Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hey, hello everyone.
Thank you for joining for my talk today.
So good morning, good afternoon, good evening, wherever you are from.
A quick disclaimer.
So the presentation includes some research points which are purely based
on my research and is not including any of the organizational review.
And as an attendee, you are encouraged to conduct your own research and
basically look into some of these things before you start implementing
any of these in your organization.
So let's move on to the next slide.
So this is about speaker introduction.
So my name is Santosh Bompally.
I am basically a cybersecurity professional with background in computer
science and master's in cybersecurity.
Pretty much since childhood,
I was basically like a hacker.
I started my journey as a hacker like way early on in my life when I first
was trying to crack a BIOS password, basically removed a battery
and basically explored it by myself.
So I had that exploration mindset pretty much baked in since my childhood.
So that basically gave me opportunities to
think through.
And while acquiring, doing all of that, I was able to acquire all these multi-cloud
certifications and some of these different certifications in cybersecurity.
So I was wearing different hats.
I worked in incident response, GRC and all the different
areas inside cybersecurity.
That's what gave me a knowledge to acquire some of the certifications.
And I do contribute to the
industry too.
For example, some of the research publications for CSA, I was
able to contribute there, and pretty much coming back here.
So I basically like exploring cloud, and I'm very passionate about threat
hunting because it basically gives me an opportunity to think like a bad actor.
And as an engineer, I basically try to build controls around
detection side and prevention side.
So it's really fun playing capture the flag even sometimes
because it gives you opportunities to
think a different perspective rather than your spelling controls.
And I do participate in different home automation projects out there, so I do
collaborate in some of those things.
And I enjoy connecting with people and sharing insights into cybersecurity.
And if you would like to connect, this is my LinkedIn profile. Please
feel free to connect, and you can also scan the QR code out there.
If you have any questions around the chat or any of this topic,
you can always connect.
So moving on to today's topic, right?
So today's topic is about cloud security posture management, and
we are gonna be talking about what are some of the strategies that you can
take to basically improve the cloud security posture and at the same time
drive innovation through shift left.
So that's the core point today:
talking about some of the strategies and how do we do it.
So by the end of the presentation, you should be able to understand what
CSPM is, and at the same time, you should be able to understand what
cloud native technologies are out there, which would basically help you to get
maximum benefit in cloud security.
So this is a quick agenda.
What we have today is we are gonna be starting by analyzing a threat landscape.
What are the current
threats out there and things like such.
And then we are going to be talking about building blocks of
cloud security posture management.
We are gonna be doing a deeper dive and also a demo in this area for
the three, where we are gonna be talking about IAC and how that is incorporated.
And we are gonna talk about cloud native security policies, what they
are and why you need to apply them.
And then we talk about event-driven architecture, p management, exception
management, and key takeaways today.
So really,
when you look into the current challenges for cloud security industry, right?
So you all might have already heard right from different
breaches and all these things.
These are expensive, right?
So attack surface is growing.
We see nation-state actors and all these different entities
trying to target critical infrastructures and all those things.
So attack surface keeps on changing, and at the same time, the different status
should also enhance and change every day to protect for some of these attacks.
So if we do a quick research, right,
which is out there.
So if, you see my screen here?
So the report here basically says, hey,
if you basically go and check the real world
cloud security scenarios, the impact of it is really huge.
So a study performed by CSA in 2024 says like majority of these are because of
misconfigurations right inside the cloud.
So these misconfigurations are huge.
For example, think about it, right?
You might be a manufacturing company who is like basically manufacturing cars
and all these, and basically collecting the data from all these IoT things,
and you're sending it to the cloud.
And you have a misconfiguration in the cloud, and that could be
exploited by a bad actor, and that actor can potentially expose all
the information out there, right?
Or do any kind of malicious things if the pro service that
you're using for IoT is not
configured in a secure way.
So there are so many use cases out there from an attacker perspective that
an attacker could basically exploit.
So we also need to make sure like all of those things are properly configured.
And the other report, what you see here, is by CIO.
So what we see here is like Gartner is also coming out and saying, hey,
majority of the times when you see cloud security misconfigurations, these would
be on the rise and at the same time these would be the customer's fault,
because the misconfiguration happened. Because think about the cloud, right?
So it's a shared responsibility model where a provider is responsible for
certain kind of security things.
And as a customer, protecting some of these things is also
something that we have to do.
Either it could be with IAM or either it could be with
some security configurations, encryption, all these things, right?
Going back to the slide, we talked about some of the risks which
are out there, and configuration complexity is huge because,
think about like an organization using tens
and hundreds of services, right?
Protecting all those services would require different configuration settings.
And these configuration settings keep on changing every time when
the new version comes out, so staying updated is very important.
So compliance.
Compliance is huge, right?
If you see my screen here, so you might have been seeing it, right?
Compliance is something that companies would have to abide to.
And if you see the growing fines here, it basically tells a story, right?
It basically, we can see majority of these fines are because of lack of
proper controls in place, right?
People tend to understand and interpret compliance in different
means and how that should be done.
All of what you see here is because of failing to have
those proper controls in place and, for example, GDPR, right?
We need to make sure certain kind of data attribute, data set, should not leave a
specific geographical location, right?
So you have all those
things in play when we talk about like compliance and when we
talk about when you're violating with compliance or any of such.
So coming back to
the foundational pillars, right?
So what exactly is cloud security foundational pillar, right?
So we have four different components here.
So the first component is infrastructure as code scanning.
So what that basically is:
when you're trying to deploy your infrastructures through code, it really
helps you with lot of things, which we are gonna be doing a deeper dive shortly.
So that is, you might be having different languages like Terraform, GCP
Deployment Manager, which you're gonna be using for Terraform, which you're
gonna be using for deploying resources.
And that is really a key in
stopping misconfiguration, so that you can enable some of
those policies right in IAC.
So the second thing is cloud native security validation, right?
So for example, if you have a specific use case where your deployment is not
going through IAC, you need to have controls in place, which are cloud native.
So think about, cloud to cloud collaboration, right?
Maybe a third party is talking to your cloud and you need to have
certain kind of controls in place.
So that's the second pillar.
Azure policies, GCP org policies, AWS organization policies
would basically help you
to build some of the cloud native policies to ensure, hey, if a resource is basically
getting provisioned, it gets provisioned with some security settings baked in or
with a specific configuration baked in.
And the third thing, the third pillar, what you see there is
runtime remediation, right?
For example, if you're trying to deploy something, it's not
meeting the configuration.
For some reason the pillar two basically didn't catch it.
What happens in the third thing is it
basically does a runtime remediation.
It sees the events in the real time and it basically goes and starts remediating it
with any of the native functionality, like Azure functions or GCP functions or AWS,
or config policies or things like such.
So having a complete understanding about the
posture is really important.
That's where compliance monitoring and reporting comes into play.
So we have majority of the tools out there, which
you could do research.
Gartner basically ranks them with different quads.
So you can be sure to do some research and get some information
about the best players out there.
So moving on to the topic of IAC, right?
So we talked about like pre-deployment scanning, so that is really a core, right?
You need to have your infrastructure going through the IAC. That basically helps you
to basically scan those misconfigurations and do a policy integration,
so that anytime when a misconfiguration goes through it, you basically
catch it. And having an integration with VCS, maybe GitHub or
any of the VCS systems out there,
you can have integrations natively so that whenever you check in the code, automatically
a scan happens and it'll basically show you if the proper template is
configured in proper way or not.
So moving on to the demo, this is a demo of what we are gonna
be doing a deeper dive into.
So what we're gonna be doing is we are gonna go through, we are
gonna try to deploy a misconfigured application into the cloud.
And you're gonna see OPA, an Open Policy Agent, which is gonna be deployed inside
Docker, and how that basically scans it and how we are writing policies and
how the misconfiguration is stopped
before it moves into the cloud.
So if you see my screen here,
gimme a second.
I'm just switching the screen.
So if you see my screen here, so this basically is what?
We have for IAC, right?
So think about it, right?
So we have a app name Insights ai.
So this app basically has different modules in it.
So we have code in Terraform and we have code in Bicep, right?
So in Terraform we had different modules.
For example, let's go inside a storage module.
Let's see a Terraform template.
Yeah.
This is the Terraform template.
And you can see, hey, this is a misconfiguration, right?
You really don't want to allow any of these things without properly configured.
And see, public network access is enabled, which again, for any storage
account, you should not be doing it, and
HTTPS traffic is also disabled.
So this is something which needs to be enabled in order
for encryption to happen, right?
And we also see tag problems going on inside the environment.
And some of these things are misconfigurations, which should be
getting caught during the deployment time.
So this is a storage account.
Likewise, I think we also have subnet. I think this is pretty straightforward,
getting the information out from the variables and it's basically deploying
it, but it does not have any kind of elaborated security controls.
Same thing here.
So this is what we have for Terraform.
Let's go also see a Bicep template.
So we talked about, so Terraform is one way of deploying it.
So bicep is a secondary mechanism of deploying the same code.
So this is a bicep code for the similar thing.
So if you look into it, right?
So again, you see here we have huge misconfigurations, right?
So this, these should not be allowed, right?
So for example, for this one, where you have it open to the world.
And you also have draw access, which is open to the world, which basically means
like, any entity out there can reach out to this particular storage account.
Again, if you're basically having keys and all that, and you
basically have any of this open.
So basically with the keys, they can basically access it from anywhere.
So some of the incidents or some of the major breaches, which happened over a
period of time, did include some of those patterns where keys were, not rotated,
and keys were saved inside a platform which was available across, and which was
not properly authenticated, which led to potentially data breaches and all of such.
So anyways, coming back to those, so you can see a list of, again, you can see a
list of misconfigurations going on here.
So what we will do is we will also do a deep dive
into what we have from the
CI perspective, right?
So this is what is happening during the build process.
So we are basically getting an image inside Docker.
So KICS again is a platform which you're gonna be using, or which we
have our OPA agent, where we basically have all the policies written here.
And this is an image from Checkmarx and we are doing a security scan stage.
What's happening here is, inside a query,
what we are doing is performing a scan.
And the scan is basically passing out the path where the custom policies are.
We are gonna be touching about these in a bit here.
And we are also doing a print screen.
And at the same time, we are exporting all the results onto the screen,
which you can see what's gonna happen in that particular stage.
Okay, let's go back here.
So here is what, so you have seen misconfiguration so far.
Right now what you're gonna see is policies.
For example, we talked about IAC policies, right?
So in order for IAC policies to work, you need to be very specific
about which platform you would like to have this tailored to, right?
So here what you have is, again, inside the same repository.
I have IAC policies here for the demo purposes.
And here we have Terraform.
And if you go through Terraform, you have list of positive
and negative, like, templates.
So if you look into this one, right?
So this is something, an expected thing, right?
So for example, if you're trying to deploy something, this is how the
expected configuration should look like.
And this is how the
misconfiguration should be.
So this will basically train the particular OPA agent to basically
identify what is misconfigured and what is not misconfigured.
And then you come into the query.
We write queries here in the OPA, in the Rego format.
What happens is, the example for this query is like, it's going to be
packed with this compliance pack, and it is gonna be searching for
some of the misconfigurations here, which are inside storage accounts.
And it's gonna check for these attributes.
And if any of these attributes are missing, or if it's
not meeting the expected value, it's going to throw out an error.
And it's also gonna show which
specific storage account is having this issue, so that is the
reason why we use this percentile.
you might be having tens and hundreds of resources which are getting deployed.
So only a specific set might be having this misconfiguration.
So this will basically help us to get that.
So I already have a build, which was run.
So let me go back here.
Let me, let's go to the build jobs.
So if you look at the recent build, which was failed, right?
So if you look into the scan, so you can see here, okay, now what
this basically says is, okay, these are the misconfigurations and
this is the reason why it failed.
I'm just highlighting it here.
So again, the risk rating and all these would come based on
either how you define it inside the configuration file or either
it might be coming from the vendor.
So whenever you scan these, so what I did is like I included like base
policies, which are out of the box, and also I included the custom policies.
So what you can see here is like there are a list of
bunch of misconfigurations like
whatever you have seen here.
And it basically tells you like, okay, these are some things that you'll have
to fix in order for this technology or in order for this app to basically
be getting deployed inside the cloud.
So what we see here is Terraform configuration and also what we see
here is the Bicep configuration. Whenever it goes and scans,
it basically gets everything inside
this particular IAC scan. So inside the stage what is happening is
it's basically scanning for everything, for all the built-in
policies and custom policies.
And it's basically showing you the results stating, hey, you're not complying with any
of these configurations, and that is the reason why the pipeline is getting failed.
So this is really crucial because, hey, this is gonna give you the feedback
in the scans from the kind of, phase itself to basically say, hey,
these are the misconfigurations.
This is a policy violation and this is a reason why the pipeline
is getting failed and all such.
So this is a demo of what we have.
Let's switch back, to the main thing.
So what we have seen here is like we have seen a demo.
The configuration did not go through the cloud because
it basically failed and we captured the misconfigurations.
We have seen custom policies.
We have seen how we can write custom policies in Rego.
Again, we have seen how we can use it with OPA.
So let's move to the next one.
So again, deploying these things inside cloud in a DevSecOps model is really
crucial for any enterprise, right?
If you do a proper integration with CI/CD, it gives you two benefits.
The benefit one is like it's gonna give you a good developer experience
and a good collaborative team effort, right?
For example, security team knows really what's happening before
it is an issue on the runtime.
And at the same time, developers will get a chance to review the code,
rather than security forcefully fixing some of these things on the runtime,
which is gonna be causing drift, and sometimes application failures.
So having a proper integration inside the pipeline,
so as soon as the developer writes the code, whenever he
basically merges into the main, or
whenever a branch is
created, we can have security enabled there itself within the pipeline.
So that, after every kind of merge request, automatically scan happens,
and it tries to see if a particular
configuration file or any kind of your IAC infrastructure
configuration deployment file is meeting the configuration.
If it's not, then you basically fail the build there itself so that
people basically know about it.
So the second pillar, what we are now talking about is
cloud native security policies.
So what these are: resource specific, policy specific, for
each specific cloud environment.
If you have any cloud to cloud integrations, right?
So you might be having an app or something, which is sitting in the
other cloud, talking to this cloud.
Or you might be having a vendor out there connecting to your cloud and providing
some services by basically provisioning infrastructure in your
cloud environment.
So if you have any of those areas or if, for some reason, you don't have
the capability to do an IAC deployment,
but rather you have a capability to
directly log into the portal and do it.
So the second one, which talks about the cloud native security policies, is really
important because you're gonna be applying policies inside the native cloud provider.
So in this case, you're gonna be using tools like AWS SCPs, Azure
Policies and GCP org policies.
So these basically restrict what kind of things you can deploy
and, when you deploy those things, how those things should be
configured in a cloud native way.
So having these
in those environments will give you centralized policy management control.
Again, mapping back to your standards on how you would like to get this deployed
and how you would basically map back to security requirements and all those.
So compliance automation is another portion of it.
For example, for few cloud services, there are specific
services. For example, Azure Blueprint as a service will basically
enable you to deploy a specific application if it only meets certain
kind of regulatory standard, right?
So you can always have those kind of things configured inside
those specific cloud providers.
So that is cloud native security policy.
Moving on to the next one.
So we are gonna talk about event-driven security automation, right?
So for instance, for some reason IAC did not work,
cloud native policy did not work, right?
So you have an ability to read events in real time,
whatever is happening in the cloud.
So what's gonna happen here is you're gonna see the event in the real time.
You're gonna perform an analysis of each event which
happens in the cloud activity.
And then you're gonna be having a configuration, which you can configure
inside cloud native applications like, for example, Azure functions or Lambda
functions, or Google functions or any of such, to basically, if the configuration
is not meeting the security
requirement, then basically respond and trigger an event, which is
nothing but just trigger a function to basically go and correct it.
And after the particular thing happens, again, it goes through the
verification loop to ensure that a proper misconfiguration is corrected.
Maybe you turned on a storage account to public access and
automatically an event is seen.
You trigger a function automatically based on that event.
And that function goes and corrects it.
And again, a verification happens.
Again, all of these are something that we'll have to look into and we
need to understand and balance this.
For example, we need to understand what's the MTTR for remediation
and things like that, because sometimes some of these solutions
get costly over a period of time
if they're not deployed in a proper format.
So again, when you're stitching everything together, for example,
from a monitoring perspective, so this is a crucial key, right?
So we have seen IAC blocking it.
We have seen if IAC is not blocking it, at least the proactive security
blocks it, the cloud native.
The third thing, even that does not go through, you have your reactive
way of basically correcting it.
Now the last part is compliance monitoring, right?
So how do you tell a story?
For example, if you are having an app and you sometimes
should basically
benchmark that app with a specific compliance standard, or you have
an industry wide standard that you're complying with, how do
you check information about it?
So this particular compliance monitoring portion of the cloud tool basically will
help you to basically create policies
tailored for monitoring and also would help you to
prioritize which risks are high.
For example, if you're trying to remediate any of these misconfigurations, it's gonna give
you information about what are the things that you need to prioritize first based
on the risk, or basically it's also gonna help you with anomaly detection, right?
For example, you can have some of these things turned on where it's easier.
Some of these tools have visibility into network traffic and things
like those. It's gonna help you to paint a holistic story around the
risk when you're trying to go and chase and fix some of these things.
So again, all of these tools, majority of them, have certain kind of AI capabilities,
which will help you to identify if there is an active threat going on.
Some of these things are integrated into IAM and those kind of
things where it sees a behavioral analysis of a specific entity.
If it's deviating from certain, like, baseline, it automatically
triggers an incident response incident to go ahead and investigate.
So some of these AI driven insights are really gaining popularity
with the tools out there.
So all this information, if you would like to get information about CSPM, I
would highly suggest you to look into the Gartner, which basically
checks at all the four different coordinates to check out which
one is leading and all of such.
So again, when you're talking about how do you implement it, right?
So the first step really is to think about your approach, right?
You need to start with discovery assessment.
So you need to understand what are the current cloud assets
you currently have, and if the tool currently supports all the
cloud, all your requirements too, right?
For example, you have Alibaba or any of those clouds, right?
So check for any of the tools which support those kind of environments
too, rather than just like going with the traditional, the widely used ones.
And at the same time, the policy needs to be clearly defined from security
perspective, which basically says, okay, what are the benchmarks or
what are the things that you'll have
to comply with no matter what.
And what are some of the things that you are willing to do it, but you are
having some of the business requirements
in a way like you should be deviating slightly from a policy
as an exception, and still you should still be able to do it.
So again, the tool implementation comes with different kind of strategies.
You need to ensure like proper RBAC is implemented and proper
kind of controls are in place and you need to have
automation also integrated with CSPM, the CI/CD pipelines and all of those.
So currently we have different kind of terminologies and means for it.
CSPM is one, CNAPP is one.
So please do your research when you're picking any of these
tools, because majority of the tools provide good kind of coverage for
some of these integrations out there.
So again, continuous optimization is a core for any of this platform
because cloud providers
keep on changing, updating the services. As they keep on updating it,
it's, again, something that we'll have to refine policies based on either updated
security settings or sometimes, if you don't update it, it may lead to a failure,
which you would definitely want to avoid.
For example, if someone's trying to provision a
service and a specific category is not supported, but your policy defines it,
that is gonna be a block.
So again, exception management is key for everything, right?
So you will be having exceptions that you'll have to manage.
Either it's a business-driven exception where either you don't have the capability
supported today to ensure like it's meeting the security requirement, or you
are willing to accept the risk, right?
Even in these two scenarios, those exceptions should be monitored
and should be approved by the business and the application owner,
in coordination with security, right?
So we need to have a documented approval pattern for it, and once we
have it, you will have to consistently apply across all your tools, right?
Beginning with IAC,
do like proactive security,
reactive security and monitoring.
So you need to have all of those things clearly defined and clearly
applied across all the platforms.
Key takeaways here are like, shift left is a key, as what we have seen,
that really helps to prevent a lot of sprawl in the cloud, and leverage cloud
native controls and embrace automation.
And adopt CSPM with AI insights, which will help you to drive
some of these conversations a lot easier with your customers.
So in today's topic, we did a deep dive into shift left.
In the future topic, we are gonna be doing a deep dive into
some of the cloud native security controls where we are gonna be doing a demo of it.
So this is a pattern.
So at some point of time you're gonna be doing a part two where we are
gonna be covering topics about cloud native security control deep dive,
how do you embrace automation and how do you basically look into
the AI driven security insights?
So this is what we have for today.
Thank you very much for joining me, and if you have any questions,
please reach out to me on LinkedIn.
Have a good conference.
Thank you.
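
The pre-deployment gate from the IaC demo earlier in the talk, as an added example in Python that is not from the talk or the speaker's repository: it applies the three storage-account checks the demo names (public network access, HTTPS-only traffic, tags) to the JSON that `terraform show -json` produces, reports which account each finding belongs to, and returns a non-zero status so a CI stage fails. The demo itself used KICS with Rego queries; the sample plan, the required tag keys and the function names here are constructed for illustration.

```python
"""Pre-deployment gate over `terraform show -json` output (added example)."""
import json
import sys

# Assumption: tag keys every storage account must carry (not from the talk).
REQUIRED_TAGS = ("owner", "environment")

# Each rule: accepted attribute names (the azurerm provider renamed the HTTPS
# flag between major versions), the required value, and a short reason.
RULES = (
    (("public_network_access_enabled",), False,
     "storage account is reachable from public networks"),
    (("enable_https_traffic_only", "https_traffic_only_enabled"), True,
     "plain HTTP traffic to the storage account is allowed"),
)

# Constructed sample in the shape of a Terraform plan JSON document.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.storage.azurerm_storage_account.open",
         "type": "azurerm_storage_account",
         "change": {"actions": ["create"], "after": {
             "public_network_access_enabled": True,
             "enable_https_traffic_only": False,
             "tags": None}}},
        {"address": "module.storage.azurerm_storage_account.locked",
         "type": "azurerm_storage_account",
         "change": {"actions": ["create"], "after": {
             "public_network_access_enabled": False,
             "https_traffic_only_enabled": True,
             "tags": {"owner": "data-platform", "environment": "prod"}}}},
        {"address": "module.network.azurerm_subnet.app",
         "type": "azurerm_subnet",
         "change": {"actions": ["create"], "after": {"name": "app"}}},
        {"address": "azurerm_storage_account.retired",
         "type": "azurerm_storage_account",
         "change": {"actions": ["delete"], "after": None}},
    ],
}


def _finding(address, attribute, issue, expected, actual, reason):
    return {"resource": address, "attribute": attribute, "issue": issue,
            "expected": expected, "actual": actual, "reason": reason}


def check_storage_account(address, after):
    """Return findings for one planned azurerm_storage_account."""
    findings = []
    for names, expected, reason in RULES:
        name = next((n for n in names if after.get(n) is not None), None)
        if name is None:
            # Fail closed: an attribute the plan does not pin is a finding.
            findings.append(_finding(address, names[0], "MissingAttribute",
                                     expected, None, reason))
        elif after[name] is not expected:
            findings.append(_finding(address, name, "IncorrectValue",
                                     expected, after[name], reason))
    tags = after.get("tags") or {}
    missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
    if missing:
        findings.append(_finding(address, "tags", "MissingAttribute",
                                 list(REQUIRED_TAGS), sorted(tags),
                                 "required tags missing: " + ", ".join(missing)))
    return findings


def scan_plan(plan):
    """Check every storage account that will exist after the plan is applied."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_storage_account":
            continue
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed, nothing to check
            continue
        findings.extend(check_storage_account(rc["address"], after))
    return findings


def main(argv):
    """Scan the plan file given as argv[1], or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = scan_plan(plan)
    for f in findings:
        print(f"{f['resource']}: {f['attribute']} [{f['issue']}] "
              f"expected={f['expected']!r} actual={f['actual']!r} ({f['reason']})")
    return 1 if findings else 0  # non-zero status fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the input comes from `terraform plan -out=tfplan` followed by `terraform show -json tfplan > plan.json`, with `plan.json` passed as the argument.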