Chris Farris in the Multicloud of Madness

Multicloud is Madness!!!!

Your organization is doing a poor job protecting the one cloud you have. Why in heaven’s name would you want to deploy into another cloud? In this two-part blog post, we’ll cover details from my HackCon 2024 talk “Chris Farris in the MultiCloud of Madness” (slides). Part one is here, and it covers all the weirdness between the three major hyperscalers - AWS, Azure, and GCP. The second part will provide checklists to help you establish Minimally Viable Cloud Governance in each cloud.

Creating your first GCP Organization

Note: this is the first in what I hope will become a series of GCP Security 101 posts. Most cloud governance or cloud security folks have never created a Google Organization from scratch. Typically you come into an organization that has already implemented some form of Google. Most likely, that implementation was organic. There was no planning, no design, it’s was just there. I’ve also found that cloud engineers typically only have access to https://console.

Sources of Authority in the three Public Cloud Providers

I’m spending more time thinking about Cloud Security in Google and Azure and trying to grok the differences between those platforms and AWS. One of the critical components for understanding your enterprise security stance is what is the source of authority for creating & managing resources in the cloud. As I was thinking about this, I realized that the three main players have very different models. Each model reflects on that companies pre-cloud origins.