2026-04-25, Track 1
Cloud security shouldn’t feel like deciphering a spellbook written during a power outage. This talk starts by breaking down the core concepts of cloud architecture and access control using clear, memorable analogies—yes, “Pizza as a Service” makes an appearance. In just a few minutes, the audience will understand how IAM, org policies, and service boundaries compare to the on-prem world, and how attackers use these same models to find weak spots.
Then it’s showtime. We dive into real-world cloud misconfigurations and the attack paths they create, with a mix of live demos (plus recorded backups, because the demo gods can be fickle) and open-source tools that anyone can use. We’ll walk through everything from “accidental” data exposure to the infamous public GitHub token that launched hundreds of crypto-mining VMs without detection. And yes, why cryptominers are often just the decoy for something far more concerning.
Cloud security has become very good at finding problems after they ship. Scanners run. Dashboards glow. Tickets multiply. Meanwhile, attackers stroll in through configurations that technically “passed” review. In 2026, misconfigurations still understand how to ruin everyone’s day, not because teams don’t care, but because cloud complexity has officially outrun human attention.
This session opens with the 2026 hierarchy of cloud misconfigurations, grounded in late-2025 and early-2026 breach data rather than folklore:
- Identity and entitlement overreach as the new breach starter pistol
- SaaS and API integrations quietly bypassing MFA, logging, and common sense
- Storage exposure that survived provider guardrails via authenticated access and CDNs
- Shadow environments and abandoned IaC resources that never got the security memo
From there, we stop poking the fluffy cloud creature and wondering why it bites back. Using the Guardrail Strategy and Policy as Code, security rules become executable laws of physics inside CI/CD pipelines. Public buckets fail builds. Admin-level service accounts get denied. Secrets never make it into source control. Production click-ops quietly undo themselves like a bad idea sobering up.
We’ll then introduce the Toxic Trilogy: cloud assets that are publicly exposed, highly privileged, and critically vulnerable. PaC’s real power in 2026 is context. By evaluating how these risks overlap, policies don’t just find problems, they prevent entire breach classes from ever existing.
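The guardrail gate and the Toxic Trilogy overlap check described in the two paragraphs above, as an added example that is not code from the talk or from any cloud provider's tooling. The inventory schema, policy names, the role identifiers treated as "admin", and the CVSS 9.0 threshold are assumptions; the sample inventory and IaC snippet are constructed (the AKIA key is AWS's published documentation example, not a live credential). A single-flag asset only warns at best, while the three-way overlap fails the build, which is the "context" point the abstract makes.

```python
"""Minimal Policy-as-Code gate for a CI pipeline (hypothetical example code).

Each policy is a plain function over an Asset; the gate blocks the build when
any policy returns a "fail". The Toxic Trilogy policy only fails when public
exposure, high privilege and a critical vulnerability overlap on one asset.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                                   # "bucket", "service_account", "vm"
    public: bool = False                        # reachable from the internet
    roles: list = field(default_factory=list)   # IAM roles bound to the asset
    max_cvss: float = 0.0                       # worst known vulnerability score


# Assumed set of roles considered "admin-level" for this example.
ADMIN_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
CRITICAL_CVSS = 9.0

# Constructed secret patterns; the AKIA shape is the AWS access key id format.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (RSA |EC |)PRIVATE KEY-----"),
}


def no_public_bucket(asset):
    if asset.kind == "bucket" and asset.public:
        return ("fail", f"{asset.name}: bucket is publicly readable")
    return None


def no_admin_service_account(asset):
    if asset.kind == "service_account":
        bad = sorted(set(asset.roles) & ADMIN_ROLES)
        if bad:
            return ("fail", f"{asset.name}: service account holds admin role(s) {bad}")
    return None


def toxic_trilogy(asset):
    """Context-aware check: escalate only when the three risk classes overlap."""
    flags = {
        "public": asset.public,
        "privileged": bool(set(asset.roles) & ADMIN_ROLES),
        "vulnerable": asset.max_cvss >= CRITICAL_CVSS,
    }
    hits = [name for name, on in flags.items() if on]
    if len(hits) == 3:
        return ("fail", f"{asset.name}: TOXIC TRILOGY ({', '.join(hits)})")
    if len(hits) == 2:
        return ("warn", f"{asset.name}: two of three trilogy flags ({', '.join(hits)})")
    return None


def secrets_in_source(text):
    """Return the names of secret patterns found in the given IaC/source text."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


POLICIES = [no_public_bucket, no_admin_service_account, toxic_trilogy]


def evaluate(assets, iac_text):
    """Run every policy; return a list of (policy, severity, message) tuples."""
    findings = []
    for asset in assets:
        for policy in POLICIES:
            result = policy(asset)
            if result:
                findings.append((policy.__name__, result[0], result[1]))
    for kind in secrets_in_source(iac_text):
        findings.append(("no_secrets_in_source", "fail", f"IaC contains {kind}"))
    return findings


def ci_gate(assets, iac_text):
    """True when the build may proceed: warnings are reported, fails block."""
    return not any(sev == "fail" for _, sev, _ in evaluate(assets, iac_text))


# Constructed sample inventory and IaC fragment.
SAMPLE_ASSETS = [
    Asset("prod-logs", "bucket", public=True),
    Asset("ci-deployer", "service_account", roles=["roles/owner"]),
    Asset("web-01", "vm", public=True, roles=["roles/editor"], max_cvss=9.8),
    Asset("batch-02", "vm", public=False, roles=["roles/editor"], max_cvss=9.8),
    Asset("intranet-docs", "bucket", public=False),
]
SAMPLE_IAC = 'provider "aws" {\n  access_key = "AKIAIOSFODNN7EXAMPLE"\n}\n'

if __name__ == "__main__":
    for policy, severity, message in evaluate(SAMPLE_ASSETS, SAMPLE_IAC):
        print(f"[{severity.upper()}] {policy}: {message}")
    print("build allowed:", ci_gate(SAMPLE_ASSETS, SAMPLE_IAC))
```

Wired into a pipeline, `ci_gate` is the step that fails the job; the same `evaluate` function can run on a cron against the live inventory so that click-ops drift is caught by the identical rules that gate deployment.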
The result is faster delivery, fewer incidents, and security that finally keeps up with cloud speed without becoming the team everyone avoids on Slack.
Key Takeaways
- Identify the top cloud misconfiguration patterns of 2026 based on real breach data
- Understand why identity and API integrations now outrank storage as breach drivers
- Recognize the Toxic Trilogy and why its overlap predicts breaches with scary accuracy
- Explain how Policy as Code shifts security from detection to prevention
- Apply a policy-first workflow to block risky cloud deployments before production
- Reduce misconfiguration risk without slowing developers or drowning in tickets
Chicago-based (but soon, Porto!) and proudly a natural creature of winter, I thrive on snow, OSS, and just the right amount of chaos. Whether sipping Grand Mayan Extra Añejo or warding off cyber threats with a mix of honeypots, magic spells, and a very opinionated flamingo named Sasha (the BSidesChicago.org mascot), I keep things interesting. Honeypots and refrigerators rank among my favorite things—though my neighbors would likely disagree.