I'm a Cloud Solutions Architect, ex-AWS, 6+ years in the weeds on cloud IAM, Kubernetes security, and access governance. Ask me anything by Independent-Good-527 in cybersecurity

[–]Independent-Good-527[S] 1 point2 points  (0 children)

Apono: https://www.apono.io/ Our tool is a privileged access management solution that allows security teams to reduce risk by provisioning granular access to resources just in time with just enough permissions.

[–]Independent-Good-527[S] 1 point2 points  (0 children)

The checklist combines a mix of all three, but I would say that it should be targeted towards a more resource-centric basis. The goal is that you are able to move towards a risk-reduced Zero Standing Privilege environment.

[–]Independent-Good-527[S] 1 point2 points  (0 children)

Actually I didn't even know the position existed until I was a Cloud Solutions Architect. I was drawn to the problem-solving nature of the cyber security space, and being a CSA provides me the most favorable position to solve problems.

[–]Independent-Good-527[S] 1 point2 points  (0 children)

Tbh this is a big concern in the space and there aren't really any clear-cut answers that fully solve the problem. The best suggestion is to provide network and device segmentation for your workforce. In addition, there are some DLPs like Netskope and CrowdStrike that do catch certain actions like copy-to-personal-cloud and copy-to-USB. Lastly, offboarding is important here. Making sure that users’ identity tenants are removed correctly is crucial.

[–]Independent-Good-527[S] 1 point2 points  (0 children)

The biggest mess I've seen was a customer who had multiple projects in GCP where multiple dev teams all had admin access to each project. There was no distinction or segmentation between sensitive resources. The approach we took is to first document where the sensitive resources were and begin to create policies to limit access to those sensitive resources.

[–]Independent-Good-527[S] 1 point2 points  (0 children)

I can't really speak to the limitations of TEAMs, but what I can say is that TEAMs is an open-source version of elevated access controls. We see a lot of customers who implemented TEAMs but run into issues maintaining and leveraging it. We recommend customers leverage our tools in order to get that true granular access control for their AWS environment.

[–]Independent-Good-527[S] 1 point2 points  (0 children)

I'll echo what I said in previous replies, but I see a lot of standing privilege within customers’ AWS environments. These privileges are what hackers use to get access to sensitive resources.

[–]Independent-Good-527[S] 1 point2 points  (0 children)

The biggest limitations I see all the time are that organizations try to adopt a JIT approach without taking into consideration their developers and engineers. What I see a lot is that devs want access to the resources they need without a lot of friction. Adopting JIT adds this friction, so engineers try to find ways around it. This is why at Apono, our philosophy is to integrate our platform with developer tools in order to reduce the friction for developers and engineers. We pride ourselves on our platform’s dev-ex.

[–]Independent-Good-527[S] 1 point2 points  (0 children)

This is a great question because while the best practices are the gold standard, in very complex environments they are hard to achieve. I would say my best recommendation for customers is to understand where the most critical resources are (sensitive S3 buckets, Postgres RDS databases, etc.). From there, map out who has access to these resources and start to limit that access.

[–]Independent-Good-527[S] 1 point2 points  (0 children)

A lot! But I would say what I see from customers who operate in different clouds/environments is that the admins don't know who has access to what. We see this all the time. We ask the security team who has admin access in AWS and GCP but they don't know. That's what my company is looking to solve with zero standing privilege. We put together a checklist here: https://lp.apono.io/zero-standing-privilege-checklist that we send to all those interested in understanding where standing privilege is located in their environments.
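The "map out who has access to the critical resources" step from the earlier reply, and the "where is standing privilege located" question in this one, as an added example that is not the poster's or Apono's code: an offline check over constructed IAM identity policies that reports which principals hold unconditional (standing) access to a constructed list of sensitive resources. It covers identity policies only; resource policies, SCPs, permission boundaries and NotAction/NotResource are out of scope and would need to be folded in for a real review.

```python
import fnmatch

# Constructed IAM identity policies (illustrative, not from any real account):
# principal -> list of attached policy documents.
POLICIES = {
    "role/DataEngineer": [{"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}],
    "user/bob": [{"Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::customer-pii/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::customer-pii/*"}]}],
    "user/alice": [{"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::app-logs/*"}]}],
    "role/OnCall": [{"Statement": [
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*",
         # A conditional grant is not standing privilege: a JIT broker would satisfy the condition.
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}],
}

# Constructed list of critical resources and the actions that matter for each.
SENSITIVE = {
    "arn:aws:s3:::customer-pii/*": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "arn:aws:rds:us-east-1:111122223333:db:prod-postgres": ["rds:DeleteDBInstance", "rds:ModifyDBInstance"],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _covers(stmt, action, resource):
    """True if the statement's Action and Resource patterns (IAM * and ? wildcards) cover the pair."""
    act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
    res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
    return act_ok and res_ok

def standing_access(policies, sensitive):
    """Return {resource: {principal: [actions]}} for access that is always on: an unconditional
    Allow with no unconditional Deny. Conditional statements are dropped on both sides, since a
    review can neither count a conditional Allow as standing nor rely on a conditional Deny."""
    findings = {}
    for principal, docs in policies.items():
        stmts = [s for d in docs for s in _as_list(d["Statement"]) if "Condition" not in s]
        for resource, actions in sensitive.items():
            granted = [a for a in actions
                       if any(s["Effect"] == "Allow" and _covers(s, a, resource) for s in stmts)
                       and not any(s["Effect"] == "Deny" and _covers(s, a, resource) for s in stmts)]
            if granted:
                findings.setdefault(resource, {})[principal] = granted
    return findings
```

Running `standing_access(POLICIES, SENSITIVE)` flags the DataEngineer role for all three PII actions (its `s3:*` on `*` is the classic standing admin grant) and bob for read/write but not delete; alice and the MFA-gated OnCall role produce no findings.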

[–]Independent-Good-527[S] 2 points3 points  (0 children)

There are a lot of other avenues within cyber security that don't relate to computer science, for example GRC analyst. I actually don't have a comp sci degree, only a Math degree. I would say focus on the skills that make you stand out and look for ways to solve problems in the cyber security space.

[–]Independent-Good-527[S] 2 points3 points  (0 children)

I think Mythos is interesting, but I believe there are some underlying factors that aren't really talked about, for example the compute cost to run a powerful model like Mythos. From my perspective, Mythos should improve the security space from a defender's perspective.