Securing Apps in the Open-By-Default Cloud

Conference:  BlackHat USA 2019

2019-08-08

Summary

The presentation discusses the challenges of securing cloud services and presents a solution that enforces authentication controls for all services throughout their development lifecycle.
  • Cloud services are open by default, making it difficult for security teams to keep up with the rapid pace of development
  • The solution presented requires minimal operational overhead and holds no opinions about the project's development process
  • The solution combines network control and infrastructure visibility to ensure security
  • The solution includes a firewall manager and a stateless authenticator to provide authentication and authorization controls
  • Enforcement is automated and reliable, so developers do not have to instrument their services by hand
The concrete case discussed is Google App Engine, whose services are internet-routable by default, so access control cannot be assumed and has to be enforced from outside the service. The presenters built tooling to add that gating after deployment rather than relying on each team to do it.
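As an added illustration of the two components the summary names (this is not the presenters' tooling; the rule model, the token format and every service name and CIDR below are assumptions of this example), the following Python sketches a firewall manager that reconciles every discovered service toward a deny-all baseline plus explicit allow rules, and a stateless authenticator that verifies an audience-bound, expiring signed token without any session store:

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed inventory, standing in for what an infrastructure-visibility
# sweep of a cloud project might return. The names are made up.
SERVICES = ["billing-api", "reports", "admin-console"]

# Constructed allowlist: which source ranges may reach which service.
# "reports" is deliberately absent to show the default-deny outcome.
ALLOWLIST = {
    "billing-api": ["10.0.0.0/8"],
    "admin-console": ["203.0.113.0/24"],
}

DENY_ALL_PRIORITY = 2147483647  # lowest priority, evaluated last (assumed model)


def desired_rules(services, allowlist):
    """Every discovered service gets a deny-all baseline; allowlisted ranges get
    higher-priority allow rules. A service nobody has written an allowlist for
    ends up reachable from nowhere instead of from everywhere."""
    rules = set()
    for svc in services:
        rules.add((svc, DENY_ALL_PRIORITY, "DENY", "*"))
        for prio, cidr in enumerate(allowlist.get(svc, []), start=1000):
            rules.add((svc, prio, "ALLOW", cidr))
    return rules


def reconcile(current, desired):
    """Stateless diff: rules to add and rules to remove to reach desired state.
    Anything the developers opened that is not in the allowlist is removed."""
    return sorted(desired - current), sorted(current - desired)


class StatelessAuthenticator:
    """Verifies an HMAC-signed token bound to one service (audience) with an
    expiry. No session store: any front door holding the key can validate it."""

    def __init__(self, key: bytes):
        self.key = key

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def mint(self, principal, audience, ttl=300, now=None):
        now = time.time() if now is None else now
        claims = {"sub": principal, "aud": audience, "exp": int(now + ttl)}
        payload = json.dumps(claims, sort_keys=True).encode()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(self._sign(payload)).decode())

    def verify(self, token, audience, now=None):
        """Returns the principal on success, None on any failure. The signature
        is checked before the payload is parsed, and the audience check stops a
        token minted for one service from being replayed against another."""
        now = time.time() if now is None else now
        try:
            p_b64, s_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(p_b64)
            sig = base64.urlsafe_b64decode(s_b64)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        claims = json.loads(payload)
        if claims.get("aud") != audience or claims.get("exp", 0) <= now:
            return None
        return claims.get("sub")


if __name__ == "__main__":
    # A developer left "reports" open to the world; the reconciler closes it.
    current = {("billing-api", DENY_ALL_PRIORITY, "DENY", "*"),
               ("reports", 5, "ALLOW", "0.0.0.0/0")}
    to_add, to_remove = reconcile(current, desired_rules(SERVICES, ALLOWLIST))
    print("add:", to_add)
    print("remove:", to_remove)
    auth = StatelessAuthenticator(b"example-key-not-for-production")
    tok = auth.mint("alice", "billing-api", ttl=60)
    print(auth.verify(tok, "billing-api"), auth.verify(tok, "reports"))
```

The reconciler is intentionally stateless so it can run on a schedule or on every deploy event and converge regardless of what a team did in between; the authenticator is stateless for the same reason, so the gate can sit in front of a service that was never written with it in mind.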

Abstract

Services created in cloud environments like GCP or AWS are open to the internet by default. This is a problem that compounds in a workplace where developers are empowered to create new microservices faster than a security team can review them. Even if all of these services could be reviewed before launch, it is infeasible for security teams to track and review all security-impacting code changes, often leading to improper auth controls and exposed services. We present a generalizable solution which automatically enforces auth controls for all services throughout their development lifecycle. Our solution is designed to require minimal operational overhead for the development and security teams and holds no opinions about the project's development process, allowing development teams to maintain their autonomy.

Authors: Jerome Kuptz, Ameen Radwan
2022-10-28