Christian Philipov

Chris is a senior security consultant and heads up the Cloud Security capability area within WithSecure Consulting. As part of his day to day he leads the global team that deals with various different types of engagements of both a transactional and more bespoke nature. Chris specialises in Microsoft Azure predominantly with GCP and AWS as an additional background.


Session

06-18
11:40
20min
One extra large cloud assessment please? - Why testing at scale needs a different approach
Mohit Gupta, Christian Philipov

Cloud estates can vary vastly in size, from small single accounts, to large estates spanning multiple cloud providers. Assessing and assuring these larger environments is often a very complex undertaking, with large numbers of resources to review and secure. CSPM and CWPP solutions can cover a lot, but there's still a fair amount that requires a human-led assessment to properly assure. While it's common to see organisations performing small-scale penetration testing of individual workloads, these are time-consuming and scale poorly for larger environments.

This talk presents the methodologies and approaches developed by the speakers for effectively and efficiently performing large-scale cloud assessments covering an organisation's entire estate. It'll compare and contrast these against common existing approaches and outline why new approaches were required. It'll also cover common areas to prioritise for human assessment, how best to leverage existing tooling to support large-scale human assessments, and how to optimise the time and effort spent to provide the best levels of assurance.

Attendees can expect to gain insight into how to approach human-led assessments of large scale cloud environments, either as the assessor or as an organisation procuring such services. This includes the benefits of such approaches, key focus areas within environments that could affect swathes of the estate and how to use knowledge and information from internal tooling and subject matter experts to better inform assessments.

Democratize Cloud Security Models and Organizations
Breakout 2