Dunkirk, France - July 2023

Public Cloud is the most insecure form of infrastructure, except for all the others.

(With apologies to the ghost of Sir Winston Churchill1, and the rest of the British Empire)

In the hallowed halls of cloud security, where the digital winds of threat blow ceaselessly, a realization dawns upon the vigilant: we are all but mortal souls in the face of a common adversary. Whether we wield the scepter of power or toil in the shadows, the specter of breaches looms large, casting its shadow upon us all.

In the quest for fortification against this common foe, the sagacious Rich Mogull and I found ourselves in accord, spirits united over a virtual ale. Thus, we set forth to pen a treatise, a WhitePaper, if you will, to distill our combined wisdom into a Universal Cloud Threat Model.

This model, a testament to our collective understanding, posits a simple yet profound truth:

Threat Actors have Objectives against Targets using Attack Vectors
which are observed by defenders as Attack Sequences.

From the mighty nation-states to the mischievous cyber-syndicates, and yes, even to Rich’s esteemed feline companion2, the objectives vary from pecuniary gain to geopolitical advantage. The targets, though, remain constant—data, compute, and networking, each a tantalizing prize for the discerning attacker.

The crux of our model lies in the delineation of Attack Vectors, the gateways through which malevolence enters. These vectors, seven in number, form the battleground of our defense:

  1. Lost, stolen, or exposed credentials
  2. Publicly exposed resources
  3. Credentials exposed via application security flaws
  4. Unpatched vulnerabilities and zero-days in overly exposed systems
  5. Denial of Service attacks
  6. Subdomain takeover
  7. Supply chain compromise

With this clarity, our path to fortification becomes apparent: awareness, prevention, and detection. Yet, as we strive to keep our secrets safe, we are reminded of the Sisyphean nature of our task. If safeguarding our treasures were a simple endeavor, all would achieve it effortlessly.

Thus, we must heed the age-old wisdom of the ancients and employ the tried-and-tested mitigations and compensating controls:

  • Rotate long-term keys to minimize exposure
  • Embrace the mantra of MFA, for it is our shield against intrusion
  • Enforce Service Control policies to preclude unauthorized actions
  • Vigilantly monitor the network perimeter, closing doors to the uninvited
  • Cease the folly of granting databases public IPs; instead, opt for the sanctum of TailScale and the humble t4g.nano
  • Attend to Data Perimeters, for noisy intrusions may herald the compromise of credentials
  • Practice good cloud hygiene, removing all vestiges of past endeavors when they are no longer needed, lest they become unwitting accomplices to our downfall

In conclusion, let us not falter in our resolve. We shall go on to the end, we shall fight in the Permission Boundaries, we shall fight in the Service Control Policies, we shall fight with growing confidence and growing strength in the data perimeters. We shall fight on the security groups, we shall fight in the landing zones; we shall never surrender. Let us therefore brace ourselves to our remediations, and so bear ourselves that, if the public cloud lasts for a thousand years, they will still say, “This was their finest policy.”

  1. As interpreted by ChatGPT 3.5 ↩︎

  2. An Inside joke that has perpetuated through all drafts of the whitepaper and presentation at RSAC. ↩︎