Public cloud providers advertise many things. Increased business flexibility. Lower time to provision. Improved value for compute resources. However, after numerous high-profile data breaches and other outages, there is a definite uptick in interest around securing public cloud accounts. As the public cloud market reaches maturity and the players try to differentiate, enterprises, small businesses, security service providers and hackers wearing hats of all colors are digging in to protect or exploit juicy corporate and user data.

After having spent over a decade deploying production systems in public cloud providers, I know they move fast, and I have a few recommendations that can be applied by practitioners at almost any level to improve their organizational (or personal!) cloud security posture. This talk will give a short introduction to the elements common to public clouds, proceed to identify common vulnerability or misconfiguration scenarios encountered by the author in the context of various public cloud deployments, identify potential breaches from those misconfigurations, and wrap up with strategies to apply readily available free best-practice resources and open source tooling to identify gaps for remediation.

This is likely a 55-minute talk, but could be trimmed depending on audience.