Security Lifecycle Management in a Multicloud World (APS222-S)

Title: AWS re:Inforce 2024 - Security lifecycle management in a multicloud world (APS222-S)

Insights:

  • Primary Concern in Cloud Security: The speaker reports that the biggest concern among IT professionals and cloud security leaders is leaked credentials (credentials leaving the organization), ranking above data theft and other breach types.
  • Credential Breach Statistics: According to a Verizon study cited in the talk, about 90% of web application breaches result from stolen credentials, and such breaches have increased by 400% over the past two years.
  • HashiCorp's Approach: The approach to security lifecycle management is summarized as Protect, Inspect, and Connect.
    • Protect: Centralizing credentials and secrets, reducing risk through secret rotation, dynamic secrets, and just-in-time credentials.
    • Inspect: Scanning code repositories for unsecured (hard-coded or leaked) credentials and recording privileged SSH access sessions.
    • Connect: Using Vault and Boundary to authenticate and authorize users, brokering access with dynamic secrets rather than long-lived, shared credentials.
  • HashiCorp Products:
    • Vault: An identity-based secrets manager that handles secrets, certificates, keys, and data protection. It automates access to secrets and manages their lifecycle (issuance, rotation, revocation).
    • Boundary: Provides secure remote access with least-privilege access management, removing the need for VPNs or bastion hosts by allowing users to reach only the applications they are entitled to use.
  • Vault Radar: A new offering that scans up to 18 data sources to identify unsecured secrets, providing a dashboard for action and integration with messaging tools for automation.
  • Dynamic Secrets: Vault can issue short-lived credentials on demand, scoped to a single use or session. Even if such a credential is exposed, it expires quickly, which limits the window in which an attacker can use it.
  • Session Recordings: Boundary can record privileged SSH sessions, providing detailed playback for security and compliance purposes.
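
The "Inspect" step above (repository scanning, and what Vault Radar automates across data sources) is easy to reason about with a concrete scanner. The following Python is an added example, not HashiCorp's Vault Radar code or any code from the talk; it runs over a constructed in-memory "repository" and shows the checks a practitioner wants from such a tool: format-specific rules for well-known credential types, a generic keyword-plus-entropy rule for assignments, placeholder filtering so `changeme`-style values are not reported, an inline allow marker for known test fixtures, and redaction so the scanner never re-leaks what it finds. The rule names, the `secret-scan:allow` marker, the placeholder word list and the sample files are all assumptions; the `AKIA...` value is the key-ID format example from AWS's own documentation, and the other values are made up.

```python
"""Minimal secret scanner over a set of source files.

Added example (not Vault Radar's code): it shows the kind of check an
"Inspect" step performs. Rule names, the allow marker, the placeholder
list and the sample repository below are all assumptions.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # the scanner never stores or prints the full secret


# Hypothetical rule set. A named group "v" marks the secret value;
# rules without one report the whole match.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic_assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['\"](?P<v>[^'\"]{8,})['\"]")),
]

ALLOW_MARKER = "secret-scan:allow"  # assumed inline suppression marker
PLACEHOLDER_WORDS = ("changeme", "example", "your-", "xxxx", "<")
MIN_ENTROPY_BITS = 3.0  # below this, a value looks like a word, not a key


def shannon_entropy(s: str) -> float:
    """Bits per character; low values indicate word-like placeholders."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it, never the whole thing."""
    return value[:4] + "..." + value[-2:] if len(value) > 10 else "***"


def is_placeholder(value: str) -> bool:
    low = value.lower()
    return any(w in low for w in PLACEHOLDER_WORDS) or shannon_entropy(value) < MIN_ENTROPY_BITS


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:  # reviewed fixture, explicitly allowed
            continue
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.groupdict().get("v") or m.group(0)
                if rule == "generic_assignment" and is_placeholder(value):
                    continue  # keyword hit, but the value is not a real secret
                findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample repository (no real credentials). The AKIA value is the
# key-ID format example from AWS's documentation; the rest is made up.
SAMPLE_REPO = {
    "app/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'changeme'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'Zq8vT1mN4xL9pR2sW7yB3kD6jF0hG5cA'\n"
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(base64 body omitted)\n",
    "README.md": "Set API_KEY = 'your-api-key-here' before running.\n",
    "tests/conftest.py": "TEST_TOKEN = 'fixture-token-not-real-1'  # secret-scan:allow\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
    print(summarize(results))
```

Running it reports three findings (the AWS key ID, the high-entropy secret key assignment, and the private key header) and stays silent on the `changeme` placeholder, the README hint and the allow-listed fixture. The point a real deployment adds on top of this is the "action" part of the Inspect step: each finding should lead to rotating the exposed credential and moving it into Vault, not merely deleting the line from the repository, since the value remains in history.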

Quotes:

  • "The biggest concern was around leaked credentials. So credentials getting leaked outside of their organization."
  • "Nine out of ten web applications were a result of stolen credentials."
  • "We call it Protect, Inspect, and Connect."
  • "Vault is a secrets manager for identity-based secrets management."
  • "Boundary is all about least privileged access, only allowing your users access to the applications that they should be using."
  • "Radar can scan up to 18 different data sources and will bring back to you where your unsecured secrets are."
  • "Dynamic secrets are short-lived credentials. So basically, as a user logs into a system, a dynamic secret can be created just for that one-time example."
  • "Boundary can record any privileged SSH session that happens on your organization."