Prioritizing Risk Among the Chaos of Cloud Development

Cloud development has enabled amazing innovations and allowed our companies to move faster. It’s also completely broken the old methods for prioritizing risk remediations. With an infrastructure that changes day-to-day, minute-to-minute, a cloud’s perimeter is hard to define. Checking for open network access and CVEs doesn’t keep attackers out of your cloud. The number of software vulnerabilities present at any point in the cloud, particularly with open source-driven development, far outnumber what was typical in the data center world. And the explosion of identities - representing both real users and machine identities - has opened up the attack surface for credential abuse a hundred-fold. These massive changes in scale make it overwhelming to try and to answer the question, “what should I fix next?” The sheer scale and ephemeral nature of cloud demands a new approach to risk prioritization. Beyond securing a perimeter, combinations of overlapping risks create a hidden blast radius that includes sensitive data. An attacker may enter the cloud via a vulnerability on a sandbox environment, but through subsequent indirect access abuse, be able to move laterally and access PII. The only way to stop this? Knowing where your sensitive data is, and how anyone or anything can access it - even if access requires a combination of workload, identity, and network-based risks. We’ve brought together cloud security leaders responsible for securing many of the Fortune 100 enterprise clouds to discuss how to rebuild remediation prioritization, and how blast radius intel is critical to spending your team’s remediation efforts wisely. During this session, our panel of cloud security leaders will share: • Ideas for building in the cloud fast and securely • How to overcome the cloud complexity challenge • What alignment between dev, security, and ops can do for your company • Avoiding the common pitfalls around prioritization