
Covert Exfiltration, Cloud Native


You’ve recently deployed a new setup. It uses private IP space throughout, with a complex set of Virtual Private Cloud (VPC) routes. You are feeling super secure, so you give the team the rest of the month off; after all, what threat could be left?

Later that day you are filling in your breach disclosure paperwork, dodging calls from the media, and there’s an ominous meeting request from your boss that also has the head of HR on the invite. What went wrong?

Well, you see, your private IPs are not a firewall. Every one of those hosts can still talk to the cloud APIs (blob storage like GCS, the Kubernetes master, DNS, message queues like PubSub, etc.). And, let me tell you, you can exfiltrate a lot of data through those. The blob store? It’s a big shared disk, accessible from anywhere on earth, including your private universe.

Sure, but how would they get in? Well, you deploy software, right? It comes from upstream, right? Maybe something wandered in along that path, or came sideways through another part of your system?

You need defence in depth. You can’t rely on a single factor (private IP space) to protect you. An egress API gateway, so those private hosts can only reach the cloud services and buckets you have approved. Some cloud-native defence in depth.
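As an added example (not from the original post), here is the detection side of that layered defence: a small Python check, run over constructed and simplified records modelled on GCS data-access audit entries, that flags private-IP callers writing large volumes to buckets the organisation does not own. The bucket names, principals, addresses and the byte threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed org allowlist: buckets the organisation actually owns.
OWNED_BUCKETS = {"acme-prod-backups", "acme-prod-assets"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BYTES_THRESHOLD = 500 * 1024 * 1024  # alert when one caller writes more than this to foreign buckets

# Constructed sample records. The shape is simplified; only the method names mirror
# the GCS audit-log method names (storage.objects.create / storage.objects.get).
SAMPLE_LOGS = [
    {"principal": "app-sa@acme-prod.iam.gserviceaccount.com", "method": "storage.objects.create",
     "bucket": "acme-prod-assets", "caller_ip": "10.10.2.14", "bytes": 2_000_000},
    {"principal": "app-sa@acme-prod.iam.gserviceaccount.com", "method": "storage.objects.create",
     "bucket": "totally-legit-cdn-cache", "caller_ip": "10.10.2.14", "bytes": 400 * 1024 * 1024},
    {"principal": "app-sa@acme-prod.iam.gserviceaccount.com", "method": "storage.objects.create",
     "bucket": "totally-legit-cdn-cache", "caller_ip": "10.10.2.14", "bytes": 300 * 1024 * 1024},
    {"principal": "ci@acme-prod.iam.gserviceaccount.com", "method": "storage.objects.get",
     "bucket": "acme-prod-backups", "caller_ip": "10.10.3.7", "bytes": 50_000},
]


def is_private(ip):
    """True when the caller address sits in RFC 1918 space, i.e. inside the 'private universe'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def find_foreign_writes(logs, owned=OWNED_BUCKETS, threshold=BYTES_THRESHOLD):
    """Return {(principal, caller_ip): total_bytes} for private-IP callers whose
    object writes to buckets outside `owned` add up to more than `threshold` bytes."""
    totals = defaultdict(int)
    for rec in logs:
        if rec["method"] != "storage.objects.create":
            continue  # reads are not exfiltration in this direction
        if rec["bucket"] in owned or not is_private(rec["caller_ip"]):
            continue  # writes to our own buckets, or from outside the VPC, are out of scope here
        totals[(rec["principal"], rec["caller_ip"])] += rec["bytes"]
    return {key: total for key, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for (principal, ip), total in find_foreign_writes(SAMPLE_LOGS).items():
        print(f"ALERT {principal} from {ip} wrote {total} bytes to buckets outside the org")
```

In a real deployment the same rule runs over exported audit logs, and the bucket allowlist is the same list the egress gateway enforces, so detection and prevention share one source of truth.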