Cloud computing security response is no different to servers racked in a regular datacenter, except for a key difference: When a server is breached, and the need exists to perform a forensic evaluation of that server, the responder has no idea where, or what, that server is. The very first steps of imaging a disk need to be rethought in an environment where disks are of variable sizes and capabilities, and are only exposed via APIs. Many things which are taken for granted in the physical world are implementation details in the cloud. Recent product launches in AWS, such as the next-generation of EC2 instances which access EBS in a different manner, as well as bare-metal instances, have changed some of these implementation details— which potentially changes what an incident responder may encounter.
Brandon has been working with AWS infrastructure for four years and is a Senior Cloud Infrastructure engineer at Twilio, where the challenge of real-time cloud communications requires thinking about security in new and exciting ways. He wants to replace himself with microservices & APIs but until he manages to do that, you’ll find him teaching anyone who will listen that they can be a “security person” too.