My Notes
Here are my notes taken from the SANS webcast.
- The top 6 CSPs are: AWS, Azure, Google Cloud, Alibaba Cloud, Oracle Cloud, IBM Cloud.
- Terraform lets you define cloud infrastructure as code and has providers for all six of them.
- It is practically impossible to consistently apply security controls across CSPs with any single tool, Terraform included.
Organizations look to so-called "cloud-agnostic" technologies to manage this complexity.
Cloud infrastructure consists of highly specific services and platforms, and these platforms are not interoperable.
- each CSP uses a different API call scheme to create infrastructure
- fundamental security concepts differ across the CSPs
- users must understand both the conceptual differences between the clouds and the syntactic differences between the Terraform providers.
Cloud IAM control is the most important subject across the CSPs.
- limit access to managed services
- IAM is more useful than network controls in the cloud.
- AWS IAM policy evaluation logic vs. Azure RBAC evaluation logic vs. Google Cloud IAM policy evaluation: each cloud decides "is this principal allowed to do this?" differently.
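The following Terraform example is added here to illustrate the last two groups of notes (the different API schemes and provider syntax, and the different IAM models). It is not from the webcast or from SANS: it expresses one intent, "let one workload identity read objects in one storage bucket", once per provider. Resource labels (`app`, `example`), the bucket name `example-bucket`, and the referenced role, identity and bucket resources are placeholders assumed to be defined elsewhere in the configuration.

```hcl
# Added example, not from the webcast. All labels and the bucket name are
# placeholders; the aws_iam_role.app, azurerm_storage_account.example,
# azurerm_user_assigned_identity.app, google_storage_bucket.example and
# google_service_account.app resources are assumed to exist elsewhere.

# AWS: permissions are a JSON policy document listing actions on resource
# ARNs, attached to the identity (here an IAM role). Evaluation is
# implicit deny by default; any matching explicit Deny overrides any Allow.
data "aws_iam_policy_document" "read_bucket" {
  statement {
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-bucket",
      "arn:aws:s3:::example-bucket/*",
    ]
  }
}

resource "aws_iam_role_policy" "read_bucket" {
  name   = "read-example-bucket"
  role   = aws_iam_role.app.name
  policy = data.aws_iam_policy_document.read_bucket.json
}

# Azure: no actions are written here at all. A role definition (built-in
# or custom) is assigned to a principal at a scope; permissions from every
# assignment at or above the scope are unioned, and NotActions inside a
# definition only subtract from that definition.
resource "azurerm_role_assignment" "read_blobs" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

# Google Cloud: a binding attaches a role (a named bundle of permissions)
# to a member on the resource. Allow bindings are additive and are
# inherited down the organization/folder/project/resource hierarchy.
resource "google_storage_bucket_iam_member" "read_bucket" {
  bucket = google_storage_bucket.example.name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.app.email}"
}
```

Three different primitives express one intent: AWS attaches an action list to the identity, Azure attaches a pre-packaged role to a scope, and Google Cloud attaches a role to a member on the resource. None of the three blocks can be mechanically translated into another, which is the practical reason a single tool cannot apply the same control consistently across clouds.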
A CSP may break interoperability (on purpose) to protect its position as market leader.
Besides IaC, application integration is another barrier to cloud agnosticism.
- native cloud services are more secure than equivalents written in-house.
- you either have to re-write the applications for interoperability, or stop relying on native cloud services such as S3, DynamoDB and IAM.
The webcast was conducted on May 10, which is Happy SEC510 day!
Possible solutions and recommendations:
- dapr.io (a Cloud Native Computing Foundation project)
- Use multi-region instead of multi-CSP for redundancy and simplicity.
Creating one core application that works across multiple clouds is nearly impossible and unnecessary. (by chance)
- multi-cloud solutions:
- vendor specific: