Morey J. Haber - Cloud Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Cloud Resources

This Apress imprint is published by the registered company APress Media, LLC, part of Springer Nature.

The registered company address is: 1 New York Plaza, New York, NY 10004, U.S.A.

(By Darran Rolls)

Ive had the great pleasure of collaborating with Morey Haber for more years than we both probably care to mention. Over those years, our professional paths have crossed and intersected on several fronts. As CTOs at our respective identity management companies, we partnered and collaborated on client engagements, market events, and industry initiatives. Coming from separate legs of the now changing three-legged stool of IAM, we have always shared a brotherhood of IAM orientation and a distinct passion for the delicate intricacies that surround the topics of privilege, access, and security controls. During my time at SailPoint, we counted BeyondTrust as a trusted partner, and I considered Morey a good friend.

Morey and I also shared the unique alignment of transitioning into formal CSO/CISO roles within those same companies. For us both, taking on responsibility for product and corporate security was a logical career progression and something of great value to our companies. We have since shared many stories on the significant challenges and unique opportunities that come from being responsible for security inside a security company.

Every CSO has a tough job, but being inside the security chain itself is a whole different story. As more recent security supply-chain vulnerabilities have shown, being a link in that chain drives a certain focus and concern for yourself and hundreds of others. Under Attack may not have been the rock band Abbas best-known single, but the title pretty much sums up the experience of being a CSO in todays increasingly complex and interdependent security supply chain.

Morey asked me to write the Foreword for this book because of another prior successful and rewarding joint collaboration. As I hope the reader will already know, in 2019, we co-authored the third book in this series, Identity Attack Vectors: Implementing an Effective Identity and Access Management Solution. That book was both interesting to write and intellectually rewarding to work on with Morey. Our conversations during that books writing were always a source of inspiration and motivation.

Ive always found that when technical specialists from opposite corners of the same InfoSec camp come together in the center to warm their hands around the embers of a good IAM campfire, interesting things happen. Our unique perspectives, kept on track through the common thread of privileged access and entitlements, lead to what has been referred to as one of the industrys leading texts on using IAM technologies to enhance the prevention, detection, and mitigation of cyberattacks.

In name or in concept, the cloud may seem like a distant, faraway place, both above and apart. But today, even though most significant cloud providers run separate hordes of servers in isolated server farms, in every sense, the cloud has become endlessly entwined with itself (from one cloud to another) and with the existing on-premise information technology (IT) operations. The cloud and traditional on-premise compute are common bedfellows, as comfortable as Grandpa Joe and Grandma Georgina in Charlie and the Chocolate Factory by Roald Dahl. They are now so interrelated that they can only really be thought of as a single, end-to-end system.

The average enterprise data center is a complex mix of on-premise legacy systems, virtualized servers, and containerized complex web applications all connected to and integrated with shared cloud infrastructure and cloud delivered Software as a Service (SaaS) applications (more on this later). As every IT practitioner knows only too well, todays innovation is tomorrows legacy so that mix of new and old goes on. Just like the books in this series, one builds upon the next until they make a stack. Our legacy systems support a hybrid cloud stack that employs a complex combination of on-premise and public cloud service elements.

All new and old systems contain data, privilege, and access that must be secured and managed throughout their life cycle. Quite literally, the web of complexity now spans cloud and enterprise. Ubiquitously adopted new-school CI/CD pipelines, DevOps, microservices, and an API-first economy have introduced an exponential level of complexity. This new, complex reality is littered with identities, user accounts, passwords, proxy access, keys, secrets, privileges, and fine-grained authentication and authorization access policies.

New cloud infrastructure entitlement models are shockingly complicated to understand and manage. They inevitably have data, access, and privileges bouncing back and forth across what can accurately be described as the IT blood-brain barrier. This security configuration and resulting IAM stuff, spanning cloud and on-premise, must all be accounted for, tracked, and managed, if we have any hope of retaining control.