because in a cloud network, if you are able to compromise one asset you'll be able to compromise other assets, because they are connected, well connected over the network. So that is why you need to understand the network also. Along with that, you need to understand cloud entirely, how it works, and then you need to learn cloud security misconfigurations, and then you will land in cloud security. So that is why there is a short supply. Why? Because most of

the candidates will get filtered out on the first hop. They get the job, they get satisfied, they go into their comfort zone, now they start enjoying their web stuff, they start exploring their stuff, and they will grow in that particular place. Those who are left out, they will come to the cloud thing, they start learning cloud. Most of them will go to the DevOps side, the DevSecOps side. Few of them, cloud security is a bit different, it is more of research, offensive and defensive techniques. DevSecOps is a bit of a different thing, all right, they closely work with the DevOps guys. So then the rest of us will come to cloud security. It is something like, long days back, I

don't remember what is the name of that movie, but there is a police, that actor is a police, they say like, yeah, yeah, okay, I got it. Yes, so half of them will go to the web, half of them will go to cloud, they will come to cloud security. Yeah, that is why you will feel a shortage of them. Sir, I love your examples, by the way. Perfect answer, perfect. Yes, sir. So another thing, for the aspiring cloud security researchers, you are the perfect example: what does your typical day look like? So like, you wake up, what is your typical day? People want to, okay, you want to learn from when

I wake up? Yeah. So I usually wake up late, okay, because I work late at night. So when I wake up, I cook my own food, I prepare my own lunch, go to office, yeah, and start my day with a coffee. Let's come to the technical part. Yeah. So I look at my mails, I look at my tickets, whichever have been assigned to me, I work on that, and most of the day goes into research. Okay, how does that research look? So whatever the evolving attacks are, how those attacks are getting framed, I need to simulate those attacks, I need to create my own labs, I need to try that. Okay, whatever the things that are mentioned in XYZ blog, is

it true or not, how to examine it? So let's create a lab for it, right? Let's suppose someone is saying that, okay, if you have an SSRF vulnerability you can compromise a cloud if it has XYZ things matching, so I need to simulate this. This is a basic example that every cloud security guy will talk to you about, there are a lot more things apart from this. So usually my day starts with it, and then I come back from office, start doing other stuff, and I'll dedicate much of my time to the community. I keep on looking for what all conferences are happening, I keep on applying with papers and all, I deliver talks, workshops and all,

few of them get selected, few of them not. So I'm trying to get better day by day in terms of cloud security, and also I work on tools, a lot of tools, which most probably I'll be releasing in the coming days and make open source, and you guys are going to love it. Oh, I'm sure we'll love it for sure, sir. It is crazy, like with every answer, right, I have a perfect segue to my next question. You said, sir, that you work late at night, right? That was my second question: like, working as a cloud security researcher, do you typically have long hours or work in shifts like people usually work in SOC, or is the role

generally, you know, very flexible and comfortable, or do you have to be available, like, you know, not 24/7, but you have to be available the majority of your time? So I would say, if you have created a lot of stuff around you, mhm, like I'm a quite occupied person, okay, along with the job I do a lot of other stuff, so that is why for me, I'm a bit occupied, okay. But when you compare with SOC guys, they are insane guys, SOC is like 24 into 7, 365, okay, so they work in shifts, which eventually, with us, we are good on that part, we just need to work on our shift, we work only for like eight or nine

hours and then we get our work done, and we come to the next day and we'll carry on whatever we have left from the last day. But SOC is a hectic job. I know, sir, you need to be aware. And why we people are very much not worried about our stuff: because SOC guys are doing it. If some intrusion is happening, SOC guys are there to help us, that, okay, your cloud has been compromised, or maybe it will be compromised, we have stopped it. Those guys are there to help us, that is why we guys are like sleeping. Got it. So, from your experience, I'm sure you must have encountered maybe a security incident that, you know, was

really, you know, very interesting, which you might not have experienced before. So what approach did you take to, you know, address and probably solve it? Did you have any experiences like that? There are two. One is a false positive. So what happened, when I was working in my first organization, so I had been deployed, it had been more than two or three months I had been deployed to take care of a few of the security things, and we had one vendor which manages our physical systems. So they have one agent in our system and they keep on running it. So for some reason there was an update from Ubuntu, those days we were using Ubuntu, there was an update

from Ubuntu and their agent stopped working. Now those vendors, they have some representative, they started calling all of our employees and asked them to redeploy or redownload the agent, the new version of the agent, and then run it. So, and those days we were making use of Amazon WorkSpaces, okay, because those were COVID times and we needed to work virtually, so our working computers were in AWS WorkSpaces. So that is a desktop-as-a-service kind of thing, where you have your machine and inside that all of your tools, and you require a physical machine to connect to that. Once they installed their agent, Amazon WorkSpaces stopped working. So

people started reporting to me, because I am the first point of contact for them. I started getting them, and then I asked, like, what did you do? So two or three of them had the same issue, that they had installed one agent. Someone called them and then told them that they are from that IT company and there is something not working, that's why you have to download this application, and they had installed it. Then I got panicked, like, what happened? Looks like there is a big attack going to happen against my organization, yeah. I started throwing messages on Teams that, okay, please do not install anything, it could be a cyber attack, a sophisticated cyber attack,

please do not install anything. That is one instance, that is a false positive, okay, somehow. And then I realized that, okay, I should have been informed about this. My manager was informed, but he was on leave, so that is why he couldn't pass that message to me. And another incident happened, not with my organization or anyone of my organization with whom we work, but with one of my colleagues who started their own venture, something like e-agro products they are selling. So what happened with them: they had one S3 bucket, that is a storage solution provided by AWS, and they had kept their JavaScript, CSS files, images along with product invoices and

everything, and they kept that bucket open, okay. Now some threat actor came to that bucket, deleted everything, deleted the bucket also, because every API call was open on that, it's an asterisk wildcard entry, you can do anything. So he ended up losing his bucket, and then he called me and told me that, okay, XYZ things happened. Now in cloud, specifically about AWS, when you encounter anything, any incident, you first look into CloudTrail, because that is something which logs all the API calls you have performed inside your AWS environment, whether it is from the CLI or GUI, if you clicked any services it will be logged into CloudTrail, okay. So I investigated the entire

CloudTrail, and then I identified that there were no API calls which had deleted that bucket. Then I started looking for, looks like this bucket has been deleted from the web request, mhm, I mean objects were deleted, not the entire bucket, I believe. So I started looking for the S3 bucket where the server logs are placed, mhm, so I started exploring it, and then I identified a few suspicious API calls where someone was trying to make a delete request to that bucket object, and they had deleted everything. Then I suggested to them to get this data back from the versioning. So luckily they had implemented S3 bucket versioning, so they were able to

recover it, and then I set a strong bucket policy for them, and this is how I responded to that incident. Sounds like it was crazy. And it took me almost five to six hours to identify the root cause, because I was looking at CloudTrail, I believed that some access keys or some access had been compromised and they had deleted this, but I got no logs, so that is why I needed to dig into other steps. So that's a very interesting story, and, you know, I actually, by the way, so we're moving on to the last section of the podcast. I have two more questions for you. Okay. So one question

is exactly about the thing that happened, right? For example, the experience that you had, you were able to share this experience with me, with all the viewers, through this podcast, right? Given your experience delivering impactful talks at various conferences, do you believe that attending conferences and listening to these talks can be beneficial for one's career, especially for students? Okay, so those students who can afford it, they should go. Those who can't afford it, wait for the right time, when the other talks and everything go public, go to their websites and read about it, all right? Because usually what happens, if I as a speaker go to any conference, I'll present all those things over there and

then I'll make things public, mhm. So even though you are not able to attend that conference, you'll be able to get the slides and content over there. Like in recent days I delivered one of my workshops at DefCon, those who were not able to join that, yeah, you can still see the content, yeah. And if you want to make connections, go to the conferences, they are good for making connections. I would recommend it if you can afford it, all right, if you get the vouchers. Okay, so if the majority, sorry, sorry, so please continue. Yeah, and don't get very crazy about the conferences, wait for the right time. One day if

you'll join any organization, the organization itself will sponsor you, not only for going to the conferences, but even sponsor your entire trip along with the workshop cost also, okay. So wait for the right time. So there are a lot of conferences these days, especially in Delhi NCR, and I'm pretty sure all over India now, that are comparatively, oh, not comparatively, but that are free for students, you just have to register. So for those as well, do you believe that, you know, in that particular case, if the student doesn't have to pay anything, he or she just has to register, and if they can commute, they can travel,

and if they have the time, should they go for it, because of the connections and learning new stuff as you said? We Indians are fond of free things, you should definitely go for it, all right. So all right, sir. You'll not lose anything, but definitely you will learn more of the things, all right. Perfect. So, and I've been following your journey for a long while now, so are you planning to teach students in cyber security professionally in the future? This is a question that, you know, I'm just asking out of curiosity. I'm accidentally into corporate, I love teaching, I wanted to be a professor, okay, but somehow I couldn't make it. So the answer to your question, and I

love it, yeah, that is my passion, I'm always open for it. Just, I'm one message away from you, just drop a message on LinkedIn and I'll teach you if I have time. Yeah, of course, sir. All right, so let's conclude this podcast with one final question. I love to ask the guests this question. The last question is that if you could leave your followers with one key takeaway, or mantra I should say, about cloud security, what would it be? Or, you know, so let's not even talk about cloud security, let's talk about cyber security in general. If there's one tip that you followed that really helped you and you would like to tell your followers, what would

that be? So, be confident in what you do, don't be overconfident, all right? We security guys generally fall into the trap of overconfidence. We hack our own mobile phone by installing an application and then we think that we are a hacker. It is not true, that application is doing it. How that application has been created, what all the stuff being used is, you should be aware of that. So that is why, be confident about what you are doing, but don't fall into overconfidence, all right? That is a thumb rule or a success mantra or whatever you call it, but that is something that I believe every student must follow. Perfect. So thank you so much

for joining and sharing your wonderful insights about cloud security, cyber security, and your incidents as well. I'm sure everyone has learned a lot about cloud security today, and some may have even found all the solutions they were looking for right here in this podcast. So, do you want to tell our viewers about something, maybe a cool project or a talk that, you know, you're going to be part of? Yes, all right, let me think of what I can suggest. Okay, so when you start learning cloud, so cloud is more of a drag and drop, click and create kind of thing, you should always look for the solution which can automate this stuff, right? So

if I give my example, so when I was in my first job, I got assigned to a project where I needed to identify all the orphan resources. When I say orphan resources, it is like those resources which are not associated with other resources but they are left behind and their parent resources have been deleted. How will you identify it, right? So I have the option that I can log in to the portal, look for every particular resource and then identify that, okay, is there any association created for it or not. That is the one easiest solution for it, yeah, but that will take a long time. So what you can do, you can try to automate

it with a simple Python script. You don't require to be a pro programmer. Right now we have ChatGPT, those days we didn't have it. I used to go into the documentation, learn about the AWS CLI commands, and then automate it with a bash script. Right now you have the flexibility to use ChatGPT and all, and don't think that you don't know programming and you are making it with ChatGPT so it is not valuable. It is still valuable. Those who have created it using ChatGPT or maybe other GPT platforms, it is not bad, it is good, because you are getting your work done, what else do you need? Yeah, right? So if I need a, let's suppose, a cup of water

or maybe a glass of water, I can purchase it for, let's suppose, 100 rupees, maybe 20 rupees, 10 rupees, or I can dig a well and then carry out water from that particular well, right? Yeah. Ultimately my goal is to get the water, right? So if my work is done using ChatGPT or maybe Stack Overflow or any other sources, I need to do that, it is solving a problem, mhm, so go for it, do the automations. But if I give you that, okay, do this particular project, all the viewers will start doing that single project and that will be not valuable, because there are multiple solutions for it. So create your own solutions for every particular

problem. So that is something you can try, so you can automate it using ChatGPT if you don't know programming, all right. Yeah, yes, sir, that's perfect, sir. Again, thank you so much, sir, for joining in, we really appreciate you taking out time for us, and we really enjoyed this insightful session. I certainly learned a lot and I'm sure all our viewers learned a lot of things as well. Thank you all for tuning in, we'll be back very soon with more exciting podcasts. Be sure to stay connected and follow us on Instagram and LinkedIn for the latest updates. As I said, I've been your host

Karthik from BSides Noida, this is BSides Weekly and we are always beside you. Bye-bye, thank you everyone.
