2024-06-17, Breakout 1
Using a control plane bypass in Azure OpenAI as an example of when things go wrong, this talk will discuss how Azure RBAC and other Azure platform security controls work, for those who have to secure Azure environments but are coming from a different cloud background. Attendees will come away understanding the differences in how permission controls work in Azure compared to AWS, other neat security controls that are natively present in Azure, how to use Azure permissions to find unpublished APIs, and how to use the published REST APIs to discover vulnerabilities. They will also see a concrete example of why managed/built-in roles need to be carefully examined and why wildcards are bad.
For over 13 years Tyson has been securing cloud environments, either his own at Packetloop (the first big data security analytics company that was 100% cloud based), or for customers whilst at AWS, where he worked with multiple service teams on helping define the AWS Security Foundational Best Practices standard and the AWS Config conformance packs, in addition to other control guidance many AWS customers rely on. Now at TrustOnCloud, as well as being CTO, Tyson is a Principal researcher.