Hey, welcome to my talk: I know who has access to my cloud, do you? I'm Igal Flegmann. I'm an identity security engineer with years of experience building products for identity and PKI management at Microsoft. And after a few years, I decided to leave and co-found Keytos, where we make it easy for companies to become passwordless with easy-to-use PKI solutions. And there's my Twitter. If you have any questions, I'll be in the Discord and I'll also be on Twitter, so feel free to message me wherever you prefer. And I'll also be in Vegas, so if you wanna swing by and talk to me in person, let me know. I think here's a picture of me outside, so it looks like I do stuff outside and it's not just coding all day.

So let's just jump right into it with a controversial topic: why security reviews suck. So one of the main things is it's based on what you think your infrastructure looks like. So it might be you forgot to close a port, and in the review you go and say, "now all my ports are closed," or you might say "this is encrypted" and it's not actually encrypted. And it also doesn't change over the years. I've seen teams that have gone over and over again with the same diagram and do not update it to the new microservices they added, or they completely changed the platform, and we just kind of assume that it's still working. And I've also seen some security professionals that care more about the actual diagram than they do about the security. I actually was blocked once until I put a box around my items to show that everything was running in Azure, when it was logical that everything was running in Azure.

So let's talk about how hackers actually get in. It's a hacker talk, so I had to put a bad guy in a black hoodie. Let's talk about the first one, that is adding a member to a group. So this one is pretty easy.
Like, once you get access to a group and you add your identity to that group, it's pretty hard to detect, because you might have your engineering group that you add to all your Azure resources, and you're not really checking it that often. You don't change engineers that much, so you're not gonna be checking the membership. So it's an easy way to get in, and when you're checking RBAC and everything, you're not really gonna check for the group members.

Another one is adding an Azure classic administrator. So Azure classic administrator is something that they have been trying to get rid of for like four years now, I think. And now they put them into a different tab, so it's harder to add, but it's also harder to detect if someone adds someone and then you don't notice.

The third one is adding a service principal as a contributor to a subscription. This was, as a pentester, one of my favorite ones to do. You just add the employer to the end of the service principal and no one is gonna touch it, because no one wants to break the employment. So once you're in, you're in forever, and you will usually have high contributor or owner access.

The next one is removing AAD-only SQL authentication. That one I haven't really seen, but we're actually forcing everybody in my company to use AAD authentication for SQL, and we don't want people to revert back into using SQL or creating their own passwords and everything. So we added that check to make sure that everything is secure.

And then another one is adding permissions to Azure Key Vault access policies. So basically you might have good segregation of duties, having different applications having different access to certain secrets. Some might be able to get them, some others might be able to create them or delete them. But if someone manages to compromise one of those accounts and give themselves access to everything, then when you look at the access policies, you still see the same application.
So you don't see anything different, but they might have more access than what they need.

And the last one I'm going to talk about is adding IP addresses to the firewall. So most companies have hundreds of IP addresses, either from your microservices that talk to your service, or you might have your corporate VPN that has access to it. And adding one extra one, either being a developer being lazy and adding their home address, or a bad actor adding their address so they can access the system, is something that can go unnoticed.

So the solution: we created CloudWatcher. CloudWatcher is a PowerShell module that runs on Azure Automation. It's actually in the Azure gallery, so you can just go there and download it. I have instructions at the end of the slides. It scans your subscription, and if it detects any of the configuration changes that I just mentioned, it will fail the script and then you can send an alert. We have it so that it emails, sorry, calls our on-call engineer and lets us know. And here you have a run that shows how it looks when there are no changes detected, and here's a run that tells you that there were changes detected. So it'll tell you exactly what it found, like resource providers changed and RBAC changes, and it will fail the runbook. So then you can have Azure Automation call you or send you an email, whatever you want it to do.

So let's talk about what we actually cover. So RBAC changes: any RBAC change, adding, removing, changing (while it would still be adding or removing RBAC), we'll catch it. Classic administrator changes, so you don't have to keep looking for them; we'll look for them. Azure resource providers. So Azure resource provider is something that I didn't really talk about, but that's basically how Azure gives, for example, Key Vault access to your VMs to be able to encrypt their disks.
So it's kind of like another way that you can create your custom providers that will give you certain access to the subscription. So we like to keep that blocked to whatever we are comfortable with in our baseline. Resource creation or deletion. We don't want developers to create their own VMs or something in the production subscription that might endanger the rest of the subscription, or delete something by mistake that might be your availability zone or something. So we want to detect any resource creation or deletion. We also have the change of group membership. That won't, there's an asterisk, because we only check first degree. So if you have nested groups, we don't go through each group and check all their groups' membership. We just check the membership of the first group, of any group that is called anywhere in your subscription, from RBAC to AD, or sorry, AD admins on SQL. Anything that we can find, we'll add that group and check it. SQL firewall rule changes, so if they add or remove IPs. SQL server AD: so basically I already talked about it, if you change the AD-only or if you change the AD administrator. Azure Key Vault access policy changes and firewalls.

So now let's talk about the elephant in the room. I can see you guys all thinking, "all right, Igal is just talking about Azure Security Center." So did I just reinvent the wheel? And the answer is no. You can have a security score of 100% and still be vulnerable to these backdoors. For example, Azure Security Center will tell you if your management port, like port 22, is open to the world, but it won't tell you if it's still closed but an extra IP that is not in your corporate IP range was added. So this one is an addition to Security Center. It does not replace Security Center. We use Security Center and we also use CloudWatcher.

And then for the setup, this is a great image of how we actually have it set up.
We have multiple subscriptions and they're all talking, they're all cloud-watching each other. And here, to simplify it, I'm just showing one of the cloud watchers. So you have this production subscription that is the one that you wanna protect in this case. Then you have a cloud watcher in the same tenant that has reader access to this subscription, and hopefully this other subscription has different identities managing it, so you don't have the same admin identities managing both subscriptions. And then you have the baseline. We actually have it in another tenant that CloudWatcher only has read access to, to pull from the storage account and get the baseline JSON. And then we run continuously every few minutes to make sure that everything is still the same and nothing has changed. And if a change is detected in any of the subscriptions, we'll alert our engineers on it.

So now let's talk about what's next. What are the next things we wanna build? So one of the things is create a UI to visualize your resources. As I said, I don't think that security reviews right now do the best job on it. I've never seen a red team go against a security review and grab the information from there. They usually just scan the actual infrastructure. So we wanna create a UI to visualize those resources and maybe add some alerts saying, "hey, we notice that you haven't enabled SQL AAD. Do you wanna enable that?" Or "we noticed that you don't have Azure Key Vault firewall rules," and just give you better ideas on how to protect your infrastructure. Add more resources: so right now we solely focus on SQL and Azure Key Vault. The reason for that is those are the core for our company, but we wanna grow it to other Azure services. And the last one is integrate with Pulumi, Terraform and ARM templates.
So basically we wanna be able to compare your baseline to your infrastructure as code and read the desired configurations, to be able to secure it from your desired configuration to your baseline to your actual infrastructure, to make sure all three match.

And then, thank you so much. If you have any questions, please send them to the Discord or send them on Twitter. Here's a GitHub where you can find the README with all the information about how to install it. And then we have the slides; we also posted them online. And we have a set of videos that I created on my YouTube channel to guide you through all the things you have to do, if you prefer a video over a written README.
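The baseline-versus-current comparison the talk describes, as an added example that is not CloudWatcher's own code: it diffs a constructed "current" snapshot of role assignments, SQL firewall rules and Key Vault access policies against a constructed baseline JSON and fails the job when anything differs. The snapshot shape and all names in it (eng-group, sp-deploy-2, prod-sql, dev-home, app-billing, the IPs) are assumptions.

```powershell
# Added example, not CloudWatcher's own code. Both snapshots are constructed inline so
# this runs offline; in a real run $current would be built from Get-AzRoleAssignment,
# Get-AzSqlServerFirewallRule and (Get-AzKeyVault).AccessPolicies, and $baseline would
# be the JSON pulled from the read-only storage account.
$baseline = @'
{ "RoleAssignments": [
    { "Principal": "eng-group", "Role": "Contributor", "Scope": "/subscriptions/prod" } ],
  "SqlFirewallRules": [
    { "Server": "prod-sql", "Name": "corp-vpn", "StartIp": "203.0.113.10", "EndIp": "203.0.113.10" } ],
  "KeyVaultAccessPolicies": [
    { "Vault": "prod-kv", "ObjectId": "app-billing", "Secrets": ["get"] } ] }
'@ | ConvertFrom-Json

# Constructed drift: an extra contributor service principal, a developer's home IP on the
# SQL firewall, and the same app in Key Vault with more secret permissions than before.
$current = @'
{ "RoleAssignments": [
    { "Principal": "eng-group", "Role": "Contributor", "Scope": "/subscriptions/prod" },
    { "Principal": "sp-deploy-2", "Role": "Contributor", "Scope": "/subscriptions/prod" } ],
  "SqlFirewallRules": [
    { "Server": "prod-sql", "Name": "corp-vpn", "StartIp": "203.0.113.10", "EndIp": "203.0.113.10" },
    { "Server": "prod-sql", "Name": "dev-home", "StartIp": "198.51.100.7", "EndIp": "198.51.100.7" } ],
  "KeyVaultAccessPolicies": [
    { "Vault": "prod-kv", "ObjectId": "app-billing", "Secrets": ["get", "list", "set", "delete"] } ] }
'@ | ConvertFrom-Json

function Compare-CloudBaseline {
    param([Parameter(Mandatory)]$Baseline, [Parameter(Mandatory)]$Current)
    $findings = [System.Collections.Generic.List[string]]::new()
    # Flatten each entry to one canonical string so every section can be diffed as a set.
    # A policy whose permissions grew shows up as a REMOVED/ADDED pair for the same ObjectId.
    $flatten = { param($o) ($o.PSObject.Properties | ForEach-Object { "$($_.Name)=$($_.Value -join ',')" }) -join ';' }
    foreach ($section in 'RoleAssignments', 'SqlFirewallRules', 'KeyVaultAccessPolicies') {
        $b = @($Baseline.$section | ForEach-Object { & $flatten $_ })
        $c = @($Current.$section  | ForEach-Object { & $flatten $_ })
        foreach ($x in $c) { if ($x -notin $b) { $findings.Add("$section ADDED:   $x") } }
        foreach ($x in $b) { if ($x -notin $c) { $findings.Add("$section REMOVED: $x") } }
    }
    return ,$findings
}

$drift = Compare-CloudBaseline -Baseline $baseline -Current $current
$drift | ForEach-Object { Write-Warning $_ }
# Throwing makes the Azure Automation job fail, which is what the on-call alert hooks on.
if ($drift.Count -gt 0) { throw "CloudWatcher: $($drift.Count) configuration change(s) detected" }
```

With the constructed snapshots this reports four findings (one added role assignment, one added firewall rule, and a removed/added pair for the billing app's Key Vault policy) and then throws.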