
Cloud Security anno 2025: Start Secure, Stay Secure by Rhesa Baar @BSides Ams 2025

BSides Amsterdam · 28:37 · 9 views · Published 2026-01 · Watch on YouTube ↗
About this talk
In 2025, cloud security is no longer just about reacting to threats—it's about building secure foundations and maintaining continuous resilience. This talk is designed for security professionals navigating the complexities of modern cloud environments. We'll explore how to start secure with well-architected landing zones and secure development environments, and how to stay secure through continuous threat and exposure management, robust access controls, and policy enforcement. You'll also learn how to leverage Microsoft Defender for Cloud to proactively detect, respond to, and mitigate threats across your cloud estate.

Key takeaways:
- How to design and implement secure landing zones and development environments from day one
- Best practices for continuous threat and exposure management in the cloud
- Enforcing access controls and policies that scale with your environment
- Using Microsoft Defender for Cloud to stay ahead of evolving threats

Transcript [en]

So first of all, I really want to thank BSides for inviting me up to this stage. I think you did an amazing job organizing this event and I'm very happy to be part of that. So today we talk about cloud security in '25, and there I'm going to talk about some things where you feel like, yeah, of course, this is simple, this is easy. Maybe help the companies in the Netherlands to actually implement it, because I work at Microsoft as a cloud and AI infrastructure and security solution engineer, and I talk to all of the big organizations in the Netherlands and I help them to adopt the cloud in a secure and safe way. And a lot of these things that I talk about today, they really have challenges with. And if you look at my talk and you think this is easy, it's a no-brainer, you should do it: please talk to all of my customers and help them to implement things in a secure way.

I'm a security enthusiast. I've been working in the cybersecurity field for the last almost 15 years now, and I really enjoy it, especially because you have to learn new stuff on a daily basis, otherwise you're out of the game.

So what are we going to talk about today? First a little bit about what the cloud security challenges are nowadays. Then I'm going to talk a little bit about how you can secure the use of SaaS applications, and then what you can do to make sure that your IaaS and PaaS applications are secure as well. Then I will close off with some key takeaways, and if you have questions, feel free to ask them at the end. After my talk there is also some lunch served, so we can also have some conversations during lunch.

So when I started my IT journey 15 years ago, at the company that I worked for at that moment everything was still on-prem, and then some Microsoft people came over and said, "Come to the cloud, come to the cloud, because it's super secure." And at that time that was really the feeling: if we go to the cloud, then maybe our IT systems are more secure, because on-premise we had to really secure the network, we had to secure identity, so there was a lot of things to do. And then we thought, oh, then we go to the cloud and everything is more secure, because big companies like Amazon, Google, Microsoft, they will take care of those things.

But then if we look... I used Copilot a lot to get some of the slides for me, etc., but I also asked it: give me some examples from the last year of cloud security related incidents. And the list was super long, right? I mean, I just pasted some of the names here in the slide, but I think it was yesterday that Cloudflare had some incidents, but also for Microsoft there were some incidents in the last few months, etc. So you see cloud security incidents happening on a daily basis, also with the very big names in there. So cloud security is not that easy.

But what are then the biggest security challenges with the cloud nowadays? So from all of those logos that you saw, most incidents were caused by misconfigurations and human errors. People make mistakes. For instance, with CrowdStrike, somebody really did their best to deploy something in a fast way, but then he made a mistake and a lot of computers were inaccessible, and people couldn't take their planes, etc., because KLM was a big user of CrowdStrike. But it's human errors.

Then the other thing is there are a lot of known, unpatched vulnerabilities in the cloud. So if I go to my customers and we look at some dashboards, it's amazing how many vulnerabilities are out there. But sometimes they don't know what to patch anymore, because there are so many vulnerabilities, and a lot of these vulnerabilities... internet facing, maybe I don't have to fix it.

The other thing from a lot of these logos are identity and access management issues. Multi-factor authentication is a technology that has existed for a long time, but not everybody uses it in the correct way, or they have MFA solutions that can still be intercepted.

Another issue that a lot of enterprise companies face is the use of shadow IT, shadow cloud solutions, because it's super easy to just Google something, you find a nice application and you start using it. But what if you also start using enterprise data in there?

Then, before, during the main track, the guy over there talked about ransomware attacks. Well, those ransomware groups also discovered, hey, there is now a lot of interesting data in the cloud, so ransomware groups also start attacking the clouds on a more frequent basis.

The other issue is compliance: just because you can use something doesn't mean that you are allowed to do it. That's also, especially in Europe, we have very complicated laws across different countries, and then you really have to think about what you are allowed to use. I also work, for instance, with a lot of large banks that also operate, for instance, in Germany, but in Germany some of the controls that they do, for instance, in the Netherlands, they are not allowed to put those things also in the cloud in Germany. But you have to think about these things up front, but it's complicated.

Then you also have the risks of insiders, arising also more in the cloud. Then you have the use of insecure APIs. Risks, because technologies, if something breaks there, that can have big results also for others. And last but not least, the rise of AI also empowers the rise of AI-powered attacks; that's also becoming a problem for the cloud.

So then if I look at this list and I look back to the time when I was still working on-premise, then I feel like, hm, am I really secure? There's a lot of things that I need to think about to make the cloud secure. So we should actually fix this then. And maybe also to take one step back: is this problem then becoming smaller? No, it's only becoming bigger, right? A lot of companies have started to adopt generative AI; they also use generative AI now to produce new applications. So also the speed of new applications popping up in the cloud is expanding. And you also see that in the security, that the rise of cloud security attacks is crazy. It's really on an annual basis, it's growing, it's growing. And one of the issues there is also that you have a lot of these different security vendors that really focus on specific elements, and then at the end you have to tie everything together again, because the attackers nowadays, they are really smart. So they also know that you have different tools, and we also still work in silos.

So then, but who should fix it then? So let's maybe go back to the responsibility model. Is there anybody in the room that hasn't seen this before? There are a few people that haven't seen this before. Basically what the responsibility matrix says is who is responsible for certain elements of your cloud applications. So when you were still on-premise, you were responsible for the physical layer, for the application layer and also for the users layer. And if you go all the way up to software as a service, then most of the things are taken care of by the cloud provider, but not everything. So a customer is still always responsible for the usage layer, for the data that's in there, to make sure that the right accounts are in there, but also to make sure that the controls that you have in the applications, the configuration, that that is set up in the correct way. And then in the middle you have platform as a service and infrastructure as a service, where with infrastructure as a service companies like Microsoft take responsibility for the physical aspect and the rest you do have to do yourself. And with platform as a service, it's really a mixture. Some of the things customers have to do themselves and some of the things Microsoft or Amazon, Google have to take care of. But a lot of people forget about this. They think, "Oh, I do something in the cloud." So Microsoft, they say, "Yeah, but I bought a PaaS service from you, so it's secure, right?" Then I say no, it can be secure, but you still have to set it up in the correct way so that hackers still cannot come in. So then maybe to go one step deeper into this.

... as a company to understand what SaaS applications my users are using. And now, with the rise of generative AI, you really have to think about these things fast, because users really want to adopt new technology. When I was a security officer back in the... This picture shows how much time it takes before 100 million users on the planet start to adopt a certain technology. For smartphones it took 17 years or 16 years before 100 million users on the planet started to use mobile phones. So when I worked at that company back in the days, we took almost one year to select all of the security controls.

... GPS ... million users on the planet to adopt technology. As an enterprise company you don't have a whole year to think about: do we allow it, do we not allow it? No, you have to act fast. You really have to think about it: do I want this application to be used by my users, yes or no? And there are a lot of tools out there from Microsoft but also from a lot of ...

... users governance control on it. Do you allow it? Do you block it? Do you allow certain controls in it? And with this, it is super important and critical to really focus on the data. What is the data that you want to protect? And in order to do this, you first need to know what data your company is using and what is critical data for you. And then you have to put controls like information protection, encryption and data loss prevention policies on it. And what you also shouldn't forget is that you also need to govern your data. If your data is not needed anymore, maybe throw it away. And sometimes you have to keep data because of regulatory reasons, etc. But you really need to think about these things, because they can also be used in SaaS applications. And with software as a service you also shouldn't forget that your SaaS applications might be communicating with each other. During the keynote from Rob, he also talked about the rise of agentic AI, agents doing a booking for you, for instance. Your agents might also be talking to other agents, and you need to think about these things, and there are also a lot of ways in which you can do that. So that's just on a very high level what you can do to secure your SaaS applications.

But then what about your PaaS and IaaS applications? ... things ... Amazon, Google or Microsoft cloud. So the biggest challenge here, and I talk to a lot of these companies, is really the silos in the company. Because then I ask a company, the security people: so who is responsible for cloud security? And then they say, well, that's the cloud platform team. And then I ask the cloud platform team: so who is responsible then for security? Well, the developers, they have their own subscriptions and they are responsible for it. And then I ask the developers: are you taking care of security? Then they want us to implement security controls, then the security people tell me... And then in the end I'm like, OK, so nobody is taking care of security. Let's take a look into your cloud estate. And then we actually see that a lot of things are wrong. And then I'm just so happy for these companies that they haven't been hacked yet, or maybe the hackers are super smart, because they know that they have access to a lot of data and they just won't tell anybody yet.

So one of the things to overcome these silos is to really collaborate with each other and really work on the idea of a secure landing zone. Does anybody know about secure landing zones already? I see some hands, not everybody. So with a secure landing zone, it's also what you have at the airport. What you have is you have a watchtower, you have an airport, and some things are arranged by, with Schiphol, you have the luggage carriers, etc.

... still to do certain things as long as he lands on a certain landing platform. And this is also what you can do in the cloud. And what you then do with creating landing zones is that you really think about what you arrange in the platform and what you can arrange on an application layer. And if you are designing these secure landing zones, then you really have a lot of different topics that you talk about, and these topics are true for Microsoft but also for the other big cloud vendors out there. And from a security aspect, it is really important to think about identity and access management, how you will do your networking and how you will set up your security. And what you will then end up with is something like this, which looks a bit complicated, but what it does here is that it has certain aspects that are already arranged by the platform, and that is really related to your security, to your identity, etc. And what you then have in the end is that you have certain elements that are arranged by the platform, and then within that place you get specific zones for applications where they can deploy their applications. But the boundaries are already controlled by the platform itself, in collaboration with the security team, cloud platform team and development teams. And then if you would zoom into one of these applications, for instance, then the application itself has a lot of controls that it can do, but already some other elements like identity and access management, but also policy enforcement, etc., are done through the central platform. As in the platform you can already say, for instance, I will never allow a storage account to be publicly accessible from the internet. These are really the controls that you can set from a platform level, and then there's no application that can overrule this without getting an exception first. And this is really what helps you to set, OK, these are the boundaries, this is your safe landing zone, and then you can continue.

But then still that application also needs to come to the cloud ... secure code principles. And here the first step, of course, is that when a developer, when he or she is coding, is continuously triggered by: OK, there are vulnerabilities in your code, you should fix this. Because you don't want to start with applications that already have vulnerabilities before they're deployed to the cloud. Once the application is done, then you also need to make sure... Pipelines are ways in which you can deploy certain applications towards your cloud platform, but you really need to have the right controls for this in place. So who can, for instance, make changes to your code base, who can deploy things to your cloud? Because you don't want anything to be just deployed to your cloud environment, but you really need to think about these things.

... runtime protection. I say, OK, this is like a diaper for your cloud, because you just know that things will happen, right? I have a four-year-old, and yes, so I know about... sometimes, although he can do things by himself, he still needs this, and this is also what you really need in the cloud.

... exp ... daily bas ... figuration etc. etc. ... really need to have that runtime protection. You have a lot of different flavors for this: you have things that can defend your servers, your APIs, your containers, your secrets, etc. And you need all of these things to make sure that if something happens to your cloud environment, you have a layer of protection before things really go wrong. And of course you also need to have security monitoring in the cloud that collects all of this information from all of your different runtime protection things, your identity and access management systems, but also the status of everything, so that you can monitor it by, for instance, a SIEM, that can be Sentinel, Splunk or whatever, because you really need to control everything that's happening in the cloud.

And what I see now happening as a new trend, which I think is really good, is that we are now going to a more shift-left approach. Instead of focusing on everything that can go wrong, we go one step where we really make the shift left and really look into continuous threat and exposure management. So the picture here is just an example of how Microsoft implemented it. But the idea here is that instead of looking into all of the different cloud vulnerabilities that are out there, you really tie everything together. So you also look into what your users are doing, what's happening in your mails, etc. ... is the attack path of how an attacker could potentially breach an account. Because in cloud environments ... the list of vulnerabilities is so long, nobody feels like "I should fix this" anymore. If you really can see what the attack path is that an attacker can take to get access to certain elements, ... choke points, etc., you know, OK, if I fix these servers, if I fix this identity, then I become more secure. Because then you can really focus on what the actual risks are, instead of just focusing on compliance, like just patching because you need to patch. Of course you need to patch, but with this you really get insights into what an attacker can do, and fix it before an attacker actually does this. And you need that diaper, too. So just an example of this is, for instance, you get an attack path where some servers are exposed to the internet, there are some vulnerabilities on there, and then you know, OK, from there, on that server there is an identity that can log into a VM, secret storage, ... system ... identifiable information. Because the attack path exists, you also know exactly what you need to do to fix it.

Then we come to the key takeaways, because I know that I gave you a very high-level overview of everything that's happening around the cloud. But I think the first thing you really need to remember is that cloud security is really a team effort. You can't just run it from a security team. You can't just run it from a cloud team. You can't run it from a DevOps team. You really need to collaborate with each other, because the cloud is now so complex; there are so many different capabilities and possibilities in there, there's no way that one team knows everything. So you really need to work together to really set the boundaries together, for instance in that secure landing zone.

The second part is that governance is really key. So, for instance, when it comes down to SaaS applications, you really need to govern which applications can be used and which applications can't be used. But also for your PaaS and your ... you really have to have the policies in place that you really want people to follow: what are really the boundaries, what are really the lines where you say, OK, this can never happen in my environment? And then you can really enforce that layer, act ... in this it's the security team, the cloud team, or in the ideal situation it's a combined effort.

Then also, cloud security is really a continuous process. I still see too many times at my customers that they say, yeah, we have a cloud security project. Then I ask, OK, and how long will that project last? Yeah, there will be some consultants and they will run it for six months, they will fix it. But then what are you going to do afterwards? There are new threats out there every day. So you really need to re-evaluate everything on a continuous basis. And I really think security is really the most exciting field to be in, because, as I said, I started 15 years ago, and the principles of security, they stay always the same: to protect your data, what about confidentiality, integrity and availability. But then all the technology that you now need to secure has changed, so I really get to learn on a daily basis, and yes, I really, really enjoy that. That was my... thank you.

Thank you very much. Are there any questions?

Thank you very much for the presentation; it was very nice to listen to you. I have a question regarding the attack paths that you have shown in the last slide. So I would like to know which kind of tool you are using for this, and if these are really reliable, because that seems quite complex, you know, to identify complete attack paths in a cloud infrastructure that can have thousands of resources, storage accounts and VMs and so on. So that looks very complex, and for me that means that I'm not sure about the reliability of the existing tools to really show you a complete attack path without any error, for example.

Yes, it's a super good question, right? So I think that I will just answer now from a Microsoft point of view, because that's the product that I know the best. This was one of the most difficult things that we did over the last years, because we really had to change our entire layer of how we stored our security related data, because in the past everything was stored more like tables, and it's super difficult to correlate all of these tables together. So we really changed the entire infrastructure on which we store data to a graph-based database. And the tool that I've just shown is CSPM, so that's cloud security posture management, in combination with exposure management. And yes, it is super difficult to get all of this together, and I think that this is also one of the challenges why it can sometimes be so tricky when you have a lot of different security products that you are utilizing, because then it's super difficult to correlate them back to each other. So what we do with Microsoft Exposure Management, we also make sure that you can import data from different vendors. It's not possible with all of the vendors out there, because it's not an open API, but we are making efforts to include more and more vendors in there. But really making sure that you have the right data, deduplicating, etc., it's really a difficult process. And I think now we have like the first version of it, and it's getting improved quite fast.

Anyone else have a question? OK, I guess it's time for lunch.
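The attack-path idea from the talk (internet-exposed servers with known vulnerabilities, the identity attached to them, a vault, and finally the data store) can be reproduced on a toy scale to show why "fix this identity" can cut more risk than "patch this one server". The example below is added here for illustration; it is not code from the talk, from Microsoft Defender for Cloud or from Exposure Management, and every asset name in it (vm-web-01, mi-web, kv-prod, sa-pii, ...) is a constructed, hypothetical label. A directed edge A -> B means "an attacker who controls A can reach B", and the edge label is the finding that makes that hop possible. It enumerates all attack paths from the internet to the PII store, counts which intermediate assets are choke points, and ranks single remediations by how many paths each one eliminates.

```python
"""Toy attack-path analysis over a constructed cloud asset graph.

Constructed example only: the graph, asset names and findings are
hypothetical and not taken from any real tenant or product.
"""
from collections import Counter
from typing import Dict, List, Tuple

Path = List[str]

# Adjacency: source -> {destination: finding that enables the hop}
GRAPH: Dict[str, Dict[str, str]] = {
    "internet": {
        "vm-web-01": "public IP and unpatched critical CVE on web server",
        "vm-web-02": "public IP and unpatched critical CVE on web server",
        "vm-web-03": "public IP and unpatched critical CVE on web server",
    },
    "vm-web-01": {"mi-web": "VM runs with managed identity mi-web attached"},
    "vm-web-02": {
        "mi-web": "VM runs with managed identity mi-web attached",
        "mi-legacy": "legacy service-principal credential stored on disk",
    },
    "vm-web-03": {"mi-web": "VM runs with managed identity mi-web attached"},
    "mi-web": {"kv-prod": "mi-web has 'get secret' permission on kv-prod"},
    "mi-legacy": {"sa-pii": "mi-legacy holds an access key for sa-pii"},
    "kv-prod": {"sa-pii": "kv-prod stores the access key for sa-pii"},
    # Internal-only batch VM: not reachable from the internet in this graph.
    "vm-batch": {"mi-batch": "internal VM with managed identity attached"},
    "mi-batch": {"sa-pii": "mi-batch has blob read on sa-pii"},
    "sa-pii": {},
}


def find_attack_paths(graph: Dict[str, Dict[str, str]], entry: str, target: str) -> List[Path]:
    """Enumerate every simple path from entry to target by depth-first search."""
    paths: List[Path] = []

    def dfs(node: str, visited: set, trail: Path) -> None:
        if node == target:
            paths.append(list(trail))
            return
        for nxt in graph.get(node, {}):
            if nxt not in visited:
                visited.add(nxt)
                trail.append(nxt)
                dfs(nxt, visited, trail)
                trail.pop()
                visited.discard(nxt)

    dfs(entry, {entry}, [entry])
    return paths


def choke_points(paths: List[Path]) -> Counter:
    """Count how many attack paths each intermediate asset lies on."""
    counts: Counter = Counter()
    for path in paths:
        for node in path[1:-1]:  # skip the entry point and the crown jewel
            counts[node] += 1
    return counts


def rank_fixes(graph: Dict[str, Dict[str, str]], entry: str, target: str) -> List[Tuple[str, int]]:
    """Rank single remediations by the number of attack paths they eliminate.

    A 'fix' of an asset is modelled as removing it from the graph entirely
    (patching the server, revoking the identity's permission, and so on).
    """
    baseline = len(find_attack_paths(graph, entry, target))
    results: List[Tuple[str, int]] = []
    for node in graph:
        if node in (entry, target):
            continue
        pruned = {
            src: {dst: why for dst, why in dsts.items() if dst != node}
            for src, dsts in graph.items()
            if src != node
        }
        remaining = len(find_attack_paths(pruned, entry, target))
        results.append((node, baseline - remaining))
    # Most paths eliminated first; name as a deterministic tiebreak.
    return sorted(results, key=lambda item: (-item[1], item[0]))


def explain(graph: Dict[str, Dict[str, str]], path: Path) -> str:
    """Render one path as 'hop: finding' lines for an analyst to read."""
    return "\n  ".join(f"{a} -> {b}: {graph[a][b]}" for a, b in zip(path, path[1:]))


if __name__ == "__main__":
    paths = find_attack_paths(GRAPH, "internet", "sa-pii")
    print(f"{len(paths)} attack path(s) from internet to sa-pii")
    for p in paths:
        print("  " + explain(GRAPH, p).replace("\n  ", "\n    "))
    print("choke points:", dict(choke_points(paths)))
    print("remediations ranked by paths eliminated:", rank_fixes(GRAPH, "internet", "sa-pii"))
```

On this constructed graph there are four paths to the PII store; the managed identity mi-web and the vault kv-prod each sit on three of them, so revoking mi-web's secret permission (or locking down the vault) eliminates three paths at once, whereas patching vm-web-01 removes only one. That is the prioritisation the talk describes: rank by what an attacker can actually reach, not by the raw count of findings.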