
New Video from @CloudSecurityPodcast: Expert Discusses Cloud Security Evolution and Best Practices
In this video, Nick Jones, a cloud security expert, discusses the evolution of cloud security since 2016, current challenges, and best practices for penetration testing (pentests) in the cloud. He shares his experiences and perspectives on how companies can improve their cloud security posture, emphasizing the importance of contextualizing the results of Cloud Security Posture Management (CSPM) tools and Cloud-Native Application Protection Platform (CNAPP) tools.

Nick begins by explaining how he entered the field of cloud security after accidentally discovering a misconfigured AWS infrastructure at a client's site. Since then, he has led the cloud security team at WithSecure and is now responsible for research, overseeing the work of many consultants in various fields, including the cloud. He notes that cloud security has evolved significantly, moving from simple misconfiguration scanners to sophisticated tools capable of mapping identities and detecting potential attack paths.

A key point of the discussion is the importance of penetration testing in the cloud, even for companies that already have CSPM or CNAPP tools. Nick explains that these tools are excellent for identifying misconfigurations, but they often lack business context. Pentesters can provide this contextualization and identify the critical vulnerabilities that could be chained into real attack paths. He also emphasizes that companies should collaborate closely with pentesters, providing detailed information such as CSPM outputs and infrastructure code to obtain more accurate and faster results.

Nick also discusses the differences between large regulated companies, such as financial institutions, and startups. Large companies are often concerned with compliance and have well-established security teams, while startups focus on speed and innovation, often at the expense of security.
He mentions that startups often rely on frequent deployments and ephemeral infrastructure, which complicates penetration testing (the target changes under the tester) but also makes it harder for an attacker to maintain persistence.

Regarding hybrid and multi-cloud environments, Nick recommends starting with the most critical assets and including CI/CD pipelines and other supporting systems in the assessment. He warns against using pentesters who do not understand the cloud well, as this leads to inaccurate results and poor risk contextualization.

Nick shares the three attack vectors he observes most often: secrets in CI/CD pipelines, misconfigured IAM users, and organizational-level identity management issues. He offers recommendations to mitigate these risks, such as eliminating IAM users, improving identity management, and securing CI/CD pipelines.

Finally, Nick discusses detection as code and its importance for cloud security. He explains that detection as code applies software engineering practices (version control, code review, automated testing) to threat detection rules, but it requires specialized skills and can be costly to implement. He recommends starting by consuming threat intelligence reports and using automated attack simulation frameworks to test detections before engaging consultants for custom purple teaming exercises.

For those wishing to specialize in cloud penetration testing or build internal detection capabilities, Nick emphasizes the importance of understanding cloud specifics and staying up to date with the latest attack techniques. He recommends following threat intelligence reports and experimenting with simulation frameworks to develop practical skills.

In conclusion, this video provides an in-depth perspective on the current state of cloud security, the challenges companies face, and best practices for penetration testing and threat detection. Nick Jones' insights are valuable for anyone looking to improve their cloud security posture or embark on a career in cloud offensive security.
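As a concrete starting point for the "misconfigured IAM users" vector and the advice to eliminate IAM users, the following added example (not from the podcast, Nick Jones or WithSecure) audits an AWS IAM credential report offline. It assumes the CSV layout returned by `aws iam get-credential-report` (after base64 decoding) and uses a constructed sample report, a fixed "now", and hypothetical thresholds (90-day key age, 45-day unused window). It flags console users without MFA, stale or never-used access keys, and key-only users, which are the machine identities most easily replaced by IAM roles.

```python
"""Offline audit of an AWS IAM credential report.

Added example, not code from the podcast or WithSecure. The report
layout follows `aws iam get-credential-report`; SAMPLE_REPORT below is
constructed, not real account data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (account ID and user names are fictitious).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-03-02T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-03-02T10:00:00+00:00,2024-06-01T07:30:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-07-15T12:00:00+00:00,true,2024-05-30T14:00:00+00:00,2024-01-15T12:00:00+00:00,2024-04-14T12:00:00+00:00,false,true,2023-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-09-01T09:00:00+00:00,true,2024-06-02T08:00:00+00:00,2024-03-01T09:00:00+00:00,2024-05-30T09:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed reference time so the run is reproducible; thresholds are hypothetical policy values.
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)
UNUSED_AFTER = timedelta(days=45)


def _ts(value):
    """Parse a report timestamp; the report's placeholder values become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return {user: [finding, ...]} for every user with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        # Console access without MFA (root reports password_enabled as not_supported).
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                issues.append(f"access key {n} older than {MAX_KEY_AGE.days} days")
            if last_used is None:
                issues.append(f"access key {n} never used")
            elif now - last_used > UNUSED_AFTER:
                issues.append(f"access key {n} unused for {(now - last_used).days} days")
        if issues:
            findings[row["user"]] = issues
    return findings


def key_only_users(report_csv):
    """Users with no console password but an active access key: machine
    identities that are candidates for replacement by an IAM role."""
    return sorted(
        row["user"]
        for row in csv.DictReader(io.StringIO(report_csv))
        if row["password_enabled"] == "false"
        and (row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true")
    )


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user, "->", "; ".join(issues))
    print("role candidates:", key_only_users(SAMPLE_REPORT))
```

On a real account, fetch the report with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the text to `audit_credential_report`; the `key_only_users` list is the one to hand to the CI/CD owners, since a pipeline user such as the constructed `ci-deploy` is exactly the long-lived secret Nick warns about.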
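To make the detection-as-code discussion concrete, here is an added example (not from the podcast, Nick Jones or WithSecure) of CloudTrail detection rules written as plain Python functions with a fixed event fixture, so the rules can be reviewed and unit-tested in CI like any other code. The event records are constructed in the CloudTrail JSON layout; the rule names and thresholds are hypothetical. The rules tie back to the attack vectors above: a new long-lived access key being minted, a key minted for a different user, and any use of root credentials.

```python
"""Detection as code: CloudTrail rules as testable Python functions.

Added example, not the podcast's or WithSecure's material. SAMPLE_EVENTS
is a constructed fixture in the CloudTrail record layout; in production the
same rules would run over the real trail and the fixture stays as the test.
"""
import json

SAMPLE_EVENTS = json.loads("""[
 {"eventID": "e1", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"userName": "svc-backup"}},
 {"eventID": "e2", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"userName": "alice"}, "errorCode": "AccessDenied"},
 {"eventID": "e3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"type": "Root"}, "requestParameters": {}},
 {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/gh"},
  "requestParameters": {}}
]""")


def access_key_created(e):
    """Successful CreateAccessKey: a new long-lived credential now exists."""
    return (e["eventSource"] == "iam.amazonaws.com"
            and e["eventName"] == "CreateAccessKey"
            and not e.get("errorCode"))          # denied calls are noise, not alerts


def key_created_for_other_user(e):
    """An IAM user minted a key for a different user: persistence or lateral movement."""
    if not access_key_created(e) or e["userIdentity"].get("type") != "IAMUser":
        return False
    target = e.get("requestParameters", {}).get("userName")
    return target is not None and target != e["userIdentity"].get("userName")


def root_api_activity(e):
    """Any API call made with root credentials; root should be idle day to day."""
    return e["userIdentity"].get("type") == "Root"


# The rule set is data: adding a detection means adding a function and a fixture case.
RULES = {
    "access_key_created": access_key_created,
    "key_created_for_other_user": key_created_for_other_user,
    "root_api_activity": root_api_activity,
}


def run_detections(events, rules=RULES):
    """Evaluate every rule over every event; return sorted (rule, eventID) alerts."""
    return sorted(
        (name, e["eventID"])
        for e in events
        for name, rule in rules.items()
        if rule(e)
    )


if __name__ == "__main__":
    for rule, event_id in run_detections(SAMPLE_EVENTS):
        print(f"ALERT {rule}: event {event_id}")
```

The fixture doubles as the regression test: a rule change that silently stops firing on `e1` or starts firing on the denied call `e2` fails in CI before it reaches the SIEM. The simulation frameworks Nick mentions fit the same loop, replacing the constructed events with records the simulation actually generated in a test account.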